Is there a way to give NTFS file permissions to users from other Windows installations?

Question

I am trying to set file permissions so users from two Windows installations can access certain files from a shared NTFS hard disk, withouth resorting to give "Everyone" permissions.

From within an installation I can get rights for its local user(s), but I can't give permissions to the other user by SID:

icacls * /grant *S-1-5-21-3699620855-3856482933-2467390241-1001:R /T *S-1-5-21-3699620855-3856482933-2467390241-1001: No mapping between account names and security IDs was done.

Apparently Windows has to have record of the SID somehow. Is there a way to force it to give permissions to a "foreign" SID?

Answer 1

I was able to find this powershell function that purports to do exactly what you want:

function SetNTFSPermissionsBySid([string]$directory, [System.DirectoryServices.DirectoryEntry]$objAD)
{
    # Convert byte array sid to sid string
    $sID = New-Object System.Security.Principal.SecurityIdentifier $objAD.objectsid[0],0

    # Inheritance This Folder, Subfolders and Files)
    $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [system.security.accesscontrol.PropagationFlags]"None"

    # Retrieve the ACL
    $aCL = Get-Acl $directory

    # Create Ace
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sID, "Modify", $inherit, $propagation, "Allow")

    # Add Ace to Acl    
    $aCL.AddAccessRule($accessrule)

    # Set Acl to the directory
    Set-Acl -aclobject $aCL -path $directory
}

All credit goes to Settings NTFS Permissions by SID in PowerShell by Remko Weijnen.

This would require PowerShell 3.0+ due to its use of Get-Acl and Set-Acl.