How to Find Files with No Owner in Batch Script
In a perfectly managed Windows environment, every file has an owner, usually the user who created it or the Administrators group. However, "orphaned" files can occur when a user account is deleted from Active Directory without first transferring their data, or during a messy disk migration.
Files with no valid owner are a security and maintenance risk. They might be inaccessible to everyone, or they might hide the fact that a deleted user still "controls" the object via their stale Security Identifier (SID).
In this guide, we will use Batch scripting to identify these orphaned files by looking for SIDs that cannot be resolved to a human name.
The Challenge: What does "No Owner" look like?
Windows doesn't actually have a "No Owner" state. Instead, it has a Stale SID state. When an account is deleted, the file owner property doesn't become empty; it remains as a raw SID string (e.g., S-1-5-21-362...).
Our Batch script needs to search the dir /Q output for lines where the owner column contains an "S-1-5" pattern instead of a standard DOMAIN\User name.
Method 1: Searching for Stale SIDs with DIR /Q
This is the most straightforward way to audit a directory for orphaned files.
The Orphan Finder Script
@echo off
setlocal enabledelayedexpansion
set "targetDir=D:\Archive"
set "reportFile=orphaned_files.txt"
echo Scanning %targetDir% for orphaned files (missing owners^)...
echo ----------------------------------------------------------------------
:: 1. /S = Recursive
:: 2. /Q = Show Owner
:: 3. findstr searches for "S-1-5" which is the start of every domain/local user SID
:: 4. dir /Q shows owners in the format DOMAIN\User for resolved accounts
:: and as a raw SID (S-1-5-21-...) for unresolved accounts.
:: Both formats contain a backslash or a SID, so we simply grep for the SID pattern.
dir /S /Q "%targetDir%" 2>nul | findstr /R /C:"S-1-5-" > "%reportFile%"
:: Check if the report file has content
for %%A in ("%reportFile%") do set "fileSize=%%~zA"
if defined fileSize if !fileSize! GTR 0 (
echo.
echo [FOUND] Orphaned files detected. See %reportFile% for details.
) else (
echo.
echo [CLEAN] No orphaned files (stale SIDs^) were found.
del "%reportFile%" 2>nul
)
endlocal
pause
How the filter works:
- dir /Q: Displays the owner of each file. Resolved accounts appear as DOMAIN\User or COMPUTER\User. Unresolved (orphaned) accounts appear as raw SIDs like S-1-5-21-3623811015-....
- findstr /R /C:"S-1-5-": Finds all lines where a raw SID is present in the owner column. Resolved accounts show a human-readable name, not a SID pattern, so they are naturally excluded.
- File size check: We check whether the report file actually contains any output, since findstr writes nothing when there are no matches, and relying on ERRORLEVEL after a pipe is unreliable (the exit code reflects the last command in the pipe, but can be masked by buffering or edge cases).
Method 2: High-Precision Audit using ICACLS
Modern versions of icacls have no single switch for finding "unowned" files, but they do handle large volumes faster than dir.
If you want to perform a deep audit, we can dump the permissions and search for any line where the owner isn't a resolved account but a raw SID.
@echo off
setlocal
set "searchPath=C:\Users"
set "tempFile=%TEMP%\temp_acl_%RANDOM%.txt"
echo Auditing %searchPath% for unresolved accounts...
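:: List ACLs in display mode, where icacls resolves each SID to an account name
:: and only unresolved trustees remain as raw SIDs. (A /save dump is UTF-16 SDDL:
:: findstr cannot search it, and it records ordinary user accounts as raw SIDs too.)
:: /T = Recurse, /C = Continue on errors, /Q = Quiet
icacls "%searchPath%" /T /C /Q > "%tempFile%" 2>nul
:: Look for lines containing unresolved SIDs
:: (folder names that themselves contain a SID will also match)
findstr /C:"S-1-5-" "%tempFile%"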
if %ERRORLEVEL% EQU 0 (
echo.
echo [FOUND] Unresolved SIDs detected in ACLs. Review output above.
) else (
echo.
echo [CLEAN] No unresolved SIDs found in ACLs.
)
:: Clean up temp file
del "%tempFile%" 2>nul
endlocal
pause
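The findstr step can print a matching ACL line without the path of the object it belongs to. As an added example (not part of the original guide), this Python script parses a plain `icacls <path> /T /C /Q` listing saved to a text file, pairs each unresolved-SID entry with its path, and ignores folders that are merely named after a SID. The sample listing and SIDs are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# An ACE whose trustee is still a raw SID, e.g. "S-1-5-21-...-1105:(I)(F)".
# Requiring ":(" right after the SID skips folders merely named after a SID.
ACE_SID = re.compile(r"(?:^|\s)(S-1-\d+(?:-\d+)+):(\(.*)$")

def unresolved_aces(listing):
    """Return (path, sid, rights) for every ACE icacls left as a raw SID."""
    findings, first = [], None
    for line in listing.splitlines():
        if not line.strip():
            first = None                  # a blank line ends one object's block
            continue
        continuation = first is not None and line.startswith(" ")
        if not continuation:
            first = line                  # "<path> <first ACE>"
        m = ACE_SID.search(line)
        if not m:
            continue
        if continuation:                  # ACEs align one column past the path
            indent = len(line) - len(line.lstrip(" "))
            path = first[:indent].rstrip()
        else:
            path = line[:m.start()].rstrip()
        findings.append((path, m.group(1), m.group(2).strip()))
    return findings

def paths_by_sid(findings):
    """Group affected paths under each stale SID for per-account clean-up."""
    grouped = defaultdict(list)
    for path, sid, _rights in findings:
        grouped[sid].append(path)
    return dict(grouped)

def layout(path, aces):                   # mimic the icacls column layout
    pad = " " * (len(path) + 1)
    return "\n".join([f"{path} {aces[0]}"] + [pad + a for a in aces[1:]]) + "\n\n"

STALE = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
SYSTEM, ADMINS = r"NT AUTHORITY\SYSTEM:(I)(F)", r"BUILTIN\Administrators:(I)(F)"
SAMPLE = (                                # constructed listing, not real output
    layout(r"C:\Users\demo\Old Reports", [SYSTEM, ADMINS, STALE + ":(I)(M)"])
    + layout(r"C:\Users\demo\Protect\S-1-5-21-1111111111-2222222222-3333333333-1001",
             [SYSTEM, ADMINS])
    + layout(r"C:\Users\demo\budget.xlsx", [STALE + ":(F)"]))

if __name__ == "__main__":
    for sid, paths in paths_by_sid(unresolved_aces(SAMPLE)).items():
        print(sid, *paths, sep="\n  ")
```

Grouping by SID shows how many objects each deleted account can still reach, which helps decide whether to strip the entry or reassign the data.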
Reclaiming Orphaned Files
Once you find these files, you likely want to fix them. The most common solution is to recursively take ownership as an Administrator.
@echo off
setlocal
set "orphanDir=D:\Archive\OldProject"
echo Reclaiming orphaned objects in %orphanDir%...
:: Forcefully take ownership for the Administrators group
:: /F = target, /A = give to Administrators, /R = recurse, /D Y = default answer Yes
takeown /F "%orphanDir%" /A /R /D Y
if %ERRORLEVEL% NEQ 0 (
echo.
echo [ERROR] takeown failed. Make sure you are running as Administrator.
pause
exit /b 1
)
:: Reset permissions to inheritance defaults
:: /reset = restore inherited ACLs, /T = recurse, /C = continue on error, /Q = quiet
icacls "%orphanDir%" /reset /T /C /Q
echo.
echo Done. All files now owned by Administrators.
endlocal
pause
You may see SID-based owners on certain system files (like those owned by TrustedInstaller). These are not orphans! Do not attempt to "fix" ownership on Windows system folders (C:\Windows or C:\Program Files) as this will break your OS.
Summary
Finding orphaned files in Batch is an exercise in text parsing. By using dir /Q to expose the ownership metadata and filtering for the S-1-5 SID pattern using findstr, you can quickly generate a list of files that were left behind by deleted users. Reclaiming these files via takeown ensures your data stays accessible and your file system storage remains manageable.