Managing Orphaned SIDs on AD objects

Tags:
Developers
Development
Exchange security
Security
Windows
We discovered that many distribution groups have had individual permissions assigned using the security tab. Primarily this is because the 'managedBy' field allows only 1 manager to control membership of the group. Unfortunately when a user is removed from AD the SID is left behind on the various objects the user was granted permission to. Does an application exist that would identify orphaned SIDs on objects and remove them? If not, how would you recommend removing the orphaned SIDs?
ASKED: February 14, 2008  5:09 PM
UPDATED: January 26, 2011  10:26 PM

Answer Wiki


Security Explorer will allow you to centrally discover and remove Orphaned SIDs. www.securityexplorer.com

Discuss This Question: 2  Replies

  • Epsign2001
    There is a tool that will centrally help you locate orphaned SIDs across the servers. Security Explorer.
  • ScriptLover
The fellow above is correct. Don't let the problem happen AT ALL. Unfortunately sometimes you inherit an environment where this has already happened. Firstly, be CAREFUL!! Make sure you test the following scripts against your environment carefully before you try and run it whole hog!! PowerShell is the answer.

    First, find the orphaned SIDs:

        # Walk every folder under $SearchFolder and record explicit (non-inherited)
        # ACEs whose trustee no longer resolves to an account name and therefore
        # still displays as a raw domain SID (S-1-5-21-...).
        $SearchFolder = "W:"
        Get-ChildItem $SearchFolder -Recurse | foreach {
            if ($_.PSIsContainer -eq $True) {
                $folderacl = $_.GetAccessControl()
                $folder = $_
                $Orphans = @()
                $folderacl.Access | foreach {
                    if (-not $_.IsInherited) {
                        if ($_.IdentityReference -match "S-1-5-21-") {
                            $Orphans += $_
                        }
                    }
                }
                foreach ($Orphan in $Orphans) {
                    $folder.FullName + " " + $Orphan.IdentityReference >> Output.txt
                }
            }
        }

    The code to remove the orphaned SIDs goes under "foreach ($Orphan in $Orphans)". I created a second script identical to the first one and simply replaced the section as follows:

        foreach ($Orphan in $Orphans) {
            $folder.FullName + " " + $Orphan.IdentityReference
            # Rebuild the ACE from the orphan's own properties, remove it from a
            # fresh copy of the folder's ACL, then write the ACL back.
            $ACLtoRemove = $Orphan
            $folder.FullName + " " + $ACLtoRemove.IdentityReference
            $colRights = $ACLtoRemove.FileSystemRights
            $InheritanceFlag = $ACLtoRemove.InheritanceFlags
            $PropagationFlag = $ACLtoRemove.PropagationFlags
            $objType = $ACLtoRemove.AccessControlType
            $objUser = $ACLtoRemove.IdentityReference
            $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
                ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
            $objACL = Get-Acl $folder.FullName
            $objACL.RemoveAccessRule($objACE)
            Set-Acl $folder.FullName $objACL
        }
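The original question is about ACEs on the distribution group objects themselves, not NTFS folders, and the script in the reply above handles the file-system case. The following is an added example (not code from this thread or from Security Explorer) that does the equivalent for AD objects through the ActiveDirectory module's AD: drive, which assumes RSAT on Windows Server 2008 R2 or later. Instead of matching on the "S-1-5-21-" prefix it asks the domain to translate each trustee; a SID that no longer maps to any account is reported, and is only removed when you pass -Remove and confirm through -WhatIf/-Confirm. The OU in $SearchBase is a placeholder to change for your environment.

```powershell
# Added example: find (and optionally strip) explicit ACEs on distribution
# groups whose trustee SID no longer resolves. Not part of the original thread.
# Assumption: the RSAT ActiveDirectory module is installed (it provides AD:).
# Assumption: $SearchBase is a placeholder OU; point it at your own groups OU.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = "OU=Groups,DC=corp,DC=example",
    [switch]$Remove
)
Import-Module ActiveDirectory -ErrorAction Stop

function Test-SidResolvable {
    param([System.Security.Principal.IdentityReference]$Id)
    # An NTAccount is already resolved. A raw SecurityIdentifier is only a
    # candidate orphan if the domain cannot translate it. Translation also
    # fails for SIDs from a trusted domain that is currently unreachable, and a
    # deleted object sitting in the AD Recycle Bin keeps its SID, so treat the
    # output as a candidate list to review, not a list to delete blindly.
    if ($Id -is [System.Security.Principal.NTAccount]) { return $true }
    try {
        [void]$Id.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        return $false
    }
}

$groups = Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -SearchBase $SearchBase
foreach ($g in $groups) {
    $path = "AD:\$($g.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Only explicit ACEs can be removed on this object; an inherited orphan
    # has to be cleaned up on the container it is inherited from.
    $orphans = @($acl.Access | Where-Object {
        -not $_.IsInherited -and -not (Test-SidResolvable $_.IdentityReference)
    })
    if ($orphans.Count -eq 0) { continue }

    foreach ($ace in $orphans) {
        [pscustomobject]@{
            Group   = $g.Name
            Trustee = $ace.IdentityReference.Value
            Rights  = $ace.ActiveDirectoryRights
            Type    = $ace.AccessControlType
        }
    }

    # Removal is gated on -Remove plus ShouldProcess, so -WhatIf shows the
    # change per group without writing the security descriptor back.
    if ($Remove -and $PSCmdlet.ShouldProcess($g.DistinguishedName,
            "Remove $($orphans.Count) orphaned ACE(s)")) {
        foreach ($ace in $orphans) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it first with no switches to get the candidate list (for example `.\Find-OrphanedGroupAces.ps1 -SearchBase "OU=Groups,DC=corp,DC=example"`), then with `-Remove -WhatIf` to see which groups would be rewritten, and only then with `-Remove`. Writing the whole descriptor back with Set-Acl needs WriteDacl on each group, so run it as an account that has that right rather than as a full domain admin if your delegation model allows.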
