Managing Orphaned SIDs on AD objects
We discovered that many distribution groups have had individual permissions assigned using the security tab. Primarily this is because the 'managedBy' field allows only 1 manager to control membership of the group. Unfortunately, when a user is removed from AD, the SID is left behind on the various objects the user was granted permission to. Does an application exist that would identify orphaned SIDs on objects and remove them? If not, how would you recommend removing the orphaned SIDs?

ASKED: February 14, 2008  5:09 PM
UPDATED: January 26, 2011  10:26 PM

Answer Wiki:
Security Explorer will allow you to centrally discover and remove Orphaned SIDs. www.securityexplorer.com
Last Wiki Answer Submitted:  January 26, 2011  10:26 pm  by  Buddyfarr   6,850 pts.
All Answer Wiki Contributors:  Buddyfarr   6,850 pts.


Discuss This Question:
There is a tool that will centrally help you locate orphaned SIDs across the servers: Security Explorer.

 25 pts.


The fellow above is correct. Don’t let the problem happen AT ALL. Unfortunately sometimes you inherit an environment where this has already happened.

Firstly, be CAREFUL!! Make sure you test the following scripts against your environment carefully before you try to run them whole hog!!

PowerShell is the answer.
First, find the orphaned SIDs:

$SearchFolder = "W:"

Get-ChildItem $SearchFolder -Recurse | foreach {
    if ($_.PSIsContainer -eq $True)
    {
        $folderacl = $_.GetAccessControl()
        $folder = $_
        $Orphans = @()
        $folderacl.Access | foreach {
            # Only explicit ACEs; inherited ones have to be fixed on the parent
            if (-not $_.IsInherited)
            {
                # An orphaned SID cannot be translated to DOMAIN\name, so the raw S-1-5-21- string is what shows
                if ($_.IdentityReference -match "S-1-5-21-")
                {
                    $Orphans += $_
                }
            }
        }
        foreach ($Orphan in $Orphans)
        {
            $folder.FullName + " " + $Orphan.IdentityReference >> Output.txt
        }
    }
}

The code to remove the orphaned SIDs goes under "foreach ($Orphan in $Orphans)". I created a second script identical to the first one and simply replaced the section as follows:

foreach ($Orphan in $Orphans)
{
    $folder.FullName + " " + $Orphan.IdentityReference
    $ACLtoRemove = $Orphan
    $folder.FullName + " " + $ACLtoRemove.IdentityReference

    # Rebuild the ACE from the orphan's own rights and flags so RemoveAccessRule matches it exactly
    $colRights       = $ACLtoRemove.FileSystemRights
    $InheritanceFlag = $ACLtoRemove.InheritanceFlags
    $PropagationFlag = $ACLtoRemove.PropagationFlags

    $objType = $ACLtoRemove.AccessControlType

    $objUser = $ACLtoRemove.IdentityReference

    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
        ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)

    # Re-read the folder ACL, drop the matching ACE and write it back
    $objACL = Get-Acl $folder.FullName
    $objACL.RemoveAccessRule($objACE)

    Set-Acl $folder.FullName $objACL
}

 10 pts.
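The scripts above work on a file share; the question itself is about ACEs on AD objects. The following is an added example, not posted by anyone in the thread, that applies the same find-then-remove approach to distribution groups through the ActiveDirectory module's AD: drive. It assumes the RSAT ActiveDirectory module is installed, uses a placeholder SearchBase, and only reports unless -Remove is given (with -WhatIf/-Confirm support via ShouldProcess).

```powershell
# Added example (not from the thread): report, and with -Remove delete, explicit
# ACEs on distribution groups whose SID belongs to this domain but no longer
# resolves. Assumes the RSAT ActiveDirectory module; SearchBase is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Distribution Groups,DC=example,DC=com',
    [switch]$Remove
)
Import-Module ActiveDirectory

# Only a SID issued by this domain can be called orphaned with confidence:
# an unresolvable SID from a trusted domain may just be unreachable right now.
$domainSid = (Get-ADDomain).DomainSID

foreach ($group in Get-ADGroup -Filter { GroupCategory -eq 'Distribution' } -SearchBase $SearchBase) {
    $path    = "AD:\$($group.DistinguishedName)"
    $acl     = Get-Acl -Path $path
    $changed = $false

    # Snapshot the ACE list first; removing from $acl while enumerating it is unsafe
    foreach ($ace in @($acl.Access)) {
        # Inherited ACEs have to be cleaned up on the object they come from
        if ($ace.IsInherited) { continue }

        $id = $ace.IdentityReference
        # Get-Acl translates SIDs to DOMAIN\name where it can; an entry still
        # left as a SecurityIdentifier could not be mapped to any account
        if (-not ($id -is [System.Security.Principal.SecurityIdentifier])) { continue }
        if ($id.AccountDomainSid -ne $domainSid) { continue }

        # Report what the orphan still grants before anything is touched
        "{0}`t{1}`t{2}`t{3}" -f $group.Name, $id, $ace.AccessControlType, $ace.ActiveDirectoryRights

        if ($Remove -and $PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove ACE for $id")) {
            [void]$acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }

    # Write the modified security descriptor back once per group
    if ($changed) { Set-Acl -Path $path -AclObject $acl }
}
```

Run it without -Remove first and keep the report; an unresolvable SID from another domain is deliberately left alone, since it may belong to a live account the DC simply cannot look up at that moment.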