By: scriptlover

scriptlover — Wed, 08 Sep 2010 17:39:19 +0000

The fellow above is correct. Don’t let the problem happen AT ALL. Unfortunately sometimes you inherit an environment where this has already happened.

Firstly be CAREFULL!! Make sure you test the following scripts against your environment carefully before you try and run it whole hog!!

Powershell is the answer.
First Find the Orphaned SIDS:

$SearchFolder = “W:”

Get-ChildItem $searchfolder -Recurse | foreach {
if ($_.PSIsContainer -eq $True)
{
$folderacl = $_.getaccesscontrol()
$folder=$_
$Orphans = @()
$folderacl.Access | foreach {
if (-not $_.isinherited)
{
if ($_.IdentityReference -match “S-1-5-21-”)
{
$Orphans += $_
}
}
}
foreach ($Orphan in $Orphans)
{
$folder.fullname + ” ” + $Orphan.IdentityReference >> OUtput.txt
}
}
}

The code to remove the orphaned SIDS goes under “foreach ($Orphan in $Orphans).” I created a second script identical to the first one and simply replaced the section as follows:

foreach ($Orphan in $Orphans)
{
$folder.fullname + ” ” + $Orphan.IdentityReference
$ACLtoRemove = $Orphan
$folder.fullname + ” ” + $ACLtoRemove.IdentityReference

$colRights = $ACLtoRemove.FileSystemRights
$InheritanceFlag = $ACLtoRemove.InheritanceFlags
$PropagationFlag = $ACLtoRemove.PropagationFlags

$objType = $ACLtoRemove.AccessControlType

$objUser =$ACLtoRemove.IdentityReference

$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)

$objACL = Get-Acl $folder.fullname
$objACL.RemoveAccessRule($objACE)

Set-Acl $folder.fullname $objACL
}

By: epsign2001

epsign2001 — Thu, 14 Jan 2010 16:34:18 +0000

There is a tool that will centrally help you locate orphaned SIDs across the servers. Security Explorer.

Comments on: Managing Orphaned SIDs on AD objects

By: scriptlover

By: epsign2001