
Delete Orphaned SIDs In ACLs


Avent Oster

Dec 28, 2023, 2:41:01 PM12/28/23
I need to delete all the orphaned SIDs in the ACLs of about 20 shares (between 100GB/6TB) and change Full Control of user groups to other permissions (Modify or Read/Execute). I have done this script but I'm pretty sure it's easy to improve. Any advice?

After a bit of frantic Googling and testing stuff I realized I couldn't restore the SIDHistory attributes and was going to need to search through and modify file ACLs on multiple fileservers to catch any orphaned SIDs. Thankfully I had exported the deleted SIDHistory values... except I didn't check the exported output closely enough and PowerShell had chopped some of the SID values in half to make the output look "pretty". We have DC backups though, so I found a guide to load an old version of ntds.dit and query it to get the deleted SIDHistory values. I wrote a PowerShell script that does the following:


In an effort to continue cleaning up the current NetApp infrastructure, I am looking to delete a bunch of orphaned SIDs that exist with the Local Users and Groups. Note: I do not have access to the domain controllers, so ldp.exe would not be useful for this issue.


These lines are showing an orphaned ACL. The orphaned ACL occurs when a user is deleted from Active Directory, but the permission is not removed from the Public Folder. This leaves just the security identifier (the SID) showing because it cannot be resolved to an actual user account.
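One way to do the two things the original post asks for (drop explicit ACEs whose SID no longer resolves to an account, and downgrade explicit Allow Full Control ACEs to Modify or Read/Execute). This is an added example, not the poster's script; the parameter names, the log path and the list of principals that keep Full Control are assumptions, and it only reports unless -Apply is given.

```powershell
# Added example (not the poster's script). Dry run unless -Apply is passed; every change is logged.
# Assumes it runs as an account that can read and write the ACLs on the share.
param(
    [Parameter(Mandatory)][string]$Root,                                   # e.g. \\server\share
    [ValidateSet('Modify','ReadAndExecute')][string]$DowngradeTo = 'Modify',
    [string]$Log = (Join-Path $env:TEMP 'acl-cleanup.csv'),               # assumed log location
    [switch]$Apply
)
$FSR      = [System.Security.AccessControl.FileSystemRights]
$newRight = [System.Security.AccessControl.FileSystemRights]$DowngradeTo
$keep     = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM and BUILTIN\Administrators keep Full Control

# A SID that cannot be translated back to an account is orphaned (the principal was deleted).
function Resolve-Name([System.Security.Principal.SecurityIdentifier]$sid) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $path  = $_.FullName
    $acl   = Get-Acl -LiteralPath $path
    $dirty = $false
    # Only explicit ACEs are touched; inherited ones get fixed at the folder that defines them.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $sid   = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $name  = Resolve-Name $sid
        $hasFC = ($ace.FileSystemRights -band $FSR::FullControl) -eq $FSR::FullControl
        if (-not $name) {
            $action = 'RemoveOrphan'
            $null = $acl.RemoveAccessRule($ace); $dirty = $true
        } elseif ($hasFC -and $ace.AccessControlType -eq 'Allow' -and $sid.Value -notin $keep) {
            # Rebuild the ACE with the reduced right but the same inheritance/propagation flags.
            $action = "Downgrade:$DowngradeTo"
            $new = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $ace.IdentityReference, $newRight, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $null = $acl.RemoveAccessRuleSpecific($ace); $acl.AddAccessRule($new); $dirty = $true
        } else { continue }
        $who = if ($name) { $name } else { $sid.Value }
        [pscustomobject]@{ Path = $path; Identity = $who; Rights = $ace.FileSystemRights; Action = $action } |
            Export-Csv -LiteralPath $Log -Append -NoTypeInformation
    }
    if ($dirty -and $Apply) { Set-Acl -LiteralPath $path -AclObject $acl }
}
```

Deny ACEs and the object owner are left alone on purpose; review the CSV from a dry run before re-running with -Apply on a 6TB share.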