Solved

identifying orphaned SIDs

Posted on 2009-07-13
5
2,178 Views
Last Modified: 2012-06-21
when looking at permissions for groups and files, from time to time i run accross some orphaned SIDs. is there a way to identify the orphaned SIDs to delete? how should these be handled?
0
Comment
Question by:geriatricgeek
  • 3
  • 2
5 Comments
 
LVL 4

Expert Comment

by:Viper640
ID: 24841292
http://itknowledgeexchange.techtarget.com/itanswers/managing-orphaned-sids-on-ad-objects/ - Uses groups instead of users to prevent orphans.

http://support.microsoft.com/kb/243330 - Well known sids in Windows

http://www.scriptinganswers.com/forum2/forum_posts.asp?TID=1501 - Script to find orphaned Sids in AD

HTH

Viper640
0
 
LVL 1

Author Comment

by:geriatricgeek
ID: 24842065
do i run the script on the domain controller?
0
 
LVL 4

Expert Comment

by:Viper640
ID: 24842421
yes, it's a vb script. so copy to a notepad and save as a vbs ext and run it.
0
 
LVL 1

Author Comment

by:geriatricgeek
ID: 24852439
is there a way to look at the script? it does not open in notepad like other vbs'.
0
 
LVL 4

Accepted Solution

by:
Viper640 earned 500 total points
ID: 24852865
Here it is i just opened it with notepad. let me know if you need anything else.

Viper640
'Created by Michael Troy Mckee

'Date 10/05/06

'VbScript to check all running machines on a domain

'for orphaned SIDs.
 
 

Const ADS_SCOPE_SUBTREE = 2
 

Set objConnection = CreateObject("ADODB.Connection")

Set objCommand =   CreateObject("ADODB.Command")

objConnection.Provider = "ADsDSOObject"

objConnection.Open "Active Directory Provider"
 

Set objCommand.ActiveConnection = objConnection

objCommand.CommandText = _

    "Select Name from 'LDAP://DC=yourdomain,DC=com' " _

        & "Where objectClass='computer'"

objCommand.Properties("Page Size") = 1000

objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

Set objRecordSet = objCommand.Execute

objRunningComp = 0

objDownComp = 0

objRecordSet.MoveFirst
 

On Error Resume Next
 

Do Until objRecordSet.EOF
 

    hostComp = objRecordSet.Fields("Name").Value

    strComputer = "."
 

    Set objWMIService = GetObject("winmgmts:" _

        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
 

    queryString = "Select * from Win32_PingStatus Where Address = '" & hostComp & "'"

    'Wscript.Echo queryString

    Set colPingedComputers = objWMIService.ExecQuery(querystring)
 
 

        For Each objComputer in colPingedComputers

            Set colGroups = GetObject("WinNT://" & hostComp & "")

            'Wscript.Echo hostComp

            colGroups.Filter = Array("group")

            For Each objGroup In colGroups

            'Wscript.Echo objGroup.Name

            For Each objUser in objGroup.Members

                'Set sidName = objUser.Name

                'Wscript.Echo sidName

                If Left(objUser.Name, 8) = "S-1-5-21" Then

                Wscript.Echo hostComp

                Wscript.Echo objGroup.Name

                Wscript.Echo vbTab & objUser.Name

            End If

        Next
 

      Next

    Next
 

    objRecordSet.MoveNext

Loop
 

'Wscript.Echo "There are " & objRunningComp & " machines currently active."

'Wscript.Echo "There are " & objDownComp & " machines not responding."

Open in new window

0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more! With Window…
Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now