Solved

identifying orphaned SIDs

Posted on 2009-07-13
5
2,267 Views
Last Modified: 2012-06-21
when looking at permissions for groups and files, from time to time i run accross some orphaned SIDs. is there a way to identify the orphaned SIDs to delete? how should these be handled?
0
Comment
Question by:geriatricgeek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 4

Expert Comment

by:Viper640
ID: 24841292
http://itknowledgeexchange.techtarget.com/itanswers/managing-orphaned-sids-on-ad-objects/ - Uses groups instead of users to prevent orphans.

http://support.microsoft.com/kb/243330 - Well known sids in Windows

http://www.scriptinganswers.com/forum2/forum_posts.asp?TID=1501 - Script to find orphaned Sids in AD

HTH

Viper640
0
 
LVL 1

Author Comment

by:geriatricgeek
ID: 24842065
do i run the script on the domain controller?
0
 
LVL 4

Expert Comment

by:Viper640
ID: 24842421
yes, it's a vb script. so copy to a notepad and save as a vbs ext and run it.
0
 
LVL 1

Author Comment

by:geriatricgeek
ID: 24852439
is there a way to look at the script? it does not open in notepad like other vbs'.
0
 
LVL 4

Accepted Solution

by:
Viper640 earned 500 total points
ID: 24852865
Here it is i just opened it with notepad. let me know if you need anything else.

Viper640
'Created by Michael Troy Mckee
'Date 10/05/06
'VbScript to check all running machines on a domain
'for orphaned SIDs.
 
 
Const ADS_SCOPE_SUBTREE = 2
 
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
 
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name from 'LDAP://DC=yourdomain,DC=com' " _
        & "Where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRunningComp = 0
objDownComp = 0
objRecordSet.MoveFirst
 
On Error Resume Next
 
Do Until objRecordSet.EOF
 
    hostComp = objRecordSet.Fields("Name").Value
    strComputer = "."
 
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
 
    queryString = "Select * from Win32_PingStatus Where Address = '" & hostComp & "'"
    'Wscript.Echo queryString
    Set colPingedComputers = objWMIService.ExecQuery(querystring)
 
 
        For Each objComputer in colPingedComputers
            Set colGroups = GetObject("WinNT://" & hostComp & "")
            'Wscript.Echo hostComp
            colGroups.Filter = Array("group")
            For Each objGroup In colGroups
            'Wscript.Echo objGroup.Name
            For Each objUser in objGroup.Members
                'Set sidName = objUser.Name
                'Wscript.Echo sidName
                If Left(objUser.Name, 8) = "S-1-5-21" Then
                Wscript.Echo hostComp
                Wscript.Echo objGroup.Name
                Wscript.Echo vbTab & objUser.Name
            End If
        Next
 
      Next
    Next
 
    objRecordSet.MoveNext
Loop
 
'Wscript.Echo "There are " & objRunningComp & " machines currently active."
'Wscript.Echo "There are " & objDownComp & " machines not responding."

Open in new window

0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question