Solved

How do I remove a SID as well as the ACL using PowerShell?

Posted on 2012-04-11
1,642 Views
Last Modified: 2012-04-30
Hi all,

I’m new to the world of Powershell scripting, and I must say that it is a very easy syntax to learn. And once I added the Quest ActiveRoles AD Management snap-in, a whole new world of commands was at my fingertips.

My situation:

I’m writing a script which will automate the creation of Exchange accounts with the use of data from a CSV file using PowerShell. This script creates the mailbox, modifies its Active Directory account details, creates a few directories and sets its folder permissions (or ACL) for the user of this account. This script works.

I’ve also written a script which automates the cleanup of the Exchange account, where the folder permissions are removed, the directories are deleted and the mailbox is deleted (which in effect deletes the AD account). As far as I can see this works too.

My problem:

When I re-run the creation script, it completes without errors. However, when I go to check folder permissions on the home folder, the permissions are still set to the Security ID (SID) of the previous incarnation of the AD account. Therefore the current incarnation of the user account does not have access to its own home directories because it has a different SID of its own.

This is the code I’m using to remove the ACL from the folder.
# $domainUser, $inherit, $propagation and $folder are set earlier in the cleanup script:
# $domainUser is the 'DOMAIN\user' name, $inherit/$propagation are the inheritance and
# propagation flags used when the rule was created, $folder is the home directory path.
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($domainUser,"Modify",$inherit,$propagation,"Allow")
$acl = Get-Acl $folder
# RemoveAccessRuleAll drops every explicit rule for this identity with the same
# Allow/Deny type, regardless of the rights or flags given above.
$acl.RemoveAccessRuleAll($accessRule)
Set-Acl -AclObject $acl $folder


My requirement:

I would like to know if there is a PowerShell command that removes the ACL and the SID at the same time so that if an account is deleted then re-created, I will not run into any issues with accessing the directories.

I have seen code out there that can remove unknown SIDs but it looks more like housekeeping. I want to be able to prevent the problem from happening.

If you need me to post more code or have other questions, let me know. I look forward to your responses.
Question by:stvmph
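The following is an added example and not the asker's script. It shows how to remove a user's explicit ACE from a folder by SID rather than by account name, so the same call works whether the cleanup runs before the AD account is deleted or after its SID has already become unresolvable, and how to verify that nothing for that SID is left behind. The function names, the `-Identity` parameter and the `Test-AceOrphaned` check are this example's own; `$folder` and `$domainUser` are assumed to be the same variables the asker's script already sets.

```powershell
# Added example (not the asker's code). Assumes $Folder is a local or UNC path the
# caller can write ACLs on and $Identity is either 'DOMAIN\user' or an 'S-1-5-...' string.

function Get-FolderExplicitAce {
    # Explicit (non-inherited) ACEs on $Folder, keyed by SID so that entries whose
    # account no longer exists are still returned instead of being skipped.
    param([Parameter(Mandatory)][string]$Folder)
    $acl = Get-Acl -Path $Folder
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
}

function Test-AceOrphaned {
    # $true when the ACE's SID can no longer be mapped to an account name, which is
    # the state the home folder is left in once the AD account has been deleted.
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Ace)
    try {
        [void]$Ace.IdentityReference.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Security.Principal.IdentityNotMappedException]) { return $true }
        throw
    }
}

function Remove-FolderAceForPrincipal {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$Identity
    )
    # Resolve to a SID first. While the account exists the name translates; after
    # deletion only the SID string still identifies the stale ACE, so the creation
    # script should record the SID if cleanup may ever run after the account is gone.
    $sid = if ($Identity -like 'S-1-*') {
        New-Object System.Security.Principal.SecurityIdentifier($Identity)
    } else {
        (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
            [System.Security.Principal.SecurityIdentifier])
    }

    $acl = Get-Acl -Path $Folder
    $matching = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value })
    if ($matching.Count -eq 0) {
        Write-Verbose "No explicit ACE for $($sid.Value) on $Folder"
        return
    }

    # PurgeAccessRules removes every explicit rule for that identity whatever its
    # rights, inheritance flags or Allow/Deny type, so the cleanup does not have to
    # rebuild the exact FileSystemAccessRule that the creation script added.
    $acl.PurgeAccessRules($sid)
    Set-Acl -Path $Folder -AclObject $acl

    # Re-read the ACL and confirm the write took effect before the account is deleted.
    $left = @(Get-FolderExplicitAce -Folder $Folder |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value })
    if ($left.Count -ne 0) {
        throw "ACE for $($sid.Value) still present on $Folder after Set-Acl"
    }
}

# Cleanup script order: remove the ACE first, then delete the mailbox/account.
# Remove-FolderAceForPrincipal -Folder $folder -Identity $domainUser -Verbose
#
# Housekeeping check for entries that are already orphaned on an existing folder:
# Get-FolderExplicitAce -Folder $folder | Where-Object { Test-AceOrphaned $_ }
```

Calling the removal before the mailbox and AD account are deleted is what prevents the orphaned SID in the first place; the post-write check catches the case where `Set-Acl` silently left the entry in place (for example because the cleanup ran under an account that could not modify the folder's DACL), which is the kind of failure that otherwise only shows up when the re-created user cannot open their home directory.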
1 Comment
 
LVL 42

Accepted Solution

by:
sedgwick earned 500 total points
ID: 37851283
You can use Ashley McGlone's PowerShell scripts to remove SID history when cleaning the ACL:
http://blogs.technet.com/b/ashleymcglone/archive/2011/11/23/how-to-remove-sid-history-with-powershell.aspx