Solved

Group Policy - Unknown SID's

Posted on 2014-07-23
3
1,769 Views
Last Modified: 2014-08-20
In Default Domain Policy : Computer Configuration-->Policies-->Windows Settings-->Security Settings-->Local Policies-->User Rights Assignment we have many policies with unknown SID's. All of them begin with *S-1-5-21. Are these unknown SID's safe to delete from the policy or are some of them actually being used somewhere and they are just not resolving to a User or a Group.

Plan is to back up the Default Domain Policy, delete the unknown SID's, do a gpupdate /force, and then reboot clients,

So I'm looking for any of the gotcha's in this, really would like to clean this up...

V
0
Comment
Question by:Vince Glisson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 3

Expert Comment

by:Keith Langmead
ID: 40215115
It doesn't really answer your question, but have a look at http://support.microsoft.com/kb/243330 which lists all the commonly known SIDs and may allow you to identify what the group is for.

From the document all the S-1-5-21 SIDs appear to relate to various default domain groups, for instance Domain Administrator, Domain Users etc, but the crucial info comes after the bit you listed. If the domain part of the SID is different to your current domain then perhaps they relate to an old domain that was part of it in the past and no longer there, or perhaps there's an actual issue with AD such that those names are unable to resolve (in which case I'd suggest you need to fix that, not just delete the groups).
0
 
LVL 10

Author Comment

by:Vince Glisson
ID: 40215376
The well known SID's all end with a 500 series number as in S-1-5-21-domain-500 , 501, 502 etc...

The SID's i have all end with 4 digits -3326 thru 3346 so there are 20 unknown SID's in one policy (logon as a service).

There are so many i wanted to ask the Experts before i attempted a clean up...

v
0
 
LVL 3

Accepted Solution

by:
Liam Somerville earned 500 total points
ID: 40271041
I'd suggest the following:

1. Try manually resolving SIDs to Users/Groups (http://technet.microsoft.com/en-us/library/ff730940.aspx)
2. Get your hands on a blank Default Domain Policy. I've attached one, but you may want to spin up your own VM and pull a report.
3. Remove the unresolved SIDs, readd users/groups if required, or otherwise mirror your Default Domain Policy.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
upgrade exchange 2013 CU7 to CU15 9 59
Doing AD cleanup with Powershell 9 57
User Account issue 6 41
Importing ExtensionAttribute into AD user accounts 10 37
This article runs through the process of deploying a single EXE application selectively to a group of user.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question