What are the recommended steps to remove objects so that Unknown Account permissions don't show up on other AD objects or resources?

What are the recommended steps to remove AD accounts?
We see a lot of permissions on objects that have unknown accounts showing as "S-23234235-12564124..."

Are these because an account was deleted and permissions not removed? If so, what is the proper procedure so this mess doesn't occur, or is this normal to happen?
Scotch TechIT asked:
Peter Hutchison (Senior Network Systems Specialist) commented:
Ideally you would use groups to apply permissions to resources, whether it's files, folders, or other objects.

Groups are less likely to be added and removed as often as individual accounts, and that would minimise the occurrence of orphaned SIDs showing up. But it would not guarantee that such SIDs never appear in the future.
Kevin Stanush (Application Developer) commented:
AD has no mechanism to remove the permissions from objects when you remove an account, as there isn't any way to know where/what objects the user was assigned permissions to. That is one reason it's best to assign permissions to groups instead of individual users.

Some GUI displays will remove deleted SID entries, so where/how are you viewing this information? Is it on a file/directory security display?

Also, if the object is from a trusted domain with a broken trust, you will also see an unresolved SID, so you might need to research to see if the domain portion of the sid is the local domain or not before removing it.
Tom Cieslik (IT Engineer) commented:
Also if your computer was a member of other domain before or had some local user that was removed, you'll see this.
You can delete unknown users.
Shaun Vermaak (Technical Specialist/Developer) commented:
Do your domain SIDs start with S-23234235-1256412? Where do you see these stale permissions, GPO objects?
Scotch TechIT (Author) commented:
We see these permissions on AD objects such as users. I believe they're being inherited from above.
Shaun Vermaak (Technical Specialist/Developer) commented:
Did you try the subinacl tool?
subinacl.exe /help /cleandeletedsidsfrom

https://serverfault.com/questions/198163/how-to-clean-up-orphaned-sids-in-aces-in-ad
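An added example (not from the thread or from any of the commenters) that puts the replies' check-before-remove advice into a PowerShell script: it lists ACEs on AD objects whose trustee no longer resolves, flags whether each is inherited (fix the parent, as the author suspects) and whether the SID's domain part matches the local domain (otherwise it may be a principal behind a broken trust, as Kevin notes), and only purges explicit entries from this domain. It assumes the RSAT ActiveDirectory module and its AD: drive; the OU in the usage line is a placeholder.

```powershell
# Audit AD object ACLs for trustees that no longer resolve; purge only where safe.
# Assumes the RSAT ActiveDirectory module, which also provides the AD: drive.
Import-Module ActiveDirectory

function Get-OrphanedAdAce {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $localDomainSid = (Get-ADDomain).DomainSID.Value
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter '(objectClass=*)' |
        ForEach-Object {
            $dn  = $_.DistinguishedName
            $acl = Get-Acl -Path ("AD:\" + $dn)
            foreach ($ace in $acl.Access) {
                # A live trustee resolves to DOMAIN\Name (NTAccount); a deleted or
                # untrusted one stays a raw S-1-5-21-... SecurityIdentifier.
                if ($ace.IdentityReference -isnot [System.Security.Principal.SecurityIdentifier]) { continue }
                $sid = $ace.IdentityReference
                [pscustomobject]@{
                    Object         = $dn
                    Sid            = $sid.Value
                    Rights         = $ace.ActiveDirectoryRights
                    Type           = $ace.AccessControlType
                    # Inherited entries must be removed on the parent that defines them.
                    IsInherited    = $ace.IsInherited
                    # Domain part equals this domain's SID => a deleted local account.
                    # Anything else may sit behind a broken trust; verify before removing.
                    FromThisDomain = ($null -ne $sid.AccountDomainSid -and
                                      $sid.AccountDomainSid.Value -eq $localDomainSid)
                }
            }
        }
}

function Remove-OrphanedAdAce {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        # Only explicit ACEs for SIDs from this domain are purged; the rest stay report-only.
        if ($Entry.IsInherited -or -not $Entry.FromThisDomain) { return }
        $path = "AD:\" + $Entry.Object
        if ($PSCmdlet.ShouldProcess($Entry.Object, "Purge ACEs for $($Entry.Sid)")) {
            $acl = Get-Acl -Path $path
            $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$Entry.Sid)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Usage (placeholder OU): report first, then dry-run the removal with -WhatIf.
Get-OrphanedAdAce -SearchBase 'OU=Staff,DC=example,DC=com' | Tee-Object -Variable stale | Format-Table
$stale | Remove-OrphanedAdAce -WhatIf
```

Entries with IsInherited set or FromThisDomain false are the ones to investigate by hand; the script deliberately never touches them.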