acls remain for deleted items after 60 days

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Have an active directory environment with multiple sites and domains (Windows 2000 SP3), when we delete an object its acl does not dissappear (specific case was for an account set through ADSIEDIT and Exchange System Manager) but instead appears as an unresolved SID

In testing this is still the case even after object no longer appears in the deleted items containe
i.e. the 60 day tombstoning has kicked in and garbage collection has removed the ite

Conclusion from this would be:
There is no process which removes the SIDs of deleted objects from the Access Control Lists on Active Directory containers; therefore cleanup will have to be done manually

Be grateful if this could be confirmed..
 
The issue you are describing is documented in the following article:
247482 Error Message: Security Policies Are Propagated with Warning. 0x534
http://support.microsoft.com/?id=247482

You may or may not be getting this error, but it describes the SID "hanging
around" in ACLs. It is, unfortunately, as you suspected, and you will need
to clean it up by hand.

David Waldron
MCSE+I, MCP+I, MCDBA, MCSA, MCT
Microsoft Enterprise Support
EPS Directory Services Team
(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top