I am lost.
AD Users and Computers has no problem removing a member
from a group when the member only appears as a SID.
The NTFS permissions dialog can remove an ACE from a
file or folder security descriptor when the SID of the ACE
cannot be resolved to a friendly name (i.e. it shows as a SID but
it is still deletable).
If you are automating you can add or remove members, using
only their SIDs, from groups using ADSI.
Exactly where are you having problems?
I have a similar issue and have looked at Subinacl but unfortunately I don't
have the original domain name for the SIDs.
This came from data being restored to a new environment where some users
have been migrated from a different forest. I have tried using the domain
portion of the SID with subinacl but without any luck.
Is there any way of first reporting all of the unresolved sids from the file
system (dumpsec just tells me it's unresolved)?
Is there a tool/script that can remove sids that don't resolve?
Yeah, there are some options in there to do that. I want to say it is
dumpcachedsids; you just tell it to enumerate the resources and it will
generate a file with all of the SIDs. It's been a while.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition www.joeware.net
---O'Reilly Active Directory Third Edition now available---
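As an added example (not code from any poster in this thread), a PowerShell script that does what the question above asks for: it walks a folder tree, reports every ACE whose SID no longer translates to an account, and, only when -Remove is given, strips the explicit (non-inherited) orphaned ACEs. The parameter names Path, Remove and Recurse are my own choice.

```powershell
# Report (and optionally remove) ACEs whose SID cannot be resolved to an account.
# Assumes $Path is an NTFS folder you administer. Without -Remove this is report-only.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [switch]$Remove,
    [switch]$Recurse
)

$items = @(Get-Item -LiteralPath $Path)
if ($Recurse) { $items += Get-ChildItem -LiteralPath $Path -Recurse -Force }

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Ask for identities as raw SIDs so nothing is resolved before we test it ourselves.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $orphans = @()
    foreach ($ace in $rules) {
        try {
            # Translate() fails when no local account or trusted domain owns the SID.
            # Caveat: it also fails while a trust or domain controller is unreachable,
            # so run report-only first and confirm the trust is up before using -Remove.
            $null = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount])
        } catch {
            $orphans += $ace
        }
    }
    foreach ($ace in $orphans) {
        # One report line per orphaned ACE; the SID text before its last dash is the
        # source domain, which is all that survives when the original forest is gone.
        [pscustomobject]@{
            Path      = $item.FullName
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
        # Inherited ACEs must be removed where they originate; only explicit ones go here.
        if ($Remove -and -not $ace.IsInherited) {
            $null = $acl.RemoveAccessRule($ace)
        }
    }
    if ($Remove -and $orphans.Count -gt 0) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Pipe the output to Export-Csv to get the "report all unresolved SIDs" list the question asks for before deciding whether to run it again with -Remove.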