Question
Monday, August 29, 2016 9:53 PM
Hi. I had hoped to figure this out on my own, but I threw up my hands and decided to ask.
We migrated our domain from a parent company and hundreds of OUs now have orphaned SIDs. I would like to use PowerShell to take a CSV file listing the DistinguishedName of each OU and remove the dead SID.
I thought it would be based on this command, but it seems more involved.
Get-Acl -Path "AD:\OU=CompanyComputers,DC=wingtiptoys,DC=local" | Select-Object -ExpandProperty Access | Where-Object { $_.IdentityReference -like 'S-1-5-21-9999705215-1832128825-2807327032-512' } | (RemoveProblemSID)
Has anyone run into this situation before? I see several for-sale utilities which do the same, but I was hoping PowerShell could do the work.
Thanks
All replies (8)
Monday, August 29, 2016 10:06 PM ✅Answered
The SubInAcl utility was designed to do this. It is the recommended way to fix "orphaned" SIDs. You can either translate the SIDs (recommended) or remove them. It works in batch against a folder hierarchy or for a single file or folder.
https://www.microsoft.com/en-us/download/details.aspx?id=23510
\(ツ)_/
Tuesday, August 30, 2016 5:02 PM ✅Answered
It sounds to me like you did not complete the migration. What the migration tool does is add copies of the old domain SIDs to SID history, and they will then resolve.
If you did the migration but did not migrate the accounts, then this step will have been missed and the SIDs will be orphaned.
If the new accounts are correctly added, then you can remove the SID; but if the accounts have not been migrated, then you may lose access with the new accounts. If you have AD set up correctly, the only extra SIDs should be Domain Admins that may have been added for maintenance purposes. If everything is working, then this is not important. Be sure your admin accounts have full access where needed. This would be through the Domain Admins group. Anything that falls out can be fixed as long as you have admin access to all areas of AD requiring it. Where you would see issues is with a migrated file system, as the users would not retain ownership or access with orphaned SIDs. You could also have issues with services.
\(ツ)_/
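The answer above turns on one question: for each orphaned SID, was the account migrated (so a new-domain object carries the old SID in sIDHistory and already has its own ACE), or not (so removing the ACE may silently drop access)? The following is an added audit script, not code from the thread or from any migration product, that answers that question per OU before anything is deleted. It assumes the ActiveDirectory module (for the AD: drive and Get-ADObject) and a CSV whose header column is named DistinguishedName; both the column name and the report layout are assumptions.

```powershell
# Audit orphaned ACEs on a list of OUs (added example; column name "DistinguishedName" is an assumption).
# Usage: .\Audit-OrphanSid.ps1 -CsvPath .\ous.csv -ReportPath .\orphan-audit.csv
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [string] $ReportPath = ".\orphan-audit.csv"
)
Import-Module ActiveDirectory

function Get-OuAces {
    param([string] $Dn)
    # Get-Acl over the AD: drive returns ActiveDirectoryAccessRule objects. A trustee that no
    # longer resolves stays a raw SecurityIdentifier instead of being translated to DOMAIN\name.
    (Get-Acl -Path "AD:\$Dn").Access
}

function Get-AceSid {
    param($Ace)
    # Normalise every trustee to its SID string so resolved and unresolved ACEs compare alike.
    $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$report = foreach ($row in Import-Csv -Path $CsvPath) {
    $dn = $row.DistinguishedName
    if ([string]::IsNullOrWhiteSpace($dn)) { continue }

    $aces        = @(Get-OuAces -Dn $dn)
    $presentSids = @($aces | ForEach-Object { Get-AceSid $_ })
    $orphans     = $aces | Where-Object { $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier] }

    foreach ($ace in $orphans) {
        $sid = $ace.IdentityReference.Value

        # sIDHistory is SID syntax, so AD accepts the S-1-5-... string directly in an LDAP filter.
        $migrated = Get-ADObject -LDAPFilter "(sIDHistory=$sid)" -Properties objectSid
        $newSid   = if ($migrated) { $migrated.objectSid.Value } else { $null }

        $verdict = if (-not $migrated) {
            'no sIDHistory match: removing this ACE may drop access'
        } elseif ($presentSids -contains $newSid) {
            'safe: migrated object already has its own ACE here'
        } else {
            'migrated, but the new SID has no ACE here: re-ACL before removing'
        }

        [pscustomobject]@{
            OU         = $dn
            OrphanSid  = $sid
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited      # inherited copies must be removed on the parent OU
            MigratedTo = $migrated.DistinguishedName
            NewSid     = $newSid
            Verdict    = $verdict
        }
    }
}

$report | Export-Csv -NoTypeInformation -Path $ReportPath
$report | Format-Table OU, OrphanSid, Inherited, Verdict -AutoSize
```

Read the Verdict column before touching any ACL: only rows marked "safe" are pure clean-up, and a row with Inherited = True cannot be fixed on that OU at all, because the explicit ACE lives on an ancestor.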
Tuesday, August 30, 2016 1:50 AM
Thanks. I downloaded the SubInAcl.
You mentioned folders and files. Is there a way to point SubInAcl to a specific AD OU?
Also I might mention that the original domain does not exist now. Not sure if SubInAcl needed to contact the original domain.
Tuesday, August 30, 2016 6:39 AM
Hi,
This is only supported on XP, Windows 2000 and 2003:
https://www.microsoft.com/en-us/download/details.aspx?id=23510
I suppose we could refer to links below to do this:
SID History Removal
OUs contain users and computers, and both of them have a SID property, so you could try the above method.
Best regards,
Andy_Pan
Tuesday, August 30, 2016 8:20 AM
Andy. Not true. SubInAcl also works for all current systems.
We are not trying to edit SID history. We are trying to fix "orphaned" SIDs.
\(ツ)_/
Tuesday, August 30, 2016 8:28 AM
Thanks. I downloaded the SubInAcl.
You mentioned folders and files. Is there a way to point SubInAcl to a specific AD OU?
Also I might mention that the original domain does not exist now. Not sure if SubInAcl needed to contact the original domain.
Why would you have orphaned SIDs in AD? Foreign SIDs may appear to be orphaned if the remote domain is unreachable.
If you have a broken migration, look at ADMT and moving SID history. Whatever you do, you have to have a clear description of the problem and its cause.
\(ツ)_/
Tuesday, August 30, 2016 4:40 PM
Good discussion. Thanks
We had orphaned SIDs in our OUs because the Dell Migration Manager for Active Directory modifies the OU ACL to add a new duplicate SID with the new domain name for each ACE. However after the domain migration was complete, the old domain SID remained in the ACL. Now that communication with the old domain is discontinued, the old SID appears as an unresolvable SID.
I think I found a (somewhat) quick fix. DSACLS has a /R remove switch and will accept a non-resolvable SID to remove the entry.
i.e. dsacls OU=CompanyComputers,DC=wingtiptoys,DC=local /R S-1-5-21-9999705215-1832128825-2807327032-512
I tested it on several OUs manually and it seems to work. Now I should be able to create a ForEach loop in PowerShell and pull the information from a CSV file.
Thanks for all your advice.
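The loop the post above describes, written out as an added example rather than code from the thread: it reads OU distinguished names from a CSV and runs `dsacls <OU> /R <SID>` for each. It assumes a CSV header column named DistinguishedName, dsacls.exe on the path (RSAT or a domain controller), the ActiveDirectory module for the AD: drive used in the pre-check, and rights to modify each OU's ACL; the column name, log file name and parameter names are all assumptions. It adds the checks a practitioner wants before running this against hundreds of OUs: the SID must be well-formed and must genuinely fail to resolve, parents are processed before children (dsacls /R removes only explicit ACEs, so an inherited copy goes away only when the ancestor's explicit ACE does), and -DryRun reports what would change without changing it.

```powershell
# Remove one orphaned SID from every OU in a CSV, via dsacls /R (added example, not from the thread).
# Usage: .\Remove-OrphanSid.ps1 -CsvPath .\ous.csv -OrphanSid S-1-5-21-9999705215-1832128825-2807327032-512 -DryRun
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [Parameter(Mandatory)] [string] $OrphanSid,      # the dead SID, e.g. the one quoted in the question
    [string] $LogPath = ".\orphan-sid-removal.csv",
    [switch] $DryRun
)
Import-Module ActiveDirectory

# 1. Accept only a well-formed SID: a stray string here would be handed straight to dsacls.
if ($OrphanSid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $OrphanSid" }

# 2. Refuse to run if the SID still resolves. Then it is not orphaned, and /R would be a real access change.
try {
    $name = ([System.Security.Principal.SecurityIdentifier] $OrphanSid).Translate([System.Security.Principal.NTAccount])
    throw "$OrphanSid still resolves to $name; refusing to remove it."
} catch [System.Security.Principal.IdentityNotMappedException] {
    # Unresolvable is exactly what an orphaned SID looks like; carry on.
}

# 3. Parents before children. Depth = number of unescaped commas in the DN.
$ous = Import-Csv -Path $CsvPath |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.DistinguishedName) } |
    Sort-Object { ($_.DistinguishedName -split '(?<!\\),').Count }

$log = foreach ($row in $ous) {
    $dn = $row.DistinguishedName

    # Count the explicit ACEs for this SID first; dsacls /R will not touch inherited ones.
    $explicit = @((Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $OrphanSid -and -not $_.IsInherited })

    if ($explicit.Count -eq 0) {
        [pscustomobject]@{ OU = $dn; ExplicitAces = 0; Action = 'skipped: no explicit ACE'; ExitCode = $null }
        continue
    }
    if ($DryRun) {
        [pscustomobject]@{ OU = $dn; ExplicitAces = $explicit.Count; Action = 'would run dsacls /R'; ExitCode = $null }
        continue
    }

    # dsacls accepts the raw SID as the trustee even though it no longer resolves (as the post observed).
    $out = & dsacls.exe $dn /R $OrphanSid 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed on ${dn}: $($out -join ' ')" }
    [pscustomobject]@{ OU = $dn; ExplicitAces = $explicit.Count; Action = 'dsacls /R'; ExitCode = $LASTEXITCODE }
}

$log | Export-Csv -NoTypeInformation -Path $LogPath
$log | Format-Table -AutoSize
```

Run it once with -DryRun and keep the log file: if the phone does ring afterwards, the log says exactly which OUs lost which explicit ACEs, and the entry can be put back with `dsacls <OU> /G` for the correct new-domain principal.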
Tuesday, August 30, 2016 6:22 PM
Thanks. I may have missed a step or two in the final process which would have cleaned up after the migration.
I'll remove the SIDs in small batches and then wait for my phone to ring. Otherwise we should be good to go.