Question
Wednesday, June 17, 2015 5:39 PM
Could you please help here.
Task 1 - find the orphaned SIDs
Task 2 - delete them and give an output with the result to a text/cs file.
Many Thanks!
Inderjit
All replies (5)
Wednesday, June 17, 2015 6:14 PM ✅Answered
The orphaned SIDs are on ACLs on almost any object. The easiest way to be rid of the offending SID is to use SubInAcl.exe, which has a function that detects and reports on orphaned SIDs and optionally removes them.
https://www.microsoft.com/en-us/download/details.aspx?id=23510
¯\\_(ツ)_/¯
Thursday, June 18, 2015 9:48 AM ✅Answered
Hi Inderjit,
If you want to remove the orphaned SID in an ACL, you can use Subinacl.exe as Jrv mentioned, and the action "cleanDeletedSIDsFrom" removes SIDs that cannot be resolved from files/folders.
Refer to:
We can also remove the orphaned SID from an ACL via the PowerShell cmdlets "Get-Acl" and "Set-Acl".
Refer to:
Remove orphaned SIDs from File/Folder ACL (PowerShell)
If there is anything else regarding this issue, please feel free to post back.
Best Regards,
Anna Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
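A sketch of the Get-Acl / Set-Acl approach mentioned in this answer, added here as an example and not taken from the thread or the linked script. The function names `Get-OrphanedAce` and `Remove-OrphanedAce` and the path `D:\Shares` are hypothetical; it assumes PowerShell 3.0 or later and reports to CSV before anything is changed.

```powershell
# Added example, not code from the thread. Function names and paths are hypothetical.
function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit ACEs only (inherited ones must be fixed on the parent), returned as raw SIDs.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        try {
            [void]$ace.IdentityReference.Translate([System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Caveat: a SID from a domain or trust that is unreachable right now
            # also fails to translate, so review the report before removing.
            [pscustomobject]@{
                Path   = $Path
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

function Remove-OrphanedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $orphans = @(Get-OrphanedAce -Path $Path)
    if (-not $orphans) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($sid in ($orphans.Sid | Select-Object -Unique)) {
        # PurgeAccessRules drops every explicit access rule for that identity.
        $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$sid)
    }
    if ($PSCmdlet.ShouldProcess($Path, "Remove $($orphans.Count) orphaned ACE(s)")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    $orphans   # emitted in both report (-WhatIf) and removal runs
}

# Task 1: report only. -WhatIf suppresses Set-Acl but the findings are still written out.
Get-ChildItem -LiteralPath 'D:\Shares' -Recurse -Directory |
    ForEach-Object { Remove-OrphanedAce -Path $_.FullName -WhatIf } |
    Export-Csv -Path .\orphaned-sids-report.csv -NoTypeInformation

# Task 2: after reviewing the report, rerun without -WhatIf on one subtree at a time.
# Remove-OrphanedAce -Path 'D:\Shares\Finance' | Export-Csv .\removed.csv -NoTypeInformation
```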
Wednesday, June 17, 2015 5:58 PM
Please elaborate on this, what do you mean with orphaned SID? The ones you see on ACLs?
This post is provided AS IS with no warranties or guarantees, and confers no rights.
This post provides no warranties and confers no rights.
------------------------------------------------------------------------
Thursday, June 18, 2015 9:36 AM
Be very careful when deleting old SIDs, as I know of one client who deleted their SID History from an old domain migration and caused trouble with users connecting to shared mailboxes / calendars / Send As permissions.
There is a free tool that you can use to run a report on orphaned SIDs - http://cjwdev.co.uk/Software/ViewDeletedADObjects/Info.html
If you are going to clean up your orphaned SIDs, do it in phases and not all in one go.
There are big product names like Varonis, which is a great infrastructure tool that will give a report of your orphaned SIDs and allow you to delete, depending on your company's budget - http://www.varonis.com/products/datadvantage/directory-services/
Cheers,
Andrew
Microsoft Infrastructure Consultant
**Blog:** [Network Angel](http://www.networkangel.net) **LinkedIn:** https://www.linkedin.com/pub/andrew-fitzgerald/18/a2/415
Note: Please remember to mark as "propose as answer" to help other members. Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
------------------------------------------------------------------------
Thursday, June 18, 2015 9:44 AM
There is no relationship between "orphaned SIDs" and SID history. There is no need to alter SID history. Orphaned SIDs are in ACLs and can be removed easily and safely with SubInAcl.
Try not to confuse the issue of SID history and orphaned SIDs.
¯\\_(ツ)_/¯