Account Unknown on Active Directory

  • Question

  • How can I delete Account Unknown on Active Directory? Is there a tool or script for deleting 1000 Account Unknown entries on Active Directory?
    Wednesday, August 27, 2014 7:55 AM

Answers

  • Generally, Account Unknown may appear if the system cannot find the account SID that was recorded in the ACL of an object in the local system or the AD database. This issue may occur if user accounts were deleted or the Account Unknown belongs to another system (dual-boot configuration). This is the reason we recommend granting permissions on resources to a Domain Local security group instead of individual users. It is much easier to manage and will not generate orphaned SIDs, because a group is more stable than a user account.
    If you don't have another system on the same computer or a Domain Trust, we can delete the unknown accounts safely.
    However, it would be suggested to create a delegation report using the following command before deleting unknown accounts. I will help check them.
    for /f "delims=" %x in ('dsquery OU "OU=HR,DC=d1,DC=com"') do acldiag %x > %x.txt

    Please refer to this earlier thread on the same concern: http://social.technet.microsoft.com/Forums/windowsserver/en-US/d3d6b211-7c31-4ebc-aff6-489d60fd9910/active-directory-security-permissions-account-unknown?forum=winserverDS

    Since there are a number of unknown accounts that need to be deleted, you may try this AD cleaner tool, which can help accomplish the task quickly.


    Carlo

    • Proposed as answer by Meinolf Weber Wednesday, August 27, 2014 3:54 PM
    • Marked as answer by Amy Wang_ Thursday, September 4, 2014 8:22 AM
    Wednesday, August 27, 2014 9:41 AM

All replies

  • Hi,

    In addition to the above information,

    please refer to the link below for a PowerShell script to remove all unknown SIDs in an AD domain:

    http://gallery.technet.microsoft.com/How-to-remove-all-unknown-9d594f3a

    Regards,
    Gopi
    JiJi Technologies

    Wednesday, August 27, 2014 10:01 AM
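The two answers above describe one procedure: first produce a report of ACEs that refer to SIDs that no longer resolve, then remove them only once you are sure they are not from a trusted domain or another system. The script below is an added example written for this page; it is not Carlo's acldiag command, the linked Gallery script, or any vendor tool. It assumes a domain-joined host with the RSAT ActiveDirectory module, an account with WRITE_DAC on the objects, the placeholder OU from the thread, and an arbitrary CSV path. It distinguishes a SID from the local domain (a deleted principal) from a SID of another domain (which may only be a trust that is down), and it never removes inherited ACEs, which have to be removed where they are defined.

```powershell
<#
Added example, not code from this thread or the linked Gallery script.
Assumptions: RSAT ActiveDirectory module present; caller has WRITE_DAC on
the objects; the OU DN is the placeholder from the thread; the CSV path is
an arbitrary choice.
Usage:
  .\Find-OrphanedSid.ps1                   # report only, writes the CSV
  .\Find-OrphanedSid.ps1 -Remove -WhatIf   # show which ACEs would be removed
  .\Find-OrphanedSid.ps1 -Remove           # remove explicit local orphaned ACEs
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=HR,DC=d1,DC=com',           # placeholder OU from the thread
    [string]$ReportPath = "$env:TEMP\orphaned-sids.csv",  # arbitrary report location
    [switch]$Remove
)

Import-Module ActiveDirectory
$domainSid = (Get-ADDomain).DomainSID

function Get-SidStatus {
    # Classify one ACE identity as Resolved, DeletedLocal or ForeignUnresolved.
    # A resolved name comes back as NTAccount; only raw SIDs can be orphaned.
    param([System.Security.Principal.IdentityReference]$Identity)
    if ($Identity -isnot [System.Security.Principal.SecurityIdentifier]) { return 'Resolved' }
    try {
        $null = $Identity.Translate([System.Security.Principal.NTAccount])
        return 'Resolved'
    } catch {
        # Our own domain's SID that no longer resolves: the principal was deleted.
        # Another domain's SID: possibly just an unreachable trust; do not delete.
        if ($Identity.IsEqualDomainSid($domainSid)) { return 'DeletedLocal' }
        return 'ForeignUnresolved'
    }
}

$findings = foreach ($obj in Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter *) {
    $entry = [ADSI]"LDAP://$($obj.DistinguishedName)"
    # Read and write only the DACL, so CommitChanges does not try to rewrite
    # the owner (which needs ownership or SeRestorePrivilege, not just WRITE_DAC).
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    $sec   = $entry.psbase.ObjectSecurity
    $rules = @($sec.Access)   # snapshot: the collection is modified below
    $dirty = $false

    foreach ($rule in $rules) {
        $status = Get-SidStatus $rule.IdentityReference
        if ($status -eq 'Resolved') { continue }

        # Report every unresolved ACE, including the ones we will not touch.
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Sid       = $rule.IdentityReference.Value
            Status    = $status
            Rights    = $rule.ActiveDirectoryRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
        }

        # Remove only explicit ACEs for deleted principals of our own domain.
        if ($Remove -and $status -eq 'DeletedLocal' -and -not $rule.IsInherited) {
            $msg = "Remove $($rule.AccessControlType) ACE for $($rule.IdentityReference.Value)"
            if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, $msg)) {
                $sec.RemoveAccessRuleSpecific($rule)
                $dirty = $true
            }
        }
    }

    if ($dirty) { $entry.psbase.CommitChanges() }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} unresolved ACE(s) written to {1}" -f @($findings).Count, $ReportPath)
```

Run it without -Remove first and review the CSV: anything marked ForeignUnresolved needs a decision about the trust or the other system before it is removed, which is the caveat in the accepted answer. Inherited rows point at the container where the ACE is defined; rerun the script with that container as -SearchBase to remove them at the source.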