Can I remove unresolved SIDs from a local computer group with PowerShell the same way I remove regular users?

  • Question

  • Aloha!

    I have roughly 600 unresolved SID entries in roughly 1400 servers.  I have a CSV including the server, group and SID.  I can write a script to remove user accounts in this way but I didn't know if I can treat the SID like a regular user account or if there are special considerations?

    Monday, May 12, 2014 6:10 PM

Answers

  • SubInAcl is the MS tool for removing "orphaned" SIDs.  Just because a SID is unresolved does not mean it is orphaned.  Network conditions and other issues can cause a SID to be unresolved.  You can query AD with your SID list then query the machine they came from.  If the query does not return an account it is safe to delete.  Get-ACL and the DACL have a method to remove an ACE by SID.

    I recommend using SubInAcl as it does all of this in one line including recursing all folders and files.


    ¯\_(ツ)_/¯

    Monday, May 12, 2014 7:11 PM
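The check-then-remove flow the answer describes, as an added example that is not from the thread or from any Microsoft tool. It reads the asker's CSV layout (assumed columns `Server`, `Group`, `SID`), treats a SID as orphaned only when the domain explicitly reports no account for it, and assumes the running account can reach the domain and has administrative rights on each server; it only reports unless `-Remove` is passed.

```powershell
# Added example: remove only local-group members whose SID no longer maps to
# any account. Assumed CSV columns: Server,Group,SID. Dry run unless -Remove.
param(
    [Parameter(Mandatory)][string]$CsvPath,
    [switch]$Remove
)

function Test-SidResolves {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $null = $id.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        # Only an explicit "no such account" answer means the SID is orphaned.
        if ($ex -is [System.Security.Principal.IdentityNotMappedException]) {
            return $false
        }
        # Anything else (domain unreachable, RPC error) must not be mistaken
        # for an orphan, so stop instead of guessing.
        throw
    }
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $target = "$($row.Server)\$($row.Group)"
    if (Test-SidResolves -Sid $row.SID) {
        Write-Warning "$target : $($row.SID) still resolves to an account; skipping"
        continue
    }
    # The WinNT provider lets a group member be addressed by raw SID, which is
    # what makes removal possible when no name can be resolved for it.
    $group      = [ADSI]"WinNT://$($row.Server)/$($row.Group),group"
    $memberPath = "WinNT://$($row.SID)"
    if ($Remove) {
        $group.Remove($memberPath)
        Write-Output "Removed $($row.SID) from $target"
    } else {
        Write-Output "Would remove $($row.SID) from $target (run with -Remove)"
    }
}
```

Run it once without `-Remove` and review the output before letting it change anything on 1400 servers.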

All replies

  • Why the question? What happens when you try it?


    -- Bill Stewart [Bill_Stewart]

    Monday, May 12, 2014 6:29 PM
    Moderator
  • Well...  I suppose before I ran a script with unknown results against production servers I was looking for some guidance from those who perhaps have had the experience previously. 

    I assumed (perhaps mistakenly?) this was not an uncommon issue to resolve.  However, I wasn't able to find much with regards to using PowerShell to resolve it with local groups.  Most of what I found related to NTFS permissions or domain groups.

    Monday, May 12, 2014 6:42 PM
  • Thank you for the information, jrv...  I was under the impression SubInACL was only for file and folder ACLs, not for local groups.   Looks like I was mistaken.  Though it looks like I can script out a PowerShell to incorporate the SubInACL list I think this will be much simpler to do natively with VBScript.

    Mahalo to everyone for their comments.

    Monday, May 12, 2014 7:48 PM