Folder Groups deletion from AD RRS feed

  • Question

  • Hi,

    Please let us know if there is a way to find the groups which are deleted from AD and the folders still have an entry of it as S15-

    Using the SID in the folder, how can we identify the group in AD?


    kits

    Wednesday, May 16, 2012 3:04 AM

Answers

  • Thanks all for your prompt replies.. OK we have figured out that these groups might be migrated from other domains. So my question is:

    1) Since these groups are now displaying SID of the present domain where it resides.. Is there a way to map or find out its old Sid of previous domain by any means

    Nope.

    2) Will these groups work since there is no trust between these two domains..

    No because these groups can only be authenticated to the domain where they exist.

    Please let me know what you think as the problem is getting complicated and no clue where to start from ?


    kits

    See my inline comments. You can clean old SIDHistory from the target domain using the below links.

    http://blog.joeware.net/2006/09/16/621/

    http://blog.joeware.net/2011/11/20/2338/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Ace Fekay [MCT] Friday, May 18, 2012 5:20 AM
    • Marked as answer by fiona09 Sunday, May 20, 2012 7:19 AM
    Friday, May 18, 2012 5:04 AM

All replies


  • First thing that happens when the group is deleted is that it is moved to the Deleted Objects container in AD, this is normally not visible even to Admins but can be viewed with LDP.

    Viewing deleted objects in Active Directory:
    http://support.microsoft.com/kb/258310

    Reanimating Active Directory Tombstone objects:
    http://technet.microsoft.com/en-us/magazine/cc137800.aspx

    Searching for Deleted Objects
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbc_nar_cxyn.mspx?mfr=true

    More on What happens when a group is deleted
    http://blogs.technet.com/b/instan/archive/2008/09/29/what-happens-when-a-group-is-deleted.aspx

    You can refer below link to convert an SID to a group name from Active Directory
    http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_23193360.html

    For better assistance related to scripting you can also refer below link:
    http://social.technet.microsoft.com/Forums/en-US/category/scripting
     
    Normally the SID in the folder security is due to the user/group being deleted from AD, or there could be a name resolution issue. If the SID is of a deleted object, the same can be removed from the folder security permission.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, May 16, 2012 3:31 AM
  • Try the ADRestore GUI tool. It shows the SID in the properties of a deleted account. If you find a match, (assuming the deletion remains within your AD's tombstone), you can reanimate it.

    ADRestore GUI version
    http://askaresh.blogspot.com/2008/11/adrestore-gui-version.html

    .

    Moving forward, I would kindly suggest a few things to prevent this in the future, such as enabling the 2008 R2 AD recycle bin, configure AD auditing for changes such as deletions, additions, etc, and have some sort of change management to keep track of change requests, impact of the change, etc.

    .

    Also, on a side note, here's a PS utility to get the SID of all active accounts. This way you can create a database of account names to SIDs, if you like.

    PowerShell: Get SID from AD (Active Directory) User / Group using PowerShell
    http://www.christiano.ch/wordpress/2009/08/26/powershell-get-sid-from-ad-active-directory-user-group-using-powershell/

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT] Wednesday, May 16, 2012 4:03 AM - Clarified that the deleted accounts can be reanimated with ADRestore
    • Proposed as answer by Meinolf Weber Friday, May 18, 2012 4:25 PM
    Wednesday, May 16, 2012 4:01 AM
  • Is there a command line to convert SID to Group Name

    kits

    Wednesday, May 16, 2012 5:41 AM
  • Is there a command line to convert SID to Group Name

    kits

    No, not if it's been deleted. I provided a way to find the SID of a deleted object.

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, May 16, 2012 5:48 AM
  • See this utility:

    PsGetSid  http://technet.microsoft.com/en-us/sysinternals/bb897417

    It allows you to translate SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts.

    Regards,

    Miya


    Miya Yao

    TechNet Community Support

    Wednesday, May 16, 2012 7:20 AM
  • You can use Adfind Tool to check the SID sAMaccountname.

    adfind -default -f "objectsid=YourSID" samaccountname

    You can run the below command line to check whether it is flushed out from AD (i.e. permanently deleted from AD after crossing the tombstone lifetime)

    adfind -default -binenc -showdel -f "&(isdeleted=true)(objectsid={{sid:YourSID}})" samaccountname

    If the above returns nothing, that means the object is deleted permanently.

    Reference - http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27578834.html (Check out Mike Post in this)

    You can download the Adfind Tool from below location

    http://www.joeware.net/freetools/

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.



    Wednesday, May 16, 2012 7:23 AM
  • If these SIDs can be converted to a name, that means the object exists in AD, and if they can't, then surely those accounts are removed from the AD database itself.

    http://blogs.technet.com/b/heyscriptingguy/archive/2010/10/12/use-powershell-to-translate-a-user-s-sid-to-an-active-directory-account-name.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Friday, May 18, 2012 4:25 PM
    Wednesday, May 16, 2012 8:53 AM
  • In addition, if you don't see them in ADRestore, they were deleted long ago, and are totally gone. As Awinish said, if they existed, you wouldn't see the SIDs in the ACLs.

    Run the following. What value do you see?

    Dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domainname" -attr tombstoneLifetime

    If it's blank or <not set>, then it's 60 days, otherwise it may show 180 days. Whatever the value, the object was deleted way before this value and the garbage collection process had already removed it from the AD database when it reached 60 or 180 days beyond its deletion time.

    .

    My suggestion is to delete them. There really isn't much more you can do.

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, May 16, 2012 9:39 PM
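An added example, not from the thread, that applies the checks discussed above to one folder's ACL with the RSAT ActiveDirectory module: each ACE is translated, and for any SID that does not resolve it reports whether the SID belongs to this domain, whether a tombstone for it still sits in Deleted Objects (only possible within tombstoneLifetime), and whether a live object here carries that SID in sIDHistory, which is the case where a migrated group kept its old SID. The folder path and the presence of the module are assumptions.

```powershell
# Added example, not from the thread: audit one folder's ACL for SIDs that no longer resolve.
# Assumes the RSAT ActiveDirectory module is installed; the folder path is a placeholder.
Import-Module ActiveDirectory

function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)

    # SID of the domain this computer belongs to, to tell "deleted here" from "foreign domain"
    $localDomainSid = "$((Get-ADDomain).DomainSID)"

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Get-Acl already resolved what it could; entries it could not resolve come back as raw SIDs
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        try {
            [void]$sid.Translate([System.Security.Principal.NTAccount])
            continue   # resolvable: nothing to report
        } catch {
            # not mappable: deleted, or from a domain this one does not trust
        }

        # Still in the Deleted Objects container? Only within tombstoneLifetime (60 or 180 days)
        $tombstone = Get-ADObject -IncludeDeletedObjects -Filter "objectSid -eq '$sid'" `
            -Properties sAMAccountName, whenChanged -ErrorAction SilentlyContinue

        # Migrated in with sIDHistory preserved? Then the old SID maps to a live object here
        $migrated = Get-ADObject -Filter "sIDHistory -eq '$sid'" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Path        = $Path
            Sid         = "$sid"
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            LocalDomain = ("$($sid.AccountDomainSid)" -eq $localDomainSid)
            Tombstone   = $tombstone.sAMAccountName   # $null when no tombstone is left
            DeletedOn   = $tombstone.whenChanged
            MappedTo    = $migrated.Name              # $null when no sIDHistory match
        }
    }
}

# Placeholder path; run against the share that shows the unresolved SIDs
Get-OrphanedAce -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```

A row with LocalDomain false and no Tombstone or MappedTo match is the foreign-domain, no-trust case described in this thread; a row with a MappedTo value shows which current group the old SID belongs to.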
  • Thanks all for your prompt replies.. OK we have figured out that these groups might be migrated from other domains. So my question is:

    1) Since these groups are now displaying SID of the present domain where it resides.. Is there a way to map or find out its old Sid of previous domain by any means

    Re-establish the trust, then the names will appear.

    .

    2) Will these groups work since there is no trust between these two domains..

    No, because their home domain can't be contacted to get authenticated.

    .

    Please let me know what you think as the problem is getting complicated and no clue where to start from ?


    kits

    It's not that it's getting complicated, rather it appears that your options are limited. The accounts live in the other domain. Without the trust, they are useless. There are no known tools that I am aware of that can do what you're asking. I believe you've received plenty of great suggestions from everyone.

    If you feel everyone's suggestions were not helpful, and this issue is causing problems with productivity and must be resolved immediately, I suggest to give Microsoft support a call. For a one time fee of USD $259.00 plus tax, they will take whatever time required to resolve it. Here's the link with the phone numbers to get you started if you choose this option:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS  

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Proposed as answer by Awinish Friday, May 18, 2012 5:04 AM
    Friday, May 18, 2012 4:13 AM
  • OK, will do. My guess was that SIDHistory will allow file share access and doesn't require a trust in the case of an NT4 domain.

    kits

    SIDHistory? Was this from a migration?

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, May 18, 2012 5:22 AM