Account Unknown on Active Directory

  • Question

  • How can I delete Account Unknown on Active Directory? Is there a tool or script for deleting 1000 Account Unknown on Active Directory?
    Wednesday, August 27, 2014 7:55 AM

Answers

  • Generally, Account Unknown may appear if the system cannot find the account SID which was recorded in the ACL of an object in the local system or AD database. This issue may occur if user accounts were deleted or the Account Unknown belongs to another system (dual boot configuration). This is the reason that we recommend granting permission on resources to the Domain Local security group instead of individual users. It will be much easier for management and will not generate orphaned SIDs because a user group is more stable.
    If you don’t have another system on the same computer or Domain Trust, we can delete the unknown accounts safely.
    However, it is suggested to create a delegation report using the following command before deleting unknown accounts. I will help check them.
    for /f "delims=" %x in ('dsquery OU "OU=HR,DC=d1,DC=com"') do acldiag %x > %x.txt

    Please refer to this earlier thread, which is based on the same concern: http://social.technet.microsoft.com/Forums/windowsserver/en-US/d3d6b211-7c31-4ebc-aff6-489d60fd9910/active-directory-security-permissions-account-unknown?forum=winserverDS

    Since there are a number of unknown accounts that need to be deleted, you may try this AD cleaner tool, which can help accomplish this task quickly.


    Carlo

    Wednesday, August 27, 2014 9:41 AM
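
The report-before-delete approach from the answer above, as an added PowerShell example that is not part of the original post: it lists explicit ACEs under the OU whose trustee SID no longer resolves and flags whether each SID belongs to the local domain. It assumes the RSAT ActiveDirectory module; `$ReportPath` and `$Remove` are hypothetical names, and the OU is the one from the answer's command.

```powershell
# Added example: inventory explicit ACEs whose trustee SID no longer resolves.
Import-Module ActiveDirectory          # RSAT module; provides the AD: drive

$SearchBase = 'OU=HR,DC=d1,DC=com'     # OU from the answer's dsquery command
$ReportPath = '.\unknown-aces.csv'     # hypothetical report file
$Remove     = $false                   # hypothetical switch; keep $false until the report is reviewed
$domainSid  = (Get-ADDomain).DomainSID.Value

$report = foreach ($ou in Get-ADOrganizationalUnit -SearchBase $SearchBase -SearchScope Subtree -Filter *) {
    $path      = 'AD:\' + $ou.DistinguishedName
    $acl       = Get-Acl -Path $path
    $removable = @()
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # inherited entries are fixed on the parent object
        $id = $ace.IdentityReference.Value
        # Resolved trustees display as DOMAIN\name; unresolved ones stay as a raw domain SID.
        if ($id -notmatch '^S-1-5-21-') { continue }
        # A SID from another domain may belong to a trust that is merely unreachable,
        # so only local-domain SIDs are treated as removal candidates.
        $isLocal = $id.StartsWith("$domainSid-")
        if ($isLocal) { $removable += $ace }
        [pscustomobject]@{
            Object      = $ou.DistinguishedName
            Sid         = $id
            LocalDomain = $isLocal
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            AppliesTo   = $ace.InheritanceType
        }
    }
    if ($Remove -and $removable.Count -gt 0) {
        # Remove exactly the reported entries, then write the ACL back.
        foreach ($ace in $removable) { $acl.RemoveAccessRuleSpecific($ace) }
        Set-Acl -Path $path -AclObject $acl
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
# Summary: how many ACEs each unresolved SID still holds.
$report | Group-Object Sid | Sort-Object Count -Descending | Select-Object Count, Name
```

Rows with `LocalDomain` set to False are reported but never removed, which matches the answer's condition about domain trusts.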
