none
Unknown User Reference on Folder Security

    Question

  • I have found 6 unknown users on one of my folder. The Icon is a question mark (?) and face profile. The names are all like this:

    S-1-5-21-343818398-1390067357-839522115-500

    S-1-5-21-343818398-1390067357-839522115-512

    S-1-5-21-343818398-1390067357-839522115-513

    S-1-5-21-343818398-1390067357-839522115-515

     

    All the same except the last 3 digits. Anyone know why they are there and is it safe to assume removing them will not harm anything?

     

     

    Thanks

    Grajek

    Friday, December 09, 2011 8:29 PM

Answers

  • Hello,

    those are SIDs. Possible that these accounts were removed and their permissions have not not been removed.

    Another thing is that it is possible that the server that hosts the resource on which you found the SIDs is not able to locate your domain. Here, just check that the server is able to communicate with your DCs.

    You can remove the entries and if needed you can give permissions to the wanted users if you identify them (Possible that their accounts have been changed).

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Proposed as answer by M.Laichour Saturday, December 10, 2011 12:32 PM
    • Marked as answer by JPGrajek Monday, December 12, 2011 8:37 PM
    Friday, December 09, 2011 9:36 PM
  • Hi,

    They are the SIDs of unknown accounts. When you delete an account, the permissions are not removed automatically, you have to remove them manually.

    You may use a SID2Username tool to find out the object: http://blogs.sepago.de/d/research-development/downloads/sid2username.

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    • Marked as answer by JPGrajek Monday, December 12, 2011 8:37 PM
    Saturday, December 10, 2011 7:56 PM
  • This could be posibly SID of unknow account which has been removed form Active Directory.You can remove the same.

    This could also be also if the server/client where the share is hosted could not locate the DC.Please check the connectivity between the servers.

    Since you have only four SID's you can remove the same and if any user report issue you can add the same to the folder shares.

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.
    • Marked as answer by JPGrajek Monday, December 12, 2011 8:37 PM
    Sunday, December 11, 2011 6:14 AM
  • This is normally seen when an account is deleted or corrupted in AD and it remains there as unknown. You can delete it safely. Also, take a look at below link it might not be the issue with SID translation.

    http://blogs.technet.com/b/askds/archive/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious.aspx

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    • Marked as answer by JPGrajek Monday, December 12, 2011 8:36 PM
    Sunday, December 11, 2011 8:24 AM
    Moderator
  • Hello,

     

    You can use SubInACL tool and delete it.

    Test command before delete:

    SubInACL /subdirectories c:\*.* /cleandeletedsidsfrom=domain /testmode

    Delete command:

    SubInACL /subdirectories c:\*.* /cleandeletedsidsfrom=domain

     

    Regards

    • Marked as answer by JPGrajek Monday, December 12, 2011 8:36 PM
    Sunday, December 11, 2011 4:16 PM

All replies

  • Hello,

    those are SIDs. Possible that these accounts were removed and their permissions have not not been removed.

    Another thing is that it is possible that the server that hosts the resource on which you found the SIDs is not able to locate your domain. Here, just check that the server is able to communicate with your DCs.

    You can remove the entries and if needed you can give permissions to the wanted users if you identify them (Possible that their accounts have been changed).

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Proposed as answer by M.Laichour Saturday, December 10, 2011 12:32 PM
    • Marked as answer by JPGrajek Monday, December 12, 2011 8:37 PM
    Friday, December 09, 2011 9:36 PM
  • Hi,

    They are the SIDs of unknown accounts. When you delete an account, the permissions are not removed automatically, you have to remove them manually.

    You may use a SID2Username tool to find out the object: http://blogs.sepago.de/d/research-development/downloads/sid2username.

    Regards,


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA
    • Marked as answer by JPGrajek Monday, December 12, 2011 8:37 PM
    Saturday, December 10, 2011 7:56 PM
  • This could be posibly SID of unknow account which has been removed form Active Directory.You can remove the same.

    This could also be also if the server/client where the share is hosted could not locate the DC.Please check the connectivity between the servers.

    Since you have only four SID's you can remove the same and if any user report issue you can add the same to the folder shares.

    Hope this helps

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.
    • Marked as answer by JPGrajek Monday, December 12, 2011 8:37 PM
    Sunday, December 11, 2011 6:14 AM
  • This is normally seen when an account is deleted or corrupted in AD and it remains there as unknown. You can delete it safely. Also, take a look at below link it might not be the issue with SID translation.

    http://blogs.technet.com/b/askds/archive/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious.aspx

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    • Marked as answer by JPGrajek Monday, December 12, 2011 8:36 PM
    Sunday, December 11, 2011 8:24 AM
    Moderator
  • Hello,

     

    You can use SubInACL tool and delete it.

    Test command before delete:

    SubInACL /subdirectories c:\*.* /cleandeletedsidsfrom=domain /testmode

    Delete command:

    SubInACL /subdirectories c:\*.* /cleandeletedsidsfrom=domain

     

    Regards

    • Marked as answer by JPGrajek Monday, December 12, 2011 8:36 PM
    Sunday, December 11, 2011 4:16 PM
  • Thanks everyone for ALL the help. One of my servers died a couple of weeks ago but it was not my DC/AD server.  Seeing just 1 unknown SID I figured came from the dead server but multiples I was not sure.

     

    thanks for the links and command line options, this really does help a lot.

     

     

    Thanks

    Again

    -Grajek

    Monday, December 12, 2011 8:34 PM
  • I have same problem also

    when we move / copy data from NetApp NAS to HNAS we encounter a lot of SID and the problem is not allowing us to copy the content of the shared folder to the new directory

    is there any solution ???

    and how to delete unwanted SID from the AD in the fast way ??

    Friday, October 02, 2015 12:15 PM