I'm currently cleaning up my Active Directory and have stumbled upon some orphaned SIDs that hold permissions on the domain root and various OUs. I've examined them thoroughly and confirmed these permissions are indeed orphaned. However, whenever I attempt to remove them through Active Directory Users and Computers (ADUC) by navigating to security settings, I receive a warning that indicates my action will lead to 122 new permissions being added to the access control list (ACL). I hesitated and canceled this action before, which resulted in some of the domain root permissions getting altered strangely, leaving out several entries apart from the usual administrative groups like administrators and domain admins. I even tried restoring permissions using a backup of the SDDL, but to no avail. I also attempted to use ADSI Edit and scripted solutions involving the CMD DSACLS command, but I still couldn't resolve it. It's critical for me to eliminate these orphaned SIDs as they have administrative delegated permissions on the root. Has anyone faced a similar issue or has any suggestions for removal? Thanks in advance!
3 Answers
Oof, dealing with orphaned SIDs can be tricky! Before you dive back into removing them, make sure you've got a solid backup of Active Directory. Consider using PowerShell for this task; it gives you more granular control than DSACLS. You can run something like this:
```powershell
Import-Module ActiveDirectory                       # provides the AD: drive
$path = "AD:\" + (Get-ADDomain).DistinguishedName   # domain root
$acl  = Get-Acl -Path $path
# Orphaned identities come back as raw S-1-5-21-... strings; inherited ACEs cannot be removed here, only on the parent
$acl.Access | Where-Object { $_.IdentityReference.Value -like 'S-1-*' -and -not $_.IsInherited } | ForEach-Object { $null = $acl.RemoveAccessRule($_) }
Set-Acl -Path $path -AclObject $acl
```
Also, check the inheritance settings as those 122 new permissions could be due to inherited entries. Disabling inheritance temporarily could help you remove the SID without adding those permissions back.
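Added example, not part of the answer above: a script that backs up the SDDL of the domain root and every OU, reports which ACEs belong to SIDs that no longer resolve, and only removes the explicit (non-inherited) ones when you ask it to. It assumes the RSAT ActiveDirectory module, a session with rights to write the security descriptors, and that the domain root plus all OUs are the objects you want checked; the `-Remove` switch, the `-BackupDir` path and the `Test-OrphanedIdentity` helper are names chosen for this example.

```powershell
<#
  Added example (not from the original post). Assumes the RSAT ActiveDirectory module
  and an account allowed to modify the security descriptors of the domain root and OUs.
  Run without -Remove first: that only writes SDDL backups and prints a report.
  -Remove honours -WhatIf / -Confirm via ShouldProcess.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:USERPROFILE\ad-acl-backup"   # assumed location for the SDDL backups
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Test-OrphanedIdentity {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl already translated every SID it could; anything still a raw SID is suspect.
    if ($Identity -isnot [System.Security.Principal.SecurityIdentifier]) { return $false }
    try {
        $null = $Identity.Translate([System.Security.Principal.NTAccount])
        return $false        # resolves after all (e.g. a foreign principal reachable over a trust)
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true         # caveat: a SID from a trusted domain that is currently unreachable also lands here
    }
}

$targets = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    # Backup first: the full SDDL string (owner, group, DACL, SACL) is what you restore from.
    $safeName = $dn -replace '[^A-Za-z0-9]', '_'
    $acl.GetSecurityDescriptorSddlForm('All') |
        Set-Content -Path (Join-Path $BackupDir "$safeName.sddl") -Encoding UTF8

    $orphans = @($acl.Access | Where-Object { Test-OrphanedIdentity $_.IdentityReference })
    foreach ($ace in $orphans) {
        [pscustomobject]@{
            Object    = $dn
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited   # inherited entries must be fixed on the parent, not here
        }
    }

    if ($Remove) {
        # RemoveAccessRule throws on inherited ACEs; they disappear once the parent is cleaned up.
        $explicit = @($orphans | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($dn, "remove $($explicit.Count) orphaned ACE(s)")) {
            foreach ($ace in $explicit) { $null = $acl.RemoveAccessRule($ace) }
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

$report | Sort-Object Object, Sid | Format-Table -AutoSize
```

Read the report before using `-Remove`: an ACE listed as `Inherited = True` on an OU is only a symptom, and the entry to delete is the explicit one on the object where it is defined, which is why the domain root is processed first. The per-object `.sddl` files are plain text and can be reapplied with `Set-Acl` if a removal turns out to be wrong.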
You might want to consider crossposting your issue to specialized forums for more targeted advice. The changes to the ACL could be coming from your privileged account's other security group associations due to the modifications you're attempting. In my experience, I've escalated such situations to the Enterprise Admin in our AD forest. They typically have a designated account with minimal permissions specifically for managing these types of issues.
Yeah, those SIDs can be a nightmare! Another thought: if you dig into the inheritance settings for your domain root, that might shed some light. Sometimes, removing an orphan SID at the top level can take care of inherited permissions below it. If you want to play it safe, you could do a 'dry run' with NTFS permissions on folders to see what might happen without the risk to your AD setup.