Discussion:
orphaned SID in a restricted group definition in default domain GP
Paul Williams [MVP]
2007-01-12 10:48:31 UTC
There are two reasons why you'll see a SID and not an object's CN.

The account no longer exists, i.e. it has been deleted.
The SID cannot be resolved, e.g. Power Users on a Domain Controller.


You are correct that there's no cleanup task. It's not AD's job to
clean up references to objects it holds, and the clients generally don't
clean up such things, as there are valid reasons why a SID can't be resolved
(see above, or a temporary network problem).
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
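The triage Paul describes (is the raw SID a deleted domain account, or a principal this host simply cannot resolve?) can be automated against the GPO's own Restricted Groups file. The script below is an added example, not code from the thread or from either poster: it reads the [Group Membership] section of a GPO's GptTmpl.inf in SYSVOL, tries to translate every SID it finds, and separates domain account SIDs (S-1-5-21-...) that fail to resolve from BUILTIN/well-known SIDs such as Power Users that are simply not present on the host. The SYSVOL path and the Default Domain Policy GUID in the default parameter are assumptions about the reader's environment, as is that it runs as a domain user on a domain-joined machine.

```powershell
# Added example (not code from the thread). Lists the SIDs in a GPO's
# Restricted Groups definition and classifies each one.
# Assumptions: SYSVOL is reachable as the current domain user, and the
# default path points at the Default Domain Policy's GptTmpl.inf.
param(
    [string]$GptTmpl = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies" +
        "\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
)

function Resolve-SidStatus {
    param([Parameter(Mandatory)][string]$Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try {
        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
        return [pscustomobject]@{ Sid = $Sid; Name = $name; Status = 'Resolved' }
    } catch {
        # Translate failed. A domain account SID (S-1-5-21-...) that does not
        # resolve is most likely deleted; a BUILTIN/well-known SID (e.g. Power
        # Users, S-1-5-32-547) just does not exist on this host, as on a DC.
        $status = if ($id.IsAccountSid()) { 'DomainSidNotFound' } else { 'NotADomainPrincipal' }
        return [pscustomobject]@{ Sid = $Sid; Name = $null; Status = $status }
    }
}

function Get-RestrictedGroupSid {
    param([Parameter(Mandatory)][string]$Path)
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[(?<section>[^\]]+)\]\s*$') {
            $inSection = ($Matches['section'] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        # Lines look like:  *S-1-5-32-544__Members = *S-1-5-21-...-500,*S-1-5-21-...-512
        if ($line -notmatch '^\s*(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') { continue }
        $group   = $Matches['group']
        $kind    = $Matches['kind']
        $entries = @($group) + @($Matches['value'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        foreach ($entry in $entries) {
            # secedit writes SIDs with a leading '*'; resolved names appear without it
            if ($entry -notmatch '^\*S-1-') { continue }
            $r = Resolve-SidStatus -Sid $entry.TrimStart('*')
            [pscustomobject]@{
                Group  = $group.TrimStart('*')
                Kind   = $kind
                Sid    = $r.Sid
                Name   = $r.Name
                Status = $r.Status
            }
        }
    }
}

Get-RestrictedGroupSid -Path $GptTmpl |
    Sort-Object Status, Group |
    Format-Table Group, Kind, Sid, Name, Status -AutoSize
```

Run it on a member server and on a DC and compare: a line that is NotADomainPrincipal on the DC but Resolved on the member server is Paul's second case and is harmless, while a DomainSidNotFound line is the candidate for a deleted account and is the one worth removing from the policy. A transient lookup failure can also land in DomainSidNotFound, so confirm against the directory before editing the GPO.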
Jorge de Almeida Pinto [MVP - DS]
2007-01-13 22:24:23 UTC
use ADFIND to query for the SID in AD.....
http://www.joeware.net/win/free/tools/adfind.htm

if it does not exist, then the security principal that belongs to that SID
does also not exist anymore

adfind -default -binenc -f "(objectSID={{SID:<PLACE SID HERE>}})" -dn

replace <PLACE SID HERE> with the actual SID....


example:
C:\>adfind -default -binenc -f "(objectSID={{SID:S-1-5-21-3495709831-2249124843-3216744473-500}})" -dn

AdFind V01.34.00cpp Joe Richards (***@joeware.net) November 2006

Transformed Filter:
(objectSID=\01\05\00\00\00\00\00\05\15\00\00\00\87L\5C\D0\EB\EB\0E\86\19\A0\BB\BF\F4\01\00\00)
Using server: RDC01.AD.LAN:389
Directory: Windows Server 2003
Base DN: DC=AD,DC=LAN

dn:CN=Administrator,CN=Users,DC=AD,DC=LAN

1 Objects returned

C:\>
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
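The same check Jorge performs with adfind can be done with nothing but .NET's System.DirectoryServices, and doing it by hand shows what the "Transformed Filter" line in his output is: the SID serialised to its binary form and escaped byte by byte into an LDAP filter (adfind prints printable bytes literally, so \4c appears as "L"). The script below is an added example, not Jorge's or joeware's code. It builds that filter, searches the current domain for a live object, and then repeats the search with the tombstone control so an object that was deleted recently still shows up rather than being reported as gone. It assumes it runs as a domain user on a domain-joined host; the default SID is the one from Jorge's example and is only a placeholder.

```powershell
# Added example (not code from the thread): find the object behind a SID
# without adfind, including objects that have been deleted but are still
# within the tombstone lifetime.
# Assumptions: runs as a domain user on a domain-joined host; the default
# SID is the placeholder from the thread, replace it with the orphaned one.
param(
    [string]$Sid = 'S-1-5-21-3495709831-2249124843-3216744473-500'
)

function ConvertTo-ObjectSidFilter {
    param([Parameter(Mandatory)][string]$Sid)
    $id    = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $bytes = New-Object byte[] $id.BinaryLength
    $id.GetBinaryForm($bytes, 0)
    # RFC 4515 escaping: every byte as \hh. This is the -binenc transform.
    $escaped = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    return "(objectSid=$escaped)"
}

function Find-DomainObjectBySid {
    param([Parameter(Mandatory)][string]$Sid, [switch]$IncludeTombstones)
    # With no SearchRoot the searcher binds to the current domain's default NC,
    # the same scope as adfind -default.
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
                           -ArgumentList (ConvertTo-ObjectSidFilter -Sid $Sid)
    $searcher.Tombstone = [bool]$IncludeTombstones    # sends the show-deleted control
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'isDeleted'))
    $hit = $searcher.FindOne()
    if (-not $hit) { return $null }
    $deleted = $false
    if ($hit.Properties['isdeleted'].Count -gt 0) { $deleted = [bool]$hit.Properties['isdeleted'][0] }
    return [pscustomobject]@{
        DistinguishedName = $hit.Properties['distinguishedname'][0]
        IsDeleted         = $deleted
    }
}

$id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
if (-not $id.IsAccountSid()) {
    # BUILTIN (S-1-5-32-*) and other well-known SIDs are never stored in the
    # domain NC, so "not found in AD" does not mean deleted for them.
    "$Sid is not a domain account SID; resolve it on the host that applies the policy instead."
    return
}

"Filter: " + (ConvertTo-ObjectSidFilter -Sid $Sid)
$live = Find-DomainObjectBySid -Sid $Sid
if ($live) {
    "Live object: $($live.DistinguishedName)"
    return
}
$dead = Find-DomainObjectBySid -Sid $Sid -IncludeTombstones
if ($dead -and $dead.IsDeleted) {
    "Deleted object still held as a tombstone: $($dead.DistinguishedName)"
} else {
    "No object with objectSid $Sid in this domain (deleted and past the tombstone lifetime, or a SID from another domain)."
}
```

Two caveats a practitioner will hit: reading tombstones requires the List Deleted Objects right on the domain's Deleted Objects container, which only Administrators hold by default, so the second search silently returns nothing for an ordinary user; and a SID whose domain part differs from the current domain's will never be found here no matter what, so compare `$id.AccountDomainSid` with your own domain SID before concluding the account was deleted.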
I just noticed an orphaned SID in a restricted group definition in our default
domain GPO.
I think I understand orphaned SIDs and how they occur, so in this case am I
correct in assuming that they can occur in GPOs because the GPT component of
the GPO resides in the file system (SYSVOL) and there is no backlinking
between AD and the file system?