What are ACLs and SIDs?
An ACL is a list of permissions that control who can access an object, such as a file, folder, registry key, or AD object. Each permission entry in an ACL is called an access control entry (ACE), which consists of a SID and an access mask. A SID is a unique identifier that represents a user, group, or computer account in Windows. A SID consists of a domain identifier and a relative identifier (RID), which are assigned by the domain controller when the account is created. For example, the SID for the Administrator account in the domain contoso.com is S-1-5-21-1234567890-1234567890-1234567890-500, where S-1-5-21-1234567890-1234567890-1234567890 is the domain identifier and 500 is the RID.
What are orphaned SIDs?
Orphaned SIDs are SIDs that cannot be resolved to a valid account name because the corresponding account no longer exists in Windows. This can happen when an account is deleted, disabled, renamed, or migrated to another domain. Orphaned SIDs can remain in ACLs of objects that the account had access to before it was removed. For example, if a user account Bob was deleted from the domain contoso.com, but Bob had access to a file share on a server in the domain, the file share's ACL would still contain Bob's SID as an ACE.
Why delete orphaned SIDs?
Orphaned SIDs can cause several problems, such as:
Security risks: Orphaned SIDs can be exploited by attackers who can create accounts with the same RIDs as the deleted accounts and gain access to the objects that the deleted accounts had access to.
Performance issues: Orphaned SIDs can increase the size of ACLs and AD objects, which can affect the replication and backup of AD and the processing of ACLs by the system.
Clutter: Orphaned SIDs can make it difficult to manage and audit ACLs and AD objects, as they appear as unknown accounts or strings of numbers.
Therefore, it is recommended to delete orphaned SIDs from ACLs and AD objects periodically to maintain security, performance, and cleanliness.
How to delete orphaned SIDs using PowerShell?
PowerShell is a powerful scripting language that can be used to automate various tasks in Windows. One of the tasks that PowerShell can perform is deleting orphaned SIDs from ACLs using the Get-Acl and Set-Acl cmdlets. The Get-Acl cmdlet retrieves the ACL of an object, and the Set-Acl cmdlet sets the ACL of an object. To delete orphaned SIDs from ACLs using PowerShell, you need to follow these steps:
Get the list of objects that you want to scan for orphaned SIDs. You can use various cmdlets to get different types of objects, such as Get-ChildItem for files and folders, Get-ADObject for AD objects, Get-RegistryKey for registry keys, etc.
For each object in the list, get its ACL using the Get-Acl cmdlet.
For each ACE in the ACL, check if the SID can be resolved to a valid account name using the Translate method of the System.Security.Principal.SecurityIdentifier class. If not, remove the ACE from the ACL.
Set the modified ACL back to the object using the Set-Acl cmdlet.
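The four steps above, carried out as an added example that is not the article's own script: it reports orphaned ACEs as objects before touching anything, checks that SID resolution actually works (an unreachable domain controller makes every domain SID look orphaned), leaves capability SIDs and inherited ACEs alone, and handles registry keys as well as files. The function names (Test-SidResolution, Get-OrphanedAce, Remove-OrphanedAce) and the sample paths in the usage section are assumptions.

```powershell
# Added example, not code from the original article. Function names and the sample
# paths in the usage section are assumptions.

function Test-SidResolution {
    # Guard: when a domain controller is unreachable, every domain SID fails to
    # translate and would be reported as orphaned. The current user's own SID must
    # resolve before any cleanup result is trusted.
    try {
        $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
        [void] $me.Translate([System.Security.Principal.NTAccount])
        return $true
    }
    catch [System.Security.Principal.IdentityNotMappedException] { return $false }
}

function Get-OrphanedAce {
    # Emits one record per ACE whose SID cannot be resolved to an account.
    # Only account SIDs (S-1-5-21-<authority>-<RID>, domain or local) are candidates:
    # capability SIDs (S-1-15-3-...) and similar never resolve by design and stay.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $Path)

    foreach ($p in $Path) {
        # The object itself plus everything below it; works for file and registry paths
        $targets = @(Get-Item -LiteralPath $p -ErrorAction SilentlyContinue) +
                   @(Get-ChildItem -LiteralPath $p -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $targets) {
            try { $acl = Get-Acl -LiteralPath $item.PSPath -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL of $($item.PSPath): $_"; continue }

            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference
                # Get-Acl already tried to translate; an unresolved SID stays a SecurityIdentifier
                if ($id -isnot [System.Security.Principal.SecurityIdentifier]) { continue }
                if (-not $id.Value.StartsWith('S-1-5-21-')) { continue }

                # Confirm the failure directly rather than trusting the cached Access view
                $resolves = $true
                try { [void] $id.Translate([System.Security.Principal.NTAccount]) }
                catch [System.Security.Principal.IdentityNotMappedException] { $resolves = $false }
                if ($resolves) { continue }

                # FileSystemAccessRule and RegistryAccessRule expose their mask differently
                $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
                    $ace.FileSystemRights
                } else {
                    $ace.RegistryRights
                }

                [pscustomobject]@{
                    Path        = $item.PSPath
                    Sid         = $id.Value
                    Rights      = $rights
                    Type        = $ace.AccessControlType
                    IsInherited = $ace.IsInherited
                }
            }
        }
    }
}

function Remove-OrphanedAce {
    # Removes every explicit ACE of the orphaned SID from the object. Inherited ACEs are
    # skipped: PurgeAccessRules/RemoveAccessRule do not touch them, and they have to be
    # removed on the parent object where they are defined. Supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Orphan)

    process {
        if ($Orphan.IsInherited) {
            Write-Verbose "Skipping inherited ACE for $($Orphan.Sid) on $($Orphan.Path)"
            return
        }
        if (-not $PSCmdlet.ShouldProcess($Orphan.Path, "Remove ACEs of $($Orphan.Sid)")) { return }

        $acl = Get-Acl -LiteralPath $Orphan.Path
        $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier] $Orphan.Sid)
        Set-Acl -LiteralPath $Orphan.Path -AclObject $acl
    }
}

# Usage (paths are assumptions): report first, dry-run, then remove with verbose output.
if (-not (Test-SidResolution)) { throw 'SID resolution is failing; refusing to clean up.' }
$orphans = Get-OrphanedAce -Path 'C:\Temp', 'HKLM:\SOFTWARE\Contoso'
$orphans | Format-Table Path, Sid, Rights, Type, IsInherited -AutoSize
$orphans | Sort-Object Path, Sid -Unique | Remove-OrphanedAce -WhatIf
$orphans | Sort-Object Path, Sid -Unique | Remove-OrphanedAce -Verbose
```

The report step is where the value is: the table of path, SID, rights and inheritance flag can be kept as an audit record and reviewed before anything is written back, and an ACE that turns out to be inherited tells you which parent object actually needs cleaning.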
The following is an example of a PowerShell script that deletes orphaned SIDs from files and folders in a given path:
```powershell
# Define the path to scan
$path = "C:\Temp"

# Get all files and folders in the path
$items = Get-ChildItem -Path $path -Recurse

# Loop through each item
foreach ($item in $items) {
    # Get the ACL of the item
    $acl = Get-Acl -Path $item.FullName
    $modified = $false

    # Loop through each ACE in the ACL
    foreach ($ace in $acl.Access) {
        # Try to resolve the SID to a name
        try {
            $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # If the SID cannot be resolved, remove the ACE from the ACL
            [void] $acl.RemoveAccessRule($ace)
            $modified = $true
        }
    }

    # Set the modified ACL back to the item only if something was removed
    if ($modified) {
        Set-Acl -Path $item.FullName -AclObject $acl
    }
}
```
How to delete orphaned SIDs using a third-party tool?
If you prefer a graphical user interface (GUI) or more advanced functionality, you can use a third-party tool to delete orphaned SIDs from ACLs. One of the tools that can do this is SubInACL, a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and to transfer this information from user to user, from local or global group to group, and from domain to domain. SubInACL can also remove orphaned SIDs from ACLs using the /remove parameter. For example, the following command removes all orphaned SIDs from files and folders in C:\Temp:
```cmd
subinacl /subdirectories C:\Temp\* /remove=*
```
Another tool that can delete orphaned SIDs from ACLs is SolarWinds Access Rights Manager (ARM), a comprehensive solution that helps you manage and audit access rights across your IT infrastructure. ARM can scan your file servers, AD, Exchange, SharePoint, SQL Server, and more for orphaned SIDs and other security issues. You can then use ARM to delete orphaned SIDs from ACLs in bulk or individually, with a few clicks. You can also use ARM to generate reports on access rights, permissions, and changes, and to automate access rights management tasks.
Conclusion
Orphaned SIDs are a common problem that can affect the security, performance, and cleanliness of your Windows environment. To delete orphaned SIDs from ACLs, you can use PowerShell or a third-party tool such as SubInACL or SolarWinds ARM. By deleting orphaned SIDs from ACLs, you can improve your security posture, optimize your system resources, and simplify your access rights management.