Cleanup Orphaned SIDs listed in File and Folder ACL
We all know the proper way of setting up file permissions according to Microsoft. UGDLP or AGDLP, depending on when you learned it, is the acronym used to remember “Add Users/Accounts to Global Groups, then to Domain Local Groups, then apply permissions to the Domain Local Group.” This allows nested groups and permissions to be added and removed easily over time, and it should be followed 100% of the time…
Put into practice in the real world, proper procedures are not always followed, and this leads to issues down the road. People are in a hurry, staff do not understand the group structure, or you have a pushy boss looking over your shoulder expecting you to have a new permission up and running in 0.5 seconds. So you just add the user to the folder and, boom, done. It is quick. It gets the results you are looking for. And it is dirty. We will not go into why Microsoft considers this poor practice, but you can read all about it here, in a great article explaining the setup and reasoning behind a nested group strategy.
Anyway, a few months pass, the user leaves and the account gets deleted. No big deal. Except you are left with an annoying little remnant: the SID of the deleted account is still listed in the ACL for the shared folder. Let’s be VERY clear. This in no way affects the functioning of the system, the folder, or the permissions. But for the more obsessively tidy among us this will just not do. This can also happen during domain migrations, when a server with shared folders is moved and the domain trusts are then broken.
Photo taken on Windows 10. Other versions may appear slightly different.
Solution for the Orphaned SIDs
I was recently working with a client who went through a domain merger where we were left with hundreds of these orphaned or ghost ACEs. To resolve the issue and to help others in the future, I wrote a GUI-based application so users can just browse to a folder and remove all orphaned SIDs on that folder as well as all subfolders, without using PowerShell, VBS or any other command-line or scripting tools.
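For those who do want to script it, the same cleanup in PowerShell, as an added example that is not the GUI tool described in this post: it walks a folder tree, reports every explicit access entry whose identity no longer resolves (shown as a bare S-1-5-21-… SID), and removes them. It assumes an elevated PowerShell session on the file server and that the domain controllers are reachable, so a live account is not mistaken for a deleted one; the `Remove-OrphanedAce` name and the `D:\Shares\Finance` path are made up for the example.

```powershell
# Added example, not the article's GUI tool. Assumes an elevated session on the
# file server with the domain controllers reachable (so live SIDs still resolve).
function Remove-OrphanedAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )

    $targets = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Path -Recurse -Force
    }

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        $orphans = foreach ($ace in $acl.Access) {
            # Inherited entries cannot be removed here; they are fixed on the parent
            # that holds the explicit entry, which -Recurse reaches on its own.
            if ($ace.IsInherited) { continue }
            # A resolvable account appears as NTAccount (DOMAIN\name). A bare
            # SecurityIdentifier (S-1-5-21-...) means the SID lookup failed.
            if ($ace.IdentityReference -isnot [System.Security.Principal.SecurityIdentifier]) { continue }
            try {
                # Confirm it is really unmapped, not just displayed as a SID.
                $null = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount])
            } catch [System.Security.Principal.IdentityNotMappedException] {
                $ace
            }
        }
        if (-not $orphans) { continue }

        foreach ($ace in $orphans) {
            # Report what is about to go, so a -WhatIf run doubles as an audit.
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
            $null = $acl.RemoveAccessRule($ace)
        }
        if ($PSCmdlet.ShouldProcess($item.FullName, "Remove $($orphans.Count) orphaned ACE(s)")) {
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

# Preview first, then apply:
# Remove-OrphanedAce -Path 'D:\Shares\Finance' -Recurse -WhatIf
# Remove-OrphanedAce -Path 'D:\Shares\Finance' -Recurse
```

Run it with -WhatIf first and only while the domain controllers answer, because a transient lookup failure looks exactly like a deleted account.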
Have an IT Support Expert Help you
SID removal can be complicated and time consuming; for assistance, please check out our business support page. We would love to help you out.
Otherwise, give it a try and let me know what you think. This is just the first version, and while it worked for my client as well as in all my tests, you should test it out before using it in production.