"account unknown" on acl cannot be removed without blocking inheritence

[David Grant]

I have several folders with an "Account Unknown" entry on
the ACL that cannot be removed without turning off
inheriting permissions. However, the parent folder does
not contain that ACL entry, indicating to me that
the "Account Unknown" ACL entry is not being inherited.
My questions are:

1. Why do I need to turn off inheritence when clearly
that particular ACL entery is not being inherited?

2. Why do "Account Unknown" entries show up in the first
place and how can I easily remove them?

More info:

Our domain has never had a trust relationship. The box
in question is a DC running Windows 2000 Server SP4.
Some of the files and directories may have been copied
from an NT4 DC in the past.

 

[Marco]

Gary

the account unknown may be due to the fact that some accounts got their SID
changed when migrated to AD. When AD does not have the account SID in AD
then it displays unknown account. For what concerns the inheritance I
suspect (again) that these files are left for from your NT4 installation as
NT4 had a very different inheritance model. Some may go as far as saying
that NT4 did not have an inheritance model at all.

 

[Joe Richards [MVP]]

Let me guess that this is somewhere in the SYSVOL folder structure? Some of
the folders there aren't really directories, they are links to other folders
somewhere else on the file system.

Which folder specifically are you having an issue with?

 

[David Grant]

This is happening in a number of folders. They are all
normal folders that contain Word documents, spreadsheets,
etc.

 

[Joe Richards [MVP]]

I would go through and look at each folder to see if it is a link instead of
a real folder.

This can also get screwed up if someone is playing with ACLs with custom
scripts/apps that don't know how to do things right.