ACLs remain for deleted items after 60 days

JonathanG

We have an Active Directory environment with multiple sites and domains
(Windows 2000 SP3). When we delete an object, its ACL entry does not
disappear (the specific case was for an account set through ADSIEDIT and
Exchange System Manager) but instead appears as an unresolved SID.

In testing this is still the case even after the object no longer appears
in the deleted items container, i.e. the 60-day tombstoning has kicked in
and garbage collection has removed the item.

The conclusion from this would be:
There is no process which removes the SIDs of deleted objects from the
Access Control Lists on Active Directory containers; therefore cleanup
will have to be done manually.

I would be grateful if this could be confirmed...
Richard McCall [MSFT]

That is correct. I have not looked at DSACLS but SUBINACLS can be used to
remove deleted\unresolved SIDs from the file system objects.
JonathanG

Thanks Richard. Do you have an understanding of why this happens, or
any hints on tools to remove it from AD rather than just file system
objects?

Many thanks,
Jonathan

Dale Weiss

Hello,

You are correct in that there is no process that deletes a user's Access
Control Entries from files and directory objects if the user object is
deleted. This must be done manually.

There is no data stored regarding the user and his or her resources, and it
is impractical to search every object in the enterprise for the user's SID
when the object is deleted.

Dale Weiss MCSA MCSE CISSP
PSS Security

This posting is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer. Use of included script samples is subject
to the terms specified at http://www.microsoft.com/info/cpyright.htm
JonathanG

Given the number of objects that get deleted from an enterprise
implementation of AD (currently we have 8000 objects in deleted
items), I'm not clear then why, if there is no process to remove ACEs
from objects, I do not see lots of unrecognized SIDs in AD.

I take the point that mostly it will be groups that have entries on
the ACL, hence deletion of users would not show.

Regards
Richard McCall [MSFT]

Generally speaking, permissions for files and folders are usually given to
groups, so when the user is deleted there is no reason to clean up. Any
background task that would check and remove them would have to scan everything,
which is pretty CPU costly.
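Jonathan's question about a tool for AD (rather than SUBINACL for the file system) goes unanswered in the thread; the script below is an added example, not something posted here or shipped by Microsoft. It does the full scan Richard describes, reporting explicit ACEs on AD objects whose trustee SID no longer resolves, and only rewrites a security descriptor when `-Remove` is given. It assumes the ActiveDirectory PowerShell module and its `AD:` drive on a current domain, not the Windows 2000 environment of the thread.

```powershell
# Added example: find (and optionally strip) orphaned SIDs in AD object ACLs.
# Assumptions: ActiveDirectory module, AD: drive, rights to read and (with
# -Remove) write nTSecurityDescriptor on the objects under $SearchBase.
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # default: whole domain
    [switch]$Remove                                         # default: report only
)
Import-Module ActiveDirectory

$found = [System.Collections.Generic.List[object]]::new()

# Page through every object under the search base. This is the "scan everything"
# cost Richard mentions, so run it off-hours on a large directory.
Get-ADObject -SearchBase $SearchBase -LDAPFilter '(objectClass=*)' `
    -Properties nTSecurityDescriptor -ResultPageSize 500 | ForEach-Object {
    $obj   = $_
    $sd    = $obj.nTSecurityDescriptor
    $dirty = $false
    # Snapshot the ACE list so removing entries does not disturb the loop.
    foreach ($ace in @($sd.Access)) {
        # Inherited ACEs are fixed by cleaning the parent, so only explicit ones count.
        if ($ace.IsInherited) { continue }
        $sid = $ace.IdentityReference
        if ($sid -isnot [System.Security.Principal.SecurityIdentifier]) {
            $sid = $sid.Translate([System.Security.Principal.SecurityIdentifier])
        }
        # Only domain SIDs (S-1-5-21-...) can be orphaned by a deletion; well-known
        # SIDs such as SYSTEM or Authenticated Users are skipped.
        if (-not $sid.Value.StartsWith('S-1-5-21-')) { continue }
        try   { [void]$sid.Translate([System.Security.Principal.NTAccount]); continue }
        catch { }   # translation failed: no account exists for this SID any more
        $found.Add([pscustomobject]@{
            Object = $obj.DistinguishedName
            SID    = $sid.Value
            Rights = $ace.ActiveDirectoryRights
            Type   = $ace.AccessControlType
        })
        if ($Remove) { [void]$sd.RemoveAccessRule($ace); $dirty = $true }
    }
    # Write the modified descriptor back through the AD: provider.
    if ($dirty) { Set-Acl -Path "AD:\$($obj.DistinguishedName)" -AclObject $sd }
}

$found | Format-Table -AutoSize
```

A SID from a trusted domain that cannot currently be reached also fails to translate and will be listed, so review the report before running with `-Remove`.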