I am lost.
AD Users and Computers has no problem removing a member
from a group when the member only appears as a SID.
The NTFS permissions dialog can remove an ACE from a
file or folder security descriptor when the SID of the ACE
cannot be resolved to friendly name (i.e. shows as SID but
it is still deleteable).
If you are automating you can add or remove members, using
only their SIDs, from groups using ADSI.
Exactly where are you having problems?
I have a similar issue and have looked at Subinacl but unfortunately I don't
have the original domain name for the SIDS.
This came from data being restored to a new environment where some users
have been migrated from a different forest. I have tried using the domain
portion of the SID with subinacl but without any luck.
Is there any way of first reporting all of the unresolved sids from the file
system (dumpsec just tells me it's unresolved)?
Is there a tool/script that can remove sids that don't resolve?
Yeah there are some options in there to do that, I want to say it is
dumpcachedsids and you just tell it to enumerate the resources and it will
generate a file with all of the SIDS, been awhile.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition www.joeware.net
---O'Reilly Active Directory Third Edition now available---
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.
