Need help with ADUC "Account Unknown"

[gpegue]

Greetings-

If I examine the "Users" container in ADUC, I see the folowing two
entries in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1261)
Account Unknown (S-1-5-21-861567501-1500820517-725345543-1265)

If I examine each distribution list (I'm running Exchange 2003 on
another member server Win2K3 box in my domain) in the "Users" container
in ADUC, I see the same two entries noted above in the Security tab.

If I examine each user and each security group in the "Users" container
in ADUC, I see the following entry in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1263)

Here's my questions for the AD gurus:

1) Knowing that these entries most likely represent a user account that
was deleted from AD and that most likely was an administrator of some
kind whose term of service here predates mine, is it safe to delete
these entries?

2) If the answer to 1) is "Yes, it's OK to delete them", is there a way
to delete them en masse as opposed to mamually deleting each entry from
each object?

3) Is there anyway to determine more info about the unknown account,
like when it was deleted etc?

4) What is the significance of the last 4 digits in the entries?
TIA
Gordon Pegue
CG Engineers
Albuquerque, NM

 

[ptwilliams]

2) If the answer to 1) is "Yes, it's OK to delete them", is there a way to

delete them en masse as opposed to mamually deleting each entry from each
object?

Yes. Go to the highest OU or container that these permissions are set on
and delete them there. They're more than likely inheriting these
permissions from higher above.

3) Is there anyway to determine more info about the unknown account, like
when it was deleted etc?

Not really, unless this is a recent thing. If you've been auditing
directory services events and the like, you may find some info. in the
security logs of the DCs. Otherwise, I'm unaware of a way of doing this.

4) What is the significance of the last 4 digits in the entries?

These are the RIDs - the unique portion of the SID. The majority of that
SID represents the domain, and a couple of standard bits at the
beginning -version, type, etc. All in all, every single bit of that SID
other than the RIS is unique to your domain. The RID is allocated to each
new user by the creating DC and is taken from a RID pool -allocated in
blocks of 499 to each DC from the RID master.

There are well known RIDs -those that are always used, e.g. -500 is
administrator; -501 is guest.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

Greetings-

If I examine the "Users" container in ADUC, I see the folowing two
entries in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1261)
Account Unknown (S-1-5-21-861567501-1500820517-725345543-1265)

If I examine each distribution list (I'm running Exchange 2003 on
another member server Win2K3 box in my domain) in the "Users" container
in ADUC, I see the same two entries noted above in the Security tab.

If I examine each user and each security group in the "Users" container
in ADUC, I see the following entry in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1263)

Here's my questions for the AD gurus:

1) Knowing that these entries most likely represent a user account that
was deleted from AD and that most likely was an administrator of some
kind whose term of service here predates mine, is it safe to delete
these entries?

2) If the answer to 1) is "Yes, it's OK to delete them", is there a way
to delete them en masse as opposed to mamually deleting each entry from
each object?

3) Is there anyway to determine more info about the unknown account,
like when it was deleted etc?

4) What is the significance of the last 4 digits in the entries?
TIA
Gordon Pegue
CG Engineers
Albuquerque, NM

 

[lforbes]

Greetings-

If I examine the "Users" container in ADUC, I see the folowing
two
entries in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1261)
Account Unknown (S-1-5-21-861567501-1500820517-725345543-1265)

If I examine each distribution list (I'm running Exchange 2003
on
another member server Win2K3 box in my domain) in the "Users"
container
in ADUC, I see the same two entries noted above in the
Security tab.

If I examine each user and each security group in the "Users"
container
in ADUC, I see the following entry in the Security tab:

Account Unknown (S-1-5-21-861567501-1500820517-725345543-1263)

Here's my questions for the AD gurus:

1) Knowing that these entries most likely represent a user
account that
was deleted from AD and that most likely was an administrator
of some
kind whose term of service here predates mine, is it safe to
delete
these entries?

2) If the answer to 1) is "Yes, it's OK to delete them", is
there a way
to delete them en masse as opposed to mamually deleting each
entry from
each object?

3) Is there anyway to determine more info about the unknown
account,
like when it was deleted etc?

4) What is the significance of the last 4 digits in the
entries?
TIA
Gordon Pegue
CG Engineers
Albuquerque, NM

Hi,

Yes it is safe to delete them. I have this a lot when an account is
deleted without deleting the users files etc. If you enable Quotas on
the Drive in question then you can go into Quota Manager and delete
all files/folders owned by that SID.

Cheers,

Lara