Well, a quick verification would be to strip the RID off and see if you can resolve the domain. If you can, you know the account is dead; no need to dig through tombstones. Doing so seems a bit silly to me unless you are going from the other side: digging out tombstoned users/groups/etc. and chasing through ACLs looking for their SIDs.
 
  joe

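Joe's check above (strip the RID, see whether the remaining domain SID still resolves), as an added Python example that is not code from the thread: it triages the SIDs found in an ACL into entries that still resolve, SIDs that are not domain accounts at all, SIDs whose domain cannot be resolved (a lookup problem, as Deji warns, not proof the account is gone), and genuinely orphaned ones. The domain and account lookups are stubbed with constructed dictionaries; against a real directory they would be the normal name-lookup calls.

```python
import re

# Constructed sample data for this added example (no real domains or accounts).
KNOWN_DOMAINS = {  # domain SID -> NetBIOS name, standing in for a domain lookup
    "S-1-5-21-1111111111-2222222222-3333333333": "CORP",
}
LIVE_ACCOUNTS = {  # account SID -> name, standing in for an account lookup
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "CORP\\svc-backup",
}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
DOMAIN_PREFIX = "S-1-5-21-"


def classify_sid(sid, domains=KNOWN_DOMAINS, live=LIVE_ACCOUNTS):
    """Decide what a SID found in an ACL most likely is.

    Returns (category, detail). Only 'orphaned' means the account is
    confirmed gone; 'unresolved-domain' means the lookup itself is failing,
    so the ACE must not be removed on that evidence alone.
    """
    if not SID_RE.match(sid):
        return "invalid", sid
    if sid in live:
        return "resolves", live[sid]
    parts = sid.split("-")
    # Domain account SIDs are S-1-5-21-<a>-<b>-<c>-<rid>: eight dash-separated parts.
    if not sid.startswith(DOMAIN_PREFIX) or len(parts) != 8:
        return "not-domain-account", sid  # BUILTIN\*, NT AUTHORITY\*, or a bare domain SID
    domain_sid, rid = sid.rsplit("-", 1)  # strip the RID, keep the domain SID
    domain = domains.get(domain_sid)
    if domain is None:
        return "unresolved-domain", domain_sid
    if int(rid) < 1000:
        # RIDs below 1000 are the domain's built-in principals (500 Administrator,
        # 512 Domain Admins, ...). They cannot be deleted, so a failed lookup here
        # points at a resolution problem, not a dead account.
        return "check-resolution", f"{domain} RID {rid}"
    return "orphaned", f"{domain} RID {rid}"


def triage_acl(sids, domains=KNOWN_DOMAINS, live=LIVE_ACCOUNTS):
    """Group the SIDs from an ACL by the classification above."""
    buckets = {}
    for sid in sids:
        category, detail = classify_sid(sid, domains, live)
        buckets.setdefault(category, []).append((sid, detail))
    return buckets
```

Only the "orphaned" bucket is a candidate for removal; "unresolved-domain" and "check-resolution" entries need the lookup path (trusts, DNS, DC reachability) investigated first.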

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 01, 2005 1:58 PM
To: [email protected]
Subject: RE: [ActiveDir] Orphaned SIDs

Al, you know that a resolution problem will sometimes prevent SID translations. So, the mere fact that you see SIDs (rather than names) listed in your ACL does not necessarily indicate that those accounts are dead. So, verification is in order here, IMO.

 

Deji

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 01, 2005 10:51 AM
To: [email protected]
Subject: RE: [ActiveDir] Orphaned SIDs

 

I'm trying to figure out why you wouldn't want to assume that the account is either gone or tombstoned? Why the verification step of looking for tombstoned items?

 

In any event, it takes different rights and settings to see those tombstoned objects.  I wouldn't guess that Zeffy would care about those since they're tombstoned. 

 

Also, if the object is listed incorrectly or referenced by something other than the proper dir object, then what would be the point of keeping it in the ACLs?  There's obviously something wrong at that point right?

Help me understand the logic/business drivers for this...

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Friday, April 01, 2005 11:41 AM
To: [email protected]
Subject: [ActiveDir] Orphaned SIDs

I’ve seen quite a bit of info on this subject but would like to get a firm grip on the situation. I recently deleted a bunch of disabled users from my directory. However, I’m left with quite a few orphaned SIDs in the ACLs and User Rights policies, etc. I would like to clean these up with VERIFICATION, i.e. I would like to know which user SID I’m deleting before ripping the SID out of the ACL.

 

I encountered a few tools on the web but they don’t really help in this situation.

 

http://www.petri.co.il/obj_sid.htm  - This is a cool applet that allows you to do a SID lookup or a reverse SID lookup. If the object doesn’t exist in the directory, it doesn’t access the tombstone information for a match.

 

Then there’s tombstone-user.exe. This util will dump all the tombstone objects from a particular DC. I dumped the tombstones from a DC (it displays SIDs only) and did a find on a couple of the SIDs I see tombstoned in the directory but it doesn’t find the SIDs? Yes, it’s still within 60 days of the objects being deleted.

 

Any help on this issue will be appreciated.

Ivor
