The issue is that there is no automated service in AD/Windows that reconciles the SIDs in AD with those used to ACL the file system; and AD ACLs are separate and disconnected from the OS ACLs. Imagine deleting a group or user that had permissions on hundreds of computers around your network the OS on each box would have to *know* that the user or group was deleted then scan itself for obsolete SIDs or alternativly some service on the DC could contact each server to scan it for obsolete SIDs. As Deji correctly pointed out this is another example of why you should use groups to do your permissioning... it is also one of the reasons why many administrators choose to disable user accounts rather than just delete them when they become obsolete. Bob
________________________________ From: [EMAIL PROTECTED] on behalf of Yann Sent: Thu 1/4/2007 5:35 AM To: [email protected] Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission. Thanks for replying. You say that it is normal that the sid still remains in file & directory ACLs after the deletion of the corresponding group ?? I always thought that sids *HAVE TO* disapear dynamically on all existing ACLs set on file server. I'm a bit surprise that the system (AD<->file server) leave this dirty sid and that there is no synchronisation that updates the "link" between the AD object and the ACE.... What is the reason ? could this behavior be altering ? I'd like sid disappears after deletion of the corresponding group in AD in order to not have this dirty SIDs... Thanks. Yann "Akomolafe, Deji" <[EMAIL PROTECTED]> a écrit : It's "normal". You should be permissioning your resources with groups instead of directly with user accounts. Groups tend to last longer, so you don't have to deal with the horrible SIDs. Sincerely, _____ (, / | /) /) /) /---| (/_ ______ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: Yann Sent: Thu 1/4/2007 1:52 AM To: [email protected] Subject: [ActiveDir] SID Deleted users remains in NTS permission. Hello all & Happy new year ! :) AD 2k3 sp1 in FFL mode. When i delete a user or group from AD, and these objects have permissions on ntfs permissions, i usually see their sids remaining in those file & directory ACLs. Is this normal ? If not,what could be the reason(s) & how to investigate this issue ? Thanks, Yann __________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail __________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail
