Bulk remove orphaned SID [message #156173] Thu, 11 June 2009 10:23
dfw63

I would like to bulk remove an orphaned SID that was granted Send As rights
to many accounts in our domain. What is the best way to do this?

Re: Bulk remove orphaned SID [message #156175 is a reply to message #156173] Thu, 11 June 2009 10:36
meiweb(nospam), Germany

Hello dfw63,

Check out:
subinacl

Download it here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

With:
subinacl /subdirectories d:\data /cleandeletedsidsfrom=domain.com

you can remove them, for example, from a shared folder "data" on the D: drive.

Try it out in a lab first.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Re: Bulk remove orphaned SID [message #156176 is a reply to message #156175] Thu, 11 June 2009 10:55
dfw63

I did look at this tool but am having trouble with syntax. Specifically, I
want to bulk remove an orphaned SID that was granted Send As permission from
many user accounts in a domain. I don't have a test environment available so
would like to test on a single user.

Best regards

Re: Bulk remove orphaned SID [message #156184 is a reply to message #156176] Thu, 11 June 2009 11:31
meiweb(nospam), Germany

Hello dfw63,

This deletes all ACEs containing deleted (not valid) SIDs from Domain.com:
subinacl /samobject /cleandeletedsidsfrom=domain.com=all

You can also run a test:
subinacl /samobject /cleandeletedsidsfrom=domain.com=all /testmode

/samobject: Specifies that object_name is a Security Accounts Manager
(SAM) object, such as a user, local group, or global group.

Best regards

Meinolf Weber

Re: Bulk remove orphaned SID [message #156235 is a reply to message #156175] Fri, 12 June 2009 08:30
SubstituteThisWithMyF, Netherlands

does not work against AD

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

Re: Bulk remove orphaned SID [message #156247 is a reply to message #156235] Fri, 12 June 2009 09:25
dfw63

Do you have an alternate suggestion? Your statement seems to be correct
because I'm not getting any results back from my test, yet I know there
should be hundreds of matches.

Regards

Re: Bulk remove orphaned SID [message #156250 is a reply to message #156247] Fri, 12 June 2009 10:13
SubstituteThisWithMyF, Netherlands

If I had a suggestion I would definitely tell you about it...

Either use a third-party tool if one exists (I do not know of any) or create
your own scripts.

This is another reason why having a correct delegation of control design is
so important.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
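
The "create your own scripts" route mentioned above, sketched as an added example that is not part of any post in this thread. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the SID and the distinguished name are placeholders, and the GUID is the rightsGuid of the Send-As extended right. It only reports matches unless `-Commit` is given.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
param(
    # Placeholder values (assumptions): replace with the orphaned SID and the scope.
    [string]$OrphanSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1234',
    # A single user's DN limits the run to that one object; an OU DN widens it.
    [string]$SearchBase = 'CN=Test User,OU=Staff,DC=example,DC=com',
    # Without -Commit nothing is written back to the directory.
    [switch]$Commit
)
Import-Module ActiveDirectory

# rightsGuid of the Send-As extended right.
$SendAsGuid = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$sidType    = [System.Security.Principal.SecurityIdentifier]
$extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Safety check: stop if the SID still resolves to an account (then it is not orphaned).
$sid = New-Object System.Security.Principal.SecurityIdentifier $OrphanSid
try {
    $name = $sid.Translate([System.Security.Principal.NTAccount])
    throw "SID resolves to $name; refusing to treat it as orphaned."
} catch {
    $base = $_.Exception.GetBaseException()
    if ($base -isnot [System.Security.Principal.IdentityNotMappedException]) { throw }
}

Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
    $user = $_
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Explicit ACEs only, returned as raw SIDs rather than translated names.
    $hits = @($acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $OrphanSid -and
        $_.ObjectType -eq $SendAsGuid -and
        ($_.ActiveDirectoryRights -band $extended)
    })
    if ($hits.Count -eq 0) { return }   # nothing to do for this user

    foreach ($ace in $hits) { $acl.RemoveAccessRuleSpecific($ace) }
    if ($Commit) { Set-Acl -Path $path -AclObject $acl }

    # One report row per affected user.
    [pscustomobject]@{
        User        = $user.SamAccountName
        AcesMatched = $hits.Count
        Removed     = [bool]$Commit
    }
}
```

Run it first with `$SearchBase` set to one user's DN and without `-Commit`, then review the report before widening the scope.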

Re: Bulk remove orphaned SID [message #156266 is a reply to message #156235] Fri, 12 June 2009 15:45
meiweb(nospam), Germany

Hello Jorge de Almeida Pinto [MVP - DS],

Thanks for clarifying this part; after some more testing I realized that
as well.

Best regards

Meinolf Weber