As users and groups are deleted from Active Directory, the files and folders that were once secured to give those users and groups access are left with “orphaned SIDs” in their ACLs (Discretionary Access Control Lists, to be precise).
These orphaned SIDs would once have resolved to the name of a user or group, but since that object has been removed from AD that is no longer possible, leaving behind all sorts of harmless untidiness to annoy the more obsessive-compulsive sysadmins amongst us.
There is a very powerful free tool called SetACL for deleting orphaned SIDs:
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
It can perform all kinds of clever operations on the access control lists of all sorts of objects, not just folders and files. It is concisely and well documented too, so I won’t even attempt a full overview of its capabilities in one post. I’ll very likely write many posts with working examples that achieve common but difficult tasks, so look forward to those.
Back to those orphans, though. Using SetACL, they can be quickly and easily removed, leaving your DACLs nice and tidy once more:
setacl -on myfolder -ot file -actn delorphanedsids -rec cont_obj
The setacl command is essentially made up of three parts:
-on (object name),
-ot (object type)
-actn (action)
with the option of -rec (recurse) to carry on “down the tree” applying the action to cont, cont_obj or obj (folders; folders and files; or files only) as it goes, or no to turn recursion off. More than one action can be specified if you’re feeling particularly ambitious. Object types can be file (folders and files), but also printers, registry keys and other objects.
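Before running delorphanedsids against a share, it is worth knowing exactly which ACEs will go. The following PowerShell script is an added example (not from the original post or from SetACL) that walks a folder tree and reports every explicit ACE whose SID no longer resolves to an account; the $Path parameter and the Test-SidResolves helper are my own names.

```powershell
# Added example: audit a folder tree for orphaned SIDs in the DACL before
# running "setacl -on <path> -ot file -actn delorphanedsids -rec cont_obj".
# Assumes it is run on a domain-joined machine that can reach the domain
# controllers, so that a SID which fails to resolve really is orphaned.
param(
    [Parameter(Mandatory = $true)][string]$Path
)

function Test-SidResolves {
    param([System.Security.Principal.IdentityReference]$Id)
    # Get-Acl already hands back an NTAccount when the SID mapped to a name;
    # an unresolvable SID is returned as a raw SecurityIdentifier instead.
    if ($Id -is [System.Security.Principal.NTAccount]) { return $true }
    try {
        [void]$Id.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

# The root folder plus everything beneath it (hidden items included).
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$report = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    # Only explicit ACEs: inherited ones are fixed by cleaning their parent,
    # which is what -rec cont_obj does for you.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        if (-not (Test-SidResolves $ace.IdentityReference)) {
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

$report | Format-Table -AutoSize
```

A SID from a trusted domain whose DCs are temporarily unreachable will also show up here, so treat an unexpected flood of entries as a sign to check trusts and name resolution before deleting anything.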
It can also be used to replace the ACEs for one user or group with another, and to swap users and groups in one domain for those in another using a CSV file (to be covered in a later post).