Determining if an SID Is a Deleted User or Group
If an SID is found in place of a user or group name in an ACL, the user or group might have been deleted.
November 20, 2007
Q: What does it mean when you see an SID instead of the name of the user or group in an ACL?
A: It means one of two things. First, the user or group might have been deleted. When you delete a user or group, Windows can’t check the ACL of every object on every computer of the local domain and all trusted domains for the access control entries (ACEs) assigned to the user or group and delete such ACEs. Therefore, you end up with “orphaned” ACEs, which aren't a threat to security. The other possibility is that the user or group still exists but the computer was unable to connect to the appropriate domain controller (DC) to resolve the SID's name because of network problems, a failed trust relationship, or because a DC is down. To determine if the SID is simply that of a deleted user or group, you can search for the object’s tombstone, which is something Active Directory (AD) leaves after an object is deleted. Tombstones include the name of the user or group, the object type, and the SID. However, the process for finding tombstones is fairly involved and requires the LDP tool, which is part of the Windows Server 2003 Support Tools. For detailed instructions about how to search for tombstones, see the Windows IT Security article "Searching for Tombstones," (http://www.securityprovip.com/articles/articleid/41578/41578.html).
About the Author
You May Also Like