Windows: Cleanup Permissions from deleted Active Directory Objects

Hi,

In domain environments it sometimes happens that a user or group is deleted but is still authorized on many objects, e.g. file systems, shares etc.


icacls just shows the SID of the orphaned principal but cannot delete such a permission:

C:\> icacls E:\Folder
E:\Folder
....
          S-1-5-21-12820228123-987170752-682003330-877999:(OI)(CI)(M)
          S-1-5-21-12820228123-987170752-623643330-876799:(OI)(CI)(M)
....

But there is a good old Resource Kit tool that can do this: Microsoft's subinacl.

There are two ways to do a cleanup with subinacl: delete all entries belonging to deleted users or groups, or delete one or more specific SIDs.

This example removes two specific SIDs from the folder E:\Folder and all of its subdirectories:

C:\> subinacl.exe /subdirectories E:\Folder /revoke=S-1-5-21-12820228123-987170752-682003330-877999 /revoke=S-1-5-21-12820228123-987170752-623643330-876799

And this one removes all orphaned SID permissions, but you have to specify the domain name the SIDs belong to:

C:\> subinacl.exe /subdirectories E:\Folder /cleandeletedsidsfrom=DomainName=all
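As an added example that is not part of the original post (and does not use subinacl), here is a PowerShell script that audits a folder tree for explicit ACEs whose account SID no longer resolves, lists them, and removes them only when run with -Remove (with -WhatIf support). The parameter names $Path and $Remove and the helper Test-OrphanedSid are my own; the caller is assumed to be able to read and rewrite the DACLs on the tree.

```powershell
# Added example: find and optionally remove ACEs for deleted accounts using Get-Acl / Set-Acl.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [switch]$Remove
)

function Test-OrphanedSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Only account SIDs (S-1-5-21-...) are considered: well-known and capability
    # SIDs may fail to translate without belonging to a deleted user or group.
    if ($Sid.Value -notlike 'S-1-5-21-*') { return $false }
    try {
        $null = $Sid.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # A domain SID with no matching account: the principal was deleted.
        return $true
    }
}

$targets = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Request SID-based rules (explicit only, inherited excluded) so that
    # unresolvable identities are returned instead of being skipped.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $orphans = @($rules | Where-Object { Test-OrphanedSid $_.IdentityReference })
    if ($orphans.Count -eq 0) { continue }

    foreach ($rule in $orphans) {
        [pscustomobject]@{
            Path   = $item.FullName
            Sid    = $rule.IdentityReference.Value
            Rights = $rule.FileSystemRights
            Type   = $rule.AccessControlType
        }
    }

    if ($Remove -and $PSCmdlet.ShouldProcess($item.FullName, "Remove $($orphans.Count) orphaned ACE(s)")) {
        # Inherited ACEs are not touched here; they disappear once the parent
        # object that defines them has been cleaned.
        foreach ($rule in $orphans) { $acl.RemoveAccessRuleAll($rule) }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Run it without -Remove first to get an inventory of orphaned entries per object; then run with -Remove -WhatIf to preview, and finally with -Remove to rewrite the DACLs.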

Michael
