Windows: Cleanup Permissions from deleted Active Directory Objects


In domain environments it sometimes happens that a user or group is deleted but is still authorized on many objects, e.g. file systems, shares, etc.

icacls only shows the SID of the orphaned object (an unresolvable S-1-5-21-... entry instead of an account name) but cannot delete such a permission:

C:\> icacls E:\Folder

But there is a good old Resource Kit tool which can do this: Microsoft's subinacl.

There are two ways to do a cleanup with subinacl: delete all entries belonging to deleted users or groups, or delete one or more specific SIDs.

This example deletes two specific SIDs from the folder E:\Folder and all its subdirectories:

C:\> subinacl.exe /subdirectories E:\Folder /revoke=S-1-5-21-12820228123-987170752-682003330-877999 /revoke=S-1-5-21-12820228123-987170752-623643330-876799

And this one deletes all orphaned SID permissions, but you have to specify the domain name to which the SIDs belong:

C:\> subinacl.exe /subdirectories E:\Folder /cleandeletedsidsfrom=DomainName=all
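If subinacl is not available (it is no longer shipped or maintained), the same cleanup can be done with PowerShell: walk the folder tree, try to resolve every explicit ACE's SID to an account, and treat the ones that fail to resolve as orphaned. The script below is an added example written for this post, not subinacl's behaviour or a Microsoft tool; it assumes Windows PowerShell 5.1 or later, an elevated session with rights to read and write the DACLs, and that the folder path is passed as $Path. By default it only reports; -Remove actually strips the orphaned entries.

```powershell
# Added example: report (and optionally remove) ACEs whose SID no longer resolves.
# Assumptions: Windows PowerShell 5.1+, run elevated on a machine joined to the
# domain the SIDs came from, so that still-valid SIDs can be resolved.
param(
    [Parameter(Mandatory)][string]$Path,   # e.g. E:\Folder
    [switch]$Remove                         # without this switch nothing is changed
)

function Test-SidResolves {
    # Returns $true if the SID maps to an account, $false if it is orphaned.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        $null = $Sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

# The root folder plus everything below it (hidden/system entries included).
$items = @(
    Get-Item -LiteralPath $Path
    Get-ChildItem -LiteralPath $Path -Recurse -Force
)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # Only explicit (non-inherited) entries can be removed on this object;
    # inherited ones disappear once they are removed on the parent that defines them.
    $orphans = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { -not (Test-SidResolves $_.IdentityReference) })

    foreach ($ace in $orphans) {
        # One line per orphaned ACE: path, raw SID, rights, allow/deny.
        "{0}`t{1}`t{2}`t{3}" -f $item.FullName, $ace.IdentityReference.Value,
            $ace.FileSystemRights, $ace.AccessControlType
        if ($Remove) {
            $null = $acl.RemoveAccessRule($ace)
        }
    }

    if ($Remove -and $orphans.Count -gt 0) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Run it once without -Remove and keep the report; it is the equivalent of checking what icacls shows before letting subinacl revoke anything, and it lets you spot a SID that fails to resolve only because the domain controller is unreachable rather than because the account was deleted.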
