Find orphaned foreign security principals and remove them from groups

active-directorygroupswindows-server-2008-r2

We have a Windows 2008 R2 Domain with multiple outgoing trusts.
In this domain we add the users from the trusted domains to domain local security groups.
It seems that some or all deleted accounts from the foreign domains remain in the groups after deletion (from the originating domain), leaving a SID in the group which cannot be resolved.

What is the easiest way to find such accounts and remove them from the groups?

Best Answer

I dont have a script handy. But personally I'd do something like this.

Enumerate objects in the cn=foreignsecurityprincipals,dc=doamin,dc=com container to build list of FPO SIDs
Use a batch file to iterate through each and do a psgetsid.exe (sysinternals) against SID to see if it resolves. 0 means can resolve and -1 means unavailable or possibly even cant contact correct DC
If %errorlevel% is -1 write that "bad" SID to another file

you can go through the SIDs reported as -1 to see if you really want to delete the FPO represented. Deleting the FPO will clean up any membership its used in. YOu can use DSRM to script deleting the FPO later if desired using a for loop to iterate txt file.

Related Solutions

How to clean up orphaned SID’s in ACEs in AD

I haven't tested this so forgive my preemptive post (but I don't have a test domain and don't plan on testing this in production) but perhaps you're looking for SUBINACL. Download it here

subinacl.exe /help /cleandeletedsidsfrom provides the following:

/cleandeletedsidsfrom=domain[=dacl|sacl|owner|primarygroup|all]

delete all ACEs containing deleted (no valid) Sids from DomainName
You can specify which part of the security descriptor will be scanned
(default=all)
If the owner is deleted, new owner will be the Administrators group.
If the primary group is deleted, new primary group will be the Users group.

Appears you can use this with /samobject switch to apply to Users or Groups.

Domain Trust 2008 to 2003

I can set up the incoming side of the trust relationship on domain "a" so that it trusts domain "b".

This is strange. Because if the trust is incoming on domain a it means a is the trusted domain. ie: b trusts a.

Try to set the outgoing part of the trust first.

Your command tries to create the outgoing (trusting) part of the trust on domain b only. I think you need to set a trust password in this case. See: http://technet.microsoft.com/de-de/library/cc835085(WS.10).aspx

TRUSTING: Specifies to create or remove the trust object on the trusting domain. This value is valid only if you specify the /add or /remove parameter. The /passwordt parameter is required when you use the /add or /remove parameter.

Why do you use /oneside? Why not let netdom create both sides of the trust at once?

And make sure you don't have DCs with same names in both domains or else verification of the trust will fail.

Best Answer

Related Solutions

How to clean up orphaned SID’s in ACEs in AD

Domain Trust 2008 to 2003

Related Topic