We have a Windows 2008 R2 Domain with multiple outgoing trusts.
In this domain we add the users from the trusted domains to domain local security groups.
It seems that some or all deleted accounts from the foreign domains remain in the groups after deletion (from the originating domain), leaving a SID in the group which cannot be resolved.
What is the easiest way to find such accounts and remove them from the groups?
Best Answer
I don't have a script handy. But personally I'd do something like this.
You can go through the SIDs reported as -1 to see if you really want to delete the FPO represented. Deleting the FPO will clean up any membership it's used in. You can use DSRM to script deleting the FPO later if desired, using a for loop to iterate a txt file.
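As an added example that is not the answer author's script: the approach above, done from the ActiveDirectory PowerShell module (available on a 2008 R2 domain controller). It enumerates the foreignSecurityPrincipal objects in the domain's ForeignSecurityPrincipals container, tries to translate each SID back to an account name, and reports the ones that no longer resolve together with the groups they still sit in. The output file name `orphaned-fsps.txt` and the dry-run deletion at the end are my choices, not part of the original answer.

```powershell
# Added example, not the answer author's script.
# Lists foreign security principal objects (FSPs) in this domain whose SID can no
# longer be translated to an account name, together with the groups they are still
# members of. Nothing is deleted unless you remove -WhatIf from the last line.
Import-Module ActiveDirectory

$fspContainer = "CN=ForeignSecurityPrincipals,$((Get-ADDomain).DistinguishedName)"

$report = Get-ADObject -SearchBase $fspContainer `
                       -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
                       -Properties objectSid, memberOf |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.objectSid
        try {
            # Well-known SIDs (Authenticated Users, Interactive, ...) also live in this
            # container; they translate fine and so are left alone.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $null   # no account with this SID was found in any reachable domain
        }
        [PSCustomObject]@{
            SID               = $sid.Value
            Account           = $name
            Resolvable        = [bool]$name
            DistinguishedName = $_.DistinguishedName
            MemberOf          = @($_.memberOf)
        }
    }

# An unresolvable SID means either the source account was deleted or the trust to
# its domain is currently unreachable; confirm the trusts are up before treating
# these as orphans.
$orphans = $report | Where-Object { -not $_.Resolvable }
$orphans |
    Select-Object SID, DistinguishedName, @{n='Groups'; e={ $_.MemberOf -join '; ' }} |
    Format-Table -AutoSize

# Save the DNs for review (a later dsrm loop, as in the answer, can read this file).
$orphans | Select-Object -ExpandProperty DistinguishedName |
    Set-Content -Path .\orphaned-fsps.txt

# Deleting the FSP object removes it from every group it is a member of at once.
# Dry run first; drop -WhatIf once the list has been reviewed.
$orphans | ForEach-Object {
    Remove-ADObject -Identity $_.DistinguishedName -Confirm:$false -WhatIf
}
```

Check trust health (for example with `nltest /domain_trusts`) before deleting anything: a SID from a trusted domain whose domain controllers are temporarily unreachable fails to translate exactly like a deleted account does, and removing its FSP silently strips a still-valid user from your groups.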