It's not uncommon to see entries in Windows ACLs (NTFS files/folders, registry, AD objects, etc.) with the name "Account Unknown (SID)". Obviously these are because of old AD users or groups which at some point had permissions manually configured on the relevant object and have since been deleted.
Does anyone know if it is safe to remove these "Account Unknown" ACEs?
My gut feeling is that it should be just fine, but I'm wondering if anyone has any past experiences where doing this has caused trouble?
Normally I just ignore these, but the company I'm working at now seems to have an abnormal number of these, most likely due to past admins' inexperience with AD/Windows and assigning permissions to user accounts rather than groups in all sorts of weird places.
FWIW, our environment is not complex, a single domain forest, 4 DCs in 3 sites, with all network connectivity and replication healthy, so I'm certain that these "Account Unknown" entries are really old accounts, and not just because of some failure to resolve the SID to a human-readable name.
Best Answer
As long as you have no connectivity problems, yes, it's safe to delete them. Do be careful because Windows will show "Account Unknown" if it can't connect to AD, or if you have multiple domains it might take a few moments to cross the domain boundaries, etc.