
Thread: find user info based on SID

  1. #1
    OM Guest

    find user info based on SID

    Hi,

    We noticed that the ACL on some share folders has SID entries instead of
    object names and it looks like those SIDs belong to the domain. Can
    someone advise how I can find out the actual object name based on those
    SID no.?

    Thanks

  2. #2
    Dusko Savatovic Guest

    Re: find user info based on SID

    This is the common side effect when permission has been granted to the user
    account and that user account has subsequently been deleted. This can also
    be the case if the computer with the resource is not able to "map" SID to
    account name (again, because it does not exist, i.e. account deleted, or the
    computer does not have the right to do a lookup in the domain, i.e. computer
    account disjoined from domain or some other problem preventing lookup like
    global catalog inaccessible).

    I would assume that it is safe to delete unused SIDs from the resource's ACL.
    You do know who has the right to access resource, don't you?

    For the best practice, use A-G-DL-P strategy. For the shared resource, add
    Account (A) to global group (G). Add (G) to Domain Local group (DL). On the
    resource, assign permission (P) to the (DL).


    "OM" <om@discussions.microsoft.com> wrote in message
    news:uLp2u0LUJHA.5376@TK2MSFTNGP02.phx.gbl...
    > Hi,
    >
    > We noticed that the ACL on some share folders has SID entries instead of
    > object names and it looks like those SIDs belong to the domain. Can
    > someone advise how I can find out the actual object name based on those
    > SID no.?
    >
    > Thanks



  3. #3
    OM Guest

    Re: find user info based on SID

    Thanks,

    I would also like to find out who that SID belongs to originally. Does
    AD keep a history of the SID which can be looked up?



    Dusko Savatovic wrote:
    > This is the common side effect when permission has been granted to the
    > user account and that user account has subsequently been deleted. This
    > can also be the case if the computer with the resource is not able to
    > "map" SID to account name (again, because it does not exist, i.e. account
    > deleted, or the computer does not have the right to do a lookup in the
    > domain, i.e. computer account disjoined from domain or some other
    > problem preventing lookup like global catalog inaccessible).
    >
    > I would assume that it is safe to delete unused SIDs from the resource's
    > ACL. You do know who has the right to access resource, don't you?
    >
    > For the best practice, use A-G-DL-P strategy. For the shared resource,
    > add Account (A) to global group (G). Add (G) to Domain Local group (DL).
    > On the resource, assign permission (P) to the (DL).
    >
    >
    > "OM" <om@discussions.microsoft.com> wrote in message
    > news:uLp2u0LUJHA.5376@TK2MSFTNGP02.phx.gbl...
    >> Hi,
    >>
    >> We noticed that the ACL on some share folders has SID entries instead
    >> of object names and it looks like those SIDs belong to the domain. Can
    >> someone advise how I can find out the actual object name based on
    >> those SID no.?
    >>
    >> Thanks

  4. #4
    Dusko Savatovic Guest

    Re: find user info based on SID


    "OM" <om@discussions.microsoft.com> wrote in message
    news:OvB%231iMUJHA.5200@TK2MSFTNGP05.phx.gbl...
    > Thanks,
    >
    > I would also like to find out who that SID belongs to originally. Does AD
    > keep a history of the SID which can be looked up?


    No, AD does not keep (direct) history of used SIDs. However, objects do not
    get deleted from AD immediately. Instead, they are marked as tombstoned.
    When the tombstone period (three months by default) expires, the deleted
    objects are purged from AD. So there's still a chance to find deleted
    objects in AD. It would involve some "dumpster diving".


  5. #5
    Meinolf Weber Guest

    Re: find user info based on SID

    Hello OM,

    These old SIDs normally are deleted accounts and they are removed from the
    database after the tombstone lifetime. With this you can maybe find it:
    http://www.joeware.net/freetools/too...name/index.htm

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


    > Hi,
    >
    > We noticed that the ACL on some share folders has SID entries instead
    > of object names and it looks like those SIDs belong to the domain. Can
    > someone advise how I can find out the actual object name based on
    > those SID no.?
    >
    > Thanks
    >
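
The checks discussed in posts #2 and #4, as an added example that is not part of the original thread: list the unresolved SIDs on a folder's ACL, retry the SID-to-name lookup, and if that fails search AD including tombstoned objects. It assumes the RSAT ActiveDirectory module is installed; the share path and the function name Resolve-OrphanSid are placeholders chosen for this example.

```powershell
# Added example, not from the thread. $Path is a placeholder share path.
param([string]$Path = '\\fileserver\share')

Import-Module ActiveDirectory   # RSAT module, used for the deleted-object search

function Resolve-OrphanSid {
    param([Parameter(Mandatory)][string]$Sid)

    $result = [ordered]@{ Sid = $Sid; Status = 'Unknown'; Name = $null
                          LastKnownParent = $null; WhenChanged = $null }
    try {
        # The same SID-to-name lookup the ACL editor performs.
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $result.Name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        $result.Status = 'Resolved'
        return [pscustomobject]$result
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # No account maps to this SID from this machine; ask AD directly below.
    }

    # objectSid and sAMAccountName stay on a tombstone until the tombstone
    # lifetime expires, so a deleted account can still be identified.
    $obj = Get-ADObject -Filter "objectSid -eq '$Sid'" -IncludeDeletedObjects `
               -Properties isDeleted, sAMAccountName, lastKnownParent, whenChanged |
           Select-Object -First 1
    if ($obj) {
        $result.Name            = $obj.sAMAccountName
        $result.LastKnownParent = $obj.lastKnownParent
        $result.WhenChanged     = $obj.whenChanged
        $result.Status = if ($obj.isDeleted) { 'Deleted (tombstone found)' }
                         else { 'Exists in AD; local lookup failed' }
    } else {
        $result.Status = 'Not found (purged, or SID from another domain)'
    }
    [pscustomobject]$result
}

# ACEs that Get-Acl could not translate keep the raw SID string as IdentityReference.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique |
    ForEach-Object { Resolve-OrphanSid -Sid $_ } |
    Format-Table -AutoSize
```

The script only reports; it does not change the ACL. Reading the Deleted Objects container needs sufficient rights in the domain, which by default means a domain administrator account.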



