Finding Unknown user by its SID

  • Finding Unknown user by its SID

    Hello, I just picked up Hyena and need to find what user has a particular SID. On various directories' security tabs I can see an "Unknown user" and its SID. Is there a way to have Hyena show me everything it can find on a particular SID?

  • #2
    Re: Finding Unknown user by its SID

    Unknown user indicates that the group or user that had been added to the ACL for this file or directory has been deleted. Windows does not remove these entries from files when you delete users/groups. To remove this entry you can view the file or directory from Hyena, then click OK to have it resave the ACL without the missing entry.



    • #3
      Re: Finding Unknown user by its SID

      Thanks.
      So there is no harm in removing these "unknown" user file, share and directory ACL entries? It is safe to delete them anywhere I see them?

      Thanks



      • #4
        Re: Finding Unknown user by its SID

        Yes, just delete them, as the account no longer exists. Caution: if you are on a slow network, the domain controller is slow to respond, or you have a lot of ACLs on that file, it may take up to a minute or so to resolve.



        • #5
          Re: Finding Unknown user by its SID

          I would think that it should be rare that you are seeing very many of these. Windows does not generally show these entries for deleted accounts, as it knows they have been deleted. Be careful when you remove them if they might belong to a domain that is not currently operational or for which a trust relationship has failed.
          Kevin Stanush
          SystemTools Software Inc.



          • #6
            Re: Finding Unknown user by its SID

            Appreciate the info. We have only one domain so there are no trust issues, and I'm referring to unknown user entries that I've seen for a couple of months but have not done anything about yet.

            Thanks again!



            • #7
              Re: Finding Unknown user by its SID

              Kevin, I have seen this on 2000 file servers but can't recall seeing it on 2003. Most likely the new OS cleans up if the account was deleted?



              • #8
                Re: Finding Unknown user by its SID

                You should never (technically) see this due to a deleted account. The SID entries are there, but the name comes back as SID_TYPE_DELETED, so an application can choose to not display them. This is what Hyena does for share and security ACLs when it displays them. I think what Windows does internally is retain the old SIDs for deleted groups and users so that it will know that they are no longer valid. That is why a user/group always gets a new SID and it can't be re-used.

                But, if a remote computer system is down, the entries become orphaned and you will see the unknown account. If the raw SID can be determined, it would be just a matter of determining what computer the SID is coming from.
                Kevin Stanush
                SystemTools Software Inc.



                • #9
                  Re: Finding Unknown user by its SID

                  Just a note, as we're experiencing this a lot around here:

                  Beware that usernames with SIDs after them may be residual from a migration from one domain to the next. If a SID History cleanup isn't run on the systems in the new domain before the old domain is taken down and the trust broken, you will end up with a lot of these. They may look like duplicates when viewing them in a Hyena right pane display and a Hyena native Security dialog box (and therefore it is impossible to determine which ones to delete), but when viewing them in the Computer Management MMC or a default NTFS Security dialog box, the SID shows up after the name and it can be determined which to remove.

                  As stated before, this is a direct result of SID history on the user and group objects in the new AD.

                  I've been tweaking Microsoft's VBScript that will remove the SID History attribute from users, and trying to make a tool out of it. I'll try to post once complete.

                  Joel



                  • #10
                    Re: Finding Unknown user by its SID

                    Well, that didn't take as long as I thought it would...

                    But I have a minor issue to make this work perfectly.

                    I need to know what %E% equals when right clicking on a group: the AD Directory Attribute of "name", "sAMAccountName" or "displayName"?

                    Same thing with a user. What Directory Attribute is passed?

                    Thanks!

                    Joel



                    • #11
                      Re: Finding Unknown user by its SID

                      I noticed that there's a difference in the Directory Attribute that's passed depending on where you select the item (left pane or right pane).

                      My tests show that when I select the left pane, the CN or NAME is passed. But the right pane click results in either the DISPLAYNAME or SAMACCOUNTNAME.

                      What's up with that?



                      • #12
                        Re: Finding Unknown user by its SID

                        Which item gets returned depends on the version and what is displayed, but this is something I can't change for backward compatibility. If you use the %C?% variable, however, you will have a predictable item returned. In the left window, %C1% should return the display element that you see (not including the comment in parentheses).
                        Kevin Stanush
                        SystemTools Software Inc.



                        • #13
                          Re: Finding Unknown user by its SID

                          Well, here's what I've got. It works GREAT in our environment, and since I'm sure the most benefit of this would be to be able to select multiple objects at the same time, I've focused on the results returned from the right-pane (using 6.5 Beta B).

                          ******* Script starts here ************
                          '==========================================================================
                          '
                          ' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 3.1
                          '
                          ' NAME: RemoveSIDHistory.vbs
                          '
                          ' AUTHOR: Joel Thoreson
                          ' DATE : 7/26/2005
                          '
                          ' COMMENT: Script to remove SID History from user and group objects
                          ' by providing an argument (the AD Name of the object)
                          '
                          ' This is a simplified version of Microsoft's script. The original is
                          ' located at: http://support.microsoft.com/default...b;en-us;295758
                          '
                          ' This script has been customized to be used with Hyena from SystemTools.
                          ' When incorporating this into Hyena's tools, be aware of the argument that
                          ' is provided by Hyena to the script.
                          '
                          '==========================================================================
                          Option Explicit
                          Const ADS_PROPERTY_DELETE = 4

                          Dim strDomainNC, oConnection, varArgs, i, strArgs, ret, strFilter, strQuery, oRecordSet

                          Dim WshShell : Set WshShell = WScript.CreateObject("WScript.Shell")
                          ' Find the domain naming context
                          Dim oRootDSE : Set oRootDSE = GetObject("LDAP://RootDSE")
                          strDomainNC = oRootDSE.Get("defaultNamingContext")
                          Set oRootDSE = Nothing

                          ' Set up the ADO connection
                          Set oConnection = CreateObject("ADODB.Connection")
                          oConnection.Provider = "ADsDSOObject"
                          oConnection.Open "ADs Provider"

                          ' Get the script's arguments
                          Set varArgs = WScript.Arguments
                          'WScript.Echo varArgs.Count
                          If varArgs.Count = 0 Then
                              WshShell.Popup "Usage: RemoveSIDHistory.vbs <object name>", 5, "No object name given"
                              WScript.Quit(1)
                          ElseIf varArgs.Count > 1 Then
                              ' If the name of the object contains spaces, it arrives as several
                              ' arguments; this joins them back together
                              For i = 0 To varArgs.Count - 1
                                  'WScript.Echo i & VbCrLf & varArgs(i)
                                  strArgs = strArgs & " " & varArgs(i)
                              Next
                          Else
                              strArgs = varArgs(0)
                          End If

                          ' Needed to trim the leading space if there were spaces in the object's name (and good practice anyway)
                          strArgs = Trim(strArgs)

                          ' Needed just in case the parameter passed includes the domain (DOMAIN\name):
                          ' keep only the part after the backslash
                          If InStr(strArgs, "\") > 0 Then
                              strArgs = Mid(strArgs, InStr(strArgs, "\") + 1)
                          End If

                          ' Confirm whether it's a User or Group object and set the filter string
                          ' (35 = vbYesNoCancel + vbQuestion; 6 = vbYes, 7 = vbNo)
                          ret = MsgBox("Is """ & strArgs & """ a User <YES> or Group <NO>?", 35, "Select whether this is a User or Group")
                          Select Case ret
                              Case 6
                                  strFilter = "(&(sAMAccountName=" & strArgs & ")(objectCategory=Person)(objectClass=User))"
                              Case 7
                                  strFilter = "(&(name=" & strArgs & ")(objectCategory=Group)(objectClass=Group))"
                              Case Else
                                  WScript.Quit
                          End Select

                          ' Establish the query string
                          strQuery = "<LDAP://" & strDomainNC & ">;" & strFilter & ";distinguishedName,objectClass,name,sIDHistory;subtree"

                          ' Execute the query
                          Set oRecordSet = oConnection.Execute(strQuery)
                          If oRecordSet.EOF Then
                              WshShell.Popup strArgs & " was not found", 3, "Object NOT Found!!"
                              WScript.Quit(0)
                          Else
                              Dim vClasses, strClass, oDirObject, vArray, vSid

                              WshShell.Popup "The object " & strArgs & " was found.", 3, "Object Found"

                              'On Error Resume Next

                              ' Iterate through the objects that match the filter
                              While Not oRecordSet.EOF
                                  vClasses = oRecordSet.Fields("objectClass").Value
                                  strClass = vClasses(UBound(vClasses))   ' most specific class (user or group)

                                  If IsNull(oRecordSet.Fields("sIDHistory").Value) Then
                                      WshShell.Popup "This object does not have a sidHistory", 5, "No SID History to clear!"
                                  Else
                                      Set oDirObject = GetObject("LDAP://" & oRecordSet.Fields("distinguishedName").Value)
                                      ' sIDHistory is multi-valued (one binary SID per former account);
                                      ' remove each value in turn
                                      vArray = oDirObject.GetEx("sIDHistory")
                                      For Each vSid In vArray
                                          oDirObject.PutEx ADS_PROPERTY_DELETE, "sIDHistory", Array(vSid)
                                          oDirObject.SetInfo
                                      Next
                                      WshShell.Popup "The sidHistory has been cleared for this object!", 5, "Success!!"
                                  End If
                                  oRecordSet.MoveNext
                              Wend
                          End If

                          ' Clean up
                          Set oRecordSet = Nothing
                          Set oConnection = Nothing
                          ******** Script end here *********

                          Hope this helps!

                          Joel

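As an added example (not part of this thread, of Hyena, or of Microsoft's script), the following decodes the binary SIDs that the script's GetEx("sIDHistory") returns and the raw SIDs Kevin refers to in #8, and attributes each one to a domain so you can tell a deleted account in your own domain from migration residue or an orphaned SID from an unreachable domain before deleting it. The domain SIDs and the OLDCORP name are constructed placeholders.

```python
import struct

# Constructed sample SIDs (not from the thread): the domain the forest lives in now
# and the old domain accounts were migrated from before its trust was broken (#9).
CURRENT_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_DOMAIN_SIDS = {"S-1-5-21-987654321-123456789-555555555": "OLDCORP (decommissioned)"}


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID, the form sIDHistory holds and GetEx("sIDHistory") returns.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then `count` uint32 sub-authorities, little-endian.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def string_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_string; used here to build the constructed sample values."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def classify(sid: str) -> str:
    """Say where an unresolvable SID in an ACL or sIDHistory value comes from."""
    domain, _, rid = sid.rpartition("-")
    if domain == CURRENT_DOMAIN_SID:
        # Own domain: the name only fails to resolve when the account was deleted (#2, #8).
        return "current domain, RID %s: deleted account" % rid
    if domain in OLD_DOMAIN_SIDS:
        return "%s, RID %s: migration residue" % (OLD_DOMAIN_SIDS[domain], rid)
    if sid.startswith("S-1-5-21-"):
        # Domain or machine SID we do not know: issuer down or trust gone (#5, #8).
        return "unrecognised domain or machine SID: orphaned, identify issuer before deleting"
    if sid.startswith("S-1-5-32-"):
        return "BUILTIN group"
    return "well-known or non-domain authority"


if __name__ == "__main__":
    # Constructed sIDHistory value: RID 1105 from the old domain, in binary form.
    raw = string_to_sid("S-1-5-21-987654321-123456789-555555555-1105")
    print(sid_to_string(raw), "->", classify(sid_to_string(raw)))
```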
