? Mystery SID ?

[xjbone]

What is the best tool/ method of discovering, identifying and deleting orphaned SID's from AD?

While broswing account permissions on my Exchange mailboxes, I noticed the permissions of EVERY mailbox had a rogue account listed with Full Access- nothing listed but a SID.

I want to get rid of this ASAP, both because it's a security risk, and it's polluting my AD.

Thanks.

 

[porkchopexpress]

Did you have any trusts that have been broken?

You can use this tool to try and resolve the SID to an account name.

http://www.petri.co.il/obj_sid.htm

 

[xjbone]

I tried the above tool, but it could not resolve the SID to a name. Any other ideas?

 

[porkchopexpress]

I don't know an awfull lot about Exchange so it might be worth posting in the Exxhange forum forum955, it looks like an account that had access to all of the mailboxes has been removed so Exchange can no longer resolve it.

You didn't say if you had any trusts in the past.

 

[xjbone]

Yes, there was a temporary trust in place that has since been removed.

 

[porkchopexpress]

If you have access to the other domain still then run Obj/Sid there and see if it finds the account, my guess is that is was a user account from the trusted domain that can no longer be found now the trust is gone.

 

[xjbone]

OK, I fired up the old DC (the trusting domain), which is now offline, but that still didn't identify the SID.

However, I did discover that the SID in question it the Local Admin account of the Exchange server. Once I completely removed this security account from the Exchange database itself, my mystery SID disappeared from every mailbox.

Thanks for the help!

 

[porkchopexpress]

Nice one.