Remove orphaned SID permissions from a mailbox
How to remove orphaned SID permissions from a mailbox? Sometimes the object is removed, but the orphaned SID remains in the Security tab. In this article, you will learn what a SID is, whether it is safe to remove an orphaned SID, and how to remove an orphaned SID from a mailbox.
What is a SID?
SID stands for security identifier. It is a unique number used to identify user, group, and computer accounts in Windows. A SID is created when the account is first created in Windows, and it is never reused.
Check orphaned SID mailbox in ADUC
Start Active Directory Users and Computers (ADUC). Make sure to enable Advanced Features in the Action panel. Search for the user object and double-click it to open its properties. Open the Access Control List by clicking the Security tab. Check whether any Account Unknown (S-1-5-21...) entries are showing. These are orphaned SID accounts: no name is shown because the user or security group has already been deleted. We call them orphaned SIDs.
Remove or keep orphaned SID
A SID becomes orphaned when used in an ACL (Access Control List) entry, but the corresponding object (computer, user, or group) no longer exists in Windows. This indicates that the specified SID can no longer be translated to a user or group.
When doing a security audit, it is far more useful to report only valid accounts. To keep permissions organized and clean, we recommend removing orphaned SIDs. Orphaned SIDs can also cause permission issues.
Remove orphaned SID in ADUC
Start Active Directory Users and Computers and enable Advanced Features.
Find the user object and double-click it to open its properties. Click the Security tab. Look for the Account Unknown (S-1-5-21...) entries. Select an Account Unknown (S-1-5-21) entry and click Remove. Click OK when finished.
Note: You can only click one user at a time to remove it.
It is also possible that you only see the SID (S-1-5-21...) without the Account Unknown label.
What to do if you have a lot of orphaned SID accounts (S-1-5-21) showing? PowerShell to the rescue.
Remove orphaned SID with PowerShell
Run Exchange Management Shell as administrator and list all the orphaned SID accounts on the mailbox.
[PS] C:\>Get-ADPermission -Identity "Christopher Payne" | ?{$_.user -like "S-1-5-21*"} | Format-Table User
User
----
S-1-5-21-1938637243-4146217999-3199856483-1119
S-1-5-21-1938637243-4146217999-3199856483-1269
S-1-5-21-1938637243-4146217999-3199856483-1121
Delete the orphaned accounts. Confirm with A and press Enter.
[PS] C:\>Get-ADPermission -Identity "Christopher Payne" | ?{$_.user -like "S-1-5-21*"} | Remove-ADPermission
Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "exoip.local/Company/Users/HR/Christopher Payne" for user
"S-1-5-21-1938637243-4146217999-3199856483-1119" with access rights "'WriteProperty'".
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): A
Go to ADUC and open the mailbox properties. Go to the tab Security and verify that you no longer see an orphaned SID account.
You removed the orphaned SID account successfully.
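As an added example (not the article's own command), the following PowerShell helper confirms that each S-1-5-21 entry really no longer translates to an account before removing it, skips inherited entries (which Remove-ADPermission cannot remove from the child object), and supports -WhatIf for a dry run. It assumes the Exchange Management Shell is loaded and uses the article's mailbox name only as a placeholder.

```powershell
# Added example: audit and remove orphaned SIDs on one or more mailboxes.
# Assumes Get-ADPermission / Remove-ADPermission from the Exchange Management Shell.

function Test-OrphanedSid {
    param([Parameter(Mandatory)][string]$Account)
    # Only account-domain SIDs (S-1-5-21-...) are candidates; a resolved name
    # such as DOMAIN\user or a well-known SID is never treated as orphaned.
    if ($Account -notmatch '^S-1-5-21-') { return $false }
    try {
        # If the SID still translates to an NT account name, it is not orphaned.
        $sid = [System.Security.Principal.SecurityIdentifier]$Account
        $null = $sid.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch {
        # Translation failed: the account behind the SID no longer exists.
        return $true
    }
}

function Remove-OrphanedMailboxSid {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Identity)
    process {
        $orphaned = Get-ADPermission -Identity $Identity |
            Where-Object { Test-OrphanedSid -Account $_.User.ToString() }

        foreach ($ace in $orphaned) {
            if ($ace.IsInherited) {
                # Inherited ACEs cannot be removed here; clean them up on the
                # parent container instead of disabling inheritance on the user.
                Write-Warning "$Identity : inherited entry for $($ace.User) skipped (fix on parent)"
                continue
            }
            $action = "Remove $($ace.AccessRights) for $($ace.User)"
            if ($PSCmdlet.ShouldProcess($Identity, $action)) {
                # Pipe the ACE back, exactly as the article does, with no prompt per entry.
                $ace | Remove-ADPermission -Confirm:$false
            }
        }
    }
}

# Dry run first: -WhatIf reports what would be removed without changing anything.
'Christopher Payne' | Remove-OrphanedMailboxSid -WhatIf
# Then run for real, optionally for many mailboxes at once:
# Get-Mailbox -ResultSize Unlimited | Select-Object -ExpandProperty Name | Remove-OrphanedMailboxSid
```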
Read more: Remove orphaned SIDs with PowerShell
Conclusion
You learned what these SID S-1-5-21 accounts are and how to remove orphaned SID permissions from a mailbox. You can delete orphaned SID permissions from Active Directory Users and Computers (ADUC) or with PowerShell.
Hi Ali,
Thanks for the script. It is working fine in our Dev\Test setup.
However, in Production I am getting an error.
The script failed due to Call Depth Overflow
CategoryInfo : Invalid Operations: (0:Int32) [] ParentContainsErrorRecordException
FullyQualifiedErrorId : CallDepthOverflow.
Can you please help me on this. Thanks in advance.
How do I remove a SID if I get an error that we cannot delete due to the object inheriting permissions from its parent… to remove, turn off option for inheriting permissions. This is on an Administrator account
Dear Ali
How do I use the command to delete all orphaned/unknown SIDs from the whole Active Directory [in a single domain]?
Thanks
You can use a PowerShell script to accomplish that task. Read more in the article: Remove orphaned SIDs with PowerShell.
Just what I need. I Love the content.