
Remove orphaned SID permissions from a mailbox

How do you remove orphaned SID permissions from a mailbox? Sometimes the object is deleted, but its orphaned SID remains in the Security tab. In this article, you will learn what a SID is, whether it is safe to remove an orphaned SID, and how to remove an orphaned SID from a mailbox.

What is a SID?

SID stands for security identifier, and every SID is unique. It is a number that Windows uses to identify user, group, and computer accounts. A SID is created when the account is first created in Windows, and it is never reused, even after the account is deleted.

Check orphaned SID mailbox in ADUC

Start Active Directory Users and Computers (ADUC). Make sure to enable Advanced Features in the View menu, otherwise the Security tab is not shown. Search for the user object and double-click it to open its properties. Open the Access Control List by clicking the Security tab. Check whether you have entries named Account Unknown (S-1-5-21-...) showing. These are orphaned SID accounts: you don't see a name because the user or security group has already been deleted, so Windows can no longer translate the SID to a name.

Remove or keep orphaned SID

A SID becomes orphaned when used in an ACL (Access Control List) entry, but the corresponding object (computer, user, or group) no longer exists in Windows. This indicates that the specified SID can no longer be translated to a user or group.

When doing a security audit, it is always more interesting to report only valid accounts! To keep it organized and clean, we recommend removing the orphaned SID. Also, you can get permission issues when there are orphaned SIDs.

Remove orphaned SID in ADUC

Start Active Directory Users and Computers and enable Advanced Features.

Screenshot: ADUC with Advanced Features enabled

Find the user object and double-click on it to open its properties. Click the Security tab. Look for the S-1-5-21 accounts. Select the Account Unknown (S-1-5-21-...) entry. Click Remove. Click OK when finished.

Note: You can only select and remove one entry at a time.

It is also possible that you only see the SID S-1-5-21-... without the Account Unknown prefix. It is the same situation: the SID can no longer be resolved.

Screenshot: ADUC Security tab showing an orphaned SID entry

What do you do if you have a lot of orphaned SID accounts (S-1-5-21) showing? PowerShell to the rescue.

Remove orphaned SID with PowerShell

Run Exchange Management Shell as administrator. List all the orphaned SID accounts on the mailbox by filtering the permission entries whose User value is a raw domain SID.

[PS] C:\>Get-ADPermission -Identity "Christopher Payne" | ?{$_.user -like "S-1-5-21*"} | Format-Table User

User
----
S-1-5-21-1938637243-4146217999-3199856483-1119
S-1-5-21-1938637243-4146217999-3199856483-1269
S-1-5-21-1938637243-4146217999-3199856483-1121

Delete the orphaned entries. Remove-ADPermission prompts for each entry; confirm all of them with A and press Enter. Run the first command again before removing if you want to double-check the list, because the removal is not reversible from the shell.

[PS] C:\>Get-ADPermission -Identity "Christopher Payne" | ?{$_.user -like "S-1-5-21*"} | Remove-ADPermission

Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "exoip.local/Company/Users/HR/Christopher Payne" for user
"S-1-5-21-1938637243-4146217999-3199856483-1119" with access rights "'WriteProperty'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): A

Go to ADUC and open the mailbox properties. Go to the Security tab and verify that you no longer see an orphaned SID account.

Screenshot: ADUC Security tab after the orphaned accounts were removed

You have removed the orphaned SID accounts successfully.
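To do the listing, verification and removal in one step with a preview option, here is an added example that is not part of the original article. The function name Remove-OrphanedMailboxSid and the backup path are my own; the cmdlets are the Exchange ones used above. It skips inherited entries (Remove-ADPermission cannot remove those; fix them on the parent container) and only removes a SID after checking that Windows really cannot translate it to an account.

```powershell
# Added example (not from the original article): list, verify and remove orphaned
# SID entries from one mailbox's AD ACL. Run in the Exchange Management Shell.
function Remove-OrphanedMailboxSid {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]$Identity,
        # Assumed path for the pre-removal record of the entries we touch.
        [string]$BackupPath = "$env:TEMP\orphaned-sid-backup.csv"
    )

    # Only explicit (non-inherited) entries whose trustee is a raw domain SID.
    $candidates = Get-ADPermission -Identity $Identity |
        Where-Object { -not $_.IsInherited -and "$($_.User)" -like 'S-1-5-21-*' }

    $orphaned = foreach ($ace in $candidates) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ("$($ace.User)")
        try {
            # If the SID still resolves, the account exists and Exchange simply could
            # not display a name for it; leave that entry alone.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            Write-Warning "Keeping $sid : it still resolves to $name"
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $ace   # genuinely orphaned: no account with this SID exists anymore
        }
    }

    if (-not $orphaned) { Write-Verbose "No orphaned SIDs on $Identity"; return }

    # Record what is about to change so there is an audit trail of the removal.
    $orphaned | Select-Object Identity, User, AccessRights, ExtendedRights, Deny |
        Export-Csv -Path $BackupPath -NoTypeInformation -Append

    foreach ($ace in $orphaned) {
        $what = "Remove ACE for $($ace.User) ($($ace.AccessRights -join ','))"
        if ($PSCmdlet.ShouldProcess($Identity, $what)) {
            $ace | Remove-ADPermission -Confirm:$false
        }
    }
}

# Preview first with -WhatIf, then run for real:
# Remove-OrphanedMailboxSid -Identity "Christopher Payne" -WhatIf
# Remove-OrphanedMailboxSid -Identity "Christopher Payne"
```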

Read more: Remove orphaned SIDs with PowerShell »

Conclusion

You learned what these SID S-1-5-21 accounts are and how to remove orphaned SID permissions from a mailbox. Delete orphaned SID permissions from Active Directory Users and Computers (ADUC) or with PowerShell.

Did you enjoy this article? You may also like List all users in a Security Group through PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 5 Comments

  1. Hi Ali,

    Thanks for the script. It is working fine in our Dev\Test setup.

    However, in Production I am getting an error.
    The script failed due to Call Depth Overflow
    Category Info : Invalid Operations: (0:Int32) [] ParentContainsErrorRecordException
    FullyQualifiedErrorId : CallDepthOverflow.

    Can you please help me on this. Thanks in advance.

  2. How do I remove a SID if I get an error that we cannot delete due to the object inheriting permissions from its parent… to remove, turn off option for inheriting permissions. This is on an Administrator account

  3. Dear Ali
    How do I use the command to delete all orphaned/unknown SIDs from the whole Active Directory [in a single domain]?
    Thanks
