
Remove orphaned SID permissions from a mailbox

How do you remove orphaned SID permissions from a mailbox? When a user or group is deleted, its SID sometimes remains in the mailbox's access control list and shows up under the Security tab. In this article, you will learn what a SID is, whether it is safe to remove an orphaned SID, and how to remove orphaned SIDs from a mailbox.

What is a SID?

SID stands for security identifier. It is a number that identifies user, group, and computer accounts in Windows. A SID is created when the account is first created, and no two SIDs on a computer are ever the same. The term security ID is sometimes used in place of SID or security identifier.

Check orphaned SID mailbox in ADUC

Start Active Directory Users and Computers (ADUC) and make sure Advanced Features is enabled in the Action panel. Search for the user object and double-click it to open its properties. Open the access control list by clicking the Security tab. Check whether you see Account Unknown (S-1-5-21) entries. These are orphaned SID accounts: no name is shown because the user or security group has already been deleted. We call them orphaned SIDs.
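The "Account Unknown" label means the SID in the ACE can no longer be resolved to an account. The following added example (not code from the original article) performs that resolution test in PowerShell for one user object: it reads the object's ACL through the AD: drive, keeps only domain SIDs (S-1-5-21-*), and reports those that fail to translate. It assumes the ActiveDirectory module (RSAT) is installed; the sAMAccountName in the usage line is an assumed placeholder.

```powershell
# Added example (not from the original article). Tests each ACE on a user
# object's ACL to see whether the trustee SID still resolves to an account;
# an unresolvable S-1-5-21-* SID is what ADUC shows as "Account Unknown".
# Assumes the ActiveDirectory module (RSAT) and the AD: PSDrive it creates.
Import-Module ActiveDirectory

function Get-OrphanedSidAce {
    param([Parameter(Mandatory)][string] $Identity)   # sAMAccountName, DN, GUID or SID

    $user = Get-ADUser -Identity $Identity -ErrorAction Stop
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        $ref = $ace.IdentityReference
        # A resolved trustee shows as DOMAIN\Name; an unresolved one is still the
        # raw SID string. Only domain SIDs (S-1-5-21-...) can be orphaned by
        # deleting an account; well-known SIDs such as BUILTIN\Administrators
        # always resolve, so they are skipped here.
        if ($ref.Value -notlike 'S-1-5-21-*') { continue }

        $sid = [System.Security.Principal.SecurityIdentifier] $ref.Value
        try {
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            [pscustomobject]@{
                Object    = $user.DistinguishedName
                Sid       = $sid.Value
                Rights    = $ace.ActiveDirectoryRights
                Type      = $ace.AccessControlType
                # An inherited ACE cannot be removed on the user object itself;
                # it has to be cleaned up on the parent OU or container.
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (elevated PowerShell with RSAT; the account name is an assumed placeholder):
# Get-OrphanedSidAce -Identity 'christopher.payne' | Format-Table -AutoSize
```

The Inherited column is worth checking before removing anything: an entry that is inherited from the OU will reappear on the user object until it is removed on the parent.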

Remove or keep orphaned SID

When auditing security, a report that lists only valid accounts is far more useful. To keep the ACL organized and clean, I recommend removing the orphaned SIDs.

Remove orphaned SID through ADUC

Start ADUC and enable Advanced Features.

[Figure: ADUC with Advanced Features enabled]

Find the user object and double-click it to open the properties. Click the Security tab. Look for the S-1-5-21 entries and select the Account Unknown (S-1-5-21) account. It is also possible that you only see the SID S-1-5-21 without Account Unknown. Click Remove. You can remove only one entry at a time. Click OK when finished.

[Figure: Removing an orphaned SID on the Security tab in ADUC]

What to do if you have a lot of orphaned SID accounts (S-1-5-21) showing? PowerShell to the rescue.

Remove orphaned SID through PowerShell

Run Exchange Management Shell as administrator and list all the orphaned SID accounts on the mailbox.

[PS] C:\>Get-ADPermission -Identity "Christopher Payne" | ?{$_.user -like "S-1-5-21*"} | Format-Table User


Run the cmdlet to delete the orphaned accounts. Confirm with A and press Enter.

[PS] C:\>Get-ADPermission -Identity "Christopher Payne" | ?{$_.user -like "S-1-5-21*"} | Remove-ADPermission

Are you sure you want to perform this action?
Removing Active Directory permission "exoip.local/Company/Users/HR/Christopher Payne" for user
"S-1-5-21-1938637243-4146217999-3199856483-1119" with access rights "'WriteProperty'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): A

The orphaned SID accounts are removed. Go to ADUC, open the mailbox properties, and on the Security tab verify that no orphaned SID account is shown anymore.
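The two cmdlets above handle one mailbox at a time. The following added example (not code from the original article) extends the same Get-ADPermission / Remove-ADPermission pipeline to every mailbox: it writes a CSV report for review first, supports -WhatIf for a dry run, and removes entries only when -Remove is given. It assumes the Exchange Management Shell; the report path is an assumed default.

```powershell
# Added example (not from the original article). Audits every mailbox for
# ACEs whose trustee is an unresolved S-1-5-21-* SID, writes a CSV report for
# review, and removes them only when -Remove is given. Assumes the Exchange
# Management Shell (Get-Mailbox, Get-ADPermission, Remove-ADPermission).
function Invoke-OrphanedSidCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed default location; change to suit your environment.
        [string] $ReportPath = "$env:TEMP\orphaned-sid-permissions.csv",
        [switch] $Remove
    )

    # Collect the raw permission entries. Inherited ACEs are skipped because
    # they cannot be removed on the mailbox object; fix them on the parent OU.
    $orphans = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object { $_.User -like 'S-1-5-21-*' -and -not $_.IsInherited }
    }

    # Report before changing anything, so the removal can be reviewed and audited.
    $orphans |
        Select-Object Identity,
                      @{ n = 'User';         e = { $_.User.ToString() } },
                      @{ n = 'AccessRights'; e = { $_.AccessRights -join ',' } },
                      Deny |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Found $(@($orphans).Count) orphaned ACE(s); report written to $ReportPath"

    if ($Remove) {
        foreach ($ace in $orphans) {
            if ($PSCmdlet.ShouldProcess("$($ace.Identity) / $($ace.User)", 'Remove-ADPermission')) {
                # Piping the original entry removes exactly that ACE, as in the
                # single-mailbox command above; -Confirm:$false suppresses the
                # per-entry prompt because ShouldProcess already gates the call.
                $ace | Remove-ADPermission -Confirm:$false
            }
        }
    }
}

# Review first, rehearse with -WhatIf, then apply:
# Invoke-OrphanedSidCleanup
# Invoke-OrphanedSidCleanup -Remove -WhatIf
# Invoke-OrphanedSidCleanup -Remove
```

Keep the CSV with the change record: it is the only list of which SID held which rights on which mailbox once the ACEs are gone.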

[Figure: Security tab in ADUC confirming the orphaned accounts are removed]


In this article, you learned what these SID S-1-5-21 accounts are and how to remove orphaned SID permissions from a mailbox, both through ADUC and through PowerShell. Did you enjoy this article? You may also like List all users in a Security Group through PowerShell. Don't forget to follow us and share this article.



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 2 Comments

  1. Dear Ali
    How do I use the command to delete all orphaned/unknown SIDs from the whole Active Directory [in a single domain]?
