skip to Main Content

Remove orphaned SID permissions from a mailbox

How to remove orphaned SID permissions from a mailbox? Sometimes the object is removed, but the orphaned SID remains​ in the security tab. In this article, you will learn what a SID is, if it’s safe to remove an orphaned SID and how to remove orphaned SID from a mailbox.

What is a SID?

A SID stands for security identifier and is always unique. It is a number used to identify user, group, and computer accounts in Windows. A SID gets created when the account is first created in Windows.

Check orphaned SID mailbox in ADUC

Start Active Directory Users and Computers (ADUC). Make sure to enable Advanced Features in the Action panel. Search for the user object and double-click to open properties. Open Access Control List by clicking on the tab Security. Check if you have Account Unknown (S-1-5-21) showing. These are orphaned SID accounts. You don’t see a name because the user or security group is already deleted. We call them orphaned SIDs.

Remove or keep orphaned SID

A SID becomes orphaned when used in an ACL (Access Control List) entry, but the corresponding object (computer, user, or group) no longer exists in Windows. This indicates that the specified SID can no longer be translated to a user or group.

When doing a security audit, it is always more interesting to report only valid accounts! To keep it organized and clean, we recommend removing the orphaned SID. Also, you can get permission issues when there are orphaned SIDs.

Remove orphaned SID in ADUC

Start Active Directory Users and Computers and enable Advanced Features.

Remove orphaned SID permissions from a mailbox ADUC advanced features

Find the user object and double-click on it to open properties. Click the tab Security. Have a look and find the SID S-1-5-21 accounts. Select the Account Unknown(S-1-5-21). Click Remove. Click OK when finished.

Note: You can only click one user at a time to remove it.

It is also possible that you only see the SID S-1-5-21 without Account Unknown.

Remove orphaned SID permissions from mailbox ADUC

What to do if you have a lot of orphaned SID accounts (S-1-5-21) showing? PowerShell to the rescue.

Remove orphaned SID with PowerShell

Run Exchange Management Shell as administrator. List all the orphaned SID accounts of the mailbox.

[PS] C:\>Get-ADPermission -Identity "Christopher Payne" | ?{$_.user -like "S-1-5-21*"} | Format-Table User

User
----
S-1-5-21-1938637243-4146217999-3199856483-1119
S-1-5-21-1938637243-4146217999-3199856483-1269
S-1-5-21-1938637243-4146217999-3199856483-1121

Delete the orphaned accounts. Confirm with A and press Enter.

[PS] C:\>Get-ADPermission -Identity "Christopher Payne" | ?{$_.user -like "S-1-5-21*"} | Remove-ADPermission

Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "exoip.local/Company/Users/HR/Christopher Payne" for user
"S-1-5-21-1938637243-4146217999-3199856483-1119" with access rights "'WriteProperty'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): A

Go to ADUC and open the mailbox properties. Go to the tab Security and verify that you no longer see an orphaned SID account.

Remove orphaned SID permissions from mailbox ADUC confirm removed orphaned accounts

You removed the orphaned SID account successfully.

Read more: Remove orphaned SIDs with PowerShell »

Conclusion

You learned what these SID S-1-5-21 accounts are and how to remove orphaned SID permissions from a mailbox. Delete orphaned SID permissions from Active Directory Users and Computer (ADUC) or with PowerShell.

Did you enjoy this article? You may also like List all users in a Security Group through PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 4 Comments

  1. How do I remove a SID if I get an error that we cannot delete due to the object inheriting permissions from its parent… to remove, turn off option for inheriting permissions. This is on an Administrator account

  2. Dear Ali
    How do use the command to delete all orphaned/unknown SIDs from the whole active directory [in a single domain]
    Thanks

Leave a Reply

Your email address will not be published.