Remove orphaned SIDs with PowerShell

There are unknown SIDs in Active Directory (AD), and you would like to remove them. However, going through all the AD objects by hand and removing the bad SIDs could take months. That's when you want a PowerShell script that removes the unknown SIDs in AD for you. In this article, you will learn how to remove orphaned SIDs with PowerShell.

Introduction

SID stands for security identifier. It is a unique value that Windows uses to identify users, groups, and computer accounts, and it is assigned when the account is first created. Permissions (ACL entries) are stored against the SID, not the account name, which is why a SID can outlive the account it belonged to.

We already showed how to remove an orphaned SID permission from a mailbox. That is fine if you only want to remove a single orphaned SID. But what if you want to remove all orphaned SIDs in AD? Then you need to automate it with PowerShell. Let's look at the PowerShell script that removes unknown SIDs in AD.

Remove or keep orphaned SIDs

A SID becomes orphaned when it is still used in an ACL (Access Control List) entry, but the corresponding object (user, group, or computer) no longer exists in Windows. Windows can then no longer translate the SID to an account name, and the permissions dialog shows the raw SID string instead of a name.

When doing a security audit, you want the report to list only valid accounts. To keep the directory organized and clean, I recommend removing the orphaned SIDs; they can also cause permission issues. One caveat: a SID that cannot be translated right now is not always dead. A SID from a trusted domain whose domain controllers or trust are unreachable at the moment also shows up as unknown, so review the list output before removing anything.

How to remove orphaned SIDs with PowerShell

Let’s go through the steps and remove orphaned SIDs with PowerShell.

Remove Orphaned SID in AD PowerShell script

Sign in to the Domain Controller and create two folders on the (C:) drive:

  • Scripts
  • Temp

Download the RemoveOrphanedSID-AD.ps1 PowerShell script and place it in the C:\scripts folder. The script writes its output log file to the C:\temp folder.

Ensure that the file is unblocked to prevent any errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Remove orphaned SIDs PowerShell script

There are a couple of options to use when you run the RemoveOrphanedSID-AD.ps1 PowerShell script:

  1. List all AD objects
  2. List all AD objects in specific OU
  3. Remove orphaned SIDs
  4. Remove orphaned SIDs in specific OU

We will use options 1 and 3. Option 1 gives us a list of all the AD objects and shows which ones carry orphaned SIDs. Option 3 then removes the orphaned SIDs from the AD objects in the entire domain.

List all AD objects in domain

Run Windows PowerShell as administrator, change to the scripts folder, and run the script RemoveOrphanedSID-AD.ps1 with the /LIST parameter.

PS C:\> cd c:\scripts\
PS C:\scripts> .\RemoveOrphanedSID-AD.ps1 /LIST

All the AD objects are scanned, and the output shows which ones have orphaned SIDs.

Remove orphaned SIDs PowerShell LIST output

Open the RemoveOrphanedSID-AD.txt transcript log in the C:\temp folder. It contains the same output as the PowerShell console.

Remove orphaned SIDs PowerShell LIST log output

In the next step, we will remove the orphaned SIDs.

Remove orphaned SIDs in domain

Run the script RemoveOrphanedSID-AD.ps1 with the /REMOVE parameter.

PS C:\scripts> .\RemoveOrphanedSID-AD.ps1 /REMOVE

All the AD objects are scanned, and it will remove the orphaned SIDs.

Remove unknown SIDs PowerShell REMOVE output

Open the RemoveOrphanedSID-AD.txt transcript log in the C:\temp folder. It contains the same output as the PowerShell console.

Remove unknown SIDs PowerShell REMOVE log output

All the orphaned SIDs are removed successfully from Active Directory.
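The page does not show the code of RemoveOrphanedSID-AD.ps1, so here is an added, self-contained PowerShell example of the same list-then-remove procedure. It is my own code, not the downloadable script; the script name, the parameter names (-SearchBase, -Remove, -LogPath) and the CSV log path are assumptions. It reads the security descriptor of every AD object in scope with Get-Acl on the AD: drive, flags explicit ACEs whose SID cannot be translated to an account, and only rewrites the ACL when -Remove is given (add -WhatIf for a dry run). It touches AD object ACLs only; NTFS permissions on file shares are a separate store and are not affected.

```powershell
# Added example for this article, not the RemoveOrphanedSID-AD.ps1 script.
# Script name, parameter names and the CSV log path are assumptions.
# Scope: the security descriptor (nTSecurityDescriptor) of AD objects only;
# NTFS ACLs on file shares are a different store and are not touched.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,                          # OU DN; omit for the whole domain
    [switch]$Remove,                              # omit to only report
    [string]$LogPath = 'C:\temp\OrphanedAce.csv'  # findings are exported here
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-OrphanedSid {
    # An orphaned SID is one Windows can no longer translate to an account.
    # A SID from a trusted domain that is unreachable right now fails the same
    # way, so review the report before running with -Remove.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        $null = $Sid.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    } catch {
        # Any other lookup failure: do not classify it as orphaned, never remove it.
        Write-Warning "Could not look up $($Sid.Value): $($_.Exception.Message)"
        return $false
    }
}

$query = @{ Filter = '*' }
if ($SearchBase) { $query['SearchBase'] = $SearchBase }

$findings = foreach ($obj in Get-ADObject @query) {
    $dn = $obj.DistinguishedName
    # -LiteralPath: a DN may contain * or ?, which -Path would expand as wildcards.
    $acl = Get-Acl -LiteralPath "AD:\$dn"

    # Explicit ACEs only ($true, $false), identities returned as raw SIDs.
    # Inherited ACEs cannot be removed here; they are fixed on the parent
    # object, which is processed on its own when it is inside the scope.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $orphans = @($acl.GetAccessRules($true, $false, $sidType) |
        Where-Object { Test-OrphanedSid $_.IdentityReference })
    if ($orphans.Count -eq 0) { continue }

    $removed = $false
    if ($Remove -and $PSCmdlet.ShouldProcess($dn, "Remove $($orphans.Count) orphaned ACE(s)")) {
        foreach ($ace in $orphans) { $acl.RemoveAccessRuleSpecific($ace) }
        try {
            Set-Acl -LiteralPath "AD:\$dn" -AclObject $acl
            $removed = $true
        } catch {
            Write-Warning "Could not write ACL on ${dn}: $($_.Exception.Message)"
        }
    }

    foreach ($ace in $orphans) {
        [pscustomobject]@{
            Object  = $dn
            Sid     = $ace.IdentityReference.Value
            Rights  = $ace.ActiveDirectoryRights
            Type    = $ace.AccessControlType
            Removed = $removed
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -LiteralPath $LogPath -NoTypeInformation
"$(@($findings).Count) orphaned ACE(s) found, log written to $LogPath"
```

Save it as, for example, C:\scripts\Find-OrphanedAce.ps1 and run it from an elevated PowerShell on a domain controller. `.\Find-OrphanedAce.ps1` corresponds to the article's /LIST run, `.\Find-OrphanedAce.ps1 -SearchBase 'OU=Servers,DC=corp,DC=local'` limits it to one OU, `.\Find-OrphanedAce.ps1 -Remove -WhatIf` shows which objects would be rewritten without changing anything, and `.\Find-OrphanedAce.ps1 -Remove` performs the removal. Translation is attempted on the raw SID rather than on whatever name Get-Acl managed to resolve, and a lookup that fails for any reason other than "identity not mapped" is deliberately left alone.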

Orphaned SIDs cleaned

A before-and-after comparison of an object's Security tab shows that the unknown entries are gone and everything looks clean.

Remove orphaned SIDs security tab

That’s it!

Conclusion

You learned how to remove orphaned SIDs with PowerShell. Keep Active Directory clean of unknown SIDs by running the RemoveOrphanedSID-AD.ps1 PowerShell script. It leaves AD clutter-free, without bad SIDs.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 12 Comments

  1. Hello:
    This is more or less what I am looking for.
    BUT what if I want to just remove one SID at a time.
    For instance if the script found 5 orphaned SIDs but I want to be able to remove just one at a time.
    How is that possible and how?
    Thanks!
    Regards
    Ketto

  2. Hello Ali,
    Excellent script, thank you for all your hard work.
    Question:
    How would I edit the script to search a child domain for orphaned SIDs??

    Thanks,
    John

    1. Hi John, I had this same issue. I was able to add the OU I wanted after the /remove, e.g.:
      .\removeOrphanedSID-AD.ps1 /remove "OU=,DC=,DC="

  3. Hello ALI,

    Can you please edit the script to allow special characters as well?
    For example: = * _

    There are many identities in an OU that have special characters, and the script gets stuck while performing List over them.

    1. Hi Rahul,

      I am also facing the same issue. Did you find the solution for this?

      If Yes, can you please let me know. Thanks in advance.

  4. Hi Ali,
    Very useful script, thanks for sharing!
    I just have a problem when I use the /REMOVE switch: nothing happens in my Active Directory -> bad ACLs are not cleaned by the script on my computer objects.
    After some research, I changed one thing in your original script: in the "RemovePerm" function I replaced
    $x.RemoveAccessRuleSpecific($i)
    by
    $x.RemoveAccessRule($i)
    and it works fine now, but I don't understand why in my case (AD W2016) the RemoveAccessRuleSpecific method does nothing... if you have an idea...

    Thanks

  5. Friend, when I run .\RemoveOrphanedSID-AD.ps1 /LIST it collects the information and the orphaned SIDs appear, but when I run .\RemoveOrphanedSID-AD.ps1 /REMOVE it apparently does the job, yet I keep finding the SIDs in shared folders, and if I run /LIST again it lists the same entries again, so the problem is that it does not delete what it has found. What could it be? When I run PowerShell as administrator everything works without problems, and it is a 2012 R2. If it is not too much trouble, could you please send me the RemoveOrphanedSID-AD.ps1 zipped? Maybe I made a mistake when creating it.

  6. Thanks Ali!!
    I finished yet another SBS 2011 migration, this time to W2022.
    After AD cleanup I found a large number of orphaned SIDs. I used to use SubInAcl for this, but it does not work on W2022. Started looking for a solution a week ago. Lots of dead links (thanks MS!!). Then today I find you've posted this. Terrific, works very well!! Nice tidy AD and security profiles now. Thank you Ali!! Very much appreciate you sharing this!!!

    1. Glad that it worked for you, Will.

      It’s always good to keep the infrastructure clean, so the next time you have an audit or create a report, you will not see those orphaned SIDs.
