
Remove orphaned SIDs with PowerShell

There are unknown SIDs in Active Directory (AD), and you would like to remove them. However, going through all the AD objects by hand and removing the bad SIDs would take months. That’s when you want a PowerShell script that removes unknown SIDs in AD. In this article, you will learn how to remove orphaned SIDs with PowerShell.

Introduction

SID stands for security identifier. It is a number that is always unique and that Windows uses to identify user, group, and computer accounts. A SID is created when the account is first created in Windows.

We already showed how to remove an orphaned SID permission from a mailbox. That works well if you only want to remove a single orphaned SID. But what if you want to remove all orphaned SIDs in AD? Then you need to automate the job with PowerShell. Let’s look at the PowerShell script that removes unknown SIDs in AD.

Remove or keep orphaned SIDs

A SID becomes orphaned when it is still referenced in an ACL (Access Control List) entry, but the corresponding object (computer, user, or group) no longer exists in Windows. As a result, the SID can no longer be translated to a user or group name.

When doing a security audit, you want the report to show only valid accounts. To keep AD organized and clean, I recommend removing the orphaned SIDs. Orphaned SIDs can also cause permission issues.

How to remove orphaned SIDs with PowerShell

Let’s go through the steps and remove orphaned SIDs with PowerShell.

Remove Orphaned SID in AD PowerShell script

Sign in to the Domain Controller and create two folders on the C:\ drive.

  • Scripts
  • Temp

Download the RemoveOrphanedSID-AD.ps1 PowerShell script and place it in the C:\scripts folder. The script writes its output log file to the C:\temp folder.

If you don’t have a scripts folder, create one. Make sure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Remove orphaned SIDs PowerShell script

There are a couple of options to use when you run the RemoveOrphanedSID-AD.ps1 PowerShell script:

  1. List all AD objects
  2. List all AD objects in specific OU
  3. Remove orphaned SIDs
  4. Remove orphaned SIDs in specific OU

The ones we will use are options 1 and 3. Option 1 gives us a list of all the AD objects and shows whether any of them carry orphaned SIDs. After that, option 3 removes the orphaned SIDs from the AD objects in the entire domain.

List all AD objects in domain

Run Windows PowerShell as administrator and change to the scripts folder. After that, run the script RemoveOrphanedSID-AD.ps1 with the parameter /LIST.

PS C:\> cd c:\scripts\
PS C:\scripts> .\RemoveOrphanedSID-AD.ps1 /LIST

The script scans all the AD objects and shows whether any of them have orphaned SIDs.

[Screenshot: Remove orphaned SIDs PowerShell LIST output]

Open the RemoveOrphanedSID-AD.txt transcript log in the C:\temp folder. It contains the same output as the PowerShell console.

[Screenshot: Remove orphaned SIDs PowerShell LIST log output]

In the next step, we will remove the orphaned SIDs.

Remove orphaned SIDs in domain

Run the script RemoveOrphanedSID-AD.ps1 with the parameter /REMOVE.

PS C:\scripts> .\RemoveOrphanedSID-AD.ps1 /REMOVE

The script scans all the AD objects and removes the orphaned SIDs it finds.

[Screenshot: Remove unknown SIDs PowerShell REMOVE output]

Open the RemoveOrphanedSID-AD.txt transcript log in the C:\temp folder. It contains the same output as the PowerShell console.

[Screenshot: Remove unknown SIDs PowerShell REMOVE log output]

All the orphaned SIDs are removed successfully from Active Directory.
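As an added example (not the RemoveOrphanedSID-AD.ps1 script from this article), the PowerShell below shows the logic such a LIST/REMOVE script needs: walk the AD objects under a search base, find explicit ACEs whose SID no longer translates to an account, report them, and change the ACL only when -Remove is given (with -WhatIf honoured). It assumes the ActiveDirectory module (for the AD:\ drive) and a session with rights to modify the objects' security descriptors.

```powershell
# Added example, not the RemoveOrphanedSID-AD.ps1 script: report explicit ACEs whose
# SID no longer resolves and remove them only when -Remove is given. Supports -WhatIf.
# Assumes the ActiveDirectory module (AD:\ drive) and rights to modify the objects.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $SearchBase,   # optional OU distinguished name; default is the whole domain
    [switch] $Remove
)
Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

function Test-OrphanedSid {
    param([System.Security.Principal.IdentityReference] $Identity)
    # Get-Acl returns resolvable identities as DOMAIN\Name; a raw S-1-... value means
    # the name lookup already failed. Confirm with an explicit translation attempt, so a
    # transient lookup error (any other exception type) is not treated as an orphan.
    if ($Identity.Value -notmatch '^S-1-') { return $false }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier] $Identity.Value
        $null = $sid.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

$found = 0
foreach ($obj in Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree) {
    $path = "AD:\$($obj.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # Inherited ACEs cannot be removed on the child; fix them where they are defined.
    $orphans = @($acl.Access | Where-Object {
        -not $_.IsInherited -and (Test-OrphanedSid -Identity $_.IdentityReference) })
    if ($orphans.Count -eq 0) { continue }
    foreach ($ace in $orphans) {
        $found++
        Write-Output ("{0}`t{1}`t{2}" -f $obj.DistinguishedName,
                       $ace.IdentityReference.Value, $ace.AccessControlType)
        if ($Remove) { $acl.RemoveAccessRuleSpecific($ace) }
    }
    if ($Remove -and $PSCmdlet.ShouldProcess($obj.DistinguishedName,
            "Remove $($orphans.Count) orphaned ACE(s)")) {
        Set-Acl -Path $path -AclObject $acl
    }
}
Write-Output "Orphaned ACEs found: $found"
```

Run it without -Remove first to get the equivalent of the /LIST pass, then with -Remove -WhatIf to see exactly which objects would be written before committing.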

Orphaned SIDs cleaned

Comparing the permissions on the Security tab before and after shows that the orphaned SIDs are gone and everything looks clean.

[Screenshot: Remove orphaned SIDs security tab, before and after]

That’s it!


Conclusion

You learned how to remove orphaned SIDs with PowerShell. Keep Active Directory free of unknown SIDs by running the RemoveOrphanedSID-AD.ps1 PowerShell script. It leaves AD clutter-free, without bad SIDs.


ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 2 Comments

  1. Thanks Ali!!
    I finished yet another SBS 2011 migration,.. this time to W2022.
    After AD cleanup found a large number of orphaned SIDs.. I used to use SubInAcl for this.. Does not work on W2022 though. Started looking for sol’n a week ago.. Lots of dead links (thanks MS!!). Then today I find you’ve posted this.. terrific, works very well!! Nice tidy AD & security profiles now. Thank you Ali!! Very much appreciate you sharing this!!!

    1. Glad that it worked for you, Will.

      It’s always good to keep the infrastructure clean, so the next time you have an audit or create a report, you will not see those orphaned SIDs.
