Is it safe to delete "Account Unknown" entries from Windows ACLs in a domain environment?

Posted by Graeme Donaldson on Server Fault See other posts from Server Fault or by Graeme Donaldson
Published on 2010-05-31T14:14:44Z Indexed on 2010/05/31 14:23 UTC
Read the original article Hit count: 324

It's not uncommon to see entries in Windows ACLs (NTFS files/folders, registry, AD objects, etc.) with the name "Account Unknown (SID)". Obviously these are because of old AD users or groups which at some point had permissions manually configured on the relevant object and have since been deleted.

Does anyone know if it is safe to remove these "Account Unknown" ACEs?

My gut feeling is that it should be just fine, but I'm wondering if anyone has any past experiences where doing this has caused trouble?

Normally I just ignore these, but the company I'm working at now seems to have an abnormal number of these, most likely due to past admins' inexperience with AD/Windows and assigning permissions to user accounts rather than groups in all sorts of weird places.

FWIW, our environment is not complex, a single domain forest, 4 DCs in 3 sites, with all network connectivity and replication healthy, so I'm certain that these "Account Unknown" entries are really old accounts, and not just because of some failure to resolve the SID to a human-readable name.

© Server Fault or respective owner

Related posts about Windows

Related posts about active-directory