Is it safe to delete "Account Unknown" entries from Windows ACLs in a domain environment?
Posted
by Graeme Donaldson
on Server Fault
See other posts from Server Fault
or by Graeme Donaldson
Published on 2010-05-31T14:14:44Z
Indexed on
2010/05/31
14:23 UTC
Read the original article
Hit count: 324
It's not uncommon to see entries in Windows ACLs (NTFS files/folders, registry, AD objects, etc.) with the name "Account Unknown (SID)". Obviously these are because of old AD users or groups which at some point had permissions manually configured on the relevant object and have since been deleted.
Does anyone know if it is safe to remove these "Account Unknown" ACEs?
My gut feeling is that it should be just fine, but I'm wondering if anyone has any past experiences where doing this has caused trouble?
Normally I just ignore these, but the company I'm working at now seems to have an abnormal number of these, most likely due to past admins' inexperience with AD/Windows and assigning permissions to user accounts rather than groups in all sorts of weird places.
FWIW, our environment is not complex, a single domain forest, 4 DCs in 3 sites, with all network connectivity and replication healthy, so I'm certain that these "Account Unknown" entries are really old accounts, and not just because of some failure to resolve the SID to a human-readable name.
© Server Fault or respective owner