List Archives


Subject: RE: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.

Robert Bobel

01/04/2007 6:47 AM  
The issue is that there is no automated service in AD/Windows that reconciles the SIDs in AD with those used to ACL the file system; and AD ACLs are separate and disconnected from the OS ACLs. Imagine deleting a group or user that had permissions on hundreds of computers around your network: the OS on each box would have to *know* that the user or group was deleted, then scan itself for obsolete SIDs, or alternatively some service on the DC could contact each server to scan it for obsolete SIDs.

As Deji correctly pointed out, this is another example of why you should use groups to do your permissioning... it is also one of the reasons why many administrators choose to disable user accounts rather than just delete them when they become obsolete.

Bob


From: ActiveDir-owner@mail.activedir.org on behalf of Yann
Sent: Thu 1/4/2007 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.

Thanks for replying.

You say that it is normal that the SID still remains in file & directory ACLs after the deletion of the corresponding group??

I always thought that SIDs *HAVE TO* disappear dynamically on all existing ACLs set on the file server.
I'm a bit surprised that the system (AD<->file server) leaves this dirty SID and that there is no synchronisation that updates the "link" between the AD object and the ACE....

What is the reason? Could this behavior be altered?

I'd like the SID to disappear after deletion of the corresponding group in AD in order not to have these dirty SIDs...

Thanks.

Yann
"Akomolafe, Deji" wrote:


It's "normal". You should
be permissioning your resources with groups instead of directly with user
accounts. Groups tend to last longer, so you don't have to deal with the
horrible SIDs.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Yann
Sent: Thu 1/4/2007 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID Deleted users remains in NTS permission.

Hello all & Happy New Year! :)

AD 2k3 SP1 in FFL mode.

When I delete a user or group from AD, and these objects have permissions in NTFS permissions, I usually see their SIDs remaining in those file & directory ACLs.

Is this normal? If not, what could be the reason(s) & how to investigate this issue?

Thanks,

Yann


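The scan Bob says no AD/Windows service performs for you, as an added example (not code from the thread or its authors): a PowerShell script that walks an NTFS tree and lists the explicit ACEs whose SID no longer translates to an account, which is exactly what a deleted user or group leaves behind. $Path is an assumed parameter; run it on the file server, or against a UNC path, as an account that can read the ACLs.

```powershell
# Added example (not from the thread): report explicit ACEs on an NTFS tree whose
# SID no longer resolves to an account, i.e. what is left behind when the user
# or group is deleted from AD. $Path is an assumed parameter.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path        # root folder to scan, e.g. D:\Shares (assumed)
)

function Test-OrphanedSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        # A live principal translates to DOMAIN\name; a deleted one cannot.
        [void]$Sid.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

# Include the root itself; Get-ChildItem only returns what is below it.
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$orphans = foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
    # Ask for raw SIDs so nothing is resolved to a name before we test it.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Inherited ACEs are reported once, at the object where they are set explicitly.
        if ($rule.IsInherited) { continue }
        if (Test-OrphanedSid $rule.IdentityReference) {
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $rule.IdentityReference.Value
                Rights = $rule.FileSystemRights
                Type   = $rule.AccessControlType
            }
        }
    }
}

# Review the list before removing anything; the report changes no ACLs.
$orphans | Format-Table -AutoSize
"{0} orphaned ACE(s) found under {1}" -f @($orphans).Count, $Path
```

A SID that still resolves but belongs to a disabled account is not reported, which matches Bob's point that disabling rather than deleting keeps the ACE meaningful.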
Copyright 2012 ActiveDir.org