Stale SIDs found in user rights assignments

vluu posted this 23 April 2016

Hi,

We had an AD RaaS done and one of the issues reported is "Stale SIDs found in User rights assignments may impact Group Policy getting applied."

I would like to know the best approach to "inventory and clean stale SIDs in GPOs" automatically with a recurring job to check weekly.

Thanks
daemonr00t posted this 24 April 2016

While that is one of many AD RaaS findings there's no proposed automated solution like you mention… I would start tinkering with SIDtoName and some ACL dump. Now, how often are groups eliminated in your environment? ~d

PARRIS posted this 24 April 2016

What I do is, for every one of those user rights, I add an equivalent AD group (AD-GPO-log on as a service, AD-GPO-Deny logon locally etc.), then leave the policy alone. Every time someone then needs permission I add them to the group and not the policy; it avoids this problem.

Regards,

Mark Parris
Active Directory & Cloud Security Consultancy.
MVP Enterprise Mobility | MCM Directory Services

g4ugm posted this 24 April 2016

I would be more worried about how this is happening. If the groups are being used to deny rights then folks are getting rights they shouldn't have; if they are being used to assign rights then someone may not be able to perform their allocated tasks. Fix the root cause, not the symptoms. Dave

vluu posted this 24 April 2016

Thanks all for the feedback.
@Danny, I would say groups aren't eliminated at all, they are just left there even if it does not serve a purpose unfortunately. Our AD is very old with many hands in it (another point we have to clean) and improper documentation.
@Mark, thanks for that interesting suggestion.


darren posted this 25 April 2016

Interesting scenario. So, users rights assignment policy, like much of security policy, is stored in gpttmpl.inf in SYSVOL. You could probably write a PowerShell script that parses those SIDs and tries to resolve against AD. I'm going to play around with this using our GP Automation Engine and also natively and see what I can come up with.

Darren

chriss3 posted this 25 April 2016

I don't think you can do a better job resolving those SIDs than the LsaLookupSIDs API. This is what the OS uses, and LsaAddAccountRights when adding SIDs to user rights. If there is a doubt as to which domain the SID belongs to, you can use GetWindowsAccountDomainSid and look that up against trusts.

Enfo Zipper
Christoffer Andersson – Principal Advisor

PARRIS posted this 25 April 2016

I think the point here is that they are orphaned and the objects are deleted and hence the error.

Regards,

Mark Parris

chriss3 posted this 26 April 2016

Sorry, that's my bad and you're right: if they are still in a Deleted Objects container as tombstone/deleted or recycled then a search with proper controls could yield results. Lsa* do not take that into account.

Enfo Zipper
Christoffer Andersson – Principal Advisor
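A weekly inventory script along the lines Darren and Christoffer describe, written here as an added example (not a script from this thread, from Microsoft or from any of the posters): it walks every GptTmpl.inf under SYSVOL, resolves each SID listed under [Privilege Rights] through .NET's Translate() (which goes through LsaLookupSids), and for the ones LSA cannot resolve checks AD's Deleted Objects container for a tombstoned or recycled object. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to SYSVOL; the function name, status labels and CSV path are this example's own choices.

```powershell
# Added example: inventory user-rights SIDs in every GPO's GptTmpl.inf and flag stale ones.
# Assumes the RSAT ActiveDirectory module and read access to \\<domain>\SYSVOL.
Import-Module ActiveDirectory

function Get-StaleUserRightSid {
    $domain   = (Get-ADDomain).DNSRoot
    $policies = "\\$domain\SYSVOL\$domain\Policies"
    foreach ($inf in Get-ChildItem -Path $policies -Recurse -Filter GptTmpl.inf -ErrorAction SilentlyContinue) {
        # The GPO GUID is the {...} directory name directly under Policies
        $gpoGuid   = [regex]::Match($inf.FullName, '\{[0-9A-Fa-f-]+\}').Value
        $inSection = $false
        foreach ($line in Get-Content -Path $inf.FullName) {
            # Track the INI section; only [Privilege Rights] holds user rights assignments
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $right  = $Matches[1]
                $values = $Matches[2]
                # Values are comma-separated; SIDs carry a leading '*', plain names do not
                foreach ($entry in ($values -split ',')) {
                    if ($entry.Trim() -match '^\*(S-1-[0-9-]+)$') {
                        $sid = [System.Security.Principal.SecurityIdentifier]$Matches[1]
                        try {
                            # Translate() resolves via LsaLookupSids, the same path the OS uses
                            $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
                            $status = 'Resolved'
                        } catch {
                            $name = $null
                            # LSA does not see tombstoned/recycled objects; ask the Deleted Objects container
                            $deleted = Get-ADObject -IncludeDeletedObjects -Filter "objectSid -eq '$($sid.Value)'" `
                                                    -ErrorAction SilentlyContinue
                            $status  = if ($deleted) { 'Deleted' } else { 'Unknown' }
                        }
                        [pscustomobject]@{ GPO = $gpoGuid; Right = $right; SID = $sid.Value; Account = $name; Status = $status }
                    }
                }
            }
        }
    }
}

# Weekly run (e.g. from a scheduled task): report only entries that no longer resolve and keep a CSV
$stale = Get-StaleUserRightSid | Where-Object Status -ne 'Resolved' | Sort-Object GPO, Right
$stale | Format-Table -AutoSize
$stale | Export-Csv -Path "$env:TEMP\stale-user-rights-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Entries reported as Deleted point at an object that was removed but is still recoverable or identifiable in AD; Unknown entries are SIDs from a domain or forest the host cannot resolve, or objects already past their tombstone lifetime.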

vluu posted this 27 April 2016

Hi
Found the MS script searchgpoforsettings.ps1 and wondering if you have had success with it? I'm able to find some settings but other settings I search for turn up blank when they should return something.
Thx again