This is caused by using another Server Directory Editing tool, such as Active Directory Users and Computers (ADUC), to delete user accounts. Active Roles does not remove these SIDs because the user account was removed by the other tool, so the orphaned SIDs remain.
NOTE: Dynamic Groups should not leave broken SIDs. When users are removed from the group, they should be removed immediately, unless the Dynamic Groups Scheduled Task is not set to run.
To find which Dynamic Groups contain orphaned SIDs, use the following steps.
1) At the Active Directory level, right-click, select Find, and set Find: to Groups
2) Select the Group Type tab, and select the check box Show only groups:
3) Select the Dynamic Group check box
4) Select the Advanced tab
5) Select the Field... button, select the Show all possible properties check box at the bottom of this window, and find accountNameHistory
6) Set the Condition: field to Contains, set the Value: field to 000, and select the Add button
7) Select the Find Now button