I understand that very well. I'm looking to find the
meaning and perspective behind the request.
Even a transient error could be problematic if you *could*
match it to the tombstoned object because the same issue could still exist.
To prevent the transient errors from occurring, one approach
would be to build the userid-to-SID mapping table in a separate store outside of
the AD and local to the application. Another would be to run the app on
the DC.
With the off-line version you would be able to input logic
that ensures you either have all relevant information or you don't have
anything.
But again, what is the value of matching a SID to a
tombstoned object?
Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Friday, April 01, 2005 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned SIDs

Agreed. It would be great to be able to confirm which user the SID belonged to before deleting the SID.

Ivor

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]

Al, you know that a resolution problem will sometimes prevent SID translations. So, the mere fact that you see SIDs (rather than names) listed in your ACL does not necessarily indicate that those accounts are dead. So, verification is in order here, IMO.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al

I'm trying to figure out why you wouldn't want to assume that the account is either gone or tombstoned? Why the verification step of looking for tombstoned items?

In any event, it takes different rights and settings to see those tombstoned objects. I wouldn't guess that Zeffy would care about those since they're tombstoned.

Also, if the object is listed incorrectly or referenced by something other than the proper dir object, then what would be the point of keeping it in the ACLs? There's obviously something wrong at that point, right?

Help me understand the logic/business drivers for this...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor

I’ve seen quite a bit of info on this subject but would like to get a firm grip on the situation. I recently deleted a bunch of disabled users from my directory. However, I’m left with quite a few orphaned SIDs in the ACLs and User Rights policies, etc. I would like to clean these up with VERIFICATION, i.e. I would like to know which user SID I’m deleting before ripping the SID out of the ACL.

I encountered a few tools on the web but they don’t really help in this situation.

http://www.petri.co.il/obj_sid.htm - This is a cool applet that allows you to do a SID lookup or a reverse SID lookup. If the object doesn’t exist in the directory, it doesn’t access the tombstone information for a match.

Then there’s tombstone-user.exe. This util will dump all the tombstone objects from a particular DC. I dumped the tombstones from a DC (it displays SIDs only) and did a find on a couple of the SIDs I see tombstoned in the directory but it doesn’t find the SIDs? Yes, it’s still within 60 days of the objects being deleted.

Any help on this issue will be appreciated.

Ivor
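Deji's point (an unresolved SID is not necessarily a dead account) and Ivor's goal (know what a SID was before removing it) both come down to classifying the SIDs found in an ACL before touching them. The Python below is an added example, not code from the thread or from any of the tools mentioned in it. The domain SID, the ACL entries, the set of SIDs that translate and the set found among tombstones are all constructed inline so the script runs offline; in a real run the first comes from the domain, the second from the ACL, the third from LookupAccountSid and the fourth from a deleted-objects query with the rights Al mentions. The byte conversion is included because AD stores objectSid in binary, so a SID copied from an ACL as text and a SID dumped from a tombstone can only be compared once both are in the same form.

```python
"""Triage of unresolved SIDs found in an ACL (added example, constructed data)."""
import struct

# Constructed values standing in for what a real run would query.
LOCAL_DOMAIN_SID = "S-1-5-21-1000-2000-3000"          # hypothetical domain
RESOLVABLE = {"S-1-5-21-1000-2000-3000-1104"}          # LookupAccountSid succeeded
TOMBSTONED = {"S-1-5-21-1000-2000-3000-1105"}          # found in Deleted Objects
ACL_PRINCIPALS = [                                      # SIDs read from an ACL
    "S-1-5-32-544",                                     # BUILTIN\Administrators
    "S-1-5-21-1000-2000-3000-1104",                     # live account
    "S-1-5-21-1000-2000-3000-1105",                     # deleted, tombstone readable
    "S-1-5-21-1000-2000-3000-1106",                     # local domain, no object found
    "S-1-5-21-4000-5000-6000-1200",                     # account from another domain
]


def parse_sid(sid_str):
    """Split 'S-R-A-s1-s2-...' into (revision, identifier authority, [subauthorities])."""
    parts = sid_str.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid_str)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return revision, authority, subs


def sid_to_bytes(sid_str):
    """Encode a SID string in the binary layout AD uses for objectSid."""
    revision, authority, subs = parse_sid(sid_str)
    # 1 byte revision, 1 byte sub-authority count, 6-byte big-endian authority,
    # then each sub-authority as a little-endian 32-bit integer.
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(raw):
    """Decode a binary objectSid value (e.g. from a tombstone dump) to its string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def domain_of(sid_str):
    """Return the domain part (everything but the RID) of an S-1-5-21 account SID, else None."""
    revision, authority, subs = parse_sid(sid_str)
    if authority == 5 and len(subs) >= 5 and subs[0] == 21:
        return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))
    return None


def classify(sid_str, local_domain_sid, resolvable, tombstoned):
    """Decide what an ACL principal most likely is before anyone removes it.

    'deleted-verified' is the only outcome where the identity is known from a
    tombstone; 'foreign-unresolved' is the case Deji warns about, where a
    translation failure across a trust can look exactly like a dead account.
    """
    if sid_str in resolvable:
        return "live"
    domain = domain_of(sid_str)
    if domain is None:
        return "well-known-or-nonaccount"   # BUILTIN, NT AUTHORITY etc.: not an orphan
    if sid_str in tombstoned:
        return "deleted-verified"           # tombstone confirms which object it was
    if domain == local_domain_sid:
        return "deleted-unverified"         # our domain, but no live or tombstoned object
    return "foreign-unresolved"             # another domain: may be a resolution problem


def triage_acl(principals=ACL_PRINCIPALS, local_domain_sid=LOCAL_DOMAIN_SID,
               resolvable=RESOLVABLE, tombstoned=TOMBSTONED):
    """Map every SID in the ACL to its classification."""
    return {sid: classify(sid, local_domain_sid, resolvable, tombstoned)
            for sid in principals}


if __name__ == "__main__":
    for sid, verdict in triage_acl().items():
        print("%-34s %s" % (sid, verdict))
```

Only the "deleted-verified" entries meet Ivor's bar of knowing which user a SID was; a "deleted-unverified" SID in the local domain is the case where Al's assumption (gone or tombstoned) is probably right but cannot be shown, and a "foreign-unresolved" SID should be left alone until the trust or name resolution has been checked.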