
I am trying to remove an obsolete SID (the account was apparently deleted).

I've tried to run the following on the server (win2003) and a client (win7):

icacls c:\path /remove *S-1-5-21-1883347182-1220252494-433279356-1095 /T

But I always get the output

Successfully processed 0 files; Failed processing 0 files

without it doing anything. How can I get it to work?

Update:

I've used AccessEnum to get the SID because icacls only says "No mapping between account names and security IDs was done." but doesn't show the SID.

The output from AccessEnum is:

"Path"  "Read"  "Write" "Deny"  
"c:\path"   "Administrators, S-1-5-21-1883347182-1220252494-433279356-1095, ..."    "Administrators, S-1-5-21-1883347182-1220252494-433279356-1095, ..."    ""  
laktak
  • Could you post a relevant snip of the output of icacls "C:\path"? Are you positive that SID is correct? – jscott Jul 30 '10 at 13:05
  • Yes, AFAIK the SID is correct - see my update. – laktak Aug 02 '10 at 12:23
  • Does this SID have an entry in the ACL of the parent folder, C:\ in your question? If not, you may be able to use the `/reset` switch of `icacls` -- *e.g.* `icacls C:\path /reset /T` – jscott Aug 05 '10 at 21:22
  • I also have this problem, and I see exactly the same behaviour from `icacls`... still looking for an answer. – Thanatos Oct 07 '10 at 23:55

4 Answers

1

You can easily do that with SetACL:

SetACL -on C:\Path -ot file -actn trustee -trst "n1:S-1-5-21-1883347182-1220252494-433279356-1095;s1:y;ta:remtrst;w:dacl"
Helge Klein
  • With the current SetACL 3.0.6 version this goes like this: `SetACL -on C:\path -ot file -actn delorphanedsids -rec cont_obj` – Ciove Dec 20 '16 at 15:02
1

My suggestion to another similar question:

"perhaps you're looking for SUBINACL. Download it here

subinacl.exe /help /cleandeletedsidsfrom provides the following:

/cleandeletedsidsfrom=domain[=dacl|sacl|owner|primarygroup|all]

delete all ACEs containing deleted (no valid) Sids from DomainName
You can specify which part of the security descriptor will be scanned (default=all)
If the owner is deleted, new owner will be the Administrators group.
If the primary group is deleted, new primary group will be the Users group.

Appears you can use this with /file or /share or /subdirectories as needed."

Jordan W.
1

I have found the most portable and actually easiest way to be using the /save and /restore functions of icacls:

icacls C:\ /save D:\creds.txt /T

And then I would use Vim, or some other grep/sed/awk equivalent, to manipulate the file. That allows me to remove a SID, replace a SID, etc. After I'm finished with the file I do

icacls C:\ /restore D:\creds.new.txt /T

That's it. No need to download other programs. No need to learn yet another non-standard command line syntax. I just create a dummy file and use the GUI or whatever to make the ACL exactly the way I want it, use /save to see what the resultant ACE string looks like, then just copy and paste that ACE string into creds.new.txt.

kizzx2
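The editing step of the /save, edit, /restore round trip above, as an added example that is not part of the answer: a Python script that strips every ACE granted to the orphaned SID from the /save file before it is fed back to /restore. It assumes the /save layout (UTF-16 text in which each relative path line is followed by its SDDL line), the function names are mine, and the sample data is constructed; inherited ACEs (ID flag) are counted but left in place, because /restore re-applies them from the parent, which is where they must be removed (the point made in the comments about the parent folder's ACL).

```python
import re

# The orphaned SID from the question; the constructed sample below uses it.
ORPHAN_SID = "S-1-5-21-1883347182-1220252494-433279356-1095"
# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee_sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def strip_sid_from_sddl(sddl, sid):
    """Drop explicit ACEs whose trustee is `sid`; returns (sddl, removed, inherited).
    ACEs carrying the ID flag are inherited: /restore re-applies them from the
    parent, so they are only counted here and must be removed at the parent.
    """
    removed = inherited = 0
    def repl(m):
        nonlocal removed, inherited
        if m.group(6).upper() != sid.upper():
            return m.group(0)
        flags = m.group(2).upper()  # two-letter tokens, e.g. "OICIID"
        if "ID" in [flags[i:i + 2] for i in range(0, len(flags), 2)]:
            inherited += 1
            return m.group(0)
        removed += 1
        return ""
    return ACE_RE.sub(repl, sddl), removed, inherited


def clean_icacls_save(lines, sid):
    """/save content alternates a path line and its SDDL line; edit only the latter."""
    out, removed, inherited = [], 0, 0
    for line in lines:
        if line.startswith(("D:", "O:", "G:", "S:")):  # relative paths cannot contain ':'
            line, r, i = strip_sid_from_sddl(line, sid)
            removed, inherited = removed + r, inherited + i
        out.append(line)
    return out, removed, inherited


def clean_save_file(src, dst, sid):
    """Rewrite a /save file for /restore; icacls writes and expects UTF-16 with CRLF."""
    with open(src, encoding="utf-16") as f:
        out, removed, inherited = clean_icacls_save(f.read().splitlines(), sid)
    with open(dst, "w", encoding="utf-16", newline="\r\n") as f:
        f.write("\n".join(out) + "\n")
    return removed, inherited


# Constructed sample in /save format: explicit and inherited ACEs for the orphan SID.
SAMPLE_SAVE = [
    "path", f"D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;{ORPHAN_SID})(A;OICI;0x1200a9;;;BU)",
    "path\\sub", f"D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;{ORPHAN_SID})(A;;FA;;;{ORPHAN_SID})",
]
```

Run `clean_save_file("D:\\creds.txt", "D:\\creds.new.txt", ORPHAN_SID)` on the file produced by `icacls C:\ /save D:\creds.txt /T`, then restore as in the answer; a non-zero inherited count means the SID also has to be cleaned on the parent folder.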
-1

Why not just use the GUI? Bring up the folder properties and remove the unwanted SID from the security settings. That's always worked for me.

John Gardeniers