delete orphaned sids

This topic contains 6 replies, has 3 voices, and was last updated by John Spencer 2 years, 4 months ago.

  • #17838
    John Spencer (Participant)

    I have a small script that shows the members of the local Administrators group of a remote server, and then you can remove the accounts that do not belong there. It also shows orphaned SIDs, but when trying to remove them, nothing happens. Some help would sure be appreciated!

    $strDomain = Read-Host "Enter Domain"
    $strComputer = Read-Host "Enter System Name"

    do
    {
        # Bind to the remote computer and its local Administrators group via the WinNT provider
        $computer = [ADSI]("WinNT://" + $strComputer + ",computer")
        $group = $computer.psbase.children.find("Administrators")
        $group.Name

        # Enumerate the group members and return their Name property
        function ListAdministrators
        {
            $members = $group.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
            $members
        }

        ListAdministrators
        $strUser = Read-Host "Enter Username to remove"
        # Removes by building a domain-qualified ADsPath from the entered name
        $group.Remove("WinNT://" + $strDomain + "/" + $strUser)
        cls
        Write-Host "These are the current members of the local administrators group."
        ListAdministrators

    } while ($strUser -ne "")

  • #17842
    Sam Boutros (Participant)

    Tested, working.

  • #17844
    John Spencer (Participant)

    Thanks for the reply. I know it works great for removing accounts that are 'fine', but if it's an orphaned SID, it doesn't do anything to it.
    What I mean is, I run the script and it shows me a list of users like this:

    Administrators
    Baduser
    olduser
    service-account
    Domain administrators
    S-1-5-12-1234567890-1234567890-1234567890-123456
    Enter Username to remove

    I can put in Baduser and olduser, and they will remove quite nicely. When I put in S-1-5-12-1234567890-1234567890-1234567890-123456, this does not remove.
    That's what I am hoping for some help with.

  • #17845
    Dave Wyatt (Moderator)

    It's most likely to do with this line, a hard-coded assumption that the domain is part of the ADsPath for the orphaned SIDs:

    $group.Remove("WinNT://" + $strDomain + "/" + $strUser)

    Try outputting the full ADsPath of your members instead of just the name, to see what these SIDs really look like:

    function ListAdministrators
    {
        $group.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null) }
    }

    With that information, you should be able to update the script.

  • #17846
    John Spencer (Participant)

    Thanks for the reply.
    They now look like this: WinNT://S-1-5-12-1234567890-1234567890-1234567890-123456
    They won't delete, with or without the WinNT:// prefix.

  • #17849
    John Spencer (Participant)

    Ok, I got it! Thank you Dave, that got me on the path.

    $strDomain = Read-Host "Enter Domain"   # no longer used by Remove(); kept from the original version
    $strComputer = Read-Host "Enter System Name"

    do
    {
        # Bind to the remote computer and its local Administrators group via the WinNT provider
        $computer = [ADSI]("WinNT://" + $strComputer + ",computer")
        $group = $computer.psbase.children.find("Administrators")
        $group.Name

        # Enumerate the group members and return their full ADsPath, which is
        # also the value that Remove() expects
        function ListAdministrators
        {
            $group.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null) }
        }

        ListAdministrators
        $strUser = Read-Host "Enter Username to remove"
        # Remove by the ADsPath exactly as listed (no domain prefix is prepended)
        $group.Remove($strUser)
        cls
        Write-Host "These are the current members of the local administrators group."
        ListAdministrators

    } while ($strUser -ne "")

  • #17850
    John Spencer (Participant)

    Part two: How can I get the group to include both Administrators and Backup Operators? I tried adding them together with commas, semicolons, and spaces; none worked.
    $group = $computer.psbase.children.find("Administrators")
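
An added example, not code from the thread or from any of its posters, that covers both the orphaned-SID removal worked out above and the multi-group question in this post. It uses the same ADSI WinNT provider calls the thread uses (Invoke("Members"), InvokeMember("ADsPath"), Remove()) but loops over a list of group names instead of a single children.find("Administrators") call, binding to each group with the provider's "WinNT://computer/name,group" form. Members whose Name is a bare SID string are flagged as orphaned; removal is opt-in via a -Remove switch and honours -WhatIf. The script name, the parameter names and the default group list are assumptions for this example.

```powershell
# Audit-LocalGroups.ps1 (hypothetical name; added example, not from the thread)
# Lists every member of the given local groups on a remote computer with its full
# ADsPath and flags entries that are unresolvable SIDs. Nothing is removed unless
# -Remove is passed; -WhatIf shows what would be removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName,

    # Assumed default for this example; the thread only used "Administrators".
    [string[]]$GroupName = @('Administrators', 'Backup Operators'),

    # Only remove orphaned-SID entries when this switch is given.
    [switch]$Remove
)

# A member whose Name is a raw SID string (S-1-5-...) could not be resolved to
# an account; that is what the thread calls an orphaned SID.
$sidPattern = '^S-\d+-\d+(-\d+)+$'

foreach ($name in $GroupName) {
    # ",group" binds straight to the group object by name, so one loop covers
    # any number of groups (the thread's children.find() takes a single name).
    $group = [ADSI]("WinNT://$ComputerName/$($name),group")

    $members = $group.psbase.Invoke('Members') | ForEach-Object {
        [PSCustomObject]@{
            Group   = $name
            Name    = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
            ADsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    }

    foreach ($m in $members) {
        $orphaned = [bool]($m.Name -match $sidPattern)
        $flag = if ($orphaned) { 'ORPHANED' } else { 'ok' }
        Write-Host ("{0,-16} {1,-8} {2}" -f $m.Group, $flag, $m.ADsPath)

        if ($orphaned -and $Remove -and $PSCmdlet.ShouldProcess($m.ADsPath, "Remove from $name")) {
            # Pass the ADsPath exactly as enumerated. An orphaned SID has no domain
            # component, which is why "WinNT://$domain/$user" was a no-op in the thread.
            $group.Remove($m.ADsPath)
        }
    }
}
```

Run it first as `.\Audit-LocalGroups.ps1 -ComputerName SERVER01` to get the listing only, then with `-Remove -WhatIf` to see which ADsPaths would be removed, and only then with `-Remove`. Resolvable accounts are never touched by this script; as in the thread, removing a named account that does not belong is a separate, deliberate Remove() call on its ADsPath.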
