a·gen·tic a·gil·i·ty

Removing ACL’s for dead AD accounts

Explains how to identify and remove access control entries (ACLs) for deleted Active Directory accounts using .NET, including challenges and code examples for automation.

Published on
2 minute read
Image
https://nkdagility.com/resources/l3dnUvBZV8r
Subscribe

Removing ACL's for dead AD accounts I have run into a very vexing problem with one of my applications. I was asked to provide an application that would fin all of the permissions set against Active Directory accounts that have been since removed. These normally show up in the permissions dialogs for folders as the full SID of the account as there is no longer nay way to look it up in Active Directory.

Removing ACL's for dead AD accounts I have written a nice little threaded application that lets you select a folder and it finds all of the dead accounts. What it actually does is verify all accounts against Active Directory and flags them if they are not found. This will have the side effect of finding groups and local accounts and thinking they are dead as well. To solve this problem I added a “Safe List” of accounts and as way to add them from the GUI. The system then ignores any account names that are in this list.

All is well…

But not really. As I moved on to actually deleting the offending ACL’s on request, I found it was a little more difficult to actually delete them as .NET seams to ignore my code…

 1Private Sub RemoveACL(ByVal DirectoryName As String, _
 2                      ByVal IdentityReference As Security.Principal.IdentityReference)
 3    Dim DS As DirectorySecurity
 4    DS = System.IO.Directory.GetAccessControl(DirectoryName)
 5
 6    DS.PurgeAccessRules(IdentityReference)
 7    DS.PurgeAuditRules(IdentityReference)
 8
 9    System.IO.Directory.SetAccessControl(DirectoryName, DS)
10End Sub

Now, this code is fairly simple. First we get the directory security object, then we change the directory security object, and then we save the directory security object.

The “DirectoryName” object contains a CuteFTP folder:

Removing ACL's for dead AD accounts

The “IdentityReference” object contains the offending SID:

Removing ACL's for dead AD accounts

This code should work, and I have used a similar piece to add permissions, so why on earth can’t I remove them!

UPDATE: I have added a question about this to the MSDN Forums

Technorati Tags: .NET

Subscribe

Related blog

No related videos found.

Connect with Martin Hinshelwood

If you've made it this far, it's worth connecting with our principal consultant and coach, Martin Hinshelwood, for a 30-minute 'ask me anything' call.

Our Happy Clients​

We partner with businesses across diverse industries, including finance, insurance, healthcare, pharmaceuticals, technology, engineering, transportation, hospitality, entertainment, legal, government, and military sectors.​

Big Data for Humans Logo

Big Data for Humans

Flowmaster (a Mentor Graphics Company) Logo

Flowmaster (a Mentor Graphics Company)

Slaughter and May Logo

Slaughter and May

NIT A/S

Xceptor - Process and Data Automation Logo

Xceptor - Process and Data Automation

Boxit Document Solutions Logo

Boxit Document Solutions

Akaditi Logo

Akaditi

Lockheed Martin Logo

Lockheed Martin

Graham & Brown Logo

Graham & Brown

Epic Games Logo

Epic Games

ProgramUtvikling Logo

ProgramUtvikling

MacDonald Humfrey (Automation) Ltd. Logo

MacDonald Humfrey (Automation) Ltd.

Lean SA Logo

Lean SA

New Signature Logo

New Signature

Philips Logo

Philips

Microsoft Logo

Microsoft

Higher Education Statistics Agency Logo

Higher Education Statistics Agency

Deliotte Logo

Deliotte

New Hampshire Supreme Court Logo

New Hampshire Supreme Court

Department of Work and Pensions (UK) Logo

Department of Work and Pensions (UK)

Washington Department of Transport Logo

Washington Department of Transport

Ghana Police Service Logo

Ghana Police Service

Washington Department of Enterprise Services Logo

Washington Department of Enterprise Services

Royal Air Force Logo

Royal Air Force

Slaughter and May Logo

Slaughter and May

Ericson Logo

Ericson

Philips Logo

Philips

YearUp.org Logo

YearUp.org

Xceptor - Process and Data Automation Logo

Xceptor - Process and Data Automation

New Signature Logo

New Signature