February 11th, 2025 13:35
Remove orphaned SIDs from ACL
My AD group has been going through and reorganising groups and members and has left the ACLs on my SMB shares in a mess with orphaned SIDs. Has anyone found a way to remove the ACLs via a SID instead of a user or group from the command line?
Example:
XXXXXXX-9# ls -lead . |grep -i SID
9: SID:<SID> allow std_synchronize,list,traverse
XXXXXXX-9# chmod -a SID:<SID> allow std_synchronize,list,traverse .
chmod: ACE must begin with 'user', 'group', 'everyone', 'creator_owner', 'creator_group', or 'owner_rights': Invalid argument
DELL-Sam L
Moderator
February 12th, 2025 14:58
Hello tchstnut,
Here are a couple of links to some KBs that may be of assistance.
https://dell.to/41dhUoM
https://dell.to/3QgfbET
tchstnut
1 Rookie
February 12th, 2025 15:06
@DELL-Sam L Thank you for the information, but that really doesn't help.
Guess I should have mentioned that I'm running OneFS 9.X, so setfacl has been deprecated with the chmod command. Which is the problem: chmod will not accept the SID directly.
DELL-Sam L
Moderator
February 13th, 2025 13:53
Hello tchstnut,
I am not seeing any other way to remove them all at the same time unless you open a support ticket and tech support assists you in removing them. There are some elevated commands that support can run to remove the orphaned SIDs, but only support can run those commands.
tchstnut
1 Rookie
April 8th, 2025 13:28
I ended up writing a Python script that walks the directory structure and if the ACL contains "SID:", it removes it via the cmd command. It takes a while to run on large systems, but it looks to work.
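As an added illustration of the approach described in this thread (not the poster's script, and not Dell code), the sketch below parses a listing in the `ls -lead` format shown in the first post, picks out ACEs whose trustee is still a raw `SID:`, and builds a dry-run removal plan by ACE index. It assumes that `chmod -a# <index> <path>` deletes an ACE by position on your release; the sample listing, SIDs and path are constructed.

```python
import re

# Constructed sample of an `ls -lead` listing; SIDs and names are made up.
SAMPLE = """\
drwxrwx--- +  4 root  wheel  112 Feb 11 13:30 .
 OWNER: user:root
 GROUP: group:wheel
 0: user:root allow dir_gen_all,object_inherit,container_inherit
 1: SID:S-1-5-21-1111111111-2222222222-3333333333-1105 allow dir_gen_read,dir_gen_execute
 2: group:EXAMPLE\\domain users allow dir_gen_read
 3: SID:S-1-5-21-1111111111-2222222222-3333333333-2207 allow std_synchronize,list,traverse
"""

# "<index>: SID:<sid> <allow|deny> <rights>". Trustees that still resolve are
# printed as user:/group: and therefore never match this pattern.
ACE_RE = re.compile(r"^\s*(\d+):\s+SID:(S-\d+(?:-\d+)+)\s+(allow|deny)\s+(\S.*)$")


def orphaned_aces(listing):
    """Return (index, sid, ace_type, rights) for every ACE with an unresolved SID."""
    found = []
    for line in listing.splitlines():
        m = ACE_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return found


def removal_plan(path, listing):
    """Build one command per orphaned ACE, highest index first.

    Removing an ACE renumbers every ACE after it, so working from the
    bottom up keeps the remaining indexes valid.
    Assumption: `chmod -a# <index> <path>` removes the ACE at that index.
    """
    indexes = sorted((ace[0] for ace in orphaned_aces(listing)), reverse=True)
    return [["chmod", "-a#", str(i), path] for i in indexes]


if __name__ == "__main__":
    for ace in orphaned_aces(SAMPLE):
        print("orphaned ACE:", ace)
    # Dry run only: print the plan for review instead of executing it.
    for cmd in removal_plan("/ifs/data/share", SAMPLE):  # constructed path
        print(" ".join(cmd))
```

Keep the printed plan and the original listing for each path so the change can be audited, and confirm the SIDs really are unresolvable (rather than temporarily unresolved because a domain is unreachable) before removing anything.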