As a follow-up to my question "Do backlinks clear in AD for deleted users" I have another related but different question.
I was informed in the answers there that a deleted object's SID (Group or User, so assigning rights to a group only minimizes the issue, and does not fix it) remains within the ACEs it has been assigned to, leaving them orphaned.
Lotus Domino, which has similar issues with back references, has an adminp process to clean up such orphaned references.
Is there a similar process in AD that would allow you to clean up such orphaned SIDs floating around your domain?
I haven't tested this so forgive my preemptive post (but I don't have a test domain and don't plan on testing this in production) but perhaps you're looking for SUBINACL. Download it here
subinacl.exe /help /cleandeletedsidsfrom provides the following:
It appears you can use this with the /samobject switch to apply it to Users or Groups.
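For readers who want to see which ACEs are actually affected before running a cleanup tool, here is an added PowerShell example (not part of this answer, and unrelated to SUBINACL) that audits the security descriptors of AD objects under a search base for explicit ACEs whose trustee SID no longer resolves to an account. It assumes the ActiveDirectory module and its AD: drive are available, and the $SearchBase default is a placeholder DN; by default it only reports, and removes the ACEs only when -Remove is given.

```powershell
# Added example, not code from any answer on this page. Reports explicit ACEs
# on AD objects under $SearchBase whose SID cannot be resolved (typically a
# deleted user or group); removes them only with -Remove. Assumes the
# ActiveDirectory module; the default search base is a placeholder.
param(
    [string]$SearchBase = 'OU=Example,DC=example,DC=com',
    [switch]$Remove
)

Import-Module ActiveDirectory

function Test-OrphanedSid {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl hands back an NTAccount when the SID resolved; a raw
    # SecurityIdentifier means Windows could not translate it. Retry once so
    # a transient lookup failure is not reported as an orphan.
    if ($Identity -isnot [System.Security.Principal.SecurityIdentifier]) { return $false }
    try {
        $null = $Identity.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

$objects = Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree
foreach ($obj in $objects) {
    $adPath = "AD:\$($obj.DistinguishedName)"
    $acl = Get-Acl -Path $adPath
    # Inherited ACEs are fixed on the object where they originate; only the
    # explicit ACEs on this object are candidates for removal here.
    $orphans = @($acl.Access | Where-Object {
        -not $_.IsInherited -and (Test-OrphanedSid $_.IdentityReference)
    })
    foreach ($ace in $orphans) {
        [pscustomobject]@{
            Object = $obj.DistinguishedName
            Sid    = $ace.IdentityReference.Value
            Rights = $ace.ActiveDirectoryRights
            Type   = $ace.AccessControlType
        }
        if ($Remove) { $acl.RemoveAccessRuleSpecific($ace) }
    }
    if ($Remove -and $orphans.Count -gt 0) {
        Set-Acl -Path $adPath -AclObject $acl
    }
}
```

Run it without -Remove first and review the report: a SID that fails to resolve is not proof the account was deleted, since SIDs from a trusted domain also fail to translate while the trust or its domain controllers are unreachable, so confirm such entries before removing them. Writing the descriptors back requires an account with write permission on nTSecurityDescriptor for the objects in scope.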
How about just using a tool like Security Explorer? It's like Windows Explorer on steroids, and can centrally locate and delete orphaned SIDs to clean them up. www.securityexplorer.com.
It's one aspect of the tool, but DatAdvantage does this and a bunch of other systemic file/directory management and cleanup.
I recently ran across this issue when working with a client, and instead of going through all the PowerShell and other stuff that I was having issues with, I wrote a quick program with a GUI to remove all the ghost accounts. This is much simpler. Please check it out at http://chstechsolutions.com/articles/2017/3/1/j8knqicyixvon3byelairoub47mvv6
I think it is much simpler and it is free.