Orphaned SIDs

A SID becomes “orphaned” when it is used in an ACL entry, but the corresponding object (computer, user or group) no longer exists in Windows.

In Windows, these entries can be identified by the text “Unknown account (S-1-5-…)” appearing instead of the object name. This indicates that the specified SID can no longer be translated to a user or group.

Orphaned SID entries are not harmful per se, but they do nothing to help you keep an overview of the situation. In fact, they make it much harder to keep track of who has access to which resource.
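The way to find these entries programmatically follows directly from the description above: read each ACL with the principals returned as raw SIDs, try to translate every SID back to an account name, and report the ones that cannot be translated. The following PowerShell function is an added example and is not code from the original article or from tenfold; the function name, parameters and output fields are my own choices.

```powershell
# Added example (not from the original article): report ACEs on a file or folder
# whose SID can no longer be resolved to an account, i.e. the entries Windows
# displays as "Unknown account (S-1-5-...)".
function Find-OrphanedSidAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,   # file or directory to inspect
        [switch]$Recurse                       # also walk all children of a directory
    )

    # Build the list of objects to inspect: the path itself, plus its children if requested.
    $targets = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $targets += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }

    foreach ($item in $targets) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of $($item.FullName): $($_.Exception.Message)"
            continue
        }

        # Ask for the rules keyed by SecurityIdentifier rather than NTAccount, so we
        # get the raw SID and decide ourselves whether it still resolves.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            $sid = [System.Security.Principal.SecurityIdentifier]$rule.IdentityReference

            # Caveat: app-container capability SIDs (S-1-15-...) are not account SIDs and
            # never translate to a name, but they are not orphaned either. Skip them so
            # they do not pollute the report.
            if ($sid.Value -like 'S-1-15-*') { continue }

            try {
                # A SID that still belongs to a user, group or computer translates cleanly.
                $null = $sid.Translate([System.Security.Principal.NTAccount])
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # Translation failed: the object behind this SID no longer exists.
                [pscustomobject]@{
                    Path        = $item.FullName
                    Sid         = $sid.Value
                    Rights      = $rule.FileSystemRights
                    AccessType  = $rule.AccessControlType   # Allow or Deny
                    IsInherited = $rule.IsInherited
                }
            }
        }
    }
}

# Usage: list orphaned entries under a share and export them for review.
# Find-OrphanedSidAce -Path 'D:\Shares\Finance' -Recurse | Export-Csv orphaned-sids.csv -NoTypeInformation
```

Run this from a domain-joined machine that can reach a domain controller: a valid domain SID also fails to translate when no DC is reachable, so an offline run would report live accounts as orphaned. The `IsInherited` column matters when cleaning up, because an inherited orphaned entry has to be removed at the object where it was explicitly set, not on the child where the report shows it.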

About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.