Is it safe to delete "Account Unknown" entries from Windows ACLs in a domain environment?

It's not uncommon to see entries in Windows ACLs (NTFS files/folders, registry, AD objects, etc.) with the name "Account Unknown (SID)". Obviously these are because of old AD users or groups which at some point had permissions manually configured on the relevant object and have since been deleted.

Does anyone know if it is safe to remove these "Account Unknown" ACEs?

My gut feeling is that it should be just fine, but I'm wondering if anyone has any past experiences where doing this has caused trouble?

Normally I just ignore these, but the company I'm working at now seems to have an abnormal number of these, most likely due to past admins' inexperience with AD/Windows and assigning permissions to user accounts rather than groups in all sorts of weird places.

FWIW, our environment is not complex, a single domain forest, 4 DCs in 3 sites, with all network connectivity and replication healthy, so I'm certain that these "Account Unknown" entries are really old accounts, and not just because of some failure to resolve the SID to a human-readable name.


Solution 1:

As long as you have no connectivity problems, yes, it's safe to delete them. Do be careful because Windows will show "Account Unknown" if it can't connect to AD, or if you have multiple domains it might take a few moments to cross the domain boundaries, etc.

Solution 2:

Take a backup and go ahead.

Assuming you don't have any trusts with other domains and, as pointed out earlier, no network connectivity issues.

You can take a backup of the ACLs using xcacls.exe or icacls.exe (Vista and above). They can be saved in a format such that you can copy, paste, and reapply them.
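The procedure the two answers describe (back up the DACLs first, make sure SID resolution actually works so a connectivity problem is not mistaken for orphaned accounts, then strip only ACEs whose SID belongs to your own domain and really does not resolve) as an added PowerShell example; this is not code from either answer. It assumes it runs elevated on a domain-joined machine, that icacls.exe is on the PATH, that `$Root` is a placeholder for the folder tree to clean, and that the current user's own domain SID identifies "our domain". By default it only reports; `-Remove` is required to change anything.

```powershell
# Added example, not part of the original answers.
# Assumptions: elevated session on a domain-joined host; $Root is a placeholder
# path supplied by the caller; icacls.exe is on PATH; "our domain" is the domain
# of the account running the script. Report-only unless -Remove is given.
param(
    [Parameter(Mandatory)] [string] $Root,
    [string] $BackupFile = "$env:TEMP\acl-backup-$(Get-Date -Format yyyyMMdd-HHmmss).txt",
    [switch] $Remove
)

# 1. Backup first. icacls /save writes a restorable DACL dump; note that
#    'icacls <parent-of-Root> /restore <file>' must be run against the PARENT
#    folder, because the entries are stored relative to it.
& icacls.exe $Root /save $BackupFile /t /c | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls backup failed (exit $LASTEXITCODE); aborting." }
Write-Host "DACL backup written to $BackupFile"

# 2. Prove SID resolution works right now: if even the current user's SID does
#    not translate, every ACE would look like "Account Unknown" and we must stop.
$me             = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$localDomainSid = $me.User.AccountDomainSid
try   { $null = $me.User.Translate([System.Security.Principal.NTAccount]) }
catch { throw "Cannot resolve the current user's SID; fix AD connectivity before cleaning ACLs." }

# 3. Walk the tree. Get-Acl returns an NTAccount when the SID resolves; an ACE
#    whose IdentityReference is still a raw SecurityIdentifier is exactly what
#    the GUI renders as "Account Unknown (S-1-5-21-...)".
$items  = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
$report = foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName } catch { Write-Warning "Skipping $($item.FullName): $_"; continue }
    $changed = $false
    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference -isnot [System.Security.Principal.SecurityIdentifier]) { continue }
        $sid = $ace.IdentityReference

        # Retry translation explicitly; a one-off lookup failure means leave it alone.
        $resolves = $true
        try { $null = $sid.Translate([System.Security.Principal.NTAccount]) } catch { $resolves = $false }
        if ($resolves) { continue }

        # Classify: only SIDs from our own domain are candidates for removal.
        # AccountDomainSid is $null for non-account SIDs such as S-1-15-* capability
        # SIDs, which also show as "Account Unknown" and must be left in place.
        if ($null -eq $sid.AccountDomainSid) {
            $status = 'non-account SID (e.g. app capability) - leave alone'
        } elseif ($sid.AccountDomainSid -eq $localDomainSid) {
            $status = if ($ace.IsInherited) { 'orphan (our domain), inherited - fix at the source object' } else { 'orphan (our domain)' }
        } else {
            $status = 'unresolved SID from another domain/machine - verify trust and connectivity first'
        }

        [pscustomobject]@{
            Path   = $item.FullName
            SID    = $sid.Value
            Rights = $ace.FileSystemRights
            Type   = $ace.AccessControlType
            Status = $status
        }

        # Remove only explicit (non-inherited) orphans from our own domain.
        if ($Remove -and $status -eq 'orphan (our domain)') {
            $null = $acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}

$report | Format-Table -AutoSize
```

Run it once without `-Remove` and read the Status column: anything flagged as coming from another domain or machine is the multi-domain case Solution 1 warns about and should be investigated before deletion, and inherited orphans are cleaned by removing the ACE from the object they inherit from rather than from each child. If something goes wrong, `icacls <parent of $Root> /restore <BackupFile>` puts the saved DACLs back.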