How to clean up orphaned SID's in ACEs in AD?
I haven't tested this so forgive my preemptive post (but I don't have a test domain and don't plan on testing this in production) but perhaps you're looking for SUBINACL. Download it here
subinacl.exe /help /cleandeletedsidsfrom provides the following:
/cleandeletedsidsfrom=domain[=dacl|sacl|owner|primarygroup|all]
delete all ACEs containing deleted (no valid) Sids from DomainName
You can specify which part of the security descriptor will be scanned
(default=all)
If the owner is deleted, new owner will be the Administrators group.
If the primary group is deleted, new primary group will be the Users group.
Appears you can use this with /samobject switch to apply to Users or Groups.
how about just using a tool like Security Explorer? It's like Windows Explorer on steroids, and can centrally locate and delete Orphaned SIDs to clean them up. www.securityexplorer.com.