How to clean up orphaned computer SIDs or user SIDs in Citrix environments

Case

You may have deleted a computer account or user account in a Citrix environment running under Active Directory Domain Services (an AD domain). You then re-create a user account or computer object with the same name and try to use the new object in the same Citrix AD domain. You receive various types of errors (e.g. AD authentication errors) stating that the specified computer or user object does not exist. This is expected: the re-created computer or user object has the same name but, by design, a different SID. The old SID may still be cached in the Windows registry, in NTFS ACE permissions and in various other places.

One such case is described in the following Citrix discussions post: https://discussions.citrix.com/topic/373378-recreated-user-cant-logincreate-applications/.

Solution

You need to clean up the stale SID entries belonging to the old, deleted computer or user accounts. Carl Webster has created a PowerShell script which does exactly that. You could run the cleanup manually (e.g. with the Citrix PowerShell cmdlets described in https://support.citrix.com/article/CTX239468), but in that case the process is error-prone and you will also need to check every location where the old SIDs might be cached.

The Carl Webster script is available for download at: https://carlwebster.com/get-broker-invalid-accounts-v2-00/. There is a detailed readme file included which documents the script execution and associated parameters.
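The following PowerShell is an added example written for this article; it is not Carl Webster's script and not Citrix's own code. It only reports stale SIDs, so an administrator can see what the manual cleanup or the script would have to touch. It assumes it is run elevated on a domain-joined host that can reach a domain controller (an unreachable domain would also make SIDs fail to translate), that the Citrix Broker snap-in `Citrix.Broker.Admin.V2` is available for the broker checks, and that the folder path passed to the NTFS check (`D:\Profiles` in the usage line) is a placeholder you replace with your own.

```powershell
# Added example, not from the article or from Carl Webster's script.
# Reports SIDs that no longer resolve to an AD principal in three places the
# article names: Citrix Broker user references, NTFS ACEs, and the local
# ProfileList registry key. Reporting only; remediation is left to the
# documented cmdlets or the script.

function Test-SidResolvable {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        # Translate() asks the domain to map the SID back to an account name.
        $null = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

function Get-StaleBrokerSid {
    # Assumption: run on a Delivery Controller with the Broker snap-in installed.
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
    foreach ($u in Get-BrokerUser) {
        if ($u.SID -and -not (Test-SidResolvable $u.SID)) {
            [pscustomobject]@{ Source = 'BrokerUser'; Name = $u.Name; SID = $u.SID }
        }
    }
    foreach ($rule in Get-BrokerAccessPolicyRule) {
        foreach ($u in $rule.IncludedUsers) {
            if (-not (Test-SidResolvable $u.SID)) {
                [pscustomobject]@{ Source = "AccessPolicyRule:$($rule.Name)"; Name = $u.Name; SID = $u.SID }
            }
        }
    }
}

function Get-StaleNtfsAce {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            foreach ($ace in $acl.Access) {
                # Unresolvable principals come back as a raw SID string instead of DOMAIN\name.
                $id = $ace.IdentityReference.Value
                if ($id -match '^S-1-5-21-' -and -not (Test-SidResolvable $id)) {
                    [pscustomobject]@{ Source = 'NTFS'; Name = $_.FullName; SID = $id }
                }
            }
        }
}

function Get-StaleProfileListSid {
    # Each domain profile on the host has a subkey named after the account SID.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            if (-not (Test-SidResolvable $_.PSChildName)) {
                $profilePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
                [pscustomobject]@{ Source = 'ProfileList'; Name = $profilePath; SID = $_.PSChildName }
            }
        }
}

# Usage (placeholder path; run elevated on the controller or file server):
# Get-StaleBrokerSid
# Get-StaleNtfsAce -Path 'D:\Profiles'
# Get-StaleProfileListSid
```

The `^S-1-5-21-` filter keeps the NTFS and registry checks focused on domain and local account SIDs; well-known SIDs such as SYSTEM or Administrators always resolve and are not candidates for this kind of orphan. Compare the report against the delivery groups, applications and profile folders the re-created account should own before removing anything.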
