Can't remove ACL entry that refers to orphaned SID


I’m (still) running Win-7 Home Premium. I understand the risks and, for a number of reasons, still DO NOT want to upgrade to Win-10 or to rebuild my win-7 installation to correct this problem. The system was built 8 years ago and, over the years, I have created and deleted numerous user accounts. I currently have three user accounts:

Administrator (SID 500)
AdminUser (SID 1003)
NormalUser (SID 1007)

Somewhere along the way, I deleted the original user account that Windows created during its original install which I believe was assigned SID 1000.

On the current system, things generally work as desired. But I occasionally encounter strange behavior and failures. During troubleshooting, I discovered that many folders retain ACL entries that refer to the now-orphaned SID 1000. For example, the command

icacls c:\ProgramData /save output.txt

produces the following

ProgramData
D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;S-1-5-21-xxx-yyy-zzz-1000)

The above indicates that NT AUTHORITY\SYSTEM and BUILTIN\Administrators have Full Control permissions. It also lists the full SID for the now-orphaned 1000 user account. I'd like to remove these references to the bogus SID, but the command:

icacls C:\ProgramData /remove S-1-5-21-xxx-yyy-zzz-1000

does nothing when run from an elevated command prompt, reporting Successfully processed 0 files. When using File Manager, the Remove button is grayed-out on the Advanced Security Settings dialog of the Security tab of the Folder’s Properties. So I cannot remove the permission that way either.

How do I remove the reference to this orphaned SID? Or change it to refer to a legitimate SID?

Alternatively, how do I change the SID associated with the existing 1003 user to 1000 so that references to SID 1000 get properly resolved to an active user account?

Any suggestions would be appreciated.


No sooner did I post my question, than I found an answer:

Right-click a File Explorer shortcut pinned to my TaskBar
Select Run as Administrator
Browse to the desired Folder, right-click and select Properties
Select the Security Tab
Remove the undesired User

Not sure why I didn't think to use an elevated File Explorer earlier. But it successfully updated the ACLs and now the references to the bogus SID are gone. :-)
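The same clean-up, scripted so it can be dry-run and applied to a whole tree, as an added example that is not part of the question or either answer. It walks a folder, finds every explicit (non-inherited) ACE whose SID no longer maps to an account, purges those ACEs and writes the DACL back. The target path is an assumption; change it to the folder you are cleaning. Run it from an elevated PowerShell prompt, as the first answer does with File Explorer.

```powershell
# Added example, not code from the original post or answers.
# Removes explicit ACEs that reference orphaned (unresolvable) SIDs.
# Assumption: run as a member of Administrators; path is a placeholder.

function Test-OrphanedSid {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl returns an NTAccount for every SID LSA could resolve and a raw
    # SecurityIdentifier for one it could not. Re-try the translation so a
    # SID is only treated as orphaned when the lookup really fails.
    if ($Identity -is [System.Security.Principal.NTAccount]) { return $false }
    try {
        [void]$Identity.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

function Remove-OrphanedSidAces {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]$Path,
        [switch]$Recurse
    )
    $principal = [Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -Path $item.FullName
        } catch {
            Write-Warning "Cannot read ACL on $($item.FullName): $_"
            continue
        }
        # Only explicit ACEs can be removed on this object. An inherited ACE
        # for the orphaned SID has to be removed from the parent it came from
        # (or inheritance broken first), so skip those here.
        $orphans = @($acl.Access | Where-Object {
            -not $_.IsInherited -and (Test-OrphanedSid $_.IdentityReference)
        })
        if ($orphans.Count -eq 0) { continue }

        $sids = ($orphans | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique) -join ', '
        if ($PSCmdlet.ShouldProcess($item.FullName, "Remove ACEs for $sids")) {
            foreach ($ace in $orphans) {
                # PurgeAccessRules drops every allow and deny ACE for that identity.
                $acl.PurgeAccessRules($ace.IdentityReference)
            }
            # Set-Acl writes the owner as well as the DACL. If the owner is
            # itself an orphaned SID, take ownership first (takeown /F <path>)
            # or this call fails.
            Set-Acl -Path $item.FullName -AclObject $acl
            Write-Verbose "Cleaned $($item.FullName)"
        }
    }
}

# Dry run first, then apply.
Remove-OrphanedSidAces -Path 'C:\ProgramData' -Recurse -WhatIf
# Remove-OrphanedSidAces -Path 'C:\ProgramData' -Recurse -Verbose
```

Two practical notes. First, icacls can do the same job without a script, but a numeric SID passed to /remove must be prefixed with an asterisk, otherwise icacls treats the string as an account name; `icacls C:\ProgramData /remove *S-1-5-21-xxx-yyy-zzz-1000 /T` is the form to use. Second, an orphaned SID in a DACL is usually harmless on its own; the failures worth chasing are objects where the orphaned account was the only principal granted access, or where it is the owner, because removing the ACE does not add any replacement permission.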


There was a tool, subinacl.exe, that was provided by Microsoft until 2004. It is a bit hard to find now (see https://answers.microsoft.com/en-us/windows/forum/all/i-wanted-to-download-subinacl-but-i-cant-find-it/a8bf4c50-1d43-4f03-b6f9-f62deab010fb). With this tool you can remove all invalid SIDs from a folder and its subfolders:

subinacl /subdirectories "C:\folder\*.*" /cleandeletedsidsfrom=<domain>

It was helpful for me, but the output seems to be corrupt, so I redirected the output to a file with >logfile.txt.