Share permission anomalies
Hi, I am currently working on a project to tidy up permissions and data on a multi-domain site. I have come across some folders that have, what look like, deleted\unknown users\groups with permissions still assigned. They are coming up in the "S-I-5-........" format. I believe it is safe to go through and remove these permissions, but before doing so, I was wondering if anyone could tell me whether these could possibly cross domain permissions or whether those should\would display properly? Thanks
January 31st, 2011 4:15am

It happens when an object that has been explicitly granted permission to a file or folder no longer exists in Active Directory. Typically, it is recommended to grant permissions in NTFS to a Domain Local Group instead of a specific user account. With that, you can easily grant a user or group the permission on the NTFS by adding them as members of the group.

Nesting groups: http://technet2.microsoft.com/windowsserver/en/library/3fbe961d-1124-4a56-9d95-4be9e0dc59951033.mspx

You can also use SIDWalker (a security management tool) to delete old, unused SIDs (which can't map to an account object), or replace them with corresponding new SIDs, such as new security groups.

http://www.virmansec.com/blogs/skhairuddin
January 31st, 2011 4:30am
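
A read-only audit for the situation discussed in this thread, added here as an example and not posted by either participant: it lists explicit NTFS entries whose SID no longer translates to an account and records the domain portion of each SID, so entries can be grouped by issuing domain before anything is removed. The root path `D:\Shares` and the output file name are hypothetical.

```powershell
# Added example: report explicit ACEs whose SID cannot be resolved. Changes nothing.
# $Root and $OutFile are hypothetical values; adjust for the share being reviewed.
param(
    [string]$Root    = 'D:\Shares',
    [string]$OutFile = '.\unresolved-aces.csv'
)

function Get-UnresolvedAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Explicit entries only, returned as raw SIDs so nothing is resolved implicitly.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try {
            [void]$sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $sid.Value
                # Domain part of the SID; $null for SIDs that are not domain accounts.
                DomainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
                Rights    = $rule.FileSystemRights
                Type      = $rule.AccessControlType
            }
        }
    }
}

# Domain SID of the account running the audit, used only as a comparison column.
$auditor   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$myDomain  = if ($auditor.AccountDomainSid) { $auditor.AccountDomainSid.Value } else { $null }

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$folders |
    ForEach-Object { Get-UnresolvedAce -Path $_.FullName } |
    Select-Object *, @{ n = 'SameDomainAsAuditor'; e = { $_.DomainSid -eq $myDomain } } |
    Export-Csv -NoTypeInformation -Path $OutFile
```

Rows where `SameDomainAsAuditor` is false carry a domain identifier different from the auditing account's domain and deserve a second look from a machine that can reach that domain before the entry is treated as orphaned.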

This topic is archived. No further replies will be accepted.
