I have a script that cleans up AD and DNS objects after servers are decommissioned. One function in the overall script (below) would go through all GPOs in all of the domains and remove any orphaned SIDs.
    # Get-GPO and the Microsoft.GroupPolicy types come from the RSAT GroupPolicy module
    Import-Module GroupPolicy

    Function Remove-GPOUnknownSIDs {
        param (
            [parameter(mandatory = $true)]
            [Microsoft.GroupPolicy.Gpo]$GPO
        )
        $name        = $GPO.DisplayName
        # GetSecurityInfo() returns the GPO's permission collection (one entry per trustee)
        $gpoSecurity = $GPO.GetSecurityInfo()
        # A trustee whose SID no longer resolves to an account has SidType "Unknown"
        $UnknownSIDs = $gpoSecurity.Trustee | Where {$_.SidType -Like "Unknown"}
        #$UnknownSIDs | Out-GridView -Wait
        foreach ($UnknownSID in $UnknownSIDs) {
            $SIDToRemove = $UnknownSID.Sid.Value
            # Drop every ACE for that SID from the in-memory collection, then write it back
            $gpoSecurity.RemoveTrustee($SIDToRemove)
            $GPO.SetSecurityInfo($gpoSecurity)
        }
    }
The thing that I do not understand is that this was working, and suddenly is throwing errors. In the larger script it is called like so:
    $aGPOs = Get-GPO -Domain "mydomain.com" -All
    #$aGPOs | Out-GridView -Wait -Title $aGPOs.Count
    foreach ($gpo in $aGPOs) {
        Remove-GPOUnknownSIDs -GPO $gpo
    }
As you can see in the code above, I tested to confirm that $aGPOs has members (130+ in the one domain), and inside the function I have tested that there are indeed GPOs that have unknown SIDs in them (at least a dozen). I have also confirmed the orphaned SID shows a blank line in $gpoSecurity. But when the code attempts to remove them I get the following error:
    Exception calling "SetSecurityInfo" with "1" argument(s): "The request is not supported. (Exception from HRESULT: 0x80070032)"
    At line:19 char:13
    +             $GPO.SetSecurityInfo($gpoSecurity)
    +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : COMException
I am hoping I am missing something stupid simple here, but cannot wrap my head around why it has been working but suddenly is not.
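The following is an added example, not the poster's script, showing how the same clean-up can be split into an audit pass and a removal pass so that each GPO's outcome (including the HRESULT of any failure) is recorded instead of aborting the loop. It keeps the page's own mechanism (GetSecurityInfo, RemoveTrustee by SID string, SetSecurityInfo) but writes the ACL back once per GPO and wraps the write in ShouldProcess so -WhatIf gives a dry run. It assumes the RSAT GroupPolicy module is installed, that the account running it can edit every GPO, and the domain name "mydomain.com" is a placeholder taken from the question; the function names are mine.

```powershell
# Added example: audit, then remove, unknown (unresolvable) trustees on GPO ACLs.
# Assumes RSAT GroupPolicy module; "mydomain.com" is a placeholder domain.
Import-Module GroupPolicy

function Get-GPOUnknownTrustee {
    [CmdletBinding()]
    param([Parameter(Mandatory)][Microsoft.GroupPolicy.Gpo]$GPO)

    # GetSecurityInfo() enumerates one GPPermission per ACE; the Trustee's
    # SidType is 'Unknown' when the SID could not be resolved to an account.
    foreach ($perm in $GPO.GetSecurityInfo()) {
        if ($perm.Trustee.SidType -eq 'Unknown') {
            [pscustomobject]@{
                Gpo        = $GPO.DisplayName
                GpoId      = $GPO.Id
                Sid        = $perm.Trustee.Sid.Value
                Permission = $perm.Permission
            }
        }
    }
}

function Remove-GPOUnknownTrustee {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][Microsoft.GroupPolicy.Gpo]$GPO)

    $acl     = $GPO.GetSecurityInfo()
    $unknown = @($acl | Where-Object { $_.Trustee.SidType -eq 'Unknown' })
    if ($unknown.Count -eq 0) { return }

    # Remove every unknown trustee from the in-memory collection first ...
    foreach ($perm in $unknown) {
        $acl.RemoveTrustee($perm.Trustee.Sid.Value)
    }

    # ... then write the ACL back once, under -WhatIf / -Confirm control.
    if ($PSCmdlet.ShouldProcess($GPO.DisplayName, "Remove $($unknown.Count) unknown SID(s)")) {
        try {
            $GPO.SetSecurityInfo($acl)
            [pscustomobject]@{ Gpo = $GPO.DisplayName; Removed = $unknown.Count; Result = 'OK' }
        }
        catch {
            # Keep going, but record the COM HRESULT so failing GPOs can be
            # compared with the ones that still work.
            $inner = $_.Exception.InnerException
            if (-not $inner) { $inner = $_.Exception }
            [pscustomobject]@{
                Gpo     = $GPO.DisplayName
                Removed = 0
                Result  = ('0x{0:X8} {1}' -f $inner.HResult, $inner.Message)
            }
        }
    }
}

$domain = 'mydomain.com'                       # placeholder
$all    = Get-GPO -Domain $domain -All

# 1. Audit pass: review what would be removed before touching any GPO.
$report = $all | ForEach-Object { Get-GPOUnknownTrustee -GPO $_ }
$report | Format-Table Gpo, Sid, Permission -AutoSize

# 2. Removal pass: -WhatIf only reports; drop it to apply, add -Confirm:$false
#    to skip the per-GPO prompt. Failures are returned as rows, not thrown.
$results = $all | ForEach-Object { Remove-GPOUnknownTrustee -GPO $_ -WhatIf }
$results | Group-Object Result | Select-Object Name, Count
```

Two practitioner caveats. First, review the audit output before running the removal for real: a SidType of Unknown only means the SID did not resolve at that moment, which also happens for principals from a trusted domain whose domain controllers are temporarily unreachable, and removing such an ACE silently strips a legitimate permission from the GPO. Second, because each GPO's result is captured rather than thrown, the summary at the end shows whether every GPO fails with the same HRESULT or only some do, which narrows the search for a cause far more than the first exception alone.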