private/removeOrphanSIDs.ps1

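function removeOrphanSIDs {
    <#
    .SYNOPSIS
        Removes explicit (non-inherited) ACEs from every OU in the domain whose
        trustee is an unresolvable SID belonging to this domain (an "orphan" SID).
    .DESCRIPTION
        Walks every organizationalUnit under the domain root via the AD: drive,
        reads each OU's ACL and selects the non-inherited access rules whose
        IdentityReference is still a raw SID prefixed with this domain's SID
        (i.e. the trustee could not be resolved to a name). Before a rule is
        deleted the trustee is looked up on $Server; the rule is removed ONLY
        when that lookup succeeds and returns nothing. A lookup error (server
        unreachable, permissions) keeps the rule in place - fail closed.
        A modified ACL is written back once per OU, and only if at least one
        rule was actually removed. Supports -WhatIf / -Confirm so the planned
        removals can be reviewed before any ACL is changed.
    .PARAMETER Server
        Domain controller used for the existence check. Defaults to a writable
        DC discovered for the current domain.
    .NOTES
        Get-ADDomain and the AD: drive talk to the default connected DC, which
        is not necessarily $Server; against a lagging replica an object created
        very recently can look orphaned. Run a -WhatIf pass first.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    Param(
        [Microsoft.ActiveDirectory.Management.ADDirectoryServer]$Server = (Get-ADDomainController -Writable -Discover)
    )
    $domainFacts = Get-ADDomain
    $domainSid = $domainFacts.DomainSID.ToString()
    $basePath = $domainFacts.DistinguishedName
    $indent = " |--> "

    Get-ChildItem -Path "AD:$basePath" -Recurse |
        Where-Object { $_.objectClass -like "organizationalUnit" } |
        ForEach-Object {
            $path = $_
            $acl = Get-Acl -Path "AD:$path"
            # Explicit rules whose trustee is still a raw SID of this domain.
            # "$domainSid-*" (with the dash) avoids matching a SID that merely
            # shares a string prefix with the domain SID.
            $orphanList = $acl.Access | Where-Object {
                $_.IdentityReference -like "$domainSid-*" -and -not $_.IsInherited
            }
            if (-not $orphanList) { return }   # nothing to do for this OU

            Write-Host "-> $path"
            $removed = 0
            foreach ($rule in $orphanList) {
                $identity = $rule.IdentityReference.Value.ToString()
                # Double-check that the trustee really does not exist before removing.
                # Any lookup failure is treated as "unknown", not "absent": never
                # delete an ACE on the strength of an error.
                try {
                    $thisObject = Get-ADObject -Server $Server -ErrorAction Stop `
                        -Filter "objectSID -eq '$identity' -or samAccountName -eq '$identity'"
                }
                catch {
                    Write-Warning ("{0}lookup of {1} failed on {2}: {3} - rule kept" -f $indent, $identity, $Server, $_.Exception.Message)
                    continue
                }
                if ($thisObject) {
                    # Trustee exists (SID just did not resolve here) - keep the rule.
                    Write-Host ("{0}{1,-10} {2,-48} : {3}" -f $indent, "Exists: ", $identity, $thisObject.DistinguishedName)
                    continue
                }
                Write-Host ("{0}{1,-10} {2,-48} : {3}" -f $indent, "Orphan: ", $identity, $rule.ActiveDirectoryRights)
                if ($PSCmdlet.ShouldProcess("$path", "Remove ACE for $identity")) {
                    [void]$acl.RemoveAccessRuleSpecific($rule)
                    $removed++
                }
            }
            # Write the ACL back only when something was actually removed.
            if ($removed -gt 0) {
                Set-Acl -Path "AD:$path" -AclObject $acl
            }
        }
}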