Orphan SIDs create openings for hackers

Bad actors can exploit orphaned SIDs (Security Identifiers) in several ways, primarily targeting vulnerabilities in access control lists (ACLs). Here’s how:

  1. Unauthorized Access: Orphaned SIDs often remain in ACLs even after the associated user, group, or computer account is deleted. Attackers can create accounts with the same SID to gain unauthorized access to resources.
  2. Privilege Escalation: If an orphaned SID has elevated permissions, attackers can exploit it to escalate their privileges within a system or network.
  3. Persistence: By leveraging orphaned SIDs, attackers can maintain access to a system even after their primary accounts are removed.
  4. Confusion and Mismanagement: Orphaned SIDs can clutter ACLs, making it harder for administrators to identify legitimate permissions. This confusion can be exploited to hide malicious activities.

To mitigate these risks, regular audits of ACLs and the removal of orphaned SIDs are essential. However, searching for orphaned SIDs turns good, hardworking IT administrators into single-focus, soulless creatures like the Lensor from The Chronicles of Riddick.
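The audit described above can be scripted. The following PowerShell is an added example, not code from the original post: it walks a folder tree, looks for explicit (non-inherited) ACEs whose principal no longer resolves to an account, reports them, and optionally removes them. It assumes a Windows host with the built-in `Get-Acl`, `Set-Acl` and `Get-ChildItem` cmdlets; the root path `C:\Shares\Example` is a placeholder, and the function names `Test-OrphanedSid`, `Find-OrphanedSidAces` and `Remove-OrphanedSidAces` are this example's own.

```powershell
# Added example (not from the original post): locate and optionally remove ACEs
# whose security principal has been deleted (an "orphaned SID").
# Assumes Windows PowerShell / PowerShell 7 on Windows. $Path is a placeholder.
param(
    [string]$Path = 'C:\Shares\Example',   # placeholder root; replace with the tree to audit
    [switch]$Remove                        # without -Remove the script only reports
)

function Test-OrphanedSid {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl translates each ACE principal to DOMAIN\Name where it can. A principal that
    # is still a raw SecurityIdentifier could not be translated; confirm by trying again
    # so that a transient lookup failure is not mistaken for a deleted account.
    if ($Identity -is [System.Security.Principal.NTAccount]) { return $false }
    try {
        $null = $Identity.Translate([System.Security.Principal.NTAccount])
        return $false
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $true
    }
}

function Find-OrphanedSidAces {
    param([string]$Root)
    $items = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        try { $acl = Get-Acl -Path $item.FullName -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            # Inherited entries are fixed at the parent; report only where the ACE is set.
            if ($ace.IsInherited) { continue }
            if (Test-OrphanedSid -Identity $ace.IdentityReference) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                    Type   = $ace.AccessControlType
                }
            }
        }
    }
}

function Remove-OrphanedSidAces {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Root)
    $items = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        try { $acl = Get-Acl -Path $item.FullName -ErrorAction Stop } catch { continue }
        $stale = @($acl.Access | Where-Object {
            -not $_.IsInherited -and (Test-OrphanedSid -Identity $_.IdentityReference)
        })
        if ($stale.Count -eq 0) { continue }
        # -WhatIf / -Confirm are honoured through ShouldProcess so removal can be rehearsed.
        if ($PSCmdlet.ShouldProcess($item.FullName, "Remove $($stale.Count) orphaned ACE(s)")) {
            foreach ($ace in $stale) { $null = $acl.RemoveAccessRule($ace) }
            Set-Acl -Path $item.FullName -AclObject $acl
        }
    }
}

$orphans = @(Find-OrphanedSidAces -Root $Path)
if ($orphans.Count -eq 0) {
    Write-Host "No orphaned SIDs found under $Path"
} else {
    $orphans | Format-Table -AutoSize
    if ($Remove) { Remove-OrphanedSidAces -Root $Path -Confirm:$false }
}
```

Run it first without `-Remove` (or with `Remove-OrphanedSidAces -Root $Path -WhatIf`) and keep the report; an explicit ACE for an unresolvable SID on a sensitive path is exactly the clutter the post describes, and the report is what an administrator needs to review before anything is changed. The `IsInherited` filter matters: an orphaned SID that shows up on thousands of files usually has a single source ACE on a parent folder, and that is the one to remove.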