I checked this code (with .NET 4.0 if that matters): the exception does not occur by IdentityReference. The reading of the entries in the foreach loop is ok, if a ACE (access control entry) contains a trustee (user or group) which cannot be resolved, it returns a SID (S-1-5-21-20084454....) as...