Re: SIDS - defualt domain polikcy

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Oh, resolve the sid of the domain itself.... You can get it by looking at the objectsid attribute of the Domain NC head object... so something like

adfind -default -s base objectsid

Note that there are a bunch of SIDs that are valid that will not include the domain SID, these are called well known SIDs and are for groups such as Power Users, Administrators, etc. They have no domain/machine affinity and are the same on every single Windows machine in the world. Some can only be resolved on the proper type of machine. For instance Power Users can't be resolved on Domain Controllers but say Server Operators can only be resolved on DCs. For instance, Server Operators is the SID S-1-5-32-549 always...



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Andrew Story wrote:
Apologies, I should have explained my second question a bit better.

How can I find the SID (sid's) associated with the production domain? I
assume there will be a common SID so I can compare to the ones I see in the
GPO's.

Thanks again.



"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:%237N1T4aWGHA.4148@xxxxxxxxxxxxxxxxxxxxxxx
Specify a DC when you use sidtoname...

sidtoname sid machine


Ex:

sidtoname S-1-5-21-1275210071-789336058-1957994488-512 DomCon1


Alternately you can do

adfind -sc adsid:SID


adfind -sc adsid:S-1-5-21-1275210071-789336058-1957994488-512



sidtoname will chase trusts, adfind will not because it is a basic LDAP
lookup.
joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Andrew Story wrote:
Cheers Roger - this may sound silly, but how do I find the SID's for
objects
in my domain via the easiest fashion?


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:uINh$RXWGHA.3492@xxxxxxxxxxxxxxxxxxxxxxx
If normal resolution is available and no other domains are
unavailable then it is 99+% likely that they are deleted
accounts or groups. To be sure compare with a SID from
your domain to see if all but the last section match.

"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
news:eTqKqFWWGHA.1348@xxxxxxxxxxxxxxxxxxxxxxx
Hi - Win2k Forest.

In the default domain and domain controller policy there are mutiple
accounts displayed only as sids with rights granted on the domain.

I've used sidtoname from joeware.net, but can't resolve the sid's to
any
names. Is there anyway to find out if they are safe to remove?

Thanks.





.

Relevant Pages

  • Re: Lookup account based on SID
    ... Thanks Joe for the additional help, ... SID, that will resolve the SID to a domain name usually. ... Joe Richards Microsoft MVP Windows Server Directory Services ...
    (microsoft.public.windows.server.active_directory)
  • Re: resolving a sid to username
    ... the SID Win32 functions. ... It can take a SID and resolve it to an account ... I'm not entirely sure how it will behave with a local machine account ...
    (microsoft.public.dotnet.security)
  • Re: SIDS - defualt domain polikcy
    ... adfind -default -s base objectsid ... Joe Richards Microsoft MVP Windows Server Directory Services ... How can I find the SID associated with the production domain? ... but can't resolve the sid's to ...
    (microsoft.public.win2000.active_directory)
  • Re: Lookup account based on SID
    ... If it can't resolve, then chop off the last subauthority and try that SID, that will resolve the SID to a domain name usually. ... If you can resolve the domain SID but not the full SID, ... Joe Richards Microsoft MVP Windows Server Directory Services ...
    (microsoft.public.windows.server.active_directory)
  • Re: Matching SIDs with objects
    ... If you connect to the event log of a machine in a different domain that has ... decode the SID when sending the event info back, ... sidtoname lets you specify which machine to use to resolve the sid. ... >> Microsoft MVP Scripting and WMI, ...
    (microsoft.public.win2000.security)