Re: Resolving SIDs to user names




Check out my links and go through the PortQryUI from both sides using the AD
option. It will let you know what is and isn't open and then look at the
link detailing what client ports are needed. You should be able to cross
reference the two to help with this.

--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"CK" <christoph@xxxxxxxxxx> wrote in message
news:1157093213.468654.139480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks a lot Paul!

That's what I thought, too. The funny thing is that I open the GUI
on the PC in Domain B and although the DC for domain B sits next to it
(no firewall in between), it can't even resolve the SIDs for its own
domain. So it seems like the fileserver in Domain A, which can not talk
to the DC in domain B does it.

Very strange :-)

Paul Williams [MVP] wrote:

Now my question: which machine converts those SIDs to names? Does the file
server deliver the SIDs or the names to the client?

Good question. If I remember correctly, the SIDs are resolved by the GUI
you are using. Therefore, if you view the DACL from the member, the member
must resolve the SID.

I can't remember if the SID to CN is done by the GC or not. I would imagine
it is. However, for external trusts, you're going to need to be able to
contact the remote DC.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
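
For the question discussed in this thread, an added example (not posted by any participant): a PowerShell script that reads a folder's DACL as raw SIDs and then asks the machine it runs on to translate each one, so the result can be compared between the PC in Domain B and the file server in Domain A. The `$Path` default is a hypothetical placeholder.

```powershell
# Added example: report which SIDs in a DACL this machine can translate to names.
param(
    [string]$Path = 'C:\Shares\Example'   # hypothetical path; pass the folder or UNC share to inspect
)

$sidType  = [System.Security.Principal.SecurityIdentifier]
$nameType = [System.Security.Principal.NTAccount]

# Request the trustees as SIDs so that no name lookup happens while reading the ACL.
$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, $sidType)   # explicit + inherited ACEs

$sids = $rules | ForEach-Object { $_.IdentityReference } | Sort-Object Value -Unique

$results = foreach ($sid in $sids) {
    try {
        # The translation request is issued from the machine running this script.
        $name   = $sid.Translate($nameType).Value
        $status = 'Resolved'
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # No reachable authority could map this SID to an account name.
        $name   = $null
        $status = 'NotMapped'
    }
    catch {
        $name   = $null
        $status = "Error: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Sid      = $sid.Value
        Name     = $name
        Status   = $status
    }
}

$results | Format-Table -AutoSize
```

Running it against the same share from each machine and comparing the `Status` column shows which side fails the lookup; the PortQryUI results then indicate whether a blocked port explains it.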





