Re: AD Query based on SID
- From: Mel <Mel@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Oct 2006 04:31:03 -0700
Fortunately I do have 2k3 AD (native mode). The AD is very large (at least
to me...approx. 3500 users, lots of OU's, etc.) and I am working on building
a set of tools for discovery of various items/objects/settings. I am still
formulating that list. I know there are tools out there, but I would prefer
to learn this from the ground up; at least initially, and develop my own set
of tools/program.
I am stuck on which "tool" to use. I am not sure what I want to use. I
know that I would like a tool that has the most potential for reaching into
AD and Exchange and extracting a plethora of data (parsing/reports too). I
would prefer a MS supported/recognized tool though.
Hope that makes sense...
I am open to suggestions,
thx,
Mel
"Joe Kaplan" wrote:
If you need it, the LDAP query syntax for a user based on SID is:
(objectSid=S-1-5-21-xxxxxx)
That works in AD 2003 and ADAM. If you are stuck on AD 2000, you must
specify the SID as an octet string which is a bit of a pain. Let me know if
that's important and I'll show you how.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Mel" <Mel@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:754B53EF-2959-497A-9D3E-F79B69BA443E@xxxxxxxxxxxxxxxx
Irwin,
Thanks...I try to always ask the group before deleting anything like
accounts. Also, I saw a post back on 08/16/2006 ("Lookup account based on
SID") with a similar question. I downloaded those tools and performed the
searches and at least discovered the domains and in fact the account had
been deleted.
thank you for the verification,
Mel
"Irwin, MCSE,MCDBA,MCT" wrote:
Hi Mel,
From my experience, if you only can find SID without user account name,
meaning that account already deleted. So you can remove it safely from the
security permission list.
"Mel" wrote:
Hi,
I am looking for an XML query to import in ADUC to query a user based on
the SID. I have the SID, but I don't know the user. This SID shows up on
the security tab on some folders but there is no "name
resolution/recognition" (apologize for the possible incorrect jargon) to the
SID.
I would like to remove the SID from the list of accounts (security), but
would prefer to know which object it is before removing (or not).
thanks,
Mel