Re: AD Query based on SID
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Oct 2006 12:13:14 -0500
Hmm, I'm not sure many would consider that AD to be very large, but it is
definitely of a size where you'll start to gain a lot of productivity via
ruthless automation. There are lots of approaches for doing this, including
vendor products all the way down to scripts and command line tools you run
yourself with a lot in between.
If you want to learn from the ground up, get Joe Richards' book (Active
Directory, 3rd Edition). That will take you through the key concepts and
will provide a good intro to LDAP, which is the primary way that AD is
managed programmatically (although not the only one). The Active Directory
Cookbook (2nd Ed.) is also good for lots of examples of how to do stuff.
I heartily recommend my book, but only if you are planning to write .NET
applications that will integrate with the directory.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Mel" <Mel@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:652E9B8D-D599-493A-952A-647FB16CC453@xxxxxxxxxxxxxxxx
Fortunately I do have 2k3 AD (native mode). The AD is very large (at least to me...approx. 3500 users, lots of OU's, etc.) and I am working on building a set of tools for discovery of various items/objects/settings. I am still formulating that list. I know there are tools out there, but I would prefer to learn this from the ground up, at least initially, and develop my own set of tools/programs.
I am stuck on which "tool" to use. I am not sure what I want to use. I know that I would like a tool that has the most potential for reaching into AD and Exchange and extracting a plethora of data (parsing/reports too). I would prefer an MS supported/recognized tool though.
Hope that makes sense...
I am open to suggestions,
thx,
Mel
"Joe Kaplan" wrote:
If you need it, the LDAP query syntax for a user based on SID is:
(objectSid=S-1-5-21-xxxxxx)
That works in AD 2003 and ADAM. If you are stuck on AD 2000, you must specify the SID as an octet string, which is a bit of a pain. Let me know if that's important and I'll show you how.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Mel" <Mel@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:754B53EF-2959-497A-9D3E-F79B69BA443E@xxxxxxxxxxxxxxxx
Irwin,
Thanks...I try to always ask the group before deleting anything like accounts. Also, I saw a post back on 08/16/2006 ("Lookup account based on SID") with a similar question. I downloaded those tools and performed the searches and at least discovered the domains, and in fact the account had been deleted.
thank you for the verification,
Mel
"Irwin, MCSE,MCDBA,MCT" wrote:
Hi Mel,
From my experience, if you can only find the SID without a user account name, that means the account has already been deleted. So you can remove it safely from the security permission list.
"Mel" wrote:
Hi,
I am looking for an xml query to import into ADUC to query a user based on the SID. I have the SID, but I don't know the user. This SID shows up on the security tab on some folders but there is no "name resolution/recognition" (apologies for the possibly incorrect jargon) of the SID.
I would like to remove the SID from the list of accounts (security), but would prefer to know which object it is before removing it (or not).
thanks,
Mel