Re: LDAP query...

Tech-Archive recommends: Fix windows errors by optimizing your registry

Well, I've never had a lot of occasion to look for an object via sid, but
what the heck. I'll give it a go.

Cheers Joe.


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eU5AHM5ZHHA.1216@xxxxxxxxxxxxxxxxxxxxxxx
Answering both of you:

The (objectSid=S-1-5-...) syntax is actually accepted by the server
directly. Try it with ldp. It is magic and I think undocumented. :) I
suppose the server's query processor does the conversion like it converts
objectCategory=person to the actual DN value on the fly.

Al is totally correct that when the tombstone is cleaned up, it is gone.
I didn't mean to imply otherwise.

Before that, to search for that you must use the deleted items control AND
you must have permissions to see deleted objects (DA usually).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:OHUxN%23yZHHA.348@xxxxxxxxxxxxxxxxxxxxxxx
Just the ADUC now supports that syntax and changes it for you? Or
something else, Joe?

Regardless of the control being enabled or not, if garbage has been
cleaned up, it's gone.


I still haven't heard from the poster what the point of searching that
way is. What led you to want to search via sid?



"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:e94CnvsZHHA.3272@xxxxxxxxxxxxxxxxxxxxxxx
That syntax is actually supported by AD as of 2003 (and ADAM) now, so
you don't have to convert to an octet string. The query processor on
the server seems to do that for you now. It is handy. :)

As to whether you'll be able to see it if it deleted depends on whether
you have the deleted objects control enabled. I doubt you can do that
in ADUC. Ldp.exe can though as can ADFind.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:u6S$88pZHHA.1240@xxxxxxxxxxxxxxxxxxxxxxx
Why do you think it's deleted? Why do you want to search via sid?

Your query isn't going to work that way, at least not with the ADUC
(note, I've never tried to use the aduc to query with that syntax, but
last I checked, sid's were not stored that way for an LDAP search.
Unless, and I highly doubt it does, ADUC does the translation for you,
that syntax won't find anything.)

If it's deleted, why do you think you'd be able to find it? Deleted
items are only kept for the duration of the garbage collection, but if
it's gone, it's gone (yes, it can be re-animated, but it's not going to
help much.)

If you want a way to search deleted items in AD, check out your
favorite search engine and look for reanimate active directory objects.
If you're lucky, you may even find some tools that are easier to use
than what Microsoft has in mind.

This is the search I used:
http://www.google.com/search?hl=en&rls=GGLD,GGLD:2004-38,GGLD:en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=reanimate+active+directory+objects&spell=1

www.joeware.net has some useful tools for this as well.



"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F2E79F33-8BEA-484F-A659-8F5F6DCCFDCC@xxxxxxxxxxxxxxxx
Hey everyone,
I'm trying to use a very simple query from ADUC (saved queries) where
I
give a custom filter of
(objectSID=S-1-5-21-1208884873-28081512-3404142544-1444). This
particular
SID is what I can only assume is a deleted account somewhere but I
don't know
for sure. Is there any way that I can tell ADUC to search old deleted
objects? Is that on by default? Any other easy way to tell what this
SID
might once have been?
Thanks,
Dan










.

Relevant Pages

  • Re: LDAP query...
    ... I've never tried to use the aduc to query with that syntax, ... www.joeware.net has some useful tools for this as well. ... SID is what I can only assume is a deleted account somewhere but I don't ...
    (microsoft.public.windows.server.active_directory)
  • Re: LDAP query...
    ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... The query processor on the ... Your query isn't going to work that way, at least not with the ADUC ...
    (microsoft.public.windows.server.active_directory)
  • Re: How to find out file owner?
    ... get the original SID. ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ...
    (microsoft.public.dotnet.security)
  • Re: How to find out file owner?
    ... What is the SID in this case? ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... I can see actual value in Windows Explorer. ...
    (microsoft.public.dotnet.security)
  • Re: Creating SID Manaully
    ... SID or GUID manually. ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... interact with LDAP directly to create accounts since AD is horribly ...
    (microsoft.public.windows.server.active_directory)