Re: Creating SID Manually



I'm still confused here. When you say it takes "AD" up to a minute to
create a user, what are you referring to? Are you talking about an AD GUI
tool? Those typically use LDAP under the hood to actually create the user
much like some code that you might write would do.

As we said before, you can't specify the GUID or SID. Those are generated
by the system when the object is created in the directory (through whatever
mechanism was used to generate the object).

Before you can add an object to a group in the directory, the object must
exist in the directory. This has to do with the way group membership works
in LDAP.

I still don't understand why it would be useful for you to set the GUID or
SID manually though. Typically, when you create an object in AD
programmatically via LDAP, you specify the information needed to create the
object and the directory populates the system attributes like the GUID and
SID. Then, if you need to use those, you just read them via an LDAP query
from the newly created object. So, once you have the GUID and SID that will
be used for the object in the directory, you can use it for whatever you
need it for (which I still don't know).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
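Joe's point that you read the system-populated SID and GUID back from the new object, as an added Ruby example (not code from the thread or from the poster's Rails app): it decodes the binary objectSid and objectGUID values an LDAP search returns into their string forms. The sample bytes are constructed.

```ruby
# Added example: decode objectSid / objectGUID bytes returned by an LDAP
# search against AD. The directory generates both; the client only reads them.

# objectSid wire format: revision (1 byte), sub-authority count (1 byte),
# 48-bit big-endian identifier authority, then N 32-bit little-endian
# sub-authorities. Returns the usual "S-1-5-21-...-RID" string.
def sid_to_string(bytes)
  raise ArgumentError, "SID too short" if bytes.bytesize < 8
  revision, count = bytes.unpack("CC")
  authority = ("\x00\x00" + bytes.byteslice(2, 6)).unpack1("Q>")
  raise ArgumentError, "truncated SID" if bytes.bytesize < 8 + 4 * count
  subs = bytes.byteslice(8, 4 * count).unpack("V#{count}")
  (["S", revision, authority] + subs).join("-")
end

# objectGUID is the raw 16-byte Windows GUID: the first three fields are
# little-endian integers, the last two are plain byte sequences.
def guid_to_string(bytes)
  raise ArgumentError, "GUID must be 16 bytes" unless bytes.bytesize == 16
  d1, d2, d3, d4, d5 = bytes.unpack("V v v a2 a6")
  format("%08x-%04x-%04x-%s-%s", d1, d2, d3, d4.unpack1("H*"), d5.unpack1("H*"))
end

# The last sub-authority is the RID handed out from the RID master's pool;
# everything before it identifies the domain the account belongs to.
def split_sid(sid_string)
  parts = sid_string.split("-")
  { domain: parts[0..-2].join("-"), rid: parts[-1].to_i }
end

# Constructed samples: S-1-5-21-1-2-3-1105 and a GUID with recognisable bytes.
SAMPLE_SID  = [1, 5, 0, 0, 0, 0, 0, 5].pack("C*") + [21, 1, 2, 3, 1105].pack("V*")
SAMPLE_GUID = ["0403020106050807090a0b0c0d0e0f10"].pack("H*")

if __FILE__ == $PROGRAM_NAME
  puts sid_to_string(SAMPLE_SID)    # S-1-5-21-1-2-3-1105
  puts guid_to_string(SAMPLE_GUID)  # 01020304-0506-0708-090a-0b0c0d0e0f10
end
```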
--
"Glen" <DamnBigMan@xxxxxxxxx> wrote in message
news:1188596255.911788.194360@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Aug 31, 3:25 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
This statement makes no sense to me:

Everything is working, however when the students request an account
they specify what classes they are taking and are added to
corresponding groups in order to have access to resources on the
server that are specific to that class.

I was hoping I could generate my own SID and GUID so that I wouldn't
have to wait for AD as it is remarkably slow (everything else is done
through LDAP). I guess I'll just have to have it sleep for a while or
move the group membership functionality out into a server side script
that runs every 15 minutes. I'm really just trying to optimize stuff.

------

Can you elaborate? Are you creating a user in AD and then using that
account to ACL local resources like files or folders? Why would generating
a SID and GUID be helpful?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Glen" <DamnBig...@xxxxxxxxx> wrote in message

news:1188594104.877451.318630@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Aug 31, 1:24 pm, net_admin <netad...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:

As the other friends said, SID is managed by AD internally and it's the RID
master that manages the distribution for the DCs.

Also, I'm interested in having an automatic process like the one you are
creating. If you could share, I would appreciate it.

--
NetAdmin <São Paulo, BR>
"That's not my beer... asshole."

Background:

What I'm trying to do is have a self contained user request/creation
system. I work for a larger community college and the Applied
Technologies school is on a separate domain from the main campus.
Certain laws have arisen requiring accurate identification of all
users of system resources (basically no generic accounts). The
current account request system works on the honor system.

I am re-building it with two goals in mind, one get it off of Cold
Fusion, and two verify credentials against main campus domain.

Current State:

Everything is working, however when the students request an account
they specify what classes they are taking and are added to
corresponding groups in order to have access to resources on the
server that are specific to that class.

I was hoping I could generate my own SID and GUID so that I wouldn't
have to wait for AD as it is remarkably slow (everything else is done
through LDAP). I guess I'll just have to have it sleep for a while or
move the group membership functionality out into a server side script
that runs every 15 minutes. I'm really just trying to optimize stuff.

The current system is being written in Ruby On Rails.

I am creating the user in AD but I was hoping to do it using LDAP
rather than letting AD create the user.

The problem is that it takes AD up to a minute to process the request
and create the account in the database. I can do it faster with LDAP,
however I don't know how to create SID and GUID entries.

I guess the user doesn't have to exist before they are added to the
group though. I could try that, otherwise I have to wait for the
account to appear in LDAP before I can add them to the appropriate
groups.




