4

Given the SID of a user or a group, how can I find an LDAP object that belongs to it?
The LDAP server is Active Directory (Windows Server 2008).

An LDAP query string would be useful.

mtm
  • 57
  • 1
  • 1
  • 3
  • 1
  • This table should help you, I know it helped me a lot. http://www.kouti.com/tables/userattributes.htm – Sirex Aug 17 '11 at 09:18
  • Hi Sirex, thanks for your comment. In the table you sent I saw that the attribute objectSid is mandatory. But I do not see it as an attribute in my LDAP database. Why? – mtm Aug 17 '11 at 11:33
  • @mtm That's because the `objectSID` attribute is from the Active Directory schema, it is not defined in the LDAP Schema. – jscott Aug 17 '11 at 12:00
  • @jscott, I access my LDAP database with "Apache Directory Studio", and see the attribute "objectSID" only by groups, and not by users. What could be the reason of it? – mtm Aug 17 '11 at 12:14

4 Answers

6

Another way would be to forsake LDAP and use WMIC:

H:\>wmic useraccount where (sid = "S-1-5-21-1698188384-1693678267-1543859470-6637") get * /format:list

AccountType=512
Caption=MYDOMAIN\quux
Description=some guy's account
Disabled=FALSE
Domain=MYDOMAIN
FullName=Some Guy
InstallDate=
LocalAccount=FALSE
Lockout=FALSE
Name=quux
PasswordChangeable=TRUE
PasswordExpires=FALSE
PasswordRequired=TRUE
SID=S-1-5-21-1698188384-1693678267-1543859470-6637
SIDType=1
Status=OK

Now you have several attributes that should be easy to search via LDAP, if you still need to.

quux
  • 5,358
  • 1
  • 23
  • 36
  • Hi quux, thank you! I cannot use command line tools. Need an LDAP query for . – mtm Aug 17 '11 at 11:44
  • I cannot use command line tools. I get the SID in a program and should use the SID value (in some LDAP query) in order to get a DirectoryEntry object. – mtm Aug 17 '11 at 11:47
4

I wish it was as easy as:

dsget user "objectSID={thesid},CN=Users,DC=domain,DC=com" -samid

But it's not; AD stores the objectSID as hexadecimal.

The folks on serverfault have written a few answers that may help, though:

Retrieve user details from Active Directory using SID

quux
  • 5,358
  • 1
  • 23
  • 36
1

I see this one is old, but you can do this in ADUC by going to Custom Search and clicking on the advanced tab.

LDAP query string is: (objectSID=SID)

Replace "SID" with the SID that you're looking for.

I've had to do translations from SID to name and back to SID (for foreign security principals) in PowerShell using the following code:

function Find_By_SID($SID) {

    # Searches Active Directory by SID
    # Returns the NetBIOS name
    # Example output: CONTOSO\User1

    $account = New-Object Security.Principal.SecurityIdentifier("$SID")
    $netbios = $account.Translate([Security.Principal.NTAccount])

    return $netbios.Value

}
Tim Wilde
  • 33
  • 5
1

It is possible to search by SID using an LDAP query. For example:

dsquery * domainroot -filter "(objectSid=S-1-5-21-blah-blah-blah-500)"

or, in PowerShell,

Get-ADUser -LDAPFilter '(objectSid=S-1-5-21-blah-blah-blah-500)'

will get the domain Administrator account, if you sub in your domain value for blah-blah-blah.

user2871239
  • 175
  • 2
  • 9
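The answers above show two facts that are easy to confuse: Active Directory stores objectSid as a binary value (which is why a generic LDAP browser shows it as hex), yet AD-specific tools such as dsquery and Get-ADUser accept the "S-1-5-..." string form inside an (objectSid=...) filter. The following Python is an added example, not code from any of the answers: it converts a string SID to the binary objectSid layout and back, builds both filter forms, and validates the SID before it is concatenated into a filter so that an attacker-controlled value cannot inject extra filter clauses. The functions and the layout constants are this example's own; the sample SID is the one from quux's WMIC output above.

```python
import re
import struct

# Sample SID taken from the WMIC output in the first answer.
SAMPLE_SID = "S-1-5-21-1698188384-1693678267-1543859470-6637"

# Revision 1, identifier authority and 1..15 sub-authorities, digits only.
# Because only digits and '-' can pass, a value like "S-1-5-21-1)(cn=*" is
# rejected before it ever reaches a filter string (LDAP injection guard).
_SID_RE = re.compile(r"S-(\d+)-(\d+)((?:-\d+){1,15})")


def is_valid_sid(sid: str) -> bool:
    """True if sid is a well-formed revision-1 SID string."""
    try:
        sid_string_to_bytes(sid)
        return True
    except ValueError:
        return False


def sid_string_to_bytes(sid: str) -> bytes:
    """Convert 'S-1-5-21-...' to the binary objectSid layout:
    revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian),
    then each sub-authority as a 32-bit little-endian integer."""
    m = _SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError("only SID revision 1 is defined")
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        if s >= 1 << 32:
            raise ValueError("sub-authority does not fit in 32 bits")
        out += struct.pack("<I", s)
    return out


def sid_bytes_to_string(data: bytes) -> str:
    """Decode a binary objectSid (e.g. bytes.fromhex of what an LDAP
    browser displays) back to the 'S-1-...' string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def ldap_escape_bytes(data: bytes) -> str:
    """RFC 4515 escaping of a binary value for use inside a filter."""
    return "".join(f"\\{b:02x}" for b in data)


def objectsid_filter(sid: str, binary: bool = True) -> str:
    """Build an (objectSid=...) filter for the given SID string.

    binary=True  -> escaped binary form, works against any LDAP server
                    that stores objectSid as an octet string.
    binary=False -> AD's string shortcut, as used by dsquery/Get-ADUser.
    Either way the SID is validated first, so the result can only
    contain digits, '-', and escaped bytes."""
    raw = sid_string_to_bytes(sid)
    if binary:
        return f"(objectSid={ldap_escape_bytes(raw)})"
    return f"(objectSid={sid})"


if __name__ == "__main__":
    raw = sid_string_to_bytes(SAMPLE_SID)
    print(raw.hex())
    print(sid_bytes_to_string(raw))
    print(objectsid_filter(SAMPLE_SID))
    print(objectsid_filter(SAMPLE_SID, binary=False))
```

The escaped binary form is the one to use from a generic LDAP library (a .NET DirectorySearcher, ldap3, or OpenLDAP tools), while the string form relies on AD translating it for you. Never build the filter by pasting an unvalidated SID into the string; the regex check here is what keeps a value such as `S-1-5-21-1)(cn=*` from turning a lookup into a different query.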