RE: [ActiveDir] LDAP query on ObjectSID attribute

[Dave Sayers]

Title: Message

Basically you can do searches in LDP using a DN, GUID or SID as the Base DN (GUIDs and SIDs need to be surrounded by <GUID=….> or <SID=…> as in Joe’s example below) – really useful in “Account Unknown” scenarios in the ACL Editor to translate the SID shown to an actual group or user object.  I believe that this works simply by searching first for the object with that specific GUID or SID and then binding to this object, rather than a container as will normally occur in a search – but that could be wrong J  You could also use it to keep track of any renamed or moved security principals (SID) or any object in the directory which may be renamed or moved (GUID)   As Joe alluded to, you can actually bind directly to an object using its SID or GUID using ADSI as well – use GetObject(“LDAP://<SID=….>”) or GetObject(“LDAP://<SID=….>”)     HTH Cheers Dave   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: 26 August 2003 23:30 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute   You know after rereading this thread I realize that they weren't doing a SID BIND... They were doing a Search with a BASEDN of a SID. That isn't something I have seen... I saw the formatting of the string and associated it with a SID Bind and went on my merry way... So I am now wondering all sorts of things... Not that doing a base dn of a SID will be extremely useful or at least I can't see it as such except for maybe for vbscript or other script languages that don't support decent LDAP search calls and you have to muck around in ADO.   So the SID Bind part I was talking about is part of ADSI, the SID BaseDN thing is I don't know what though I wonder if LDP just changes it to a direct Bind. I guess it would take a network trace of it going to see what it really ends up doing. If my lab wasn't in complete disarray right now I would take a swing at that. However it is and I ain't... No research in this lab until I can flop down in the bean bag couch on the floor with my books and connect to the world via High Speed... I hate dialup. (Note Read this slowly so my 26.4k connection doesn't stumble...).     joe   -----Original Message----- From: Joe [mailto:[EMAIL PROTECTED] Sent: Monday, August 25, 2003 5:15 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute No problem, you wrote the good book, I simply mention it.   SID Bind is like the GUID bind using the LDAP provider of ADSI. Only part of ADSI 2.5+ I believe. I am not the big consumer of ADSI, just recall running into it several times, google for "LDAP://<SID=" for code examples.   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, August 25, 2003 1:03 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute Hey Joe,   Wow, thanks for the compliment dude.   Is the SID bind part of the ADSI ADsPath syntax, or is it something supported in LDP? I haven't seen it before as part of ADSI.   -g Gil Kirkpatrick CTO, NetPro -----Original Message----- From: Joe [mailto:[EMAIL PROTECTED] Sent: Saturday, August 23, 2003 7:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute This is an adsi thing and is called a SID Bind, you can also do a GUID bind in a similar manner. If you are using LDAP API instead of ADSI you need to encode the sid back into an octet string and do the search with it. Check out Gil Kirkpatrick's Programming Active Directory as he has some good info on this type of schtuff. Actually if you are doing any AD programming, get that book. Gil rocks. :op       joe     -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Friday, August 22, 2003 9:27 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute I never heard of using an attribute as your BaseDN.   If this worked for you I really would like to know how you did it.   Thanks   Y   From: Jimmy Andersson Sent: Thu 21/08/2003 7:34 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP query on ObjectSID attribute Why not use LDP and set it like this:   Base DN <SID=S-1-5-21-709049380-3306950797-3746505139> Filter (&(ObjectCategory=*)(name=*))   (I used a SID from my lab domain)   You might need to load the control for deleted objects, if it's deleted.   Regards, /Jimmy -------------------------------------     Jimmy Andersson, Q Advice AB                CEO & Principal Advisor      Microsoft MVP - Active Directory ---------- www.qadvice.com ----------     -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD Sent: Friday, August 22, 2003 12:35 AM To: [EMAIL PROTECTED]   Anyone know how to query AD on the ObjectSID?     My query looks like this:     (&(ObjectCategory=user)(SamAccountName=*)(ObjectSID=S15-2-4-3412341341234124 32412344))     Doesn't return anything. I know the sid must converted but I am not sure what format it should be in.     Thanks     Y     List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/