Basically you can do searches in LDP using a DN, GUID or SID as the Base DN (GUIDs and SIDs need to be surrounded by <GUID=….> or <SID=…> as in Joe’s example below) – really useful in “Account Unknown” scenarios in the ACL Editor to translate the SID shown to an actual group or user object. I believe that this works simply by searching first for the object with that specific GUID or SID and then binding to this object, rather than a container as will normally occur in a search – but that could be wrong :) You could also use it to keep track of any renamed or moved security principals (SID) or any object in the directory which may be renamed or moved (GUID).
As Joe alluded to, you can actually bind directly to an object using its SID or GUID using ADSI as well – use GetObject(“LDAP://<SID=….>”) or GetObject(“LDAP://<SID=….>”)
HTH Cheers Dave
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
You know after rereading this thread I realize that they weren't doing a SID BIND... They were doing a Search with a BASEDN of a SID. That isn't something I have seen... I saw the formatting of the string and associated it with a SID Bind and went on my merry way... So I am now wondering all sorts of things... Not that doing a base dn of a SID will be extremely useful or at least I can't see it as such except for maybe for vbscript or other script languages that don't support decent LDAP search calls and you have to muck around in ADO.
So the SID Bind part I was talking about is part of ADSI, the SID BaseDN thing is I don't know what though I wonder if LDP just changes it to a direct Bind. I guess it would take a network trace of it going to see what it really ends up doing. If my lab wasn't in complete disarray right now I would take a swing at that. However it is and I ain't... No research in this lab until I can flop down in the bean bag couch on the floor with my books and connect to the world via High Speed... I hate dialup. (Note Read this slowly so my 26.4k connection doesn't stumble...).
joe
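The following is an added example, not part of the thread: it takes the SID text shown for an "Account Unknown" entry and builds the `<SID=…>` base DN described above, plus an equivalent search filter on the binary `objectSid` attribute. The function names are hypothetical and the SID in the sample entry is constructed.

```python
import re
import struct

SID_RE = re.compile(r"S-1-\d+(?:-\d+){1,15}")

def extract_sid(text):
    """Pull the string SID out of text such as an ACL editor entry."""
    m = SID_RE.search(text)
    if not m:
        raise ValueError("no SID found in %r" % text)
    return m.group(0)

def sid_to_bytes(sid):
    """String SID -> binary layout stored in the objectSid attribute."""
    parts = sid.split("-")
    if len(parts) < 4 or len(parts) > 18 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision(1) | count(1) | authority(6, big-endian) | sub-authorities(4 each, little-endian)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw):
    """Binary objectSid value -> string SID; rejects truncated or padded input."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or padded SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def sid_base_dn(sid):
    """Base DN in the <SID=...> form; the round trip validates the SID first."""
    return "<SID=%s>" % bytes_to_sid(sid_to_bytes(sid))

def objectsid_filter(sid):
    """LDAP filter matching the binary objectSid, each byte escaped as \\xx."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid_to_bytes(sid))

if __name__ == "__main__":
    # Constructed sample entry, not taken from a real directory.
    entry = "Account Unknown(S-1-5-21-1111111111-2222222222-3333333333-1105)"
    sid = extract_sid(entry)
    print(sid_base_dn(sid))       # paste as the Base DN, scope Base
    print(objectsid_filter(sid))  # or search from the domain root with this filter
```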