Hi Rick,

Apologies for jumping into the middle of this thread, but I wanted to clarify something.

Security descriptors use SIDs and GUIDs for two entirely different purposes. The ACEs in an ACL _always_ use SIDs to identify the security principal involved; they never use GUIDs to identify a security principal. ACEs use GUIDs to identify either 1) an extended access right, such as "User-Change-Password", or 2) an attribute group to which the ACE applies (as defined by the attributeSecurityGuid in the attributeSchema object).

SIDs are a legacy data structure, but they are still the only way that the Windows security system identifies security principals; SIDs are not just for backward compatibility. The SID structure encodes the chain of authority that allocated the identifier; in particular you can determine which domain a SID is part of.

GUIDs are unstructured unique identifiers and don't encode any other information. They are used to uniquely identify objects in the directory (among other things), but not particularly security principals.

Hope this clarifies this issue a bit.

-gil

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 16, 2003 9:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Resolving a GUID

Dave,

Have you gotten an answer yet that satisfies you?

In the ACLs, or more appropriately, the Security Descriptor, you can find both SIDs and GUIDs. Some of these may have to do with your recent upgrade. Others may not. This is where caution comes in. Typically, if you give them time to resolve, and they don't - you should be able to remove them. Especially if you use SID2USER and get an invalid or non-existent return.

When going from Windows NT 4.0 to Windows 2000, a SID should only reference an object from Windows NT 4.0. A GUID shouldn't, as a GUID doesn't have any meaning in NT 4.0 speak. Like NDS, AD can and does use GUIDs to identify many objects in the ACLs. SIDs, for the greater part, are a legacy throwback - hence the reason that they will be around in MS products for a while yet.

Me, I'd be happy to see them go....

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Kinnamon
> Sent: Wednesday, February 12, 2003 9:04 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Resolving a GUID
>
> I recently noticed that I have a number of GUIDs listed in my Default Domain Controllers Policy. Months ago I had upgraded my NT4 PDC and I'm assuming all of these values came from that process. I have deleted a number of old accounts since my upgrade.
>
> Is there any way to manually check if that GUID references any current object in AD? Can I safely delete them since they don't "resolve"?
>
> Dave Kinnamon
> Network Administrator
> ETC International
>
> p. 608-662-2314
> m. 608-209-0609
> f. 608-662-8514
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
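As an added example (not code from anyone in this thread), the following Python shows what Gil means by a SID encoding the authority that allocated it: it decodes the binary SID layout found in objectSid and ACE trustee fields, extracts the issuing domain from a domain-issued SID, and checks whether an account SID was allocated by a given domain, which is the kind of check to run on an unresolved trustee before deciding it is an orphan. The SID values used as samples are constructed, not taken from any real directory.

```python
import struct
from typing import NamedTuple, Optional, Tuple

class Sid(NamedTuple):
    revision: int
    authority: int                 # 48-bit identifier authority (5 = NT Authority)
    subauthorities: Tuple[int, ...]

def sid_from_bytes(data: bytes) -> Sid:
    """Decode the binary SID layout found in objectSid and in ACE trustee fields."""
    if len(data) < 8 or data[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(data[2:8], "big")      # 6 bytes, big-endian
    subs = struct.unpack_from(f"<{count}I", data, 8)  # 32-bit little-endian each
    return Sid(1, authority, tuple(subs))

def sid_from_string(text: str) -> Sid:
    """Parse the textual form S-R-A-S1-S2-... (the form tools like SID2USER print)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    return Sid(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

def sid_to_string(sid: Sid) -> str:
    return "-".join(["S", str(sid.revision), str(sid.authority), *map(str, sid.subauthorities)])

def sid_to_bytes(sid: Sid) -> bytes:
    n = len(sid.subauthorities)
    return (bytes([sid.revision, n]) + sid.authority.to_bytes(6, "big")
            + struct.pack(f"<{n}I", *sid.subauthorities))

def issuing_domain(sid: Sid) -> Optional[str]:
    """Domain (or local computer) SID that allocated an account SID, else None."""
    # Domain-issued SIDs look like S-1-5-21-X-Y-Z-RID: the first four sub-authorities
    # name the issuer and the last one is the RID. Well-known SIDs (S-1-1-0, S-1-5-18) have none.
    if sid.authority == 5 and len(sid.subauthorities) == 5 and sid.subauthorities[0] == 21:
        return sid_to_string(sid._replace(subauthorities=sid.subauthorities[:4]))
    return None

def belongs_to_domain(sid_text: str, domain_sid_text: str) -> bool:
    """True if the account SID in sid_text was allocated by the given domain."""
    return issuing_domain(sid_from_string(sid_text)) == domain_sid_text

# Constructed sample values (not taken from any real directory).
EXAMPLE_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
EXAMPLE_ADMINS = EXAMPLE_DOMAIN + "-512"   # RID 512 is the Domain Admins group
```

A GUID in an ACE carries no comparable structure, so, as Gil notes, what it names (an extended right or an attribute group) has to be looked up rather than decoded.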
