I need to check, but I believe that eDirectory uses GUIDs to represent trustees (security principals), vs. SIDs in Windows. There are pluses and minuses to both schemes, but none are particularly critical. I see it as more of an implementation detail than anything else.
-gil

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 17, 2003 4:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Resolving a GUID

Ahh - OK, that does clear up a thing or two on what I've been seeing in SDDL dumps.

Now, in a conversation in Redmond last week, it was stated that NDS uses GUIDs. How does Novell utilize them in a more structured manner, or is this just the difference in implementation from Microsoft to Novell, i.e. SIDs vs. GUIDs?

Cool - thanks much, Gil!

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
> Sent: Monday, February 17, 2003 11:47 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Resolving a GUID
>
> Hi Rick,
>
> Apologies for jumping into the middle of this thread, but I wanted to clarify something.
>
> Security descriptors use SIDs and GUIDs for two entirely different purposes.
>
> The ACEs in an ACL _always_ use SIDs to identify the security principal involved; they never use GUIDs to identify a security principal. ACEs use GUIDs to identify either 1) an extended access right, such as "User-Change-Password", or 2) an attribute group to which the ACE applies (as defined by the attributeSecurityGuid in the attributeSchema object).
>
> SIDs are a legacy data structure, but they are still the only way that the Windows security system identifies security principals; SIDs are not just for backward compatibility. The SID structure encodes the chain of authority that allocated the identifier; in particular you can determine which domain a SID is part of.
>
> GUIDs are unstructured unique identifiers and don't encode any other information. They are used to uniquely identify objects in the directory (among other things), but not particularly security principals.
>
> Hope this clarifies this issue a bit.
>
> -gil
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, February 16, 2003 9:00 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Resolving a GUID
>
> Dave,
>
> Have you gotten an answer yet that satisfies you?
>
> In the ACLs, or more appropriately, the Security Description, you can find both SIDs and GUIDs. Some of these may have to do with your recent upgrade. Others may not. This is where caution comes in. Typically, if you give them time to resolve, and they don't - you should be able to remove them. Especially if you use SID2USER and get an invalid or non-existent return.
>
> When going from Windows NT 4.0 to Windows 2000, a SID should only reference an object from Windows NT 4.0. A GUID shouldn't, as a GUID doesn't have any meaning in NT 4.0 speak.
>
> Like NDS, AD can and does use GUIDs to identify many objects in the ACLs. SIDs, for the greater part, are a legacy throwback - hence the reason that they will be around in MS products for a while yet.
>
> Me, I'd be happy to see them go....
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Kinnamon
> > Sent: Wednesday, February 12, 2003 9:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Resolving a GUID
> >
> > I recently noticed that I have a number of GUIDs listed in my Default Domain Controllers Policy. Months ago I had upgraded my NT4 PDC and I'm assuming all of these values came from that process. I have deleted a number of old accounts since my upgrade.
> >
> > Is there any way to manually check if that GUID references any current object in AD? Can I safely delete them since they don't "resolve"?
> >
> > Dave Kinnamon
> > Network Administrator
> > ETC International
> >
> > p. 608-662-2314
> > m. 608-209-0609
> > f. 608-662-8514
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
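
Added example (not part of the original thread, and not code from any poster): a small Python parser for the SDDL dumps discussed above, showing that the object field of an ACE carries a GUID (here the "User-Change-Password" extended right) while the trustee field is always a SID or a two-letter SID alias, and that an account SID reveals its issuing domain. Assumptions: only non-conditional six-field ACEs are handled; the sample SDDL string, its domain SID and RID are constructed; parse_aces and domain_of are hypothetical helper names.

```python
import re

# Sample rightsGuid table; only the right named in the thread is listed.
KNOWN_OBJECT_GUIDS = {"ab721a53-1e2f-11d0-9819-00aa0040529b": "User-Change-Password"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed SDDL string (assumption: made-up domain SID and RID).
SAMPLE_SDDL = ("D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
               "(A;;RPWP;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
               "(A;CI;RP;;;AU)")


def domain_of(sid):
    """Return the domain SID that issued an S-1-5-21-... account SID, else None."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[2:4] == ["5", "21"]:
        return "-".join(parts[:7])  # drop the trailing RID
    return None


def parse_aces(sddl):
    """Split non-conditional ACEs into their six fields and label each identifier."""
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"expected 6 ACE fields, got {len(fields)}: {body!r}")
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields
        if obj_guid and not GUID_RE.match(obj_guid):
            raise ValueError(f"object field is not a GUID: {obj_guid!r}")
        if SID_RE.match(trustee):
            kind = "sid"
        elif re.fullmatch(r"[A-Z]{2}", trustee):
            kind = "sid_alias"  # two-letter SDDL constant for a well-known SID
        else:
            raise ValueError(f"trustee is not a SID: {trustee!r}")
        aces.append({
            "type": ace_type, "rights": rights, "trustee": trustee,
            "trustee_kind": kind,
            "trustee_domain": domain_of(trustee) if kind == "sid" else None,
            "object_guid": obj_guid.lower() or None,
            "object_name": KNOWN_OBJECT_GUIDS.get(obj_guid.lower()),
        })
    return aces


if __name__ == "__main__":
    for ace in parse_aces(SAMPLE_SDDL):
        print(ace)
```

Comparing trustee_domain against the current domain SID is one way to spot trustees that were issued by a domain other than the one being administered.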
