The {{}} format isn't an LDAP thing, it is a joeware thing.
Combined with -binenc, it tells adfind to parse the input parameter differently and
replace the nice string name with a binary encoded version. I had the option of
just automatically trying to figure it out if it was needed or having the user
specify that it needed to be done. I preferred to have the user specify it so I
didn't have to ask questions like how come I can use LDIFDE to look up sids in
2K3 but not in 2K, adfind can do it in both.
-binenc will also work with GUIDs like so:

F:\DEV\cpp\SecTok>adfind -default -f "objectGUID={{GUID:B07DDAC0-895E-4323-865C-571AB4852449}}" -binenc objectsid objectguid

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Transformed Filter: objectGUID=\C0\DA\7D\B0\5E\89\23C\86\5CW\1A\B4\85\24I

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=Administrator,CN=Users,DC=joe,DC=com
>objectGUID: {B07DDAC0-895E-4323-865C-571AB4852449}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-500

1 Objects returned

Again that will work against 2k and K3 AD. Lots of
tricks in adfind, I think myself, the guys I trained at my previous employer,
and maybe Robbie are the only ones using most of the tricks though. Dean would
know the tricks but he is an OS purist and won't use things unless MS ships it
to him on his CD. Personally I think MS should just break down and give me a
couple of million dollars and buy my joeware utilities from me.
On the why does the objectsid thing work, it is because
MS made it work. They made a change in the parsing routine on the DC to
recognize the format of the SID and to convert it to the proper format. Sort of
like allowing multiple versions of logon ID for authentication. I don't recall
ever seeing that documented anywhere, I stumbled upon it by accident once when
working on the -binenc option. I had set the option without specifying the
{{SID}} and it worked still, I was like WTF? I don't believe it will do it for
GUIDs. Also not sure what attributes it will work with, for instance I have
never tried that format against the sidHistory attribute or custom attributes
someone has added that use a SID format.
Oh yeah, the astute will note the version of adfind
above is higher than anything released. I found out that an SP1 fix actually
causes something to be reported incorrectly in adfind so I had to update it even
though I wasn't ever going to update the version 1.x.x series again. Say la vee
(that was for Sir ~Eric), it was a pretty simple fix but I am looking at adding
some other things as well as long as I am going to release a new version. So far
I have added in the ability to exclude the DNs from the output (lots of people
have recently asked for that) as well as adding the ability to not output the
attribute labels. So you can actually do something like:

F:\DEV\cpp\SecTok>..\adfind\adfind -default -f objectcategory=computer name -nodn -nolabel

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) January 2005

Using server: 2k3dc02.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

2K3DC01
2K3DC02
2K3WEB01
2K3EXC01
2K3UTL01
fastmofo
HP-ML
testComputer
2K3EXC02

9 Objects returned

The command completed successfully.

joe
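The {{SID:...}} / {{GUID:...}} transform that -binenc performs, as an added Python illustration that is not adfind's own code: it serializes the textual SID and GUID into the binary layout Active Directory stores in objectSid and objectGUID, escapes the bytes for an LDAP filter, and reproduces the "Transformed Filter" line shown above. Function names and the example values are mine, copied from the thread.

```python
import re
import struct
import uuid

# Constructed example values, copied from the thread above.
EXAMPLE_SID = "S-1-5-21-1862701446-4008382571-2198042679-500"
EXAMPLE_GUID = "B07DDAC0-895E-4323-865C-571AB4852449"

def sid_to_bytes(sid: str) -> bytes:
    """Serialize S-R-A-S1-... to the objectSid binary layout: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority,
    then each sub-authority as a 32-bit little-endian integer."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, for decoding an objectSid value read back over LDAP."""
    revision, count = struct.unpack_from("<BB", raw)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def guid_to_bytes(guid: str) -> bytes:
    """objectGUID is stored in mixed-endian (bytes_le) order, which is why the
    first three groups come out byte-reversed in the transformed filter."""
    return uuid.UUID(guid.strip("{}")).bytes_le

def ldap_escape(raw: bytes) -> str:
    """Escape raw bytes for an LDAP filter value: ASCII letters and digits stay
    literal, every other byte becomes \\XX. That reproduces the shape of the
    'Transformed Filter' line above (bytes 0x23 0x43 print as \\23C)."""
    return "".join(chr(b) if b < 128 and chr(b).isalnum() else f"\\{b:02X}" for b in raw)

_TOKEN = re.compile(r"\{\{(SID|GUID):([^}]+)\}\}", re.IGNORECASE)

def transform_filter(flt: str) -> str:
    """Replace each {{SID:...}} / {{GUID:...}} token with its escaped binary form,
    which is what adfind -binenc does before handing the filter to the DC."""
    def repl(m):
        kind, value = m.group(1).upper(), m.group(2)
        raw = sid_to_bytes(value) if kind == "SID" else guid_to_bytes(value)
        return ldap_escape(raw)
    return _TOKEN.sub(repl, flt)
```

Running transform_filter on "objectGUID={{GUID:" + EXAMPLE_GUID + "}}" yields exactly the objectGUID=\C0\DA\7D\B0... line adfind printed; the SID form begins with the \01\05\00 prefix mentioned later in the thread.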
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 21, 2005 4:24 PM
To: [email protected]
Subject: RE: [ActiveDir] Finding User account if know SID

objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}}

What the hell is that?!! Is that documented somewhere? What other kinds of goofy tricks are there to avoid octet string encoding like \01\05\00…..? And while you are at it, why does this work in 2K3?

objectSID=S-1-5-21-2000478354-411894773-854245398-500

Are there any tricks for GUIDs too? Also, I can't get objectSID={{SID:S-1-5-21-861567501-413027322-18016}} to work, though objectSID=S-1-5-21-861567501-413027322-1801674531-109764 does on Win2K3. Are you just making that up? :) I love stupid LDAP tricks!

Joe
K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I think that only works against 2k3 AD though Dean. sidtoname will work against NT or 2K or K3 or XP. As an aside, if someone wants to do it through LDAP, adfind will do it too, even against W2K... If you know your directory is 2K3 you can use the same filter as below

adfind -b dc=mine,dc=local -f "(&(objectcategory=person)(objectclass=user)(objectSID=S-1-5-21-2000478354-411894773-854245398-500))" objectsid

if you know it is Windows 2000 or you don't know what it is you can do

adfind -b dc=mine,dc=local -binenc -f "(&(objectcategory=person)(objectclass=user)(objectSID={{SID:S-1-5-21-2000478354-411894773-854245398-500}}))" objectsid
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells

Joe's tools will work well ...if you're restricted to tools from the base media, try -

C:\>ldifde -d dc=mine,dc=local -r (^&(objectcategory=person)(objectclass=user)(objectSID=S-1-5-21-2000478354-411894773-854245398-500)) -l "objectSID" -f con

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher

I thought I could do this with just dsquery, but I'm having trouble doing this. Is there a way to find the user account that matches a particular SID if I know the SID?

Chris Flesher
Title: Finding User account if know SID
