Joe,
  Undoubtedly your program is of great value for folks like me.
Actually, I tried the program a few days ago, but could not set the correct
parameters.  This shed more light on what I wanted to know. AD assigns a
unique SID when a workstation or user joins the domain. This has no impact
on what the workstation SID is. I used your program and captured Computer
and User objects. Then I used PsGetSid from PsTools on a workstation.
What I found was that the last segment was randomly assigned by AD.
The workstation SID has only 7 segments and the AD SID attribute has 8 segments.
AD -        Sid:S-1-5-21-3779066958-2660189832-1200827-3391
Workstation SID:S-1-5-21-2214242676-972441917-2900879380
 
This revelation puts me back to my Square 1 question.  What makes the
difference if several workstations have the same SID generated by a Ghost
(Symantec) image when authenticating during the login process? 
While framing my original question, I thought that AD would store the
workstation SID somewhere in its database and use that information to
authenticate.
Thanks,
Rao/..

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 21, 2005 10:49 AM
To: [email protected]
Subject: RE: [ActiveDir] How to identify SIDs in AD?

SIDs of Active Directory objects are stored in the objectSID attribute.
If you have done some form of migration or move of users or groups from
one domain to another, the sIDHistory attribute will also be populated.

The last thing you mention, something that matches the workstation SID
with the workstation's objectSID in AD, would have to be a script. There
is no attribute in AD that maintains the workstation SID; AD doesn't care
about that SID, it only cares about the objectSID assigned to the computer
object for the workstation, which is different.

To tackle that problem, you would have to write a script that enumerates
all of the AD Computer objects and their objectSIDs, then has the script
reach out to each of those computers individually and query for its SID
(just ask for the Administrator SID on each of the machines and chop off
the RID at the end), and then produce your mapping.

To easily display SIDs from AD, you could use my adfind utility. To dump
all computer objects in a forest and their SIDs you would do something
like

adfind -gc -b "" -f objectcategory=computer objectSID

If you pipe that output to a file, you could then use the adcsv script (in
the adfind zip file) to take that output and put it into a CSV format for
easier consumption by something else.

    joe
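
The mapping script joe describes above, and the 7-segment versus 8-segment puzzle in Rao's reply at the top of the thread, both come down to the same SID arithmetic: a domain account's objectSID is the domain SID plus a RID, and a local account's SID is the machine SID plus a RID, so stripping the last sub-authority from the local Administrator SID (RID 500) yields the machine SID that PsGetSid prints. The following Python is an added example, not code from joe, adfind or PsTools. It decodes the binary objectSid that LDAP returns (adfind prints it as text already, but a raw LDAP query does not), strips RIDs, joins the AD computer list to the per-machine results, and flags machines that share a machine SID. The computer names, the third domain SID and the per-machine Administrator SIDs are constructed sample data standing in for the adfind dump and the per-machine queries; the two SIDs from Rao's message are reused as-is.

```python
"""Decode objectSid blobs, strip RIDs and map AD computer objects to
workstation (machine) SIDs.  Added example; all sample data is constructed."""
import struct
from collections import defaultdict


def sid_bytes_to_str(blob: bytes) -> str:
    """Decode a binary SID (the form objectSid has over LDAP) into S-R-A-... text.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then 32-bit little-endian sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_str_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_str; used here only to build the sample blobs."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def strip_rid(sid: str) -> tuple:
    """Split 'S-1-5-21-a-b-c-RID' into the issuing SID and the RID.
    For an AD objectSid the issuing SID is the domain SID; for the local
    Administrator account (RID 500) it is the machine SID."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


# Constructed sample: name -> objectSid, as an LDAP/adfind dump would yield
# after decoding.  All three share the domain SID; only the RID differs.
AD_COMPUTERS = {
    "WS01": sid_str_to_bytes("S-1-5-21-3779066958-2660189832-1200827-3391"),
    "WS02": sid_str_to_bytes("S-1-5-21-3779066958-2660189832-1200827-3392"),
    "WS03": sid_str_to_bytes("S-1-5-21-3779066958-2660189832-1200827-3393"),
}

# Constructed sample: the local Administrator SID each workstation reported
# (what PsGetSid prints for 'Administrator' on that machine).  WS01 and WS02
# were built from the same image and still share a machine SID.
LOCAL_ADMIN_SIDS = {
    "WS01": "S-1-5-21-2214242676-972441917-2900879380-500",
    "WS02": "S-1-5-21-2214242676-972441917-2900879380-500",
    "WS03": "S-1-5-21-1507463089-3119880718-124950742-500",
}


def build_mapping(ad_computers, local_admin_sids):
    """Return rows of (name, objectSid, domain SID, RID, machine SID).
    Machines that could not be queried get None for the machine SID."""
    rows = []
    for name, blob in sorted(ad_computers.items()):
        object_sid = sid_bytes_to_str(blob)
        domain_sid, rid = strip_rid(object_sid)
        admin = local_admin_sids.get(name)
        machine_sid = strip_rid(admin)[0] if admin else None
        rows.append((name, object_sid, domain_sid, rid, machine_sid))
    return rows


def duplicate_machine_sids(rows):
    """Group workstations by machine SID and return only the SIDs shared by
    more than one machine, i.e. the cloned images."""
    by_sid = defaultdict(list)
    for name, _, _, _, machine_sid in rows:
        if machine_sid:
            by_sid[machine_sid].append(name)
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


if __name__ == "__main__":
    rows = build_mapping(AD_COMPUTERS, LOCAL_ADMIN_SIDS)
    for row in rows:
        print("%s,%s,%s,%d,%s" % row)
    for sid, names in duplicate_machine_sids(rows).items():
        print("duplicate machine SID %s on %s" % (sid, ", ".join(names)))
```

In a real run the two dictionaries would be filled from the adfind/adcsv output and from a per-host query (PsGetSid, or a remote LookupAccountName on "Administrator"); the join and the duplicate check are the part that does not change.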




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hanumara, Rao
Sent: Thursday, July 21, 2005 9:58 AM
To: [email protected]
Subject: [ActiveDir] How to identify SIDs in AD?

Hello,
   I am new to the list and also new to AD.  We are running into a few
problems with Ghost image deployment.  Is there any utility that can show
SIDs on the Domain Controller?  We have AD and DNS implemented on our DC.  MS
Administrative tools just show me members of AD and the DNS Forward and
Reverse lists.  What I want to see is the SIDs of AD Computers/Users.  Where
are they stored and how can I see them?  I really want a report that
matches the Workstation SID with the AD SID in computers.
Thanks in Advance,
Rao/.. 


 
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/