
Re: ObjectSID Ldap Search

 
 
Matthew Rimer [MSFT]
 
      27th Aug 2004
The objectSid attribute is binary-valued, so to search on it, you have to
use the binary value of the SID. Binary values are represented in LDAP
search filters as \xx, where "xx" are two hexadecimal digits. The details
of LDAP search filters are covered in RFC 2254 (available at
http://www.ietf.org/rfc/rfc2254.txt).

For example, suppose your SID in string form was
S-1-5-21-2562418665-3218585558-1813906818-1576. In binary form, this is
{01,05,00,00,00,00,00,05,15,00,00,00,e9,67,bb,98,d6,b7,d7,bf,82,05,1e,6c,28,06,00,00},
so the LDAP search filter would be:

(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)

Thanks,
Matthew Rimer [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"CobolExpert" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
> I am having a bit of trouble finding a SID in AD.
>
> In AD, I go to Find, Custom Search and enter this in as my LDAP query -
>
> (&(ObjectSid=S-1-2-3-4-5-6-7-8))
>
> I get nothing back even though I know the sid exists. Could someone tell
> me
> what I am doing incorrectly?
>
> Thanks.



 
 
 
 
 
CobolExpert
 
      27th Aug 2004
Is there a tool I can use to do the conversion? I need to track down a few
rogue sids that are plaguing my PF store.

Thanks,
JB

 
 
 
 
 
Joe Richards [MVP]
 
      28th Aug 2004
Take a look at adfind on the free win32 tools page off www.joeware.net. It will
allow you to specify the SID in a friendly format and do the conversion and
lookup for you...

adfind -binenc -gc -b "" -f "objectsid={{SID:S-1-5-blah-blah-blah}}" -dn

Note you could also use sidtoname on the same website.

sidtoname s-1-5-blah-blah.

Sidtoname doesn't directly query AD, it does a sid lookup through the normal sid
resolution channels.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net




 