Re: ObjectSID Ldap Search

's Computer Specifications

The objectSid attribute is binary-valued, so to search on it, you have to
use the binary value of the SID. Binary values are represented in LDAP
search filters as \xx, where "xx" are two hexadecimal digits. The details
of LDAP search filters are covered in RFC 2254 (available at
http://www.ietf.org/rfc/rfc2254.txt).

For example, suppose your SID in string form was
S-1-5-21-2562418665-3218585558-1813906818-1576. In binary form, this is
{01,05,00,00,00,00,00,05,15,00,00,00,e9,67,bb,98,d6,b7,d7,bf,82,05,1e,6c,28,06,00,00},
so the LDAP search filter would be:

(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)

Thanks,
Matthew Rimer [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"CobolExpert" <(E-Mail Removed)> wrote in message
news:CE0BD837-F3E2-4406-B717-(E-Mail Removed)...
> Hi,
> I am having a bit of trouble finding a SID in AD.
>
> In AD, I go to Find, Custom Search and enter this in as my LDAP query -
>
> (&(ObjectSid=S-1-2-3-4-5-6-7-8))
>
> I get nothing back even though I know the sid exists. Could someone tell
> me
> what I am doing incorrectly?
>
> Thanks.

's Computer Specifications

Is there a tool I can use to do the conversion? I need to track down a few
rogue sids that are plaguing my PF store.

Thanks,
JB

"Matthew Rimer [MSFT]" wrote:

> The objectSid attribute is binary-valued, so to search on it, you have to
> use the binary value of the SID. Binary values are represented in LDAP
> search filters as \xx, where "xx" are two hexadecimal digits. The details
> of LDAP search filters are covered in RFC 2254 (available at
> http://www.ietf.org/rfc/rfc2254.txt).
>
> For example, suppose your SID in string form was
> S-1-5-21-2562418665-3218585558-1813906818-1576. In binary form, this is
> {01,05,00,00,00,00,00,05,15,00,00,00,e9,67,bb,98,d6,b7,d7,bf,82,05,1e,6c,28,06,00,00},
> so the LDAP search filter would be:
>
> (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)
>
> Thanks,
> Matthew Rimer [MSFT]
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "CobolExpert" <(E-Mail Removed)> wrote in message
> news:CE0BD837-F3E2-4406-B717-(E-Mail Removed)...
> > Hi,
> > I am having a bit of trouble finding a SID in AD.
> >
> > In AD, I go to Find, Custom Search and enter this in as my LDAP query -
> >
> > (&(ObjectSid=S-1-2-3-4-5-6-7-8))
> >
> > I get nothing back even though I know the sid exists. Could someone tell
> > me
> > what I am doing incorrectly?
> >
> > Thanks.
>
>
>

's Computer Specifications

Take al ook at adfind on the free win32 tools page off www.joeware.net. It will
allow you to specify the SID in a friendly format and do the conversion and
lookup for you...

adfind -binenc -gc -b "" -f "objectsid={{SID:S-1-5-blah-blah-blah}}" -dn

Note you could also use sidtoname on the same website.

sidtoname s-1-5-blah-blah.

Sidtoname doesn't directly query AD, it does a sid lookup through the normal sid
resolution channels.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

CobolExpert wrote:
> Is there a tool I can use to do the conversion? I need to track down a few
> rogue sids that are plaguing my PF store.
>
> Thanks,
> JB
>
> "Matthew Rimer [MSFT]" wrote:
>
>
>>The objectSid attribute is binary-valued, so to search on it, you have to
>>use the binary value of the SID. Binary values are represented in LDAP
>>search filters as \xx, where "xx" are two hexadecimal digits. The details
>>of LDAP search filters are covered in RFC 2254 (available at
>>http://www.ietf.org/rfc/rfc2254.txt).
>>
>>For example, suppose your SID in string form was
>>S-1-5-21-2562418665-3218585558-1813906818-1576. In binary form, this is
>>{01,05,00,00,00,00,00,05,15,00,00,00,e9,67,bb,98,d6,b7,d7,bf,82,05,1e,6c,28,06,00,00},
>>so the LDAP search filter would be:
>>
>>(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)
>>
>>Thanks,
>>Matthew Rimer [MSFT]
>>--
>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>Use of included script samples are subject to the terms specified at
>>http://www.microsoft.com/info/cpyright.htm
>>
>>
>>"CobolExpert" <(E-Mail Removed)> wrote in message
>>news:CE0BD837-F3E2-4406-B717-(E-Mail Removed)...
>>
>>>Hi,
>>>I am having a bit of trouble finding a SID in AD.
>>>
>>>In AD, I go to Find, Custom Search and enter this in as my LDAP query -
>>>
>>>(&(ObjectSid=S-1-2-3-4-5-6-7-8))
>>>
>>>I get nothing back even though I know the sid exists. Could someone tell
>>>me
>>>what I am doing incorrectly?
>>>
>>>Thanks.
>>
>>
>>

Thread Tools
Show Printable Version Email this Page
Rate This Thread
Rate This Thread:

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
objectSID format dumped by LDIFDE	MLi	Microsoft Windows 2000 Active Directory	15	15th Jun 2005 08:55 PM
cannot find users using ldap://ldap.domain.com	=?Utf-8?B?Q2hldGFu?=	Microsoft Windows 2000 Active Directory	2	22nd Sep 2004 12:05 AM
Does Outlook support LDAP and IMAP, and why is there only one of many LDAP questions even answered here???	Mike Matheny	Microsoft Outlook Discussion	5	27th Aug 2004 08:57 PM
SAM and objectSID	pacho baratta	Microsoft Windows 2000 Security	0	30th Apr 2004 12:25 PM
Moving From Novell LDAP (NLDAP) To Active Directory LDAP	=?Utf-8?B?U3RlcGhlbiBNb29yZQ==?=	Microsoft Windows 2000 Active Directory	1	27th Apr 2004 12:44 AM