Re: ObjectSID Ldap Search


Matthew Rimer [MSFT]

The objectSid attribute is binary-valued, so to search on it, you have to
use the binary value of the SID. Binary values are represented in LDAP
search filters as \xx, where "xx" are two hexadecimal digits. The details
of LDAP search filters are covered in RFC 2254 (available at
http://www.ietf.org/rfc/rfc2254.txt).

For example, suppose your SID in string form was
S-1-5-21-2562418665-3218585558-1813906818-1576. In binary form, this is
{01,05,00,00,00,00,00,05,15,00,00,00,e9,67,bb,98,d6,b7,d7,bf,82,05,1e,6c,28,06,00,00},
so the LDAP search filter would be:

(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)

Thanks,
Matthew Rimer [MSFT]
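An added example, not part of Matthew's post, showing the conversion his post describes in Python: the string SID is packed into the binary layout stored in objectSid (revision byte, sub-authority count, 6-byte big-endian identifier authority, then each sub-authority as a 32-bit little-endian integer), every byte is escaped as \xx per RFC 2254, and the reverse decoding is included for reading objectSid values back out of search results. The SID below is the one from the post.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Pack a string SID (S-R-I-S1-S2-...) into the binary objectSid layout:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a little-endian uint32."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a string SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID has at most 15 sub-authorities")
    if authority >= 1 << 48:
        raise ValueError("identifier authority must fit in 48 bits")
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out

def bytes_to_sid(data: bytes) -> str:
    """Reverse of sid_to_bytes: decode an objectSid value returned by a search."""
    if len(data) < 8:
        raise ValueError("binary SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match value length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def ldap_sid_filter(sid: str, attribute: str = "objectSid") -> str:
    """Build an RFC 2254 equality filter with every byte escaped as \\xx.
    Escaping all bytes is always valid and sidesteps the special-character
    rules for '*', '(', ')', '\\' and NUL in binary values."""
    escaped = "".join("\\%02x" % b for b in sid_to_bytes(sid))
    return f"({attribute}={escaped})"

if __name__ == "__main__":
    sid = "S-1-5-21-2562418665-3218585558-1813906818-1576"  # SID from the post
    print(sid_to_bytes(sid).hex())
    print(ldap_sid_filter(sid))
```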
 
Is there a tool I can use to do the conversion? I need to track down a few
rogue sids that are plaguing my PF store.

Thanks,
JB

Matthew Rimer said:
The objectSid attribute is binary-valued, so to search on it, you have to
use the binary value of the SID. Binary values are represented in LDAP
search filters as \xx, where "xx" are two hexadecimal digits. The details
of LDAP search filters are covered in RFC 2254 (available at
http://www.ietf.org/rfc/rfc2254.txt).

For example, suppose your SID in string form was
S-1-5-21-2562418665-3218585558-1813906818-1576. In binary form, this is
{01,05,00,00,00,00,00,05,15,00,00,00,e9,67,bb,98,d6,b7,d7,bf,82,05,1e,6c,28,06,00,00},
so the LDAP search filter would be:

(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)

Thanks,
Matthew Rimer [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


CobolExpert said:
Hi,
I am having a bit of trouble finding a SID in AD.

In AD, I go to Find, Custom Search and enter this in as my LDAP query -

(&(ObjectSid=S-1-2-3-4-5-6-7-8))

I get nothing back even though I know the sid exists. Could someone tell me
what I am doing incorrectly?

Thanks.
 
Take a look at adfind on the free win32 tools page off www.joeware.net. It will
allow you to specify the SID in a friendly format and do the conversion and
lookup for you...

adfind -binenc -gc -b "" -f "objectsid={{SID:S-1-5-blah-blah-blah}}" -dn

Note you could also use sidtoname on the same website.

sidtoname s-1-5-blah-blah.

Sidtoname doesn't directly query AD, it does a sid lookup through the normal sid
resolution channels.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

