Re: ObjectSID Ldap Search

Discussion in 'Microsoft Windows 2000 Active Directory' started by Matthew Rimer [MSFT], Aug 27, 2004.

  1. The objectSid attribute is binary-valued, so to search on it, you have to
    use the binary value of the SID. Binary values are represented in LDAP
    search filters as \xx, where "xx" are two hexadecimal digits. The details
    of LDAP search filters are covered in RFC 2254 (available at
    http://www.ietf.org/rfc/rfc2254.txt).

    For example, suppose your SID in string form was
    S-1-5-21-2562418665-3218585558-1813906818-1576. In binary form, this is
    {01,05,00,00,00,00,00,05,15,00,00,00,e9,67,bb,98,d6,b7,d7,bf,82,05,1e,6c,28,06,00,00},
    so the LDAP search filter would be:

    (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)

    Thanks,
    Matthew Rimer [MSFT]
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm


    "CobolExpert" <> wrote in message
    news:...
    > Hi,
    > I am having a bit of trouble finding a SID in AD.
    >
    > In AD, I go to Find, Custom Search and enter this in as my LDAP query -
    >
    > (&(ObjectSid=S-1-2-3-4-5-6-7-8))
    >
    > I get nothing back even though I know the sid exists. Could someone tell
    > me
    > what I am doing incorrectly?
    >
    > Thanks.
     
    Matthew Rimer [MSFT], Aug 27, 2004
    #1
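A worked example of the conversion Matthew describes, added here and not part of his post: it packs a string SID into the binary layout (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then each sub-authority as a 32-bit little-endian integer), escapes every byte as \xx for the RFC 2254 filter, and decodes the other way so a binary objectSid pulled from a directory can be read back as a string. Function names are my own; the sample SID is the one from the post.

```python
import re
import struct

# Constructed sample: the SID used in the reply above.
SAMPLE_SID = "S-1-5-21-2562418665-3218585558-1813906818-1576"


def sid_to_bytes(sid: str) -> bytes:
    """Convert a string SID (S-R-A-S1-S2-...) to its binary form."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)*)", sid, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    # Revision must be 1, at most 15 sub-authorities, authority fits in 48 bits.
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"malformed SID: {sid!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")                  # 6 bytes, big-endian
            + b"".join(struct.pack("<I", s) for s in subs))  # 4 bytes each, little-endian


def bytes_to_sid(data: bytes) -> str:
    """Reverse conversion: binary objectSid value back to S-1-... string."""
    if len(data) < 8:
        raise ValueError("binary SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def ldap_filter_for_sid(sid: str) -> str:
    """Build an (objectSid=...) filter with every byte escaped as \\xx (RFC 2254)."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid_to_bytes(sid))


if __name__ == "__main__":
    print(ldap_filter_for_sid(SAMPLE_SID))
```

Running it on the sample SID reproduces the filter shown in the post byte for byte; the round trip is what you want when a raw objectSid from an LDIF dump has to be matched against an S-1-5-... string.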

  2. Matthew Rimer [MSFT]


    Is there a tool I can use to do the conversion? I need to track down a few
    rogue sids that are plaguing my PF store.

    Thanks,
    JB

     
    Guest, Aug 27, 2004
    #2

  3. Take a look at adfind on the free win32 tools page off www.joeware.net. It will
    allow you to specify the SID in a friendly format and do the conversion and
    lookup for you...

    adfind -binenc -gc -b "" -f "objectsid={{SID:S-1-5-blah-blah-blah}}" -dn

    Note you could also use sidtoname on the same website.

    sidtoname s-1-5-blah-blah.

    Sidtoname doesn't directly query AD, it does a sid lookup through the normal sid
    resolution channels.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net



     
    Joe Richards [MVP], Aug 28, 2004
    #3
