SID problem

[sn9071]

Dear All,
We had our PDC down few days ago and another replica DC has taken over
it. Currently we got SID problem in security access, even it's running
BUT we can't see the name of user. is there any way to fix this ?

many thanks,
Sulis.

 

[Jorge de Almeida Pinto [MVP - DS]]

We had our PDC down few days ago and another replica DC has taken over
it. Currently we got SID problem in security access, even it's running
BUT we can't see the name of user. is there any way to fix this

can you be more specific?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[sn9071]

while we go to security access in a folder, it shows S-1-5xxx-xxx.
usually it shows a username or group. how can we put it back ?

thanks,


Jorge de Almeida Pinto [MVP - DS] menuliskan:

 

[Jorge de Almeida Pinto [MVP - DS]]

does it show others like "domain\user or group" and one or more like <SID>?

if yes, then the object with the SID that is shown there has been deleted
from AD (assuming it was a object in AD)

solution:
* authoritative restore of the object <- preferred
* undelete

before even being to do either you need to check in AD what object it is

you can use:
ADFIND -default -showdel -f
"(&(isDeleted=TRUE)(objectSid={{SID:S-1-5-21-3495709831-2249124843-3216744473-1111}}))"
-binenc distinguishedName sAMAccountName lastKnownParent

replace S-1-5-21-3495709831-2249124843-3216744473-1111 with YOUR sid

------------EXAMPLE-----------
D:\TOOLS\MISC>adfind -default -showdel -f
"(&(isDeleted=TRUE)(objectSid={{SID:S-
1-5-21-3495709831-2249124843-3216744473-1111}}))" -binenc distinguishedName
sAMA
ccountName lastKnownParent

AdFind V01.31.00cpp Joe Richards ([email protected]) March 2006

Transformed Filter:
(&(isDeleted=TRUE)(objectSid=\01\05\00\00\00\00\00\05\15\00\
00\00\87L\5C\D0\EB\EB\0E\86\19\A0\BB\BFW\04\00\00))
Using server: RDC01.AD.LAN:389
Directory: Windows Server 2003
Base DN: DC=AD,DC=LAN

dn:CN=UserNo1001\0ADEL:08cc68f5-aaf7-4ca3-94cc-640d21aae859,CN=Deleted
Objects,D
C=AD,DC=LAN

distinguishedName:
CN=UserNo1001\0ADEL:08cc68f5-aaf7-4ca3-94cc-640d21aae859,CN= Deleted Objects,DC=AD,DC=LAN
sAMAccountName: UserNo1001
lastKnownParent: OU=USERS,OU=ORG,DC=AD,DC=LAN

1 Objects returned
------------EXAMPLE-----------

to auth. restore an object follow MS-KBQ840001

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

while we go to security access in a folder, it shows S-1-5xxx-xxx.
usually it shows a username or group. how can we put it back ?

thanks,


Jorge de Almeida Pinto [MVP - DS] menuliskan:

it. Currently we got SID problem in security access, even it's running
BUT we can't see the name of user. is there any way to fix this

can you be more specific?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx