SIDs - default domain policy


Andrew Story

Hi - Win2k Forest.

In the default domain and domain controller policy there are multiple
accounts displayed only as SIDs with rights granted on the domain.

I've used sidtoname from joeware.net, but can't resolve the SIDs to any
names. Is there any way to find out if they are safe to remove?

Thanks.
 

Roger Abell [MVP]

If normal resolution is available and no other domains are
unavailable then it is 99+% likely that they are deleted
accounts or groups. To be sure compare with a SID from
your domain to see if all but the last section match.
 

Andrew Story

Cheers Roger - this may sound silly, but how do I find the SIDs for objects
in my domain in the easiest fashion?
 

Joe Richards [MVP]

Specify a DC when you use sidtoname...

sidtoname sid machine


Ex:

sidtoname S-1-5-21-1275210071-789336058-1957994488-512 DomCon1


Alternately you can do

adfind -sc adsid:SID


adfind -sc adsid:S-1-5-21-1275210071-789336058-1957994488-512



sidtoname will chase trusts, adfind will not because it is a basic LDAP lookup.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 

Andrew Story

Apologies, I should have explained my second question a bit better.

How can I find the SID (SIDs) associated with the production domain? I
assume there will be a common SID so I can compare to the ones I see in the
GPOs.

Thanks again.
 

Joe Richards [MVP]

Oh, resolve the sid of the domain itself.... You can get it by looking at the
objectsid attribute of the Domain NC head object... so something like

adfind -default -s base objectsid

Note that there are a bunch of SIDs that are valid that will not include the
domain SID, these are called well known SIDs and are for groups such as Power
Users, Administrators, etc. They have no domain/machine affinity and are the
same on every single Windows machine in the world. Some can only be resolved on
the proper type of machine. For instance Power Users can't be resolved on Domain
Controllers but say Server Operators can only be resolved on DCs. For instance,
Server Operators is the SID S-1-5-32-549 always...



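Roger's advice (compare everything but the last section of an unresolvable SID against your domain SID) and Joe's two points (the domain SID comes from the binary objectSid attribute of the domain head, and well-known/BUILTIN SIDs such as S-1-5-32-549 never carry a domain prefix) can be turned into a small triage script. The following is an added example written for this thread, not code from joeware.net or from either poster. It decodes the raw objectSid byte layout (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) and then sorts each SID seen in a GPO into "BUILTIN alias", "well-known RID in this domain", "created object in this domain" (the 99+% deleted-account case when it will not resolve), or "other domain". The domain SID is the one from Joe's sidtoname example; the RID tables and the sample SID list are assumptions constructed for the example and cover only a handful of the documented values.

```python
import struct

# Domain SID taken from the sidtoname example earlier in this thread, treated as "our" domain.
DOMAIN_SID = "S-1-5-21-1275210071-789336058-1957994488"

# Well-known RIDs every domain issues, and BUILTIN (S-1-5-32-*) aliases present on every
# Windows machine. Assumed tables for this example; intentionally incomplete.
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins",
               513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers",
               516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins"}
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
                   548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
                   551: "Backup Operators", 552: "Replicator"}
OTHER_WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-9": "Enterprise Domain Controllers",
                    "S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System"}


def parse_sid(sid):
    """Split 'S-1-5-21-...' into (revision, identifier_authority, [sub-authorities])."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_from_bytes(raw):
    """Decode a binary objectSid value (what LDAP returns for 'adfind -default -s base objectsid')."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")                 # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # little-endian DWORDs
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; used here only to construct sample objectSid values."""
    revision, authority, subs = parse_sid(sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def classify(sid, domain_sid=DOMAIN_SID):
    """Say what a SID found in a GPO most likely is, relative to the given domain SID."""
    _, authority, subs = parse_sid(sid)
    _, _, domain_subs = parse_sid(domain_sid)
    if sid.upper() in OTHER_WELL_KNOWN:
        return "well-known: " + OTHER_WELL_KNOWN[sid.upper()]
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        # BUILTIN aliases have no domain affinity; some (Power Users) will not resolve on a DC,
        # others (Server Operators) only resolve on a DC, so "unresolvable" is not "deleted" here.
        return "BUILTIN alias: " + BUILTIN_ALIASES.get(subs[1], "RID %d" % subs[1])
    if authority == 5 and subs[:1] == [21]:
        if subs == domain_subs:
            return "the domain SID itself"
        if len(subs) == 5 and subs[:4] == domain_subs:
            rid = subs[4]
            if rid in DOMAIN_RIDS:
                return "this domain, well-known: " + DOMAIN_RIDS[rid]
            return "this domain, RID %d (created object; unresolvable => deleted)" % rid
        if len(subs) >= 4:
            return "other domain S-1-5-21-%d-%d-%d (trusted domain or orphan)" % tuple(subs[1:4])
    return "unrecognised SID"


def triage(sids, domain_sid=DOMAIN_SID):
    """Map each SID string to its classification; the report a GPO reviewer would read."""
    return {s: classify(s, domain_sid) for s in sids}


if __name__ == "__main__":
    # Constructed sample: a domain SID as it would come back in binary, plus GPO entries.
    raw_domain_sid = sid_to_bytes(DOMAIN_SID)
    domain = sid_from_bytes(raw_domain_sid)
    seen_in_gpo = ["S-1-5-21-1275210071-789336058-1957994488-512",
                   "S-1-5-21-1275210071-789336058-1957994488-1105",
                   "S-1-5-32-549", "S-1-5-32-547", "S-1-5-11",
                   "S-1-5-21-111111111-222222222-333333333-1043"]
    for sid, verdict in triage(seen_in_gpo, domain).items():
        print("%-52s %s" % (sid, verdict))
```

Only the "created object in this domain" verdict supports Roger's "almost certainly deleted" conclusion when sidtoname against a DC fails; an unresolvable BUILTIN or other-domain SID needs a different check (the right machine type, or the trusted domain being reachable) before it is removed.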
 

Andrew Story

Thanks Joe : )
