date: Mon, 7 Apr 2008 18:06:03 -0700,
group: microsoft.public.dotnet.security
Re: how can I find the domain name if I have the domain sid?
Hi Joe,
Is there any way to convert the NTAccount type to a DirectoryEntry so I can
extract the user's property of its path in .net 2?
IADsNameTranslate requires domain name so that won't work. I don't know how
to call DsCrackNames from my C# windows application. PInvoke?
Thank you.
--
Thanks.
"Joe Kaplan" wrote:
> I think you need to call DsCrackNames for this. You could also use
> IADsNameTranslate as a wrapper.
>
> Joe K.
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> "Pucca" wrote in message
> news:08291BDB-82EB-4CB5-BDDC-81E1AE95CA1B@microsoft.com...
> > On the 2nd thought, actually, I don't think I can use the DirectorySearcher
> > because this domain could be from another forest.
> >
> > Besides the Domain sid, I also have the user sid. When I convert the user
> > sid to NTAccount and get the name, it only provides the 1st part of the
> > domain name /user name. It doesn't give me the full domain name. For
> > example, xxx.yyy.zzz and userA is the user name it would give me "xxx/userA".
> >
> > Is there any way for me to get the full domain name of a domain from any
> > forest using either the domain sid or user sid? Thank you.
> > --
> > Thanks.
> >
> >
> > "Joe Kaplan" wrote:
> >
> >> Can you create a SecurityIdentifier and then call Translate on it to get
> >> an NTAccount? I haven't tried that with a domain SID.
> >>
> >> Otherwise, you might have to search for the object by its SID with an
> >> LDAP query (which should be pretty easy too).
> >>
> >> Joe K.
> >> --
> >> Joe Kaplan-MS MVP Directory Services Programming
> >> Co-author of "The .NET Developer's Guide to Directory Services
> >> Programming"
> >> http://www.directoryprogramming.net
> >> --
> >> "Pucca" wrote in message
> >> news:2CC18153-7BC1-4DE8-8068-E3700E279BD5@microsoft.com...
> >> > This domain could be in my current forest or in a foreign forest. The
> >> > DirectoryContext requires domain name but I only have the domain sid.
> >> > How can I do this in .net 2, vs2005, using C# for a windows application?
> >> > Thank you.
> >> > --
> >> > Thanks.
> >>
> >>
> >>
>
>
>
date: Wed, 2 Jul 2008 14:11:01 -0700
author: Pucca
Re: how can I find the domain name if I have the domain sid?
P/Invoke, yes. Note that you still need to bind to something to be able to
resolve the name, so if the SID is from a trusted forest, you would bind to
a DC in the current forest and then DsCrackNames would use the trust to do
the translation. If the SID is from some random forest with no trust path,
I don't think you can determine this.
You can convert from SecurityIdentifier to DirectoryEntry by using the SID
DN syntax to build the ADsPath for the DirectoryEntry. You can't go
straight from NTAccount.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
date: Wed, 2 Jul 2008 18:00:08 -0500
author: Joe Kaplan
Re: how can I find the domain name if I have the domain sid?
Ok, very cool if I can get the user DirectoryEntry using its sid and
translate into NTAccount first. But, I'm not following you on the part about
"using the SID DN syntax to build the ADsPath for the DirectoryEntry".
Where and how do I get the SID DN syntax so I can build the ADsPath? Can
you point me to an example on how this is done?
If I can get a DirectoryEntry object with the user's sid or user's domain
sid then I will be able to extract its path information and get my domain
name.
Thank you.
--
Thanks.
date: Wed, 2 Jul 2008 17:00:00 -0700
author: Pucca
Re: how can I find the domain name if I have the domain sid?
The following code is what I have so far for trying to get the domain name
from passing in a user's objectSid. Can you elaborate on how to use the sid
DN to build the path so I can get the DirectoryEntry object for the user sid
that is passed in, from the code I have so far? Is that possible? Thank you.
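    using System.DirectoryServices.ActiveDirectory;  // Domain
    using System.Security.Principal;                 // SecurityIdentifier, NTAccount

    public static string GetDominName(string sid)
    {
        string childSidKey = sid;
        // Parse the string (SDDL) form of the user's objectSid.
        SecurityIdentifier sdSID = new SecurityIdentifier(childSidKey);
        // Domain part of the SID; null when the SID is not an account SID.
        SecurityIdentifier domainSid = sdSID.AccountDomainSid;
        Domain domain;  // declared but not used yet
        // Translate throws IdentityNotMappedException when the SID cannot be resolved.
        NTAccount account = (NTAccount)sdSID.Translate(typeof(NTAccount));
        // Value is the short domain name and the user name, not the full domain name.
        string name = account.Value;
        return name;
    }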
--
Thanks.
date: Wed, 2 Jul 2008 17:58:00 -0700
author: Pucca
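
The "SID DN syntax" asked about above is the ADSI SID-binding path, LDAP://<SID=...>, where the value is the hex form of the binary SID. The following is an added example, not code from any poster in this thread: it builds that path from a SecurityIdentifier, binds a DirectoryEntry, and derives the full domain name from the DC= components of the object's distinguishedName. The class and method names are hypothetical, and it assumes the domain controller reached by the serverless bind can resolve the SID.

```csharp
// Added example; SidBinding and its method names are hypothetical.
using System;
using System.Collections.Generic;
using System.DirectoryServices;   // reference System.DirectoryServices.dll
using System.Security.Principal;
using System.Text;

public static class SidBinding
{
    // ADSI SID binding: LDAP://<SID=hex digits of the binary SID>.
    public static string BuildSidPath(SecurityIdentifier sid)
    {
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        StringBuilder hex = new StringBuilder(raw.Length * 2);
        foreach (byte b in raw) hex.Append(b.ToString("X2"));
        return "LDAP://<SID=" + hex + ">";
    }

    // Joins the trailing DC= components of a DN into a DNS-style name,
    // e.g. CN=userA,CN=Users,DC=xxx,DC=yyy,DC=zzz -> xxx.yyy.zzz.
    public static string DomainFromDn(string dn)
    {
        string[] parts = dn.Split(',');
        List<string> labels = new List<string>();
        for (int i = parts.Length - 1; i >= 0; i--)
        {
            string rdn = parts[i].Trim();
            // A piece that follows an escaped comma (\,) is part of a name, not an RDN.
            bool escaped = i > 0 && parts[i - 1].EndsWith("\\");
            if (escaped || !rdn.StartsWith("DC=", StringComparison.OrdinalIgnoreCase)) break;
            labels.Insert(0, rdn.Substring(3));
        }
        return string.Join(".", labels.ToArray());
    }

    // Assumption: the DC reached by this serverless bind can resolve the SID.
    public static string GetDnsDomainName(string sddlSid)
    {
        SecurityIdentifier sid = new SecurityIdentifier(sddlSid);
        using (DirectoryEntry entry = new DirectoryEntry(BuildSidPath(sid)))
        {
            // Reading a property forces the bind; a COMException means the SID was not found.
            string dn = (string)entry.Properties["distinguishedName"].Value;
            return DomainFromDn(dn);
        }
    }
}
```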