Ureader.com  
Microsoft software help and Community
date: 1 Sep 2005 14:45:18 -0700,    group: microsoft.public.platformsdk.active.directory


Comparing NT SID with AD SID   
We have an asp script that used to query exchange 5.5 for a user's
email. The query used the logged in user's NT SID to find the email.
Now, all the mailboxes have been migrated from Exchange 5.5 to Windows
Server 2003 Active Directory so basically these users have a disabled
AD account with an active mailbox. Now to my understanding, the
previous Windows NT SID should now be stored in the AD objectSID
attribute. I ran the script but it looks like the SIDs don't match.
For example, the Windows NT SID (in binary format) is something like
this :
0105000000000005150000003C6A14238E394010C810386FEB030000
but for the same user, the objectSID is:
S-1-5-21-1717189447-423777393-38629790-23333

Any ideas on why they don't match?

The script to return the windows NT SID is:
	strUser = CurUser
	' Switch the "\" to a "/" in the user name for later parsing.
	for x = 1 to len(strUser)
		if mid(strUser,x,1)="\" then
			strUser = left(strUser,x-1)+"/"+right(strUser,len(strUser)-x)
		end if
	next

	' ADSSID comes from the Platform SDK, adssecurity.dll.
	Set oSid = Server.CreateObject("ADSSID")
	oSid.SetAs ADS_SID_WINNT_PATH, "WinNT://" + strUser ' Get the user account SID.
	strSid = oSid.GetAs(ADS_SID_HEXSTRING)  ' Convert to binary string.
	set oSid = Nothing
date: 1 Sep 2005 14:45:18 -0700   author:   g2ldap

Re: Comparing NT SID with AD SID   
Unless I blew the bit flipping, the SID that your binary format represents should be

0105            S-1-   (with 5 subauths)
000000000005    5-
15000000        21-
3C6A1423        588540476-
8E394010        272644494-
C810386F        1865945288-
EB030000        1003

If you migrated users from NT Domains to K3 domains, then the old NT4 SIDs 
should be in the sIDHistory attribute, not in objectSID. objectSID will contain 
the new SID of the object in the AD domain.

    joe



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


g2ldap wrote:
> We have an asp script that used to query exchange 5.5 for a user's
> email. The query used the logged in user's NT SID to find the email.
> Now, all the mailboxes have been migrated from Exchange 5.5 to Windows
> Server 2003 Active Directory so basically these users have a disabled
> AD account with an active mailbox. Now to my understanding, the
> previous Windows NT SID should now be stored in the AD objectSID
> attribute. I ran the script but it looks like the SIDs don't match.
> For example, the Windows NT SID (in binary format) is something like
> this :
> 0105000000000005150000003C6A14238E394010C810386FEB030000
> but for the same user, the objectSID is:
> S-1-5-21-1717189447-423777393-38629790-23333
> 
> Any ideas on why they don't match?
> 
> The script to return the windows NT SID is:
> 	strUser = CurUser
> 	' Switch the "\" to a "/" in the user name for later parsing.
> 	for x = 1 to len(strUser)
> 		if mid(strUser,x,1)="\" then
> 			strUser = left(strUser,x-1)+"/"+right(strUser,len(strUser)-x)
> 		end if
> 	next
> 
> 	' ADSSID comes from the Platform SDK, adssecurity.dll.
> 	Set oSid = Server.CreateObject("ADSSID")
> 	oSid.SetAs ADS_SID_WINNT_PATH, "WinNT://" + strUser ' Get the user account SID.
> 	strSid = oSid.GetAs(ADS_SID_HEXSTRING)  ' Convert to binary string.
> 	set oSid = Nothing
>
date: Fri, 02 Sep 2005 16:30:36 -0400   author:   Joe Richards [MVP]
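
Added example, not part of either post: a Python version of the byte-order conversion worked through by hand in the reply above, together with the objectSid / sIDHistory comparison the reply points to. The function names are hypothetical and the sIDHistory value is constructed for illustration (the thread does not show the account's real sIDHistory).

```python
import struct

def sid_hex_to_string(hex_sid):
    """Decode a binary SID (hex string) into its S-1-... string form."""
    raw = bytes.fromhex(hex_sid)
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count %d" % count)
    # Identifier authority: 6 bytes, big-endian.
    authority = int.from_bytes(raw[2:8], "big")
    # Sub-authorities: 32-bit little-endian values; the last one is the RID.
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def sid_string_to_hex(sid):
    """Encode an S-1-... string back into the upper-case hex form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    raw = (bytes([int(parts[1]), len(subs)])
           + int(parts[2]).to_bytes(6, "big")
           + struct.pack("<%dI" % len(subs), *subs))
    return raw.hex().upper()

def locate_sid(hex_sid, object_sid, sid_history):
    """Return which attribute carries the SID: 'objectSid', 'sIDHistory' or None."""
    wanted = sid_hex_to_string(hex_sid)
    if wanted == object_sid:
        return "objectSid"
    if wanted in sid_history:
        return "sIDHistory"
    return None

# Values quoted in the thread.
NT_SID_HEX = "0105000000000005150000003C6A14238E394010C810386FEB030000"
OBJECT_SID = "S-1-5-21-1717189447-423777393-38629790-23333"
# Constructed sample: what sIDHistory would hold if the migration preserved the NT4 SID.
SID_HISTORY = ["S-1-5-21-588540476-272644494-1865945288-1003"]

if __name__ == "__main__":
    print(sid_hex_to_string(NT_SID_HEX))
    print(locate_sid(NT_SID_HEX, OBJECT_SID, SID_HISTORY))
```
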
