Attribute for AD Users : objectSID

The Active Directory attribute objectSid contains the Security ID (SID) of the regarding account. Only so called Security Principals (users and computer accounts as well as security groups) have a SID associated to them. This plays an important role in delegating and granting permissions. Sie spielt eine wichtige Rolle bei der Vergabe und Zuweisung von Berechtigungen.

objectSID

LDAP Name	objectSID
Data type	Octetstring (max 28)
Multivalue (Array)	Nein
System Flags	0x12
Search Flags	0x09
In Global Catalog?	Yes
Attribute ID	1.2.840.113556.1.4.146
AD DB attribute name	Object-Sid
ADSI datatype	8 - Octet String
LDAP syntax	2.5.5.17 - String(Sid)
Used in ...	> W2K
Schema Doku	Microsoft - MSDN

When you grant someone permissions on some object, then it is not the name of the trustee which is included in the regarding access control list (ACL). It is rather the SID which is entered in the list: This applies to object permissions for directory objects as well as for file system rights on a member server in the domain. The approach thus the permissions are maintained even if the accounts are renamed.

Microsoft Security IDs are stored as binary attributes (LDAP syntax is octet string) and have to be decoded first to get them converted in a familiar, readable form, for example like that:

S-1-5-21-2611707862-2219215769-354220275-1137

Dies ist die Schreibweise einer Beispiel-SID in der Notation der Security Descriptor Definition Language (SDDL). Typischerweise setzt sich die SID eines Active Directory Benutzers setzt sich immer aus zwei Bestandteilen zusammen: Dem Domänenanteil (der bei allen SIDs innerhalb einer Domäne konstant bleibt) und dem Realitven SID-Anteil (der so genannten RID). Die RID ist immer der letzte Ziffernblock hinter dem letzten Minuszeichen, in unserem Beispiel also 1137.

Alle weiteren Details zum technischen Aufbau und dem Umgang mit SIDs sind im SelfADSI Artikel "Microsoft SID Attribute" enthalten. Dort können Sie sehen, wie man nach Objekten mit einer bestimmten SID sucht, oder welche anderen wichtigen Attribute ebenfalls SID-Werte enthalten. An dieser Stelle sei nur kurz gezeigt, wie man die SID eines Benutzers ausliest und als SDDL String darstellt:

'you have to use a distinguished name of an object from you own environment here! Set obj = GetObject("LDAP://cn=Foeckeler,cn=Users,dc=cerrotorre,dc=de") pureSidData = OctetToHexStr(obj.objectSid) sDDLSidStr = HexStrToSID(pureSidData) WScript.Echo obj.cn WScript.Echo pureSidData WScript.Echo sDDLSidStr Function HexStrToSID(strSid) 'converts a raw SID hex string to the according SID string (SDDL) ReDim data(Len(strSid)/2 - 1) For i = 0 To UBound(data) data(i) = CInt("&H" & Mid(strSid, 2*i + 1, 2)) Next HexStrToSID = "S-" & data(0) & "-" & Byte6ToLong(data(2), data(3), data(4), data(5), data(6), data(7)) blockCount = data(1) For i = 0 To blockCount - 1 offset = 8 + 4*i HexStrToSID = HexStrToSID & "-" & Byte4ToLong(data(offset+3), data(offset+2), data(offset+1), data(offset)) Next End Function '_________________________________________________________________________________________ helper functions Function OctetToHexStr(var_octet) 'converts pure binary data (byte array) to a string with hexadecimal values OctetToHexStr = "" For n = 1 To lenb(var_octet) OctetToHexStr = OctetToHexStr & Right("0" & hex(ascb(midb(var_octet, n, 1))), 2) Next End Function Function Byte4ToLong(ByVal b1, ByVal b2, ByVal b3, ByVal b4) 'converts 4 bytes to the according long value Byte4ToLong = b1 Byte4ToLong = Byte4ToLong * 256 + b2 Byte4ToLong = Byte4ToLong * 256 + b3 Byte4ToLong = Byte4ToLong * 256 + b4 End Function Function Byte6ToLong(ByVal b1, ByVal b2, ByVal b3, ByVal b4, ByVal b5, ByVal b6) 'converts 6 bytes to the according long value Byte6ToLong = b1 Byte6ToLong = Byte6ToLong * 256 + b2 Byte6ToLong = Byte6ToLong * 256 + b3 Byte6ToLong = Byte6ToLong * 256 + b4 Byte6ToLong = Byte6ToLong * 256 + b5 Byte6ToLong = Byte6ToLong * 256 + b6 End Function

Download Script

< back to attribute list

< back to SelfADSI home