I have been trying to create a script to do something very tricky which is
delete local user profiles from a workstation using a variable for the
profile name in question. Obviously the correct way from the console is to
go to the System Properties-User Profiles tab because doing it from the Docs
& Settings directory still leaves Reg entries.

So, I can do it manually and know the registry locations to delete the data
however it's done by the SID of the user account. My problem is how to get
the user SID for the account. In the 2k Reskit I have the GETSID command
available however it gives way too much data and calling it from a script
only runs the command but doesn't give me the output back into my script.

Does anyone have a method to get the user SID via VBScripting?

Thanks
Richard

Re: Retrive User SID via VBScript by Richard

Richard
Tue Dec 02 17:57:13 CST 2003

Richard Moreno wrote:

> I have been trying to create a script to do something very tricky which is
> delete local user profiles from a workstation using a variable for the
> profile name in question. Obviously the correct way from the console is to
> go to the System Properties-User Profiles tab because doing it from the Docs
> & Settings directory still leaves Reg entries.
>
> So, I can do it manually and know the registry locations to delete the data
> however it's done by the SID of the user account. My problem is how to get
> the user SID for the account. In the 2k Reskit I have the GETSID command
> available however it gives way too much data and calling it from a script
> only runs the command but doesn't give me the output back into my script.
>
> Does anyone have a method to get the user SID via VBScripting?

Hi,

I've used the following functions to convert the objectSid attribute of the
AD user object into the two forms that humans can read:

Option Explicit
Dim objUser, strSidHex, strSidDec

Set objUser = GetObject("LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com")

Wscript.Echo "User name: " & objUser.Name
strSidHex = OctetToHexStr(objUser.objectSid)
Wscript.Echo "User SID, hex: " & strSidHex
strSidDec = HexStrToDecStr(strSidHex)
Wscript.Echo "User SID, decimal: " & strSidDec
Wscript.Echo "User GUID: " & objUser.Guid

Function OctetToHexStr(arrbytOctet)
    ' Function to convert OctetString (byte array) to Hex string.

    Dim k
    OctetToHexStr = ""
    For k = 1 To Lenb(arrbytOctet)
        OctetToHexStr = OctetToHexStr _
            & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
    Next
End Function

Function HexStrToDecStr(strSid)
    ' Function to convert a hex string SID to the decimal (display) form.
    Dim arrbytSid, lngTemp, j

    ' Split the hex string into an array of byte values.
    ReDim arrbytSid(Len(strSid)/2 - 1)
    For j = 0 To UBound(arrbytSid)
        arrbytSid(j) = CInt("&H" & Mid(strSid, 2*j + 1, 2))
    Next

    HexStrToDecStr = "S-" & arrbytSid(0) & "-" _
        & arrbytSid(1) & "-" & arrbytSid(8)

    ' Bytes 12-15, least significant byte first.
    lngTemp = arrbytSid(15)
    lngTemp = lngTemp * 256 + arrbytSid(14)
    lngTemp = lngTemp * 256 + arrbytSid(13)
    lngTemp = lngTemp * 256 + arrbytSid(12)

    HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

    ' Bytes 16-19.
    lngTemp = arrbytSid(19)
    lngTemp = lngTemp * 256 + arrbytSid(18)
    lngTemp = lngTemp * 256 + arrbytSid(17)
    lngTemp = lngTemp * 256 + arrbytSid(16)

    HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

    ' Bytes 20-23.
    lngTemp = arrbytSid(23)
    lngTemp = lngTemp * 256 + arrbytSid(22)
    lngTemp = lngTemp * 256 + arrbytSid(21)
    lngTemp = lngTemp * 256 + arrbytSid(20)

    HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

    ' Bytes 24-25 only.
    lngTemp = arrbytSid(25)
    lngTemp = lngTemp * 256 + arrbytSid(24)

    HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

End Function

You can use the hex form to bind to the object. The decimal form I also call
the display form, since the GUI seems to display this. Note in the local
registry that each profile is stored in the ProfileList key with a key name
equal to the decimal (display) form of the SID. Also, each such key includes
the value "CentralProfile", which generally includes the Username
(sAMAccountName) as part of the path. Also, there is the "Guid" value, which
is the GUID of the user object (with some of the bytes transposed from the
form my program above displays). Finally, note that there is a ProfileGuid
key, where the key for each user profile is the Guid of the user object.
Each such key has one value, the "SidString" value, equal to the SID (in the
decimal or display form) of the user.

I've never used these functions to delete profiles, but I think you are on
the right path for a scripting solution. Finally, if you are starting with
the NT name of the user (the sAMAccountName, also called the "pre-Windows
2000 logon name"), you will have to use the NameTranslate object to convert
this to the Distinguished Name. For example, to convert the current user's
NT name:

Set objNetwork = CreateObject("Wscript.Network")
strNTName = objNetwork.UserName

' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init 3, strDNSDomain
objTrans.Set 1, strDNSDomain
strNetBIOSDomain = objTrans.Get(3)
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
objTrans.Init 1, strNetBIOSDomain
objTrans.Set 3, strNetBIOSDomain & "\" & strNTName
strUserDN = objTrans.Get(1)

' Bind to the user object in Active Directory with the LDAP provider.
Set objUser = GetObject("LDAP://" & strUserDN)

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--




Re: Retrive User SID via VBScript by Torgeir

Torgeir
Wed Dec 03 01:52:54 CST 2003


Multipost; response in microsoft.public.windows.server.scripting also (WMI
solution)


Multiposting vs Crossposting
http://www.blakjak.demon.co.uk/mul_crss.htm


--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter



Re: Retrive User SID via VBScript by Richard

Richard
Wed Dec 03 12:09:27 CST 2003

Thanks Richard.

Btw, your website is great.

Thanks
Richard



"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.net> wrote in message
news:OYXlsATuDHA.2072@TK2MSFTNGP10.phx.gbl...



Re: Retrive User SID via VBScript by maxv

maxv
Thu Dec 11 07:50:55 CST 2003

The SDDL form in this example will not work with SIDs generated by an ADAM
instance.

Not all issuing authorities are the last character of the array. This code
will work fine for the NT issuing authority but not all.

Sincerely,
Max Vaughn [MS]
Microsoft Developer Support


Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights. You assume all risk for your use.
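
An added example, not part of the original thread and not code from any of the posters: a hex-to-display SID conversion that follows the binary SID layout instead of the fixed byte offsets used by HexStrToDecStr earlier in the thread, so it handles any sub-authority count, the full 6-byte issuing authority, and 32-bit values including the RID. The function name SidHexToString and both sample hex strings are constructed for illustration.

```vbscript
Option Explicit

' Added example. Binary SID layout: byte 0 = revision, byte 1 = number of
' sub-authorities, bytes 2-7 = identifier authority (big-endian), then one
' 4-byte little-endian value per sub-authority (the last one is the RID).
Function SidHexToString(strHex)
    Dim arrB(), n, i, j, count, dblAuth, dblSub, strOut

    If Len(strHex) < 16 Or Len(strHex) Mod 2 <> 0 Then
        Err.Raise vbObjectError + 1, "SidHexToString", "Not a SID: bad length"
    End If
    n = Len(strHex) \ 2
    ReDim arrB(n - 1)
    For i = 0 To n - 1
        arrB(i) = CLng("&H" & Mid(strHex, 2 * i + 1, 2))
    Next

    ' The count byte, not a fixed offset, says how many values follow.
    count = arrB(1)
    If n <> 8 + 4 * count Then
        Err.Raise vbObjectError + 2, "SidHexToString", _
            "Length does not match the sub-authority count"
    End If

    ' Identifier authority: 48 bits, most significant byte first.
    ' (Windows writes authorities of 2^32 and above in hex; not handled here.)
    dblAuth = CDbl(0)
    For i = 2 To 7
        dblAuth = dblAuth * 256 + arrB(i)
    Next
    strOut = "S-" & arrB(0) & "-" & CStr(dblAuth)

    ' Sub-authorities: 32 bits each, least significant byte first.
    For i = 0 To count - 1
        dblSub = CDbl(0)
        For j = 3 To 0 Step -1
            dblSub = dblSub * 256 + arrB(8 + 4 * i + j)
        Next
        strOut = strOut & "-" & CStr(dblSub)
    Next
    SidHexToString = strOut
End Function

' Constructed sample inputs (not taken from a real directory).
' Five sub-authorities, with a RID above 65535:
WScript.Echo SidHexToString("0105000000000005150000000102030405060708090A0B0C40E20100")
' Two sub-authorities (the well-known BUILTIN\Administrators SID):
WScript.Echo SidHexToString("01020000000000052000000020020000")
```

Run it with cscript. The output of OctetToHexStr(objUser.objectSid) from the earlier reply can be passed straight in as strHex.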