Paul
Mon Dec 06 17:12:53 CST 2004
After taking some time to examine your solutions, many thanks to all of you
for your good ideas, and more specifically to Richard Mueller (very
interesting "Hilltop Lab web site"!) who gave me the solution best suited
to my needs (I prefer not to use an external tool and not to have to
enumerate all of the SIDs in my domain).
Just two remarks about the HexStrToDecStr function:
1. If I understand correctly, arrbytSid(2-7) and (9-11) are not used.
2. Because I am working in a domain with tens of thousands of users and
groups, 4 hexadecimal digits are not enough for the last part of the SID. I
saw this morning at work that I did not get the same result with
"Getsid.exe". I will test at work tomorrow, but I think I just have to take
into account bytes 26 and 27.
Thanks again.
"Richard Mueller [MVP]" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in
message news:uKy7n7x2EHA.1204@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> I also have found that NameTranslate can convert from Sid to DN, but not
> the reverse. In VBScript I sometimes use functions to convert Octet values
> like objectSid to hex strings. In order for the NameTranslate conversion to
> work you need a further conversion to a decimal format, the SDDL format.
> However, my HexStrToDecStr function is specific to normal AD objects. For
> example:
>
> Option Explicit
> Dim objUser, arrSid, strSidHex, objTrans, strUserDN, strSidDec
>
> ' Constants for the NameTranslate object.
> Const ADS_NAME_INITTYPE_GC = 3
> Const ADS_NAME_TYPE_1779 = 1
> Const ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME = 12
>
> ' Bind to object.
> Set objUser = GetObject("LDAP://cn=Test,ou=Sales,dc=MyDomain,dc=com")
>
> ' Retrieve SID and convert to hex string, then to decimal string.
> arrSid = objUser.objectSid
> strSidHex = OctetToHexStr(arrSid)
> Wscript.Echo strSidHex
> strSidDec = HexStrToDecStr(strSidHex)
> Wscript.Echo strSidDec
>
> ' Use the NameTranslate object to convert objectSid to
> ' Distinguished Name.
> Set objTrans = CreateObject("NameTranslate")
> ' Initialize NameTranslate by locating the Global Catalog.
> objTrans.Init ADS_NAME_INITTYPE_GC, ""
> ' Use the Set method to specify the SID format of the object name.
> objTrans.Set ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME, strSidDec
> ' Use the Get method to retrieve the Distinguished Name of the user object.
> strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
> Wscript.Echo strUserDN
>
> Wscript.Quit
>
> Function OctetToHexStr(arrbytOctet)
> ' Function to convert OctetString (byte array) to Hex string.
>
> Dim k
> OctetToHexStr = ""
> For k = 1 To Lenb(arrbytOctet)
> OctetToHexStr = OctetToHexStr _
> & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
> Next
> End Function
>
> Function HexStrToDecStr(strSid)
> ' Function to convert hex Sid to decimal (SDDL) Sid.
> Dim arrbytSid, lngTemp, j
>
> ReDim arrbytSid(Len(strSid)/2 - 1)
> For j = 0 To UBound(arrbytSid)
> arrbytSid(j) = CInt("&H" & Mid(strSid, 2*j + 1, 2))
> Next
>
> HexStrToDecStr = "S-" & arrbytSid(0) & "-" _
> & arrbytSid(1) & "-" & arrbytSid(8)
>
> lngTemp = arrbytSid(15)
> lngTemp = lngTemp * 256 + arrbytSid(14)
> lngTemp = lngTemp * 256 + arrbytSid(13)
> lngTemp = lngTemp * 256 + arrbytSid(12)
>
> HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)
>
> lngTemp = arrbytSid(19)
> lngTemp = lngTemp * 256 + arrbytSid(18)
> lngTemp = lngTemp * 256 + arrbytSid(17)
> lngTemp = lngTemp * 256 + arrbytSid(16)
>
> HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)
>
> lngTemp = arrbytSid(23)
> lngTemp = lngTemp * 256 + arrbytSid(22)
> lngTemp = lngTemp * 256 + arrbytSid(21)
> lngTemp = lngTemp * 256 + arrbytSid(20)
>
> HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)
>
> lngTemp = arrbytSid(25)
> lngTemp = lngTemp * 256 + arrbytSid(24)
>
> HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)
>
> End Function
>
> --
> Richard
> Microsoft MVP Scripting and ADSI
> Hilltop Lab web site - http://www.rlmueller.net
> --
>
> "Steve Seguis [MVP]" <steve_NO_SPAM@scriptmation.com> wrote in message
> news:xmusd.20684$Yh2.7759167@twister.nyc.rr.com...
> > objectSID is a binary number representing the SID. I believe for it to
> > display in a meaningful manner, you'd need to convert the SID to its
> > hexadecimal representation.....OR.....if you want to make it really easy
> > for yourself, just use the GETSID.EXE from the Windows 2000 resource kit.
> > The syntax is:
> >
> > getsid \\server1 account \\server2 account
> >
> > In practice though, just run it like this:
> >
> > getsid \\mydc user1 \\mydc user1
> >
> > where mydc is your domain controller. Don't ask me why this utility
> > requires you to enter the servername and account name twice. Hope that
> > helps.
> >
> > --
> > Steve Seguis - MCSE, MS-MVP, SCJP
> > SCRIPTMATION
> > Automating the Enterprise
> > http://www.scriptmation.com
> >
> >
> > "Paul Gorbitz" <paul.gorbitz@tele2.be> wrote in message
> > news:ualsd.1604$Of5.1177@nntpserver.swip.net...
> > > Does anybody know how to retrieve the SID of a user or group and put
> > > it in a string with VBScript?
> > > From the tests I have done, the name translate object can translate a
> > > name from SID to distinguished name but not the opposite. And if I
> > > connect to an object with the LDAP provider, the "objectSID" property
> > > returns something which is not a string and that I cannot correctly
> > > interpret.
> > >
> > > Thanks for any idea.
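Added example (not written by any poster in this thread): the general form of the conversion that Richard's HexStrToDecStr performs for one fixed layout. It reads the sub-authority count from byte 1 and the identifier authority from bytes 2-7 instead of assuming them, walks every sub-authority as a full 32-bit little-endian value (so the RID uses bytes 24-27, not just 24 and 25, which is the truncation Paul noticed against Getsid.exe), and also does the reverse SDDL-to-bytes conversion. The SID values and the hex string are constructed test vectors, not taken from a real domain; the function names are my own.

```python
"""General binary objectSid <-> SDDL conversion (added example, not from the thread)."""
import struct

# Constructed test vector, not from any real domain: S-1-5-21-1000-2000-3000-70000.
# The RID 70000 exceeds 65535, so the two-byte read in the thread's HexStrToDecStr
# (bytes 24 and 25 only) cannot represent it.
SAMPLE_SID_BYTES = bytes.fromhex(
    "01"            # revision
    "05"            # number of sub-authorities
    "000000000005"  # identifier authority 5 (NT authority), 48-bit big-endian
    "15000000"      # sub-authority 21, 32-bit little-endian
    "E8030000"      # 1000
    "D0070000"      # 2000
    "B80B0000"      # 3000
    "70110100"      # 70000 = 0x00011170
)
# The same value as OctetToHexStr from the thread would print it.
SAMPLE_SID_HEX = "010500000000000515000000E8030000D0070000B80B000070110100"

MAX_SUB_AUTHORITIES = 15


def sid_bytes_to_sddl(sid: bytes) -> str:
    """Convert a raw objectSid value to its "S-1-5-21-..." (SDDL) string.

    Layout is fixed by the Windows SID format: byte 0 revision, byte 1 the
    sub-authority count N, bytes 2-7 the identifier authority (big-endian),
    then N little-endian 32-bit sub-authorities. No byte offset is hard-coded,
    so SIDs with any number of sub-authorities are handled.
    """
    if len(sid) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES:
        raise ValueError(f"{count} sub-authorities exceeds the maximum of 15")
    if len(sid) != 8 + 4 * count:
        raise ValueError(f"expected {8 + 4 * count} bytes for {count} "
                         f"sub-authorities, got {len(sid)}")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack(f"<{count}I", sid[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def hex_str_to_sddl(hex_str: str) -> str:
    """Same input as the thread's HexStrToDecStr: the hex string from OctetToHexStr."""
    return sid_bytes_to_sddl(bytes.fromhex(hex_str))


def sddl_to_sid_bytes(sddl: str) -> bytes:
    """Inverse conversion, e.g. to rebuild the byte form for an LDAP filter."""
    parts = sddl.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not an SDDL SID: {sddl!r}")
    revision = int(parts[1])
    authority = int(parts[2], 0)  # SDDL prints authorities >= 2**32 in 0x hex form
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("bad sub-authority list")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def rid_from_two_bytes(sid: bytes) -> int:
    """Reproduces what the thread's HexStrToDecStr does for the last
    sub-authority of a domain SID: it reads only bytes 24 and 25, so any RID
    above 65535 comes out reduced modulo 65536."""
    return sid[24] | (sid[25] << 8)


def rid(sid: bytes) -> int:
    """The last sub-authority read correctly as a full 32-bit value."""
    return struct.unpack("<I", sid[-4:])[0]


if __name__ == "__main__":
    print(hex_str_to_sddl(SAMPLE_SID_HEX))
    print("two-byte RID:", rid_from_two_bytes(SAMPLE_SID_BYTES),
          "four-byte RID:", rid(SAMPLE_SID_BYTES))
```

The string that sid_bytes_to_sddl returns is the form NameTranslate expects in the Set call shown in Richard's script; the length check on entry is what turns a truncated or mis-copied hex string into an error instead of a plausible-looking but wrong SID.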