
ADAM - String SID to Hex SID


Alan

Dec 18, 2003, 2:50:16 AM
I'm trying to get either the CN or userPrincipalName from an object's
Trustee list.

I know if I have the hex version of a SID, I can open a user
container, but I have the string version, like this one:
S-1-217-1474056490-1223235779-1128711312-1816630683-3775420535

When I try to convert it using Richard Mueller's (or anyone else's)
String to Hex routines, it bombs out with an overflow error.

Is there a better way to do this, or does someone have a version of
the function which doesn't overflow?

Thanks
Alan

Joe Kaplan (MVP - ADSI)

Dec 18, 2003, 9:43:15 AM
What language are you using?

The best way to do this is to use the Windows API ConvertStringSidToSid
function to convert back to a byte array and then convert that to a hex
string, but you could also do this by hand if you need to. I have .NET code
that does this, but no script.

Joe K.

"Alan" <air...@hotmail.com> wrote in message
news:9lm2uv411vcklpkpn...@4ax.com...

Alan

Dec 18, 2003, 12:42:22 PM
Currently migrating from VB6 components which worked with AD to making them
work with ADAM. The biggest problem I'm having is security related stuff -
we used to use samAccountName and WinNT provider to set Trustees and other
functions, and I have to replace them with something compatible with ADAM.

We're considering rewriting in .NET, but concerned about how long it will
take to rewrite all of our components.

Any code you have on converting the SIDs and setting Trustees would be most
appreciated.

Why does this SID overflow when converting?

S-1-217-1474056490-1223235779-1128711312-1816630683-3775420535


Thanks.


Joe Kaplan (MVP - ADSI)

Dec 18, 2003, 4:20:28 PM
I haven't seen Richard's functions, so I couldn't tell you where the problem
is, except that it sounds like you are simply trying to create an integer
that is too big for the size of the integer. Maybe if you posted the code
you are using, I could advise.

A SID is basically an array of bytes composed of 1 byte of revision, 1 byte
of subauthority count, a 6 byte number with the authority name, and then a
variable number of 4 byte sub-authorities that are 32 bit integers (stored
little endian).

So basically, the SID below as an octet string should be:

01050000000000D82A51DC57C318E94890C446439B95476C778508E1

Just out of curiosity, what do you need the octet string of the SID for?

Joe K.

"Alan" <al...@northwoodsoft.com> wrote in message
news:eg0kL5Yx...@TK2MSFTNGP09.phx.gbl...
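The byte layout Joe describes above (and the 28-byte length Dmitri mentions later in the thread), worked through as an added example in Python rather than the thread's VB6; this is not code from the thread. It converts the string SID Alan posted to the binary and hex form and back, packing each sub-authority as an unsigned 32-bit value so the last one (3775420535, above the signed 32-bit Long limit) cannot overflow. The bind-path helper and the server name in it are assumptions for illustration.

```python
import re
import struct

# Constructed input: the string SID Alan posted in this thread.
SAMPLE_SID = "S-1-217-1474056490-1223235779-1128711312-1816630683-3775420535"

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def sid_string_to_bytes(sid: str) -> bytes:
    """Encode 'S-R-A-s1-...-sN' as the binary SID layout: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
    then each sub-authority as a 32-bit little-endian unsigned integer.
    Python ints never overflow, which sidesteps the signed 32-bit Long limit
    that makes a naive VB6 conversion of 3775420535 fail."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a string SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1 or not 1 <= len(subs) <= 15:
        raise ValueError("unsupported revision or sub-authority count")
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("authority or sub-authority out of range")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)  # unsigned: values above 2**31 are fine
    return out

def sid_bytes_to_string(raw: bytes) -> str:
    """Decode the binary layout back to S-R-A-... (inverse of the above),
    checking that the declared sub-authority count matches the length."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("binary SID has inconsistent length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "S-%d-%d-%s" % (raw[0], authority, "-".join(str(s) for s in subs))

def sid_hex_bind_path(sid: str, server: str) -> str:
    """Build the ADSI bind path form used in this thread: LDAP://host/<SID=hex>.
    The server name is a hypothetical placeholder supplied by the caller."""
    return f"LDAP://{server}/<SID={sid_string_to_bytes(sid).hex().upper()}>"

if __name__ == "__main__":
    raw = sid_string_to_bytes(SAMPLE_SID)
    print(len(raw), raw.hex().upper())
    print(sid_bytes_to_string(raw) == SAMPLE_SID)
    print(sid_hex_bind_path(SAMPLE_SID, "cmsADAM:389"))
```

Running it on Alan's SID yields 01050000000000D92A51DC57C318E94890C446439B95476C775808E1 (identifier authority 217 is 0xD9, and the last sub-authority encodes little-endian as 775808E1); compare any hand-assembled octet string against a round trip like this before using it in a bind path.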

Alan

Dec 19, 2003, 8:00:50 PM
We have a Content Management System which uses AD to control
permissions on articles. Editing (and other functions) are limited to
certain areas of the web site (Sales can't edit Finance articles).

Our workstation displays the security settings for an article. In AD,
we got the Trustee Name from the DACL (the samAccountName). With
ADAM, we get the SID, not the friendly name. So, I have to use the
SID to find the userPrincipalName, or the container name, which should
be the same in our system.

Given an SDDL-formatted SID, I haven't been able to retrieve the
container for that user or group (the trustee). The only way I've
been able to get it has been with the hex representation
(LDAP://<SID=xxxxxx>). So, given an SDDL SID, I have to somehow turn it
back into hex.

If you've got another way to solve this problem PLEASE let me know.
We used to use NameTranslate or a WinNT lookup, but neither of those
methods seems to be supported by ADAM.

TIA & Happy Holidays.


Dmitri Gavrilov [MSFT]

Dec 22, 2003, 5:33:06 PM
You can query ADAM directly with the S-1-XXX-XXX-XXX style sid, using
<SID=S-1-X-X-X> dn format. You will find the ADAM security principal, as
long as it is actually an ADAM principal, not a windows SID.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Alan" <air...@hotmail.com> wrote in message

news:ec77uv0qau603akl1...@4ax.com...

Alan

Dec 22, 2003, 7:56:51 PM
Dmitri, I've tried this, but haven't been able to make it work. Do
you have a code snippet for VB?

Dmitri Gavrilov [MSFT]

Dec 23, 2003, 12:55:46 PM
Hmm. I don't do VB... I remember some time ago I ran into the same problem
with ADSI, it knew about <GUID=> but not about <SID=> format. I wonder if
this is still the case...

To convert to hex, just take a binary representation of a SID (should be 28
bytes), and just convert to hex byte to byte.

--
Dmitri Gavrilov
SDE, Active Directory Core


"Alan" <air...@hotmail.com> wrote in message

news:tk4fuvc0fepiqlas2...@4ax.com...

Alan

Dec 24, 2003, 12:22:42 PM
When I try to use OpenDSObject or something similar, it will not take
<SID=S-1...>. It only seems to take the hex format. I'm curious why
you mentioned "dn" as part of your previous answer. Is there another
way to format the request? I tried dn=<SID=S-1... but that didn't
work either.

Dmitri Gavrilov [MSFT]

Dec 25, 2003, 2:18:50 AM
I mentioned "dn" because you have to supply a dn as the search base. And
<sid=xxx> is a form of dn. AD understands this: w2k only understands hex
format, w2k3 and ADAM also understand S-1-5-xxx format.

--
Dmitri Gavrilov
SDE, Active Directory Core


"Alan" <air...@hotmail.com> wrote in message

news:anijuvod6jte2n8hn...@4ax.com...

Alan

Dec 26, 2003, 11:17:16 PM
I'm using ADAM, and can't get the S-1 form to work. Do you have any
samples of the proper request? Does it work with GetObject and
OpenDSObject?

I really could use some help with this, it's for a major manufacturing
customer of both Microsoft and my company. I haven't been able to get
help from our local MS office.

Dmitri Gavrilov [MSFT]

Dec 27, 2003, 11:25:13 AM
Are you trying to get an ADAM user, or a bind proxy or foreign security
principal? This method will only work for ADAM users.

I just tried this from my w2k3 machine, and I can get an ADAM user by his SID
from ADSIEdit. Make sure you have the latest version of ADSI.

--
Dmitri Gavrilov
SDE, Active Directory Core


"Alan" <air...@hotmail.com> wrote in message

news:jp1quv4cn9vhleagi...@4ax.com...

Alan

Dec 27, 2003, 5:30:39 PM
Trying to get an ADAM user from within code, not ADSI Edit. I read an
Ace.Trustee, and I want to see the user's CN or UPN, for display.

The only success I've had is taking the String version of the SID,
converting it to Hex, and then GetObject or
OpenDSObject("LDAP://cmsADAM:389/<SID=hexstring>"). There's gotta be an
easier way.

Thanks for hanging in there Dmitri.

Dmitri Gavrilov [MSFT]

Dec 27, 2003, 6:14:17 PM
Hmm. I guess your ADSI is older than mine. Can you check the version of
adsldp.dll and adsldpc.dll?

--
Dmitri Gavrilov
SDE, Active Directory Core


"Alan" <air...@hotmail.com> wrote in message

news:4q1suv0r2rgbuouqq...@4ax.com...

Alan

Dec 28, 2003, 3:31:59 AM
On Sat, 27 Dec 2003 16:14:17 -0700, "Dmitri Gavrilov [MSFT]"
<dmi...@online.microsoft.com> wrote:

>adsldp.dll and adsldpc.dll?


Both are version 5.2.3790.0

Dmitri Gavrilov [MSFT]

Dec 28, 2003, 6:07:41 AM
I have exactly the same version. There must be some silly misprint
somewhere, please double-check your program. Paste the exact LDAP url that
you are using, and the SID of the ADAM user as it is printed by LDP.

--
Dmitri Gavrilov
SDE, Active Directory Core


"Alan" <air...@hotmail.com> wrote in message

news:175tuvoi9b3lff3a3...@4ax.com...

Alan

Jan 1, 2004, 11:32:17 PM
Dmitri - I'm going to give up on this one. I was able to write a
conversion routine to solve my original problem, going from String SID
to Hex.

Thanks for pursuing this along the way.
