
DirectorySearcher.Filter objectSid (dotnet[c#] + adsi)


Aidas Pasilis
Nov 4, 2004, 2:58:14 AM
Commonly, when querying ActiveDirectory it's possible to
get the SID (objectSid) of any object as a System.Byte[] array
with 28 members in it.
But is it possible to make a reverse lookup by querying AD
and defining
DirectorySearcher.Filter = "(objectSid=" + sidValue + ")";

I already know that it doesn't work if you write the SID as a
string value.
Will it work if I convert my SID string back to a System.Byte[]
array and input it into the Filter string like this:

"(objectSid=" + mySystemByteArray + ")"

Gurpreet Singh
Nov 4, 2004, 9:50:06 AM
A

Joe Kaplan (MVP - ADSI)
Nov 4, 2004, 10:20:36 AM
Sure, you just need to create a proper search filter for an octet string.
That looks something like this:

\1E\95\B9\15\21\60\26\45\B3\E7\5B\21\CE\E5\0C\A3

for a GUID that looks like this:

{15b9951e-6021-4526-b3e7-5b21cee50ca3}

(I'm just using a GUID here as an example as I have a handy tool for
converting these, but the idea is the same)

Essentially, you just create a string that has each byte represented by two
hex digits with a "\" preceding each byte. You can do this easily by
looping over the byte[] and using a StringBuilder and the "X2" format code.
You can do a Google groups search on "ConvertToOctetString" to see a VB.NET
sample of such a function.

However, it is actually much more efficient to either bind directly to the
object by SID or do a base-level search against the object with that SID if
you are only looking for one object. To do that, you use the SID binding
string:

<SID=xxxxx>

as your distinguished name for the DirectoryEntry object. Here, xxxxx
is either that same octet string as above WITHOUT the preceding "\" or, if
you are on 2K3 AD or ADAM, it can be the SDDL version of the SID
(S-1-5-21-xxxx) as well.

I hope that helps,

Joe K.


Gurpreet Singh
Nov 4, 2004, 3:48:11 PM
Yes...its possible to do so .....but we need to BINARY ENCODE the SID Byte
Array for it to work...following is a code snippet displaying the same....

using System;
using System.DirectoryServices;
using System.Text;

// retrieve the SID (objPropertyCollection is the Properties collection of a
// DirectoryEntry that is already bound to the account in question)
byte[] objSID = (byte[]) objPropertyCollection["objectSID"].Value;

// encode it using the AppendFormat method of StringBuilder:
// every byte becomes "\" followed by two hex digits, e.g. \01\05\00...
StringBuilder hexSID = new StringBuilder();
for (int i = 0; i < objSID.Length; i++)
{
    hexSID.AppendFormat("\\{0:x2}", objSID[i]);
}

// initiate DirectorySearcher object rooted at the container to search
// (the string constructor of DirectorySearcher takes a filter, not a path,
// so the search root has to be given as a DirectoryEntry)
DirectoryEntry searchRoot = new DirectoryEntry("LDAP://<DN Name here>");
DirectorySearcher objDirSearch = new DirectorySearcher(searchRoot);
objDirSearch.Filter = "(objectSID=" + hexSID.ToString() + ")";

// display DN
objDirSearch.PropertiesToLoad.Add("distinguishedName");
Console.WriteLine((string)objDirSearch.FindOne().Properties["distinguishedName"][0]);

Sincerely,
Gurpreet Singh(MSFT)
Microsoft Developer Support

Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights. You assume all risk for your use.
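A stand-alone conversion helper, added here as an example and not code from either poster (Python rather than C# so the encoding logic can be checked offline). It builds the escaped objectSid filter Gurpreet's snippet produces and the <SID=...> binding path Joe describes, and converts between the raw bytes and the S-1-5-21 form; SAMPLE_SID is a constructed value.

```python
import re
import struct

# Constructed sample: a 28-byte objectSid as .NET returns it (revision, sub-authority
# count, 6-byte big-endian authority, then five little-endian DWORD sub-authorities).
SAMPLE_SID = bytes.fromhex("01050000" "00000005" "15000000" "E8030000"
                           "D0070000" "B80B0000" "52040000")


def sid_bytes_to_sddl(sid: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...' string (the form the 2K3/ADAM <SID=...> binding accepts)."""
    if len(sid) < 8 or len(sid) != 8 + 4 * sid[1]:
        raise ValueError("malformed SID")
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sddl_to_sid_bytes(sddl: str) -> bytes:
    """'S-1-5-21-...' string -> binary SID, the inverse of sid_bytes_to_sddl."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)+)", sddl)
    if not m:
        raise ValueError("not an SDDL SID string")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def objectsid_filter(sid: bytes) -> str:
    """LDAP filter matching an objectSid. Raw bytes cannot be dropped into a filter
    (0x28 '(', 0x2a '*', 0x5c '\\' and 0x00 would break or alter it), so every byte
    is written as \\XX, the octet-string escape form the thread describes."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid)


def sid_binding_path(sid: bytes) -> str:
    """ADsPath for binding directly by SID: the same hex, without the backslashes."""
    return "LDAP://<SID=%s>" % sid.hex().upper()


if __name__ == "__main__":
    print(sid_bytes_to_sddl(SAMPLE_SID))
    print(objectsid_filter(SAMPLE_SID))
    print(sid_binding_path(SAMPLE_SID))
```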

Aidas Pasilis
Nov 5, 2004, 1:10:52 AM
Thank you all very much for your replies. Yesterday, while
searching the net, I found a partial solution: I have
to convert every value in my byte array to an octet
string and insert a preceding "\" before every value.
Your answers helped me to put everything into one working
piece. Thank you.

Yours faithfully, Aidas Pasilis
