
Retrieve User SID via VBScript


Richard Moreno

Dec 2, 2003, 5:31:44 PM
I have been trying to create a script to do something very tricky which is
delete local user profiles from a workstation using a variable for the
profile name in question. Obviously the correct way from the console is to
go to the System Properties-User Profiles tab because doing it from the Docs
& Settings directory still leaves Reg entries.

So, I can do it manually and know the registry locations to delete the data
however it's done by the SID of the user account. My problem is how to get
the user SID for the account. In the 2k Reskit I have the GETSID command
available however it gives way too much data and calling it from a script
only runs the command but doesn't give me the output back into my script.

Does anyone have a method to get the user SID via VBScripting?

Thanks
Richard


Richard Mueller [MVP]

Dec 2, 2003, 6:57:13 PM
Richard Moreno wrote:

Hi,

I've used the following functions to convert the objectSid attribute of the
AD user object into the two forms that humans can read:

Option Explicit
Dim objUser, strSidHex, strSidDec

Set objUser = GetObject("LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com")

Wscript.Echo "User name: " & objUser.Name
strSidHex = OctetToHexStr(objUser.objectSid)
Wscript.Echo "User SID, hex: " & strSidHex
strSidDec = HexStrToDecStr(strSidHex)
Wscript.Echo "User SID, decimal: " & strSidDec
Wscript.Echo "User GUID: " & objUser.Guid

Function OctetToHexStr(arrbytOctet)
' Function to convert OctetString (byte array) to Hex string.

Dim k
OctetToHexStr = ""
For k = 1 To Lenb(arrbytOctet)
OctetToHexStr = OctetToHexStr _
& Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function

Function HexStrToDecStr(strSid)
' Function to build the display form (S-1-5-21-...) from the hex string.
' Note: this reads byte 1 (the sub-authority count) as the issuing
' authority, one byte of the first sub-authority and two bytes of the
' RID, so it only gives the right answer for NT-authority SIDs with
' five sub-authorities (the usual domain account shape) and RID < 65536.
Dim arrbytSid, lngTemp, j

ReDim arrbytSid(Len(strSid)/2 - 1)
For j = 0 To UBound(arrbytSid)
arrbytSid(j) = CInt("&H" & Mid(strSid, 2*j + 1, 2))
Next

HexStrToDecStr = "S-" & arrbytSid(0) & "-" _
& arrbytSid(1) & "-" & arrbytSid(8)

lngTemp = arrbytSid(15)
lngTemp = lngTemp * 256 + arrbytSid(14)
lngTemp = lngTemp * 256 + arrbytSid(13)
lngTemp = lngTemp * 256 + arrbytSid(12)

HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

lngTemp = arrbytSid(19)
lngTemp = lngTemp * 256 + arrbytSid(18)
lngTemp = lngTemp * 256 + arrbytSid(17)
lngTemp = lngTemp * 256 + arrbytSid(16)

HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

lngTemp = arrbytSid(23)
lngTemp = lngTemp * 256 + arrbytSid(22)
lngTemp = lngTemp * 256 + arrbytSid(21)
lngTemp = lngTemp * 256 + arrbytSid(20)

HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

lngTemp = arrbytSid(25)
lngTemp = lngTemp * 256 + arrbytSid(24)

HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

End Function

You can use the hex form to bind to the object. The decimal form I also call
the display form, since the GUI seems to display this. Note in the local
registry that each profile is stored in the ProfileList key with a key name
equal to the decimal (display) form of the SID. Also, each such key includes
the value "CentralProfile", which generally includes the Username
(sAMAccountName) as part of the path. Also, there is the "Guid" value, which
is the GUID of the user object (with some of the bytes transposed from the
form my program above displays). Finally, note that there is a ProfileGuid
key, where the key for each user profile is the Guid of the user object.
Each such key has one value, the "SidString" value, equal to the SID (in the
decimal or display form) of the user.

I've never used these functions to delete profiles, but I think you are on
the right path for a scripting solution. Finally, if you are starting with
the NT name of the user (the sAMAccountName, also called the "pre-Windows
2000 logon name"), you will have to use the NameTranslate object to convert
this to the Distinguished Name. For example, to convert the current user's
NT name:

Set objNetwork = CreateObject("Wscript.Network")
strNTName = objNetwork.UserName

' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init 3, strDNSDomain
objTrans.Set 1, strDNSDomain
strNetBIOSDomain = objTrans.Get(3)
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
objTrans.Init 1, strNetBIOSDomain
objTrans.Set 3, strNetBIOSDomain & "\" & strNTName
strUserDN = objTrans.Get(1)

' Bind to the user object in Active Directory with the LDAP provider.
Set objUser = GetObject("LDAP://" & strUserDN)

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--

Torgeir Bakken (MVP)

Dec 3, 2003, 2:52:54 AM

Multipost; response in microsoft.public.windows.server.scripting also (WMI
solution)


Multiposting vs Crossposting
http://www.blakjak.demon.co.uk/mul_crss.htm


--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter


Richard Moreno

Dec 3, 2003, 1:09:27 PM
Thanks Richard.

Btw, your website is great.

Thanks
Richard

"Richard Mueller [MVP]" <rlmuelle...@ameritech.net> wrote in message
news:OYXlsATu...@TK2MSFTNGP10.phx.gbl...

Max L. Vaughn [MSFT]

Dec 11, 2003, 8:50:55 AM
The SDDL form in this example will not work with SIDs generated by an ADAM
instance.

Not all issuing authorities are the last character of the array. This code
will work fine for the NT issuing authority but not all.

Sincerely,
Max Vaughn [MS]
Microsoft Developer Support


Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights. You assume all risk for your use.
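The two posts above (Richard Mueller's OctetToHexStr/HexStrToDecStr pair and Max Vaughn's note that the issuing authority is not always where that code reads it) both concern the binary layout of a SID. The following Python is an added example written for this page, not code from the thread or from either author: it decodes the objectSid octet string into the display form for any identifier authority and any sub-authority count (so it goes beyond the S-1-5-21 domain-account case the posted VBScript handles), encodes the display form back to bytes, produces the same upper-case hex string as OctetToHexStr, and re-implements the posted shortcut only so that the two can be compared. The domain-account SIDs used as input are constructed values, not real accounts; S-1-1-0, S-1-5-32-544 and S-1-16-12288 are the well-known Everyone, BUILTIN\Administrators and High mandatory level SIDs.

```python
"""Decode and encode binary Windows SIDs (the objectSid octet string).

Layout of a revision-1 SID:
  byte 0      revision (always 1)
  byte 1      number of sub-authorities (0..15)
  bytes 2..7  48-bit identifier authority, big-endian
  then        one 4-byte little-endian value per sub-authority
"""
import struct


def sid_bytes_to_string(blob: bytes) -> str:
    """Return the display (SDDL) form, e.g. S-1-5-21-...-RID, for any authority/count."""
    if len(blob) < 8:
        raise ValueError("SID blob shorter than the 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count %d does not match %d bytes" % (count, len(blob)))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    # SDDL prints the authority in decimal unless it needs more than 32 bits,
    # in which case Windows prints it as 0x followed by 12 hex digits.
    auth_text = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    return "S-%d-%s" % (revision, auth_text) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; accepts a decimal or 0x-hex authority."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2], 0)
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 2 ** 48:
        raise ValueError("out-of-range SID components in %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def octet_to_hex(blob: bytes) -> str:
    """Upper-case hex string, the same form the posted OctetToHexStr produces."""
    return blob.hex().upper()


def hex_to_sid_string(hexstr: str) -> str:
    """Decode the hex form (as produced by OctetToHexStr) into the display form."""
    return sid_bytes_to_string(bytes.fromhex(hexstr))


def posted_shortcut_decode(hexstr: str) -> str:
    """Python rendering of the HexStrToDecStr logic posted in the thread, kept only
    for comparison: it reads byte 1 (the sub-authority count) where the authority
    should be, one byte of the first sub-authority, and two bytes of the RID."""
    b = bytes.fromhex(hexstr)
    if len(b) < 26:
        raise ValueError("the posted logic indexes up to byte 25")
    fields = ["S-%d-%d-%d" % (b[0], b[1], b[8])]
    for lo in (12, 16, 20):
        fields.append(str(int.from_bytes(b[lo:lo + 4], "little")))
    fields.append(str(int.from_bytes(b[24:26], "little")))
    return "-".join(fields)


def shortcut_is_safe(sid: str) -> bool:
    """True only for the SID shapes where the posted shortcut agrees with the real
    decoding: NT authority (5), exactly five sub-authorities, first one < 256 and
    RID < 65536, i.e. a typical S-1-5-21-x-y-z-RID domain account."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return parts[2] == "5" and len(subs) == 5 and subs[0] < 256 and subs[4] < 65536


# Constructed sample inputs (the S-1-5-21 values are made up, not real accounts).
SAMPLES = {
    "domain user": "S-1-5-21-1000-2000-3000-1107",
    "domain user, big RID": "S-1-5-21-1000-2000-3000-70000",
    "BUILTIN\\Administrators": "S-1-5-32-544",
    "Everyone": "S-1-1-0",
    "High mandatory level": "S-1-16-12288",
}

if __name__ == "__main__":
    for name, sid in SAMPLES.items():
        hx = octet_to_hex(sid_string_to_bytes(sid))
        try:
            short = posted_shortcut_decode(hx)
        except ValueError as exc:
            short = "error: %s" % exc
        print("%-24s %s\n  hex:      %s\n  general:  %s\n  shortcut: %s\n  shortcut safe: %s"
              % (name, sid, hx, hex_to_sid_string(hx), short, shortcut_is_safe(sid)))
```

Running it shows the two decoders agree on the ordinary domain-account SID, while the shortcut wraps a RID of 70000 to 4464 (only two bytes read) and cannot decode the two-sub-authority BUILTIN SID or the non-NT-authority SIDs at all; when matching a SID against ProfileList key names, use the general decoder so that every account shape normalises to the same display string.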
