/build/static/layout/Breadcrumb_cap_w.png

Getting an AD Object's SID

I have not had formal training with VBScript and it shows! Anyway I can get a script to find the SID of an object but if I want to display or write that SID out to a file I am having data type issues. How do I modify this script to pass the object's SID out in a useful form?

ADGroup = InputBox("I.E. SQLSERVERENTMGR", "Please enter Active Directory group", "SQLSERVERENTMGR")

Set objGroup = GetObject("LDAP://CN=" & ADGroup & ",OU=Applications,OU=Users and Groups,DC=f00,DC=bar")

WScript.Echo objGroup.objectSID <--- Outputs a ?
Set GUID = objGroup.objectSID <--- Outright fails

0 Comments   [ + ] Show comments

Answers (2)

Posted by: kkaminsk 19 years ago
9th Degree Black Belt
1
I found a bone after my third Google expidition for answers but I have not had time to rewrite this for my purposes. In short getting this info out of AD is not simple as it sounds. I have to thank Richard Mueller for posting this on USENET:

Option Explicit
Dim objUser, arrSid, strSidHex, objTrans, strUserDN, strSidDec

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME = 12

' Bind to object.
Set objUser = GetObject("LDAP://cn=Test,ou=Sales,dc=MyDomain,dc=com")

' Retrieve SID and convert to hex string, then to decimal string.
arrSid = objUser.objectSid
strSidHex = OctetToHexStr(arrSid)
Wscript.Echo strSidHex
strSidDec = HexStrToDecStr(strSidHex)
Wscript.Echo strSidDec

' Use the NameTranslate object to convert objectSid to
' Distinguished Name.
Set objTrans = CreateObject("NameTranslate")
' Initialize NameTranslate by locating the Global Catalog.
objTrans.Init ADS_NAME_INITTYPE_GC, ""
' Use the Set method to specify the SID format of the object name.
objTrans.Set ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME, strSidDec
' Use the Get method to retrieve the Distinguished Name of the user object.
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
Wscript.Echo strUserDN

Wscript.Quit

Function OctetToHexStr(arrbytOctet)
' Function to convert OctetString (byte array) to Hex string.

Dim k
OctetToHexStr = ""
For k = 1 To Lenb(arrbytOctet)
OctetToHexStr = OctetToHexStr _
& Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
Next
End Function

Function HexStrToDecStr(strSid)
' Function to convert hex Sid to decimal (SDDL) Sid.
Dim arrbytSid, lngTemp, j

ReDim arrbytSid(Len(strSid)/2 - 1)
For j = 0 To UBound(arrbytSid)
arrbytSid(j) = CInt("&H" & Mid(strSid, 2*j + 1, 2))
Next

HexStrToDecStr = "S-" & arrbytSid(0) & "-" _
& arrbytSid(1) & "-" & arrbytSid(8)

lngTemp = arrbytSid(15)
lngTemp = lngTemp * 256 + arrbytSid(14)
lngTemp = lngTemp * 256 + arrbytSid(13)
lngTemp = lngTemp * 256 + arrbytSid(12)

HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

lngTemp = arrbytSid(19)
lngTemp = lngTemp * 256 + arrbytSid(18)
lngTemp = lngTemp * 256 + arrbytSid(17)
lngTemp = lngTemp * 256 + arrbytSid(16)

HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

lngTemp = arrbytSid(23)
lngTemp = lngTemp * 256 + arrbytSid(22)
lngTemp = lngTemp * 256 + arrbytSid(21)
lngTemp = lngTemp * 256 + arrbytSid(20)

HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

lngTemp = arrbytSid(25)
lngTemp = lngTemp * 256 + arrbytSid(24)

HexStrToDecStr = HexStrToDecStr & "-" & CStr(lngTemp)

End Function

Comments:
  • Worked great - just save in Notepad with a .vbs extension, edit the LDAP string at the top of the script (LDAP://cn=Test,ou=Sales,dc=MyDomain,dc=com) to your user and domain.

    For those unfamiliar with LDAP string syntax:

    CN=Test : "Test" would be the account - must replace "Test" with the full Display Name (FirstName MI. LastName) for your user
    OU=Sales : "Sales" is the name of the OU. If you have sub-OUs to go before you get to your user, you have to do them in backwards order, starting at the one where the account is, and heading up until (and not including) your domain level. So say I have a Users OU, then a Europe OU under it. It would be this, instead of OU=Sales:

    OU=Europe, OU=Users

    DC=MyDomain, DC=com : Replace "MyDomain" with the domain that appears in front of your log-in account. It is often in between the "www" and "com" in your company URL, but it doesn't have to be. It should actually be the same as what it shows in Active Directory, but separate each section with ",DC=" instead of periods - except you would only need one comma prior to the first "DC=". Example, if your domain was subdomain.mydomain.com, it would be:

    DC=subdomain,DC=mydomain,DC=com

    HTH,
    Tom - navyjax2 7 years ago
Posted by: brenthunter2005 19 years ago
Fifth Degree Brown Belt
0
Are you trying to run this code internal or external of Windows Installer?

Try the following line:
msgbox cstr(objGroup.objectSID)
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ