Let’s say you found an object SID and need to validate whether it belongs to a particular AD object, identified by its Common Name (CN). Example: the Domain Users group has an objectSid attribute like:
Using ADSI Edit on your Domain Controller, you can check whether the object “Domain Users” has an objectSid that matches the value above. Note that objectSid and objectGUID are not the same thing and do not have the same values, although they are listed next to each other in the attribute list of the “Domain Users” object in the ADSI Edit snap-in console.
On older systems (Windows 2000/2003), in order to use ADSI Edit you first need to register the DLL by typing at a command prompt:
regsvr32 adsiedit.dll
Ideally you want to run this from the folder where the DLL is located. Normally, if you install the Support Tools, this is already done for you; on Windows Server 2008 and later ADSI Edit ships with the AD DS tools and no registration is needed. If the snap-in does not load, make sure this command completes successfully so the DLL is registered and the ADSI Edit snap-in can start. On the Domain Controller, or on a server where you have access to Active Directory Users and Computers, you can then start it as follows.
Using ADSI Edit
ADSI Edit (Adsiedit.msc) is an MMC snap-in. You can add the snap-in to any .msc file through the Add/Remove Snap-in menu option in MMC, or just open the Adsiedit.msc file from Windows Explorer. The following figure illustrates the ADSI Edit interface. In the console tree on the left, you can see the major partitions Domain, Configuration, and Schema.
So by typing adsiedit.msc at an elevated command prompt you should be able to launch the snap-in.
Right-click the ADSI Edit node, select “Connect to…”, and accept the default value to load the “Default naming context”.
Something like this: LDAP://DC1.[domain name]/Default naming context, where DC1 is the hostname of the Domain Controller.
Under the Advanced button you can specify a port number if you do not want to use the default port for LDAP or for the Global Catalog. The default LDAP port is 389 and the default Global Catalog port is 3268 (636 and 3269 for the SSL/TLS variants). If you are validating a SID that may belong to an object in another domain of the forest, query the Global Catalog; the default naming context only covers the local domain.
Review the Microsoft TechNet article on ADSI Edit for detailed information on the use of the tool.
In my case I expanded my domain’s naming context, expanded the CN=Users container, located the “Domain Users” object, right-clicked it and selected “Properties”.
One of the attributes listed was objectSid. I was able to validate that the object SID I found earlier matched the object SID of the “Domain Users” object.
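Depending on the version, ADSI Edit shows objectSid either as an S-1-… string or as its raw binary (octet string) form, so the comparison is easier to script than to do by eye. The following Python is an added example and is not part of the original post: it decodes the binary objectSid layout that AD stores, re-encodes it, and checks whether a given SID is the Domain Users group of a given domain, using the well-known RID 513 for Domain Users. The domain SID used as sample input is constructed for the example; substitute the one from your own domain.

```python
import struct

# Well-known relative identifier (RID) of the Domain Users group.
DOMAIN_USERS_RID = 513


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode the binary objectSid value stored in AD into S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then that many
    32-bit little-endian sub-authorities.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string back into the binary layout above."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str):
    """Return (domain_sid, rid): everything before the last '-' and the RID."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def is_domain_users(sid: str, domain_sid: str) -> bool:
    """True if `sid` is the Domain Users group of the domain `domain_sid`."""
    found_domain, rid = split_sid(sid)
    return found_domain == domain_sid and rid == DOMAIN_USERS_RID


# Constructed sample values: this domain SID is made up for the example.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# The binary form you would see ADSI Edit display as an octet string.
SAMPLE_BLOB = sid_string_to_bytes(SAMPLE_DOMAIN_SID + "-513")

if __name__ == "__main__":
    found = sid_bytes_to_string(SAMPLE_BLOB)
    print("Decoded objectSid:", found)
    print("Is Domain Users of sample domain:", is_domain_users(found, SAMPLE_DOMAIN_SID))
```

The same domain-prefix-plus-RID split works for any well-known domain group (512 is Domain Admins, for instance), which is why the check compares the domain part and the RID separately instead of the whole string.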