Using ADSI Edit to validate an object SID such as a user or a computer


Scenario

Let’s say you found an object SID but need to validate whether that object SID is related to an AD component’s Canonical Name (CN). Example: Domain users have an object SID attribute like:

S-1-5-21-3292383464-3806668890-3618075406-513

Using “ADSI Edit” on your Domain Controller, you can check if the object “Domain Users” has an object SID that matches the attribute above. Note that the “Object SID” and “Object GUID” are not the same thing and don’t have the same numbers, but they are listed next to each other in the attributes table of the object “Domain Users” in the ADSI Edit snap-in console.

But in order to use ADSI Edit, you need to register the DLL first by typing at a command prompt:

regsvr32 adsiedit.dll

Ideally you want to be in the same folder where the DLL is located. Normally if you download the Support Tools, this is already done for you. But if not, you need to make sure this command works properly so you can register the DLL and start the ADSI Edit snap-in.

On the Domain Controller, or on a server where you have access to AD Users and Computers, after registering the DLL you can start:

Using ADSI Edit

ADSI Edit (Adsiedit.msc) is an MMC snap-in. You can add the snap-in to any .msc file through the Add/Remove Snap-in menu option in MMC, or just open the Adsiedit.msc file from Windows Explorer. The following figure illustrates the ADSI Edit interface. In the console tree on the left, you can see the major partitions Domain, Configuration, and Schema.

So by typing adsiedit.msc at an elevated command prompt you should be able to launch the snap-in.

Right-click and select Connect to…, then accept the default value to load the “Default Naming Context”.

Something like this: LDAP://DC1.[domain name]/Default naming context, where DC1 is the hostname of the Domain Controller.

Under the Advanced button you can specify the port number. Type a port number if you do not want to use the default port for the LDAP or the LDAP Global Catalog protocol. The default LDAP port is 389. The default port for the Global Catalog is 3268.

Review the Microsoft TechNet article on ADSI Edit for detailed information on the use of the tool.

In my case I expanded the domain name of my domain, expanded the CN=Users folder, located the “Domain Users” object, right-clicked on it and selected the option “Properties”.

One of the attributes listed was the object SID. I was able to validate that the object SID I found earlier matched the object SID of the “Domain Users” object.
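The same check can be scripted instead of clicking through the snap-in. The following PowerShell is an added example and is not from the original post: it splits the SID into its domain part and RID, confirms the domain part matches the domain the machine is joined to, binds to the object by SID through the same LDAP provider ADSI Edit uses, and reads back the cn and objectSid attributes that the Properties dialog shows. It goes slightly beyond the post by noting the well-known RIDs (513 is Domain Users in every domain). It assumes a domain-joined machine run as a domain user; the SID is the sample value from the post and the expected CN “Domain Users” is an assumption you replace with your own.

```powershell
# Added example (not from the original post). Assumptions: domain-joined
# machine, running as a domain user with read access to the directory.

function Test-ObjectSid {
    param(
        [Parameter(Mandatory)] [string] $Sid,
        [string] $ExpectedCn          # optional: the CN you expect to find
    )

    # 1. Structure: a domain object SID is S-1-5-21-<three sub-authorities>-<RID>.
    #    The prefix identifies the domain; the last number (RID) identifies the object.
    if ($Sid -notmatch '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        throw "Not a domain object SID: $Sid"
    }
    $rid       = [int] $Matches[1]
    $domainSid = $Sid.Substring(0, $Sid.LastIndexOf('-'))

    # Well-known RIDs are identical in every domain, so a hit here is a strong hint
    # before the directory is even queried (513 is the RID in the post's sample SID).
    $wellKnownRid = @{ 500 = 'Administrator'; 512 = 'Domain Admins';
                       513 = 'Domain Users';  519 = 'Enterprise Admins' }

    # 2. Does the domain part match this machine's domain? Read the domain's own
    #    objectSid via LDAP (objectSid is stored as a byte array, so rebuild the string).
    $rootDse    = [ADSI] 'LDAP://RootDSE'
    $domain     = [ADSI] "LDAP://$($rootDse.defaultNamingContext)"
    $thisDomain = (New-Object System.Security.Principal.SecurityIdentifier(
                       $domain.Properties['objectSid'].Value, 0)).Value

    # 3. Bind directly to the object by SID. LDAP://<SID=...> is a standard ADSI
    #    bind form; if nothing owns this SID, reading the properties throws.
    $cn = $null; $dn = $null; $storedSid = $null
    try {
        $obj       = [ADSI] "LDAP://<SID=$Sid>"
        $cn        = $obj.Properties['cn'].Value
        $dn        = $obj.Properties['distinguishedName'].Value
        $storedSid = (New-Object System.Security.Principal.SecurityIdentifier(
                          $obj.Properties['objectSid'].Value, 0)).Value
    } catch {
        Write-Warning "No directory object found for $Sid : $($_.Exception.Message)"
    }

    # 4. Independent cross-check through the Windows security subsystem (LSA lookup),
    #    which does not go through LDAP at all.
    $ntAccount = $null
    try {
        $sidObj    = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $ntAccount = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        Write-Warning "SID could not be resolved to an account name: $($_.Exception.Message)"
    }

    $cnMatches = if ($ExpectedCn) { $cn -eq $ExpectedCn } else { $null }

    [pscustomobject] @{
        Sid               = $Sid
        DomainSid         = $domainSid
        Rid               = $rid
        WellKnownRidName  = $wellKnownRid[$rid]
        DomainSidMatches  = ($domainSid -eq $thisDomain)
        DistinguishedName = $dn
        Cn                = $cn
        ObjectSidMatches  = ($storedSid -eq $Sid)   # the attribute ADSI Edit displays
        NTAccount         = $ntAccount
        CnMatchesExpected = $cnMatches
    }
}

# Sample SID from the post; the expected CN is an assumption for this example.
Test-ObjectSid -Sid 'S-1-5-21-3292383464-3806668890-3618075406-513' -ExpectedCn 'Domain Users' |
    Format-List
```

A SID is only confirmed when both DomainSidMatches and ObjectSidMatches are True; NTAccount gives a second opinion from the LSA that should agree with Cn. If the domain part does not match, the SID belongs to another domain (or a stale trust) and ADSI Edit will not show it in the Default Naming Context of this domain controller.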

 
