xy15973
asked on
Get user info using SID
I have the user SID and I need to get user info (domain groups) using VBScript?
ASKER
I am not sure... Are you saying get the username from the SID and then do a lookup for the user's group membership?
Nope. What I am saying is to do an LDAP bind to the domain and search the domain container for user objects that have the objectSid property equal to the user SID that you have.
something like
    Set objIADs = GetObject("LDAP://MyDomain")
    ' you can use ADO to search the AD. I do not have sample code. You can find it on the net.
    ' Have the search filter as (&(objectCategory=user)(objectSid=TheSidYouHave))
Does that answer your query?
Madz
Hi xy15973
It took a while to work out but I believe the following code does what you require.
It accepts a string SID in the form S-1-5-21... and then loops through a container, extracting the SID of each object, converting the extracted SID to a string and then comparing it to the search SID.
When it finds a match it calls the get_Groups sub, passing the current user object. This user object is then used to list the user's group memberships.
CreateObject("ADsSID") is needed because Active Directory stores the SID as raw binary, and CreateObject("ADsSID") can be used to convert this binary value to a string.
The code requires a dll be registered on the computer to use CreateObject("ADsSID"). I hope that is not a problem?
You can get this dll by installing the SDK for Active Directory Services Interfaces which you can get at
http://www.microsoft.com/ntserver/nts/downloads/other/ADSI25/default.asp
You will also need to change this line
    Set oUsers = GetObject("LDAP://OU=CONTAINERNAME,OU=OUNAME,DC=DOMAINNAME,DC=COM")
to match your domain setup.
If you have any more questions just let me know
here is the code:
    parse_Container "S-1-5-21-527237240-1682526488-1417001333-197190"

    ' Run through all users in the container retrieving their binary SID and converting it to SDDL (S-1-5-...)
    Sub parse_Container(str_SID_To_Find)
        Const ADS_SID_RAW = 0
        Const ADS_SID_HEXSTRING = 1
        Const ADS_SID_SAM = 2
        Const ADS_SID_UPN = 3
        Const ADS_SID_SDDL = 4
        Const ADS_SID_WINNT_PATH = 5
        Const ADS_SID_ACTIVE_DIRECTORY_PATH = 6
        Const ADS_SID_SID_BINDING = 7
        ' This object is used to get the SID
        Set oADsSID = CreateObject("ADsSID")
        ' Connect to the correct container
        ' you will have to change this to match your domain structure!!
        Set oUsers = GetObject("LDAP://OU=CONTAINERNAME,OU=OUNAME,DC=DOMAINNAME,DC=COM")
        ' Only enumerate user objects: OUs and other objects without a SID would make SetAs fail
        oUsers.Filter = Array("user")
        ' For each user object in the container
        For Each oUser In oUsers
            ' Get the string SID for the current user
            oADsSID.SetAs ADS_SID_ACTIVE_DIRECTORY_PATH, CStr(oUser.adsPath)
            str_Current_SID = oADsSID.GetAs(ADS_SID_SDDL)
            ' If the current user's SID matches the search SID then
            If CStr(str_Current_SID) = CStr(str_SID_To_Find) Then
                ' Get the groups for this user
                get_Groups oUser
                ' Exit the loop
                Exit For
            End If
        Next
        ' Tidy up
        Set oUser = Nothing
        Set oADsSID = Nothing
        Set oUsers = Nothing
    End Sub

    ' Get the groups for the user
    Sub get_Groups(oUser)
        ' For each group in this user's groups
        For Each oGroup In oUser.Groups
            ' add the group name to the output string
            str_Groups = str_Groups & oGroup.Name & Chr(10)
        Next
        ' Display the string
        MsgBox str_Groups
    End Sub
Regards
Scott
ASKER
Thanks... this looks good. How do I get it to work for a non-AD domain?
What is your network setup?
servers/client types
Scott
ASKER
NT4 domain
ASKER CERTIFIED SOLUTION
Hi xy thanks for the grade.
Did the code work ok?
Cheers
Scott
This is a tough job using a script. However, if you must, do the following (assuming a Win 2000 domain):
- Bind to the user domain (I guess you should know which domain the user belongs to)
- Search the domain for the objectSid property equalling the SID you have
- Using the DN of the user, search the domain for groups whose members property contains the DN you obtained.
Does that help?
Madz
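The third step above, searching the domain for groups whose member attribute contains the user's DN, means splicing a value read from the directory into a search filter. This added Python example (not code from the thread or from Madz; no directory is queried, and the DN is a constructed sample) escapes the DN per RFC 4515 before building the filter, so a DN containing characters such as a backslash-escaped comma, parentheses or an asterisk cannot change the meaning of the filter.

```python
# Added example (not from the thread): build the group-membership filter for
# step 3 of Madz's procedure with the user's DN escaped per RFC 4515.
# No directory is queried; SAMPLE_USER_DN is a constructed value.
SAMPLE_USER_DN = "CN=Smith\\, John,OU=Users,DC=example,DC=com"  # constructed sample

# The characters that have meaning inside a filter assertion value (RFC 4515).
_SPECIALS = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def ldap_escape_string(value: str) -> str:
    """Escape a string assertion value for an LDAP search filter (RFC 4515).

    The five special characters become \\HH; control and non-ASCII characters
    are escaped as their UTF-8 bytes so the filter stays plain ASCII. Any value
    taken from the directory or from user input goes through this before it is
    placed in a filter.
    """
    out = []
    for ch in value:
        if ch in _SPECIALS:
            out.append(_SPECIALS[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def groups_of_member_filter(user_dn: str) -> str:
    """Filter for groups that list user_dn directly in their member attribute."""
    return f"(&(objectCategory=group)(member={ldap_escape_string(user_dn)}))"


if __name__ == "__main__":
    print(groups_of_member_filter(SAMPLE_USER_DN))
```

Note that a DN escape (the `\,` inside the CN) and a filter escape are two different layers: the backslash that protects the comma in the DN must itself become `\5c` in the filter, which is exactly what the example produces. This search returns direct memberships only; the user's primary group is not listed in any group's member attribute, and groups nested inside the returned groups would require a further search for each result.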