Thursday, September 1, 2011

ObjectSID and Active Directory

What is an objectSID in Active Directory?

When a new object is created in Active Directory, the Domain Controller assigns it a unique value that identifies the object as a security principal. This value is unique within the domain. An objectSID consists of a domain identifier prefix, which uniquely identifies the domain, and a Relative Identifier (RID), which uniquely identifies the security principal within that domain. The RID is a monotonically increasing number at the end of the SID.

How do I get ObjectSID information from Active Directory?

You can see the objectSID value using ADSI Edit, the Attribute Editor, or DSQUERY commands. I will explain these details with a few screenshots:

Domain SID – I am using the following DSQUERY command with a name filter to get the SID of my domain. 



User SID – As you can see from the following screenshot, the objectSID of the user (TestABC1) consists of the domain SID of the domain (santhosh) plus the Relative ID (RID) of the user account.



RID Allocation

The RID is assigned from the RID pool (rIDAllocationPool) of the Domain Controller. Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master FSMO role. You can get the RID pool allocation table details using the dcdiag /test:ridmanager /v command.


Keep in mind that the RID pool is different on each domain controller. The RID allocated to a new object in Active Directory depends on the Domain Controller you are using to create it. Here is an example from the second domain controller in my domain:


As you can see in the above screenshot, if I create a new object using this domain controller, the new object will be assigned with 1601 (rIDNextRID) as the RID.

You can also use the DSQUERY command to get the properties of the RID Set. However, you need to convert some of the values.


By default, RID pools are allocated in increments of 500 (rIDAllocationPool).
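The two conversions the post leaves to the reader, decoding a binary objectSID into its domain-SID and RID parts and splitting the 64-bit rIDAllocationPool value into its start and end RIDs, as an added Python example (not code from the original post). The SID and pool values below are constructed samples; the pool layout assumed is the documented one, low 32 bits = first RID, high 32 bits = last RID.

```python
import struct

def sid_string_to_bytes(sid_str: str) -> bytes:
    """Build the binary SID form that LDAP returns for objectSID."""
    parts = sid_str.split("-")
    assert parts[0] == "S", "not a SID string"
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), 48-bit big-endian authority,
    # then each sub-authority as a little-endian uint32
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary objectSID into the familiar S-1-5-21-... form."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def split_domain_sid_and_rid(sid_str: str):
    """The last sub-authority is the RID; everything before it is the domain SID."""
    domain_sid, rid = sid_str.rsplit("-", 1)
    return domain_sid, int(rid)

def decode_rid_pool(value: int):
    """rIDAllocationPool / rIDPreviousAllocationPool: low 32 bits = first RID,
    high 32 bits = last RID of the block handed out by the RID master."""
    return value & 0xFFFFFFFF, value >> 32

# Constructed sample values (not from the post's screenshots)
SAMPLE_OBJECTSID = sid_string_to_bytes("S-1-5-21-1234567890-987654321-1122334455-1601")
SAMPLE_RID_POOL = (2099 << 32) | 1600   # a 500-RID block, 1600 to 2099

if __name__ == "__main__":
    sid = sid_bytes_to_string(SAMPLE_OBJECTSID)
    domain_sid, rid = split_domain_sid_and_rid(sid)
    print("objectSID :", sid)
    print("domain SID:", domain_sid, " RID:", rid)
    print("rIDAllocationPool %d -> RIDs %d to %d" % ((SAMPLE_RID_POOL,) + decode_rid_pool(SAMPLE_RID_POOL)))
```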


Other Related Blogs and Articles:

Verify sIDHistory and Identify the Source User Account -

ObjectSID Vs sIDHistory -

Identify SID Using DSQUEY Command -

PowerShell Script - Search Active Directory and Generate SIDHistory Report -

SID Filtering – Access is denied -

ADMT SID Mapping File Generation Using DSQUERY Command -

siDHistory Report - with Multi Value Support -

