Thursday, September 1, 2011

ObjectSID and Active Directory

What is an objectSID in Active Directory?

When a new object is created in Active Directory, Domain Controller assigns a unique value used to identify the object as a security principal.  This value is unique inside the domain.  An ObjectSID includes a domain prefix identifier that uniquely identifies the domain and a Relative Identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID

How do I get ObjectSID information from Active Directory?

You can see the ObjectSID information using ADSI Edit or Attribute Editor or you can use DSQUERY commands.   I will explain these details with the a few screenshots:

Domain SID – I am using the following DSQUERY command with a name filter to get the SID of my domain. 

image

image

User SID – As you can see from the following screenshot, the objectSID of the user (TestABC1) is consist of Domain SID of the domain (santhosh) + Relative ID(RID) of the user account. 

image

image

RID Allocation

RID number will assigned from the RID pool (rIDAAllocationPool) of the Domain Controller.  Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master FSMO role.  You can get the RID pool allocation table details using the dcdiag /test:ridmanager /v command. 

image

Keep in mind that the RID pool will be different in each domain controller.  RID will be allocated to an object in Active Directory based on the Domain Controller that you are using.  Here is an example from my second domain controller in my domain:

image

As you can see in the above screenshot, if I create a new object using this domain controller, the new object will be assigned with 1601 (rIDNextRID) as the RID.

You can also use DQUERY command to get the properties of the RID Set.  However, you need to convert some of the values.

image

By default, RID pools will be allocated in increments of 500 (rIDAllocationPool).

image


Other Related Blogs and Articles:

Verify sIDHistory and Identify the Source User Account - http://portal.sivarajan.com/2011/03/verify-sidhistory-and-identify-source.html

ObjectSID Vs sIDHistory - http://sivarajan.com/forum/viewthread.php?tid=8

Identify SID Using DSQUEY Command - http://portal.sivarajan.com/2010/06/identify-sid-using-dsquey-command.html

PowerShell Script - Search Active Directory and Generate SIDHistory Report - http://portal.sivarajan.com/2010/12/powershell-script-search-active.html

SID Filtering – Access is denied - http://portal.sivarajan.com/2009/06/sid-filtering-access-is-denied.html

ADMT SID Mapping File Generation Using DSQUERY Command - http://portal.sivarajan.com/2011/04/admt-sid-mapping-file-generation-using.html

siDHistory Report - with Multi Value Support - http://portal.sivarajan.com/2011/04/sidhistory-report-with-multi-value.html


2 comments:

Post a Comment

Popular Posts

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More