Domain – What does mean domain in SID: S-1-5-21domain-500

domainsid

I found following page with documentation: http://support.microsoft.com/kb/243330. Now there is a mysterious domain string in SID. I understand that when I want to use this sid with this mysterious string I should replace it with a correct domain SID. The question is where can I find this domain SID that I can put into the SID for system administrator (for example) in order to be able to check some rights later.

SID example: S-1-5-21domain-500.

This domain identifier probably should be in xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx format.

Best Answer

You're still not being very clear. What tool are you using? What option are you trying to change and where is it? The S-1-5-21domain-500 opiton you linked is the domain Administrator account. The Domain is the SID identifier of your domain.

Based on what I think you're asking, I think this is what you're looking for.

Start > Run > adsiedit.msc and go to Default naming context > OU > CN=Users. Find your CN=Administrator account, right click and go to properties. Find the objectSid. You can see that it matches what the description says.

That will give you the SID. Now why you would need that, I'm not sure, but I really hope you don't change anything in ADSI.

Related Solutions

Active Directory – Fix Wrong SID for Administrator Account

Hmm... that's decidedly a "not supposed to happen" scenario. The RID 500 Administrator account is stamped with the "isCriticalSystemObject" attribute set to true, and to my knowledge LSASS is supposed to return an ERROR_DS_UNWILLING_TO_PERFORM error (0x80072035) if you were to try and delete it. (I don't have a scratch AD sitting around in any of my VMs right now to give it a shot. Maybe later...)

How are you searching AD, anyway?

From AD Users and Computers, do a "Find" at the root of the domain, choose a "Custom Search" in the "Find" dropdown, go to the "Advanced" tab, and enter the LDAP search filter "(objectSid=S-1-5-21-2025429265-492894223-1708537768-500)". That'll give you a subtree search of the domain from the root of the directory.

If you really have deleted your RID 500 Administrator account somehow I'd stronly consider contacting Microsoft Product Support Services. They can probably have something coded to re-create the account (if they don't already have such a tool). I can't imagine how you managed to delete it anyway, because the only way I could think to do that would be direct interaction with the database through ESE. I really didn't think there was any publicly-exposed API that would let you delete an object marked with "isCriticalSystemObject" set to True, and I don't think you can set it to False on the RID 500 Administrator, either. Hmmm...

You've got an interesting situation there. Let us know what the subtree search above returns.

Windows – User name by SID

ADFind can do this. The list of options is here. For example, you might do something like this to export a list of users with their SID:

adfind -h domaincontroller01:389 -b "CN=Users,DC=domain,DC=com" -f "(objectClass=user)" objectSID displayName

You can run ADFind from any box as long as it can reach a domain controller. Obviously you would replace domaincontroller01 with the name or IP of a domain controller and change the "CN=Users,DC=domain,DC=com" to reflect the path to the users in question.

Best Answer

Related Solutions

Active Directory – Fix Wrong SID for Administrator Account

Windows – User name by SID

Related Topic