It may sound stupid, but you could see each member computer as a very small domain with its own local users. Just as domains that trust each other have trusts between them, the same applies to the member computer, in the form of a computer account in the domain (with the domain SID and a unique RID in the domain) and a secure channel between the actual computer and its computer account.
The SID of the actual computer has no relation to the SID of the domain, just as the SIDs of two domains that trust each other also have no relationship.
Does this help?
Cheers,
#JRGE#
From: ActiveDir-owner (AT) mail (DOT) activedir.org on behalf of Hanumara, Rao
Sent: Fri 7/22/2005 2:50 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] How to identify SIDs in AD?
Thanks for your response. I have looked at user SIDs and they are no
different from computer SIDs except for the last four digits. What I am
trying to understand is the relationship between the computer and AD.
Rao/
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] Behalf Rick Kingslan
Sent: Thursday, July 21, 2005 4:16 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] How to identify SIDs in AD?
joe will undoubtedly reply, but here are a couple of things to consider.
You've looked at the AD SID for a computer object. Did you look at one
for a user or a group? What you SHOULD find is that the SID is going to
share some specific similarities. For instance:
will be the same SID prefix for
all security principal objects in your domain. Each domain will have
its own unique SID. RIDs are appended to uniquely identify an object in
the domain.
So, your computer had a Relative Identifier (RID) of 3391 (remember the
FSMO role of RID Master?)
The Administrator BY DEFAULT will be:
Guest WILL BE:
The Domain Admins group WILL BE:
After the default groups ( the Builtin groups have SIDs that are
pre-programmed for Special Purposes), users, etc. are all created, the
RID Master will start handing out RIDs from 1000 on.
So, knowing that each and every workstation joined to a domain must have
a unique object SID - what would the next assumption then be if I have 7
workstations that have the same workstation SID (each of them is an
independently operating NT system with security principals of its own)
trying to join a functional AD system?
You're not at square one - you have all of the information in front of
you - you just need to put the pieces together. ;-)
Take a swing; I'll drop more bread crumbs if needed.
Rick
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] Behalf Hanumara, Rao
Sent: Thursday, July 21, 2005 2:38 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] How to identify SIDs in AD?
Joe,
Undoubtedly your program is of great value for folks like me.
Actually, I tried the program a few days ago, but could not set the correct
parameters. This shed more light on what I wanted to know. AD assigns a
unique SID when a workstation or user joins the domain. This has no
bearing on what the workstation SID is. I used your program and captured Computer
and User objects. Then I used psGetSID from PsTools on a workstation.
What I found was that the last segment was randomly assigned by AD.
The workstation SID has only 7 segments and the AD SID attribute has 8 segments.
AD -
Workstation
This revelation puts me back to my Square 1 question. What makes the
difference if several workstations have the same SID generated by a Ghost
(Symantec) image when authenticating during the login process?
While framing my original question, I thought that AD would store the
workstation SID somewhere in its database and use that information to
authenticate.
Thanks,
Rao/
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] Behalf joe
Sent: Thursday, July 21, 2005 10:49 AM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] How to identify SIDs in AD?
SIDs of Active Directory objects are stored in the objectSID attribute.
If you have done some form of migration or move of users or groups from
one domain to another, the sIDHistory attribute will also be populated.
The last sentence you have, about something that matches the workstation SID
with the workstation's objectSID in AD, would have to be a script to do
that. There is no attribute in AD that maintains the workstation SID; AD
doesn't care about that SID, it only cares about the objectSID assigned
to the computer object for the workstation, which is different.
To tackle that problem, you would have to write a script that enumerated
all of the AD computer objects and their objectSIDs, then have the
script reach out to each of those computers individually and query for
its SID (just ask for the Administrator SID on each of the machines and
chop off the RID at the end) and then produce your mapping.
To easily display SIDs from AD, you could use my adfind utility; to dump
all computer objects in a forest and their SIDs you would do something
like
adfind -gc -b "" -f objectcategory=computer objectSID
If you pipe that output to a file, you could then use the adcsv (in the
adfind zip file) script to take that output and put it into a CSV format
for easier consumption by something else.
joe
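To put joe's mapping procedure and Rick's SID anatomy into working form, here is an added Python example; it is not code from this thread, nor from adfind or psgetsid. It decodes the binary objectSID value that the LDAP attribute holds (revision byte, sub-authority count, 6-byte identifier authority, little-endian sub-authorities) into the familiar S-1-5-21-... string, splits each computer object's SID into the domain SID prefix and its RID, chops the RID 500 off each workstation's local Administrator SID to recover the machine SID, and groups workstations that share one machine SID. The domain SID, hostnames and machine SIDs are constructed sample data; in practice the AD side comes from the adfind query above and the workstation side from psgetsid against each host.

```python
"""Map AD computer objectSIDs to each workstation's machine SID and flag clones.

Added example for this thread; not code from the original posts, adfind or psgetsid.
All SIDs and hostnames below are constructed sample data.
"""
import struct
from collections import defaultdict

# Constructed example domain SID: the prefix shared by every principal in the domain.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
ADMINISTRATOR_RID = 500  # well-known RID of the built-in Administrator account


def sid_to_bytes(sid: str) -> bytes:
    """Encode "S-R-A-s1-...-sn" into the binary layout AD stores in objectSID:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(blob: bytes) -> str:
    """Decode a binary objectSID value back into its S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("objectSID too short")
    revision, sub_count = blob[0], blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("objectSID length %d does not fit %d sub-authorities"
                         % (len(blob), sub_count))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_rid(sid: str):
    """Split a principal SID into (issuing-authority prefix, RID)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


# Raw objectSID bytes for each computer object, as the LDAP attribute carries them
# (adfind shows the decoded string).  Constructed sample data.
AD_COMPUTERS = {
    "WS01": sid_to_bytes(DOMAIN_SID + "-3391"),
    "WS02": sid_to_bytes(DOMAIN_SID + "-3392"),
    "WS03": sid_to_bytes(DOMAIN_SID + "-3393"),
    "WS04": sid_to_bytes(DOMAIN_SID + "-3394"),
}

# Local Administrator SID read from each workstation (what psgetsid prints for
# \\WS01 Administrator).  Constructed: WS01-WS03 were deployed from one Ghost
# image and therefore share a machine SID; WS04 was installed from scratch.
LOCAL_ADMIN_SIDS = {
    "WS01": "S-1-5-21-2141872932-3120391738-1895094133-500",
    "WS02": "S-1-5-21-2141872932-3120391738-1895094133-500",
    "WS03": "S-1-5-21-2141872932-3120391738-1895094133-500",
    "WS04": "S-1-5-21-339287611-2201234518-1459312764-500",
}


def build_mapping(ad_computers, local_admin_sids):
    """One row per AD computer object: its objectSID split into domain SID + RID,
    plus the machine SID obtained by chopping the RID off the local Administrator SID."""
    rows = []
    for name in sorted(ad_computers):
        object_sid = bytes_to_sid(ad_computers[name])
        domain, rid = split_rid(object_sid)
        machine_sid = None
        if name in local_admin_sids:
            machine_sid, admin_rid = split_rid(local_admin_sids[name])
            if admin_rid != ADMINISTRATOR_RID:
                raise ValueError("%s: expected RID 500 for Administrator, got %d"
                                 % (name, admin_rid))
        rows.append({"name": name, "objectSid": object_sid, "domain": domain,
                     "rid": rid, "machine_sid": machine_sid})
    return rows


def find_cloned_machines(rows):
    """Group computers by machine SID; any group larger than one is a set of clones."""
    by_machine = defaultdict(list)
    for row in rows:
        if row["machine_sid"] is not None:
            by_machine[row["machine_sid"]].append(row["name"])
    return {sid: names for sid, names in by_machine.items() if len(names) > 1}


if __name__ == "__main__":
    mapping = build_mapping(AD_COMPUTERS, LOCAL_ADMIN_SIDS)
    for row in mapping:
        print("%-5s objectSid=%s (domain %s, RID %d)  machine SID=%s"
              % (row["name"], row["objectSid"], row["domain"], row["rid"],
                 row["machine_sid"]))
    for sid, names in find_cloned_machines(mapping).items():
        print("cloned machine SID %s shared by: %s" % (sid, ", ".join(names)))
```

The output makes the thread's point visible: every computer object carries the same domain prefix with a RID above 1000, while the machine SIDs recovered from the workstations share nothing with the domain SID, and the three Ghost clones collapse into one group. The RID 500 check guards against accidentally chopping the RID off some other account's SID.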
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] Behalf Hanumara, Rao
Sent: Thursday, July 21, 2005 9:58 AM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: [ActiveDir] How to identify SIDs in AD?
Hello,
I am new to the list and also new to AD. We are running into a few problems
with Ghost image deployment. Is there any utility that can show SIDs on
the Domain Controller? We have AD and DNS implemented on our DC. The MS
Administrative Tools just show me members of AD and the DNS forward and
reverse lists. What I want to see is the SIDs of AD computers/users. Where
are they stored and how can I see them? I really want a report that
matches the workstation SID with the AD SID of each computer.
Thanks in Advance,
Rao/
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.