rudi

a bit OT: How to determine a *DOMAIN's* SID?

3 posts in this topic

Hi.

Who knows how to read the SID of the AD domain a Windows user is currently authenticated to?

I need this to assign rights to registry keys and local files for the AD group "Domain Users" = S-1-5-21domain-513, where "domain" has to be replaced by the Domain's SID.

This is how to read the SID for the local PC:

;SID of this PC. (See MS KB243330)
; The REG_BINARY value "V" ends with the three machine-specific sub-authorities,
; each stored as a little-endian 32-bit integer, so the bytes have to be reversed.

$Real_SID = "S-1-5-21-274021414-1772892037-1891922755" ; newsid.exe presents that one for my PC

$key = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account"
$Val = "V" ; assigning read rights to that key/value may be required (even for local administrators)

$String = RegRead($key, $Val) ; REG_BINARY is returned as a hex string
If @error Then
    ConsoleWrite("RegRead failed (@error = " & @error & "), check read rights on " & $key & @CRLF)
    Exit 1
EndIf

$String = StringRight($String, 12 * 2) ; get final 12 Bytes (24 hex digits)
ConsoleWrite("Final 12 bytes of " & $key & ", " & $Val & " are:" & @CRLF & $String & @CRLF & @CRLF)

$Left = StringLeft($String, 8)
$Mid = StringMid($String, 8 + 1, 8)
$Right = StringRight($String, 8)

$Prefix = "S-1-5-21"
$SID = shuffle2Dec($Left) & "-" & shuffle2Dec($Mid) & "-" & shuffle2Dec($Right)

ConsoleWrite($Real_SID & @CRLF)
ConsoleWrite($Prefix & "-" & $SID & @CRLF)
ConsoleWrite(@CRLF & "This PC's SID = " & $Prefix & "-" & $SID & @CRLF)

; Reverse the byte order of an 8-digit little-endian hex string and return it as decimal
Func shuffle2Dec($String)
    Local $l = StringLen($String), $foo = "", $i
    For $i = $l - 1 To 1 Step -2
        $foo &= StringMid($String, $i, 2)
    Next
    $foo = Dec($foo)
    ConsoleWrite($String & " = " & $foo & @CRLF & "----------------" & @CRLF)
    Return $foo
EndFunc   ;==>shuffle2Dec

Regards, Rudi.


Earth is flat, pigs can fly, and Nuclear Power is SAFE!


You could use the Active Directory UDF (for download please see my signature):

#include <AD.au3>
#include <Array.au3>

_AD_Open()
$R = _AD_GetObjectProperties(@UserName, "objectSid") ; 2D array: [1][0] = "objectSid", [1][1] = the SID as string
_ArrayDisplay($R)
_AD_Close()

My UDFs and Tutorials:


UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 


#3 · Posted (edited)

Thanks for AD.AU3

This is just an example to demonstrate how to add NTFS / Registry rights for "Domain Users":

#include <GUIConstantsEx.au3>
#include <GUIConstants.au3>
#include "AD.au3" ; see signature of "water" above to get AD.au3

FileInstall("setacl.exe", @TempDir & "\setacl.exe", 1) ; use google to get a copy of setacl.exe


; see Microsoft KB for wellknown SIDs: http://support.microsoft.com/kb/243330
; attention: currently there are errors in that KB for all entries with SID = *domain*:
;            instead of
;            SID: S-1-5-21domain-513  it should tell:
;            SID: S-1-5-21-domain-513.
;            "domain" has to be replaced with the AD-SID

Const $Dom_SID = Get_AD_SID()
If Not IsString($Dom_SID) Then Exit 1 ; Get_AD_SID() has already shown the error
Const $SID_Dom_User = $Dom_SID & "-513" ; RID 513 = "Domain Users"


Dim $LabelTxt = "Adding rights for Domain Users:" & @LF & _
        "SID for Domain Users = " & $SID_Dom_User & @LF & @LF
Dim $OK = True

#Region Create some dummy folder and registry value
Dim $TestDir = "C:\temp-123456"
DirCreate($TestDir)

$RegKey = "HKLM\Software\MyTestKey" ; writing below HKLM needs administrative rights
$RegVal = "MyTestVal"
$RegType = "REG_SZ"
$RegValue = "I'm just a value, leave me alone!"
RegWrite($RegKey, $RegVal, $RegType, $RegValue)
#EndRegion Create some dummy folder and registry value

; [0][0] holds the number of entries; each entry is [object path, SetACL object type]
Dim $RightsArr[3][2] = [[2], _
        [$TestDir, "file"], _
        [$RegKey, "reg"]]

$w = 450
$h = 250
GUICreate("adding test rights", $w, $h)
$Label = GUICtrlCreateLabel($LabelTxt, 20, 20, $w - 40, $h - 80)
$Exit = GUICtrlCreateButton("Close", $w / 2 - 30, $h - 50, 60, 30)
GUICtrlSetState(-1, $GUI_DISABLE)
GUISetState(@SW_SHOW)

SetRights($RightsArr, $SID_Dom_User)

If $OK Then
    $LabelTxt &= @LF & @LF & "Done."
    GUICtrlSetData($Label, $LabelTxt)
Else
    $LabelTxt &= @LF & "Error:" & @LF & "Not all rights could be added!"
    GUICtrlSetData($Label, $LabelTxt)
EndIf

GUICtrlSetState($Exit, $GUI_ENABLE)
While 1
    $msg = GUIGetMsg()
    Select
        Case $msg = $GUI_EVENT_CLOSE
            Exit
        Case $msg = $Exit
            Exit
    EndSelect
    Sleep(20)
WEnd

; Grant full control for $SID on every object listed in $LocalArr by running SetACL.exe
; ("s:y" tells SetACL that the trustee is given as a SID, not as a name)
Func SetRights($LocalArr, $SID)
    Local $i, $result
    For $i = 1 To $LocalArr[0][0]
        $LabelTxt &= $LocalArr[$i][0] & " : "
        GUICtrlSetData($Label, $LabelTxt)
        ; the executable path is quoted because @TempDir may contain spaces
        $result = RunWait('"' & @TempDir & '\setacl.exe" -on "' & $LocalArr[$i][0] & '" -ot ' & $LocalArr[$i][1] & ' -actn ace -ace "n:' & $SID & ';p:full;s:y"', "", @SW_HIDE)
        If $result = 0 Then
            $LabelTxt &= "OK." & @LF
            GUICtrlSetData($Label, $LabelTxt)
        Else
            $OK = False
            $LabelTxt &= "SetACL.EXE Error: " & $result & @LF
            GUICtrlSetData($Label, $LabelTxt)
        EndIf
    Next
EndFunc   ;==>SetRights

; Return the SID of the domain the current user belongs to: the user's
; objectSid with its last component (the user's RID) cut off.
Func Get_AD_SID()
    _AD_Open()
    If @error Then
        MsgBox(48, "Error", "_AD_Open() failed: @error = " & @error)
        Return False
    EndIf
    Local $R = _AD_GetObjectProperties(@UserName, "objectSid")
    Local $Err = @error
    Local $Ext = @extended
    Local $Dom, $S
    _AD_Close()
    If IsArray($R) Then
        $S = $R[1][1] ; [1][0] = "objectSid", [1][1] = the SID as string
        $Dom = StringLeft($S, StringInStr($S, "-", 0, -1) - 1) ; everything before the last "-"
        Return $Dom
    Else
        MsgBox(48, "Error reading AD-SID for " & @UserName, "@Error = " & $Err & @LF & "@Extended = " & $Ext)
        Return False
    EndIf
EndFunc   ;==>Get_AD_SID

Regards, Rudi.

Edited by rudi

Earth is flat, pigs can fly, and Nuclear Power is SAFE!
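Added example, not code from this thread and written in Python rather than AutoIt so it runs anywhere: it decodes the two binary SID forms the scripts above handle by hand (the raw objectSid blob that AD.au3 turns into a string, and the trailing 12 bytes of the SAM "V" value that shuffle2Dec() reverses), then derives the domain SID and the RID-513 "Domain Users" SID from it. The sample blobs are constructed; the machine SID quoted in the first post is reused as a domain SID for illustration.

```python
import struct
# Well-known domain-relative RIDs from the KB article quoted above
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Computers": 515}


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID (the raw objectSid attribute) into S-R-A-s1-s2-... form.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes identifier
    authority (big-endian), then count x 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    # "<I" is unsigned: sub-authorities >= 2**31 must not come out negative
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def domain_sid_from_user_sid(user_sid: str) -> str:
    """The domain SID is the user's SID with the trailing RID removed."""
    return user_sid.rsplit("-", 1)[0]


def group_sid(domain_sid: str, group: str) -> str:
    """Append a well-known RID, e.g. 513 for 'Domain Users'."""
    return "%s-%d" % (domain_sid, WELL_KNOWN_RIDS[group])


def machine_sid_from_sam_v(v_hex: str) -> str:
    """Rebuild the local machine SID from the SAM\\Domains\\Account 'V' value (hex string).
    Its last 12 bytes are the three machine-specific sub-authorities; this is
    what shuffle2Dec() in the first post does byte pair by byte pair."""
    a, b, c = struct.unpack("<III", bytes.fromhex(v_hex)[-12:])
    return "S-1-5-21-%d-%d-%d" % (a, b, c)


# Constructed samples (not real directory data). The machine SID quoted in the
# first post is reused as a domain SID; 1105 is an arbitrary user RID.
SAMPLE_OBJECTSID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 274021414, 1772892037, 1891922755, 1105)
SAMPLE_SAM_V_HEX = "00" * 8 + struct.pack("<III", 274021414, 1772892037, 1891922755).hex()

if __name__ == "__main__":
    user = sid_bytes_to_string(SAMPLE_OBJECTSID)
    dom = domain_sid_from_user_sid(user)
    print(user, dom, group_sid(dom, "Domain Users"), machine_sid_from_sam_v(SAMPLE_SAM_V_HEX))
```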
