AD UDF - Object Attributes for Groups?

[stamandster]

Hi All,

Trying to pull the objectSid from a security group and getting nothing, no matter what I try. Is this even possible with the AD UDF? Normal accounts seem to work fine. Any suggestions would be appreciated.

[water]

We need more information!
Which function do you use to extract this information?

[stamandster]

@water Sorry about that! I'm attempting to use _AD_GetObjectAttribute(<SecurityGroup>,"objectSid") and it's not pulling the info (using sAMAccountName). Doesn't seem to work either when using FQDN (for me at least).

Edited March 24, 2021 by stamandster

[water]

If @error = 0 then it grabs the infomation but doesn't translate it to a readable form.
Use _AD_GetObjectProperties.

[stamandster]

Thanks @water That seemed to work for the domain my own account is authenticated to. When I use _AD_Open and choose another domain in the forest, and a server to query, it isn't pulling the same information. Any tips?

[water]

So you expect the "objectSid" for the "SecurityGroup" to be the same for different domains?
The AD UDF just queries the DC using LDAP and displays the returned result. If the function does not return and error then the result you get is the "correct" result.
Or can you link us to a source where we can get more information about how AD handles those SIDs in domains and forests?

[water]

https://docs.microsoft.com/en-us/windows/win32/ad/how-security-groups-are-used-in-access-control

"The security identifier (SID) is the object identifier of the user or security group when the user or group is used for security purposes. The name of the user or group is not used as the unique identifier within the system. The SID is stored in the objectSid attribute of user objects and security group objects. The Active Directory server generates the objectSid when the user or group is created. The system ensures that the SIDs are unique across a forest. Be aware that the objectGuid is the unique identifier of a user, group, or any other directory object. The SID changes if a user or group is moved to another domain; the objectGuid remains the same."

[stamandster]

@water No I'm not expecting anything to be the same. I'm just simply looking to query a specific attribute in another domain in the forest for a group I specify. Just the same as I can lookup an attribute in my current domain for a group.

[water]

2 hours ago, stamandster said:

When I use _AD_Open and choose another domain in the forest, and a server to query, it isn't pulling the same information.

Can you please post the code you use, the result you get and the result you expect?