Discussion:
Convert objectSid to GUID
Oleg Ogurok
2004-09-24 16:29:33 UTC
Hi all,

How can I convert the value of objectSid property returned from AD into
{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} format?
The returned value is a 28 byte array, and GUID is 16-byte (128-bit) value.
Is there a method in already available?
If not, code in C# is preferred, but other languages will do too.

Thanks.

-Oleg.
Joe Richards [MVP]
2004-09-24 16:43:12 UTC
GUIDs and SIDs are separate, you don't convert one into the other.

You have to take the SID and look up the matching object in AD and retrieve the
objectGUID.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Oleg Ogurok
2004-09-24 16:59:31 UTC
Got it. So there are two separate attributes, objectSid and objectGUID.
In my application, I'm creating users and assigning them to Groups. I need
to store the list of Groups to which a newly added user will be assigned. It
wouldn't make sense to store the LDAP Path of those groups because a group
can get renamed or moved to a different OU. Which property should I store in
my application's config, objectSid or objectGUID?

I understand that Active Directory is a database optimized for quick
searching. Are there any performance considerations when deciding on which
property a search is performed? In other words, does searching work faster
when filtering by objectSid vs objectGUID or vice versa?

Thanks,

-Oleg.
Joe Richards [MVP]
2004-09-25 01:22:22 UTC
Use the GUID. It is unique in the forest and won't ever change for an object. A
SID can change if the group is moved from one domain to another in the same forest.

You can direct bind to objects by GUID so you don't have to actually search or
enumerate.

When you return the group DN, enable extended names and you will get a string
that contains the GUID which you can direct bind with. Look at my adfind tool
and the extname switch. You can get it on the free win32 tools page of
www.joeware.net

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Joe Kaplan (MVP - ADSI)
2004-09-27 18:45:19 UTC
Also, to answer your C#-specific question, you can pass the byte[] returned
by objectGUID directly to the constructor of the .NET Guid structure to
create a .NET Guid. It has some ToString overrides to get the various
string formats.

Joe K.