Working with SIDs

Question

In our environment we are running Exchange 2010 on a resource forest. Users have accounts on a primary forest and mailbox accounts on the resource forest and the two accounts are linked. Exchange stores the SID of the primary account in an attribute on the mailbox account called msExchMasterAccountSid which viewed in the Adaxes admin console is shown as binary. What we have done is add a new attribute on the primary account called resourceAccountSID that stores the SID of the mailbox account of the SID objectType which also shows in the admin console as binary.

When I retrieve %msExchMasterAccountSID% in powershell I get it in the friendly string format. When I retrieve the value of %resourceAccountSID% I get it in binary format. If I want to take an action on the primary user account based on that SID, I am unable to use it in that binary format. I believe I need a way to convert it to string format in order to be able to use it as the identity value for a command. Adaxes seems to automatically do this for the msExchMasterAccountSID attribute. Does anyone know how I might go about that for our resourceAccountSID attribute? This is in a powershell action being run by a business rule.

Answer 1

Hello,

Take a look at the following code sample. It shows how to read a SID stored in the binary form in the resourceAccountSID property and convert it to the string form. The converted value is assigned to the $result variable.

# Read the SID in binary form
$resourceAccountSidBinary = $Context.TargetObject.Get("resourceAccountSID")
# Create an instance of the SecurityIdentifier class based on the binary value
$resourceAccountSid = New-Object System.Security.Principal.SecurityIdentifier($resourceAccountSidBinary, 0)
# Use the ToString() method of the SecurityIdentifier class to get a string representation of the SID
$result = $resourceAccountSid.ToString()

Comments

That worked great. Thank you!

---

Now that I know how to handle the SID for existing objects, I'm working on the creation of new objects. I have a script in a business rule that triggers after a user account is created. It provisions the resource account for the mailbox and the GALSync contact. What I'm trying to do is get the SID of the newly created objects, but there seems to be some sort of delay after creating the objects before I can retrieve the SID.

I'm using the following command to create the contact for example.

$newContact = New-AdmObject -Name "%cn%" -Type contact -Path "<OU_DN>" -Server "contact.domain" -PassThru

After this command I get the DistinguishedName, Name, ObjectClass, and ObjectGUID, but the ObjectSID is returned blank. I have tried using the following command, but get an error saying that the object doesn't exist.

$newContact = Get-AdmObject $newContact.distinguishedName -Server "contact.domain" -Properties objectSID

If I add a loop that sleeps until the objectSID is retrieved, it eventually finds the object and returns the value, but I'd like to avoid a long delay if possible.

Perhaps there is a better way to accomplish what I am trying to do. Any suggestions would be greatly appreciated.

---

Hello,

Are you sure that objectSID is eventually retrieved? Contacts cannot be assigned any permissions in Active Directory, and thus they don't have a SID.

---

That was my mistake. I'll switch to using ObjectGUID for contacts instead.

Thank you for the assistance!