0 votes

In our environment we are running Exchange 2010 on a resource forest. Users have accounts on a primary forest and mailbox accounts on the resource forest, and the two accounts are linked. Exchange stores the SID of the primary account in an attribute on the mailbox account called msExchMasterAccountSid, which, viewed in the Adaxes admin console, is shown as binary. What we have done is add a new attribute on the primary account called resourceAccountSID that stores the SID of the mailbox account, of the SID objectType, which also shows in the admin console as binary.

When I retrieve %msExchMasterAccountSID% in PowerShell I get it in the friendly string format. When I retrieve the value of %resourceAccountSID% I get it in binary format. If I want to take an action on the primary user account based on that SID, I am unable to use it in that binary format. I believe I need a way to convert it to string format in order to be able to use it as the identity value for a command. Adaxes seems to do this automatically for the msExchMasterAccountSID attribute. Does anyone know how I might go about that for our resourceAccountSID attribute? This is in a PowerShell action being run by a business rule.

by (290 points)

1 Answer

0 votes
by (216k points)
Best answer

Hello,

Take a look at the following code sample. It shows how to read a SID stored in the binary form in the resourceAccountSID property and convert it to the string form. The converted value is assigned to the $result variable.

# Read the SID in binary form
$resourceAccountSidBinary = $Context.TargetObject.Get("resourceAccountSID")
# Create an instance of the SecurityIdentifier class based on the binary value
$resourceAccountSid = New-Object System.Security.Principal.SecurityIdentifier($resourceAccountSidBinary, 0)
# Use the ToString() method of the SecurityIdentifier class to get a string representation of the SID
$result = $resourceAccountSid.ToString()
0

That worked great. Thank you!

0

Now that I know how to handle the SID for existing objects, I'm working on the creation of new objects. I have a script in a business rule that triggers after a user account is created. It provisions the resource account for the mailbox and the GALSync contact. What I'm trying to do is get the SID of the newly created objects, but there seems to be some sort of delay after creating the objects before I can retrieve the SID.

For example, I'm using the following command to create the contact.

$newContact = New-AdmObject -Name "%cn%" -Type contact -Path "<OU_DN>" -Server "contact.domain" -PassThru

After this command I get the DistinguishedName, Name, ObjectClass, and ObjectGUID, but the ObjectSID is returned blank. I have tried using the following command, but get an error saying that the object doesn't exist.

$newContact = Get-AdmObject $newContact.distinguishedName -Server "contact.domain" -Properties objectSID

If I add a loop that sleeps until the objectSID is retrieved, it eventually finds the object and returns the value, but I'd like to avoid a long delay if possible.

Perhaps there is a better way to accomplish what I am trying to do. Any suggestions would be greatly appreciated.

0

Hello,

Are you sure that objectSID is eventually retrieved? Contacts cannot be assigned any permissions in Active Directory, and thus they don't have a SID.

0

That was my mistake. I'll switch to using ObjectGUID for contacts instead.

Thank you for the assistance!
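Building on the answer's conversion and on the later point that contacts carry no SID, here is an added example (not from the original thread or from Adaxes) that normalises whichever form a SID attribute comes back in, converts a SID string back to the byte[] needed for writing a binary attribute, and keys contacts on objectGUID instead. Assumptions: an Adaxes business-rule context exposing $Context.TargetObject and $Context.LogMessage, that Adaxes cmdlets accept a SID string as -Identity (as the answer's use of it as an identity value implies), and the placeholder server name "resource.domain".

```powershell
# Added example (not from the original answer or from Adaxes). Assumes an Adaxes
# business-rule context ($Context.TargetObject, $Context.LogMessage) and the
# placeholder resource-forest server "resource.domain".

function ConvertTo-SidString {
    # Normalise the three shapes a SID attribute shows up in: byte[] (raw AD value,
    # e.g. resourceAccountSID), string (what Adaxes hands back for
    # msExchMasterAccountSid), or an already-parsed SecurityIdentifier.
    param([Parameter(Mandatory)][object]$Value)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value.Value }
    if ($Value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Value, 0)).Value
    }
    if ($Value -is [string]) {
        # Round-trip through the class so a malformed value throws here
        # instead of being passed on as an identity.
        return (New-Object System.Security.Principal.SecurityIdentifier($Value)).Value
    }
    throw "Unsupported SID representation: $($Value.GetType().FullName)"
}

function ConvertFrom-SidString {
    # Inverse: the byte[] required when writing a SID into a binary attribute.
    param([Parameter(Mandatory)][string]$SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    return $bytes
}

function Get-ObjectKey {
    # Contacts are not security principals and never get an objectSid, so a
    # SID-keyed lookup only works for user/group/computer objects; fall back to
    # objectGUID, which every AD object has from the moment it is created.
    param([Parameter(Mandatory)]$AdmObject)
    if ($AdmObject.ObjectSID) { return ConvertTo-SidString $AdmObject.ObjectSID }
    return [string]$AdmObject.ObjectGUID
}

# Read the linked mailbox account's SID from the primary account and resolve it.
try {
    $raw = $Context.TargetObject.Get("resourceAccountSID")
} catch {
    # ADSI Get() throws when the attribute has no value; treat that as "not linked".
    $Context.LogMessage("resourceAccountSID is not set; nothing to resolve.", "Warning")
    return
}
$sidString = ConvertTo-SidString $raw
$mailboxAccount = Get-AdmObject -Identity $sidString -Server "resource.domain" -Properties objectSID, objectGUID
$Context.LogMessage("Linked mailbox account: $($mailboxAccount.DistinguishedName) (key $(Get-ObjectKey $mailboxAccount))", "Information")
```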
