SID problem

  • Thread starter Thread starter sn9071
  • Start date Start date
S

sn9071

Dear All,
We had our PDC down few days ago and another replica DC has taken over
it. Currently we got SID problem in security access, even it's running
BUT we can't see the name of user. is there any way to fix this ?

many thanks,
Sulis.
 
We had our PDC down few days ago and another replica DC has taken over
it. Currently we got SID problem in security access, even it's running
BUT we can't see the name of user. is there any way to fix this

can you be more specific?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
while we go to security access in a folder, it shows S-1-5xxx-xxx.
usually it shows a username or group. how can we put it back ?

thanks,


Jorge de Almeida Pinto [MVP - DS] menuliskan:
 
does it show others like "domain\user or group" and one or more like <SID>?

if yes, then the object with the SID that is shown there has been deleted
from AD (assuming it was a object in AD)

solution:
* authoritative restore of the object <- preferred
* undelete

before even being to do either you need to check in AD what object it is

you can use:
ADFIND -default -showdel -f
"(&(isDeleted=TRUE)(objectSid={{SID:S-1-5-21-3495709831-2249124843-3216744473-1111}}))"
-binenc distinguishedName sAMAccountName lastKnownParent

replace S-1-5-21-3495709831-2249124843-3216744473-1111 with YOUR sid

------------EXAMPLE-----------
D:\TOOLS\MISC>adfind -default -showdel -f
"(&(isDeleted=TRUE)(objectSid={{SID:S-
1-5-21-3495709831-2249124843-3216744473-1111}}))" -binenc distinguishedName
sAMA
ccountName lastKnownParent

AdFind V01.31.00cpp Joe Richards ([email protected]) March 2006

Transformed Filter:
(&(isDeleted=TRUE)(objectSid=\01\05\00\00\00\00\00\05\15\00\
00\00\87L\5C\D0\EB\EB\0E\86\19\A0\BB\BFW\04\00\00))
Using server: RDC01.AD.LAN:389
Directory: Windows Server 2003
Base DN: DC=AD,DC=LAN

dn:CN=UserNo1001\0ADEL:08cc68f5-aaf7-4ca3-94cc-640d21aae859,CN=Deleted
Objects,D
C=AD,DC=LAN
distinguishedName:
CN=UserNo1001\0ADEL:08cc68f5-aaf7-4ca3-94cc-640d21aae859,CN= Deleted Objects,DC=AD,DC=LAN
sAMAccountName: UserNo1001
lastKnownParent: OU=USERS,OU=ORG,DC=AD,DC=LAN
Click to expand...


1 Objects returned
------------EXAMPLE-----------

to auth. restore an object follow MS-KBQ840001

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
while we go to security access in a folder, it shows S-1-5xxx-xxx.
usually it shows a username or group. how can we put it back ?

thanks,


Jorge de Almeida Pinto [MVP - DS] menuliskan:
it. Currently we got SID problem in security access, even it's running
BUT we can't see the name of user. is there any way to fix this

can you be more specific?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
Click to expand...
Click to expand...
 
Back
Top