SID question


Samuel

Hi,

I have 4 SID's in AD. Is there any way I can trace around what time they
were created?



The SID's are


S-1-5-21-1993962763-1035525444-725345543-2156

S-1-5-21-1993962763-1035525444-725345543-2197

S-1-5-21-1993962763-1035525444-725345543-2251

S-1-5-21-1993962763-1035525444-725345543-2449



Is it safe to assume that 2156 is created first, and then 2197? I.e., are
they created in some sequence or what?

Thx
 
Re: SID question

Hello Samuel,

If you only see a SID, the account/group can be deleted. To figure out the
normal name you can use a small script at the end of this page. Maybe it
helps:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1203.mspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi,
>
> I have 4 SID's in AD. Is there any way I can trace around what time
> they were created?
>
> The SID's are
>
> S-1-5-21-1993962763-1035525444-725345543-2156
>
> S-1-5-21-1993962763-1035525444-725345543-2197
>
> S-1-5-21-1993962763-1035525444-725345543-2251
>
> S-1-5-21-1993962763-1035525444-725345543-2449
>
> Is it safe to assume that 2156 is created first, and then 2197? I.e.,
> are they created in some sequence or what?
>
> Thx
>
 
RE: SID question

Yes, you can trace them, but before that you have to convert the SID to an
object name using a freeware tool like sidtoname, which can be downloaded from
here.

http://www.joeware.net/freetools/tools/sidtoname/index.htm

After that, you can get the creation date for each account from Active Directory. Every
AD object has a WhenCreated and WhenChanged attribute. You can dump these
attributes into a flat file using the LDIFDE utility, or you can dump them
into a comma-delimited file using CSVDE (both utilities come with Windows
Support tools).

Here's the syntax to dump the two attributes for the user objects in an OU
called Phoenix in a domain called Company.com to the console for viewing (the
entire entry should be typed as a single line):

ldifde -d ou=phoenix,dc=company,dc=com -l whencreated,whenchanged -p onelevel -r "(ObjectCategory=user)" -f con


If you wanted to save the dump to a file, change the -f switch from con to a
file name.

The last logon timestamp uses this format: YYYYMMDDHHMMSS, with the hour
shown in Universal Coordinated Time. A time stamp of 20040115182937.0Z
corresponds to Jan 15 2004 18:29:37 UCT.

USRSTAT is slow, and the report you get has to be merged with the LDIFDE
dump. So, I put together a script that searches for user objects at each
domain controller, then lists the local logon time and the creation time. The
user logon timestamp requires conversion from a long integer.

http://www.mcpmag.com/columns/article.asp?EditorialsID=660

Thanks for Understanding

--
We Don't want to be average We Want to be Great


"Samuel" wrote:

> Hi,
>
> I have 4 SID's in AD. Is there any way I can trace around what time they
> were created?
>
>
>
> The SID's are
>
> S-1-5-21-1993962763-1035525444-725345543-2156
>
> S-1-5-21-1993962763-1035525444-725345543-2197
>
> S-1-5-21-1993962763-1035525444-725345543-2251
>
> S-1-5-21-1993962763-1035525444-725345543-2449
>
>
>
> Is it safe to assume that 2156 is created first, and then 2197? I.e., are
> they created in some sequence or what?
>
> Thx
>
>
 
Re: SID question


"Samuel" <Samuel@discussions.microsoft.com> wrote in message
news:83A52A96-2D8E-4DDB-B101-BB72BB71349E@microsoft.com...
> Hi,
>
> I have 4 SID's in AD. Is there any way I can trace around what time they
> were created?
>
>
>
> The SID's are
>
> S-1-5-21-1993962763-1035525444-725345543-2156
>
> S-1-5-21-1993962763-1035525444-725345543-2197
>
> S-1-5-21-1993962763-1035525444-725345543-2251
>
> S-1-5-21-1993962763-1035525444-725345543-2449
>
>
>
> Is it safe to assume that 2156 is created first, and then 2197? I.e., are
> they created in some sequence or what?
>
> Thx
>
>


To answer your last question, no you cannot assume that 2156 was created
before 2449. Each DC is assigned a pool of RID values by the RID Master (the
DC with this role). I believe if all of the objects were created on one DC,
then the RID's would be used sequentially, but if the objects were created
on different DC's you never know. They each have their own pool. Also, there
is no way to tell which DC was used when the object was created.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
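
An added example, not part of any post in this thread: it decodes the base64 objectSid values of an LDIF dump, parses whenCreated, and compares RID order with creation order, tying together the ldifde dump and the RID pool explanation above. It assumes objectSid was added to the -l attribute list; the DNs, timestamps and function names are constructed for illustration.

```python
import base64
import struct
from datetime import datetime, timezone

# Domain sub-authorities shared by the four SIDs quoted in the thread.
DOMAIN = (21, 1993962763, 1035525444, 725345543)

def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def parse_when_created(value: str) -> datetime:
    """Parse generalized time such as 20040115182937.0Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def parse_ldif(text: str) -> list:
    """Return (sid, rid, created) for each blank-line-separated entry."""
    rows = []
    for entry in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        sid = sid_to_string(base64.b64decode(attrs["objectSid:"]))  # "::" marks base64
        created = parse_when_created(attrs["whenCreated"])
        rows.append((sid, int(sid.rsplit("-", 1)[1]), created))
    return rows

def rids_by_creation(rows: list) -> list:
    """RIDs ordered by whenCreated, for comparison with numeric RID order."""
    return [rid for _, rid, _ in sorted(rows, key=lambda r: r[2])]

def _sample_entry(rid: int, created: str) -> str:
    # Constructed sample: hypothetical DN, timestamp chosen for illustration.
    raw = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", *DOMAIN, rid)
    return (f"dn: CN=user{rid},OU=phoenix,DC=company,DC=com\n"
            f"whenCreated: {created}\n"
            f"objectSid:: {base64.b64encode(raw).decode()}\n")

SAMPLE_LDIF = "\n".join(_sample_entry(rid, ts) for rid, ts in [
    (2156, "20040115182937.0Z"), (2197, "20040302091500.0Z"),
    (2251, "20040120140000.0Z"), (2449, "20040118100000.0Z")])

if __name__ == "__main__":
    rows = parse_ldif(SAMPLE_LDIF)
    for sid, rid, created in sorted(rows, key=lambda r: r[2]):
        print(created.isoformat(), sid)
    print("RID order equals creation order:",
          rids_by_creation(rows) == sorted(r[1] for r in rows))
```
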
 
Re: SID question

Thanks to everyone for your comments.

To Syed 1) can I get the creation date for each account even if the account
has been deleted?

to Meinolf 2)

If I run the inverse from SID to name script as per the link - Can I get the
account name even if it has been deleted for a long time?
 
Re: SID question

Hello,

Please refer to this KB article.

http://support.microsoft.com/kb/891995
--
We Don't want to be average We Want to be Great


"Samuel" wrote:

> Thanks to everyone for your comments.
>
> To Syed 1) can I get the creation date for each account even if the account
> has been deleted?
>
> to Meinolf 2)
>
> If I run the inverse from SID to name script as per the link - Can I get the
> account name even if it has been deleted for a long time?
>
>
>
 