Compartilhar via


SDDL form of the SID doesn’t work in Active Directory filter on Windows 2000.

Recently, I was working with a customer who was trying to get the user’s group membership using the TokenGroup attribute. In the VB.Net code, he was using this filter to get the group object back:

Dim sid As String = "S-1-5-21-2146773085-903363285-719344707-606279"

searcher.Filter = String.Format("(&(objectClass=group)(objectSid={0}))", sid)

In his environment, a few domain controllers were running Windows 2000 and his domain’s functional level was Windows Server 2000 native.

By design, Windows 2000 domain controllers do not support SDDL form of SID ("S-1-5-21-2146773085-903363285-719344707-606279") in the search filter. That’s why the application doesn’t return any group values if it is binding to Windows server 2000 DC. <https://connect.microsoft.com/VisualStudio/feedback/details/289470/cannot-search-by-objectsid-in-windows-2000-domain-controller>

To search based on ObjectSid attribute on a Windows Server 2000 domain controller, you will need to provide the binary encoded form of SID in the filter. In our case, this would be: (ObjectSid=\01\05\00\00\00\00\00\05\15\00\00\00\5d\28\f5\7f\d5\3a\d8\35\43\54\e0\2a\47\40\09\00)

An explanation of how to search for octect string ( binary datat ) in the Active Directory is provided at the following MSDN link:

 <msdn2.microsoft.com/en-us/library/ms676930.aspx>

Below is the VB.net method to convert the object SID into the binary encoded form of the SID.

Public Function BinaryEncodeSid(ByVal bSid As Byte()) As String

        Dim sb As System.Text.StringBuilder = New System.Text.StringBuilder()

        For i As Integer = 0 To bSid.Length - 1

            sb.AppendFormat("\{0:x2}", bSid(i))

        Next

        Return sb.ToString()

End Function

Below is an example of how to use the BinaryEncodeSid:

Dim bsid As Byte() = CType(.Properties.Item("tokenGroups").Item(counter), Byte())

Dim str As String = BinaryEncodeSid(bsid)

searcher.Filter = String.Format("(&(objectClass=group)(objectSid={0}))", str)