
find computer name/sid

Rudolf Meier 291 Reputation points
2021-04-09T14:04:26.693+00:00

I try to find the SID of a computer account in Active Directory.

Why? Well, a service from one computer is calling a service on the other one and the files that are returned should be accessible only by the correct computer. That's why I want to set the security descriptor of this file and to do that, I need the SID of those accounts that are allowed to access it... which in this case is the SID of the calling computer. ... just as an info (maybe someone has a better idea or it answers the "why do you want to do that?" question).

What I do is this:

First I get the computer's account name using

GetComputerObjectName with NameSamCompatible, and then I use LsaLookupNames2 to query the SID... this works.

But... my question is this: Why should I use the legacy account name? That's pre-Windows 2000... that's why I tried to call GetComputerObjectName with NameUserPrincipal ... but... I get an error, which is ERROR_NONE_MAPPED.

... can someone explain to me why? Or ... what's wrong here?

When I take the FQDN of the computer, then replace the first "." I find with "$@" to form something like "computername$@mydomain.local", LsaLookupNames2 works and delivers the correct SID... but... how can I get this name? ... some say that I should build it like I did, because this is "most likely" the account name... but... :-) ... most likely... yeah... that's how we should program, right? ... is there a "correct" way to do this??

thanks
Rudolf

Windows development | Windows API - Win32

1 answer

  1. Michael Taylor 61,226 Reputation points
    2021-04-09T21:37:12.027+00:00

    So you're using C++ then. We just want to provide the solution using whatever language you are using. It cuts down on issues. There is no reason to give you a C#/PS answer if you're using C++ since we can provide a C++ solution instead.

    As @MotoX80 mentions you should be able to use the machine name directly, no reason to use the SID. Have you tried that approach and it doesn't work for some reason? Machine accounts are generally used to give one machine permissions to another such as in DB calls, etc.

    I'm not really sure why you want to avoid the LSA approach, as it is still valid, but the more modern version would be LookupAccountName. While I haven't tested it on domain accounts, across trusted domains, etc., it is documented as working in all those cases. Personally I would just be using the machine name from GetComputerName, but if you got the full DNS name then it is supposed to work with that as well.


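The whole procedure discussed in the question and the answer (resolve the calling computer's account to a SID, then put that SID into the file's DACL) as an added PowerShell example; it is not code from either poster. It uses the .NET NTAccount translation, which performs the LSA name-to-SID lookup under the hood, with the DOMAIN\name$ (SAM-compatible) form first. Computer objects in AD normally have no userPrincipalName attribute populated, so an explicit-UPN lookup has nothing to map; the name$@dns.domain form the question found working is the implicit UPN, and it is used here only as a fallback. The parameter defaults ($env:COMPUTERNAME, $env:USERDOMAIN, $env:USERDNSDOMAIN) and the file path C:\ServiceData\result.bin are assumptions for the example.

```powershell
# Added example, not from the original question or answer.
# Resolve an AD computer account to its SID and grant only that account
# (plus local SYSTEM, so the writing service keeps access) rights on a file.
param(
    [string]$ComputerName = $env:COMPUTERNAME,            # assumed: NetBIOS name of the calling computer
    [string]$Domain       = $env:USERDOMAIN,              # assumed: NetBIOS domain of the computer account
    [string]$Path         = 'C:\ServiceData\result.bin'   # assumed: file the service hands out
)

function Get-ComputerAccountSid {
    param([string]$Name, [string]$NetBiosDomain)
    # Machine accounts have sAMAccountName "<name>$". DOMAIN\name$ is the form
    # LookupAccountName / the LSA lookup resolve reliably.
    $sam = [System.Security.Principal.NTAccount]::new($NetBiosDomain, "$Name`$")
    try {
        return $sam.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Fallback: implicit UPN name$@dns.domain (the form the question found working).
        $dnsDomain = $env:USERDNSDOMAIN                   # assumed: set on domain-joined hosts
        $upn = [System.Security.Principal.NTAccount]::new("$Name`$@$dnsDomain")
        return $upn.Translate([System.Security.Principal.SecurityIdentifier])
    }
}

function Grant-ComputerReadAccess {
    param([string]$FilePath, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -LiteralPath $FilePath
    # Cut inheritance and discard inherited ACEs so only the explicit ACEs below apply.
    $acl.SetAccessRuleProtection($true, $false)

    # Keep local SYSTEM with full control; otherwise a service running as LocalSystem
    # may lose the ability to rewrite the file it just protected.
    $system = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $system,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow))

    # The calling computer's account gets read access only.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.AccessControlType]::Allow))

    Set-Acl -LiteralPath $FilePath -AclObject $acl
}

$sid = Get-ComputerAccountSid -Name $ComputerName -NetBiosDomain $Domain
'{0}\{1}$ -> {2}' -f $Domain, $ComputerName, $sid.Value
Grant-ComputerReadAccess -FilePath $Path -Sid $sid

# Check: the DACL should now list exactly SYSTEM and the computer account.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

One caveat worth checking before relying on this: the remote service only presents the computer account's SID when it runs as LocalSystem or NetworkService, since those identities authenticate over the network as the machine account. A service configured to run under a domain user account authenticates as that user instead, and the ACE on the computer SID will not match it.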
