RudolfMeier-2283 asked cooldadtx answered

find computer name/sid

I am trying to find the SID of a computer account in Active Directory.

Why? Well, a service from one computer is calling a service on the other one, and the files that are returned should be accessible only by the correct computer. That's why I want to set the security descriptor of this file, and to do that I need the SID of those accounts that are allowed to access it... which in this case is the SID of the calling computer. ... just as information (maybe someone has a better idea, or it answers the "why do you want to do that?" question).

What I do is this:

First I get the computer's account name using

GetComputerObjectName with NameSamCompatible and then I use the LsaLookupNames2 to query the SID... this works.

But... my question is this: Why should I use the legacy account name? That's pre-Windows 2000... that's why I tried to call GetComputerObjectName with NameUserPrincipal ... but... I get an error, which is ERROR_NONE_MAPPED.

... can someone explain to me why? Or ... what's wrong here?

When I take the FQDN of the computer, then replace the first . I find with $@ and form something like "computername$@mydomain.local", LsaLookupNames2 works and delivers the correct SID... but... how can I get this name? ... some say that I should build it like I did, because this is "most likely" the account name... but... :-) ... most likely... yeah... that's how we should program, right? ... is there a "correct" way to do this??

thanks
Rudolf

windows-api

Please provide the context of the language/platform you're using. For example: C#, C++, ASP.NET, etc.


Only the 2 functions GetComputerObjectName and LsaLookupNames2 are used and those are part of the Windows-API. You can call them from many different languages/systems.


Yes, but which language are you trying to use? If you're using C++ then we are limited to the WinAPI. If you're using .NET then we have access to the entire WMI, AD and win sec libraries, so we can do things a lot easier. The answer to "how?" will depend upon what language you're using.


1 Answer

cooldadtx answered

So you're using C++ then. We just want to provide the solution using whatever language you are using. It cuts down on issues. There is no reason to give you a C#/PS answer if you're using C++ since we can provide a C++ solution instead.

As @MotoX80 mentions you should be able to use the machine name directly, no reason to use the SID. Have you tried that approach and it doesn't work for some reason? Machine accounts are generally used to give one machine permissions to another such as in DB calls, etc.

I'm not really sure why you want to avoid the LSA approach, as it is still valid, but the more modern version would be LookupAccountName. While I haven't tested it on domain accounts, across trusted domains, etc., it is documented as working in all those cases. Personally I would just be using the machine name from GetComputerName, but if you got the full DNS name then it is supposed to work with that as well.
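An added example, not code from the question or the answer, that walks both halves of the thread: resolving the calling computer's account to a SID from the two name forms the poster discusses (the SAM-compatible "DOMAIN\NAME$" and the hand-built "NAME$@dns.domain"), using the LookupAccountName call the answer recommends, and then putting that SID into the file's DACL, which is what the poster wants the SID for. It is written in PowerShell (P/Invoke over the same advapi32 export the poster would call from C++) so it can be tried on a domain-joined Windows box without a compiler. The names CONTOSO, contoso.local, APP01 and the path C:\ServiceData\result.bin are placeholders; the function names are mine. The Win32 error codes used are ERROR_INSUFFICIENT_BUFFER (122) and ERROR_NONE_MAPPED (1332).

```powershell
# Added example (not from the original post). Assumes a domain-joined machine
# and a caller allowed to change the target file's ACL. CONTOSO, contoso.local,
# APP01 and the file path are placeholders.

Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool LookupAccountName(
    string lpSystemName, string lpAccountName,
    byte[] Sid, ref uint cbSid,
    System.Text.StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName,
    out int peUse);
'@

function Resolve-AccountSid {
    # Name -> SID via LookupAccountName, with the usual two-call size probe.
    param([Parameter(Mandatory)][string]$AccountName)

    $cbSid = [uint32]0; $cchDomain = [uint32]0; $use = 0
    # First call with empty buffers fails with ERROR_INSUFFICIENT_BUFFER (122)
    # and fills in the sizes needed. Any other error means the name did not resolve;
    # ERROR_NONE_MAPPED (1332) is the one the poster hit with the UPN form.
    [void][Win32.Advapi32]::LookupAccountName($null, $AccountName, $null, [ref]$cbSid, $null, [ref]$cchDomain, [ref]$use)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($err -ne 122) {
        throw "LookupAccountName('$AccountName') failed with Win32 error $err"
    }
    $sid    = [byte[]]::new($cbSid)
    $domain = [System.Text.StringBuilder]::new([int]$cchDomain)
    if (-not [Win32.Advapi32]::LookupAccountName($null, $AccountName, $sid, [ref]$cbSid, $domain, [ref]$cchDomain, [ref]$use)) {
        throw "LookupAccountName('$AccountName') failed with Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    [PSCustomObject]@{
        Name   = $AccountName
        Sid    = [System.Security.Principal.SecurityIdentifier]::new($sid, 0)
        Domain = $domain.ToString()   # authority that owns the account, e.g. CONTOSO
        Use    = $use                 # SID_NAME_USE: 2 = group, 4 = alias, 5 = well-known group
    }
}

function Get-ComputerAccountNames {
    # The two spellings of a computer account: what GetComputerObjectName
    # returns for NameSamCompatible, and the UPN-style form built from the FQDN.
    param(
        [Parameter(Mandatory)][string]$NetBiosDomain,
        [Parameter(Mandatory)][string]$DnsDomain,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    [PSCustomObject]@{
        SamCompatible = "$NetBiosDomain\$ComputerName`$"   # CONTOSO\APP01$
        UpnStyle      = "$ComputerName`$@$DnsDomain"       # APP01$@contoso.local
    }
}

function Grant-ReadToComputer {
    # Replace inherited ACEs with an explicit DACL: the service's own identity
    # keeps full control, the calling computer's account gets read only.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$CallerSid
    )
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, do not copy inherited ACEs
    $self  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $rules = @(
        @{ Who = $self;      Rights = [System.Security.AccessControl.FileSystemRights]::FullControl },
        @{ Who = $CallerSid; Rights = [System.Security.AccessControl.FileSystemRights]::Read }
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $r.Who, $r.Rights, [System.Security.AccessControl.AccessControlType]::Allow))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage with the placeholder names. The caller is the computer CONTOSO\APP01$.
$names = Get-ComputerAccountNames -NetBiosDomain 'CONTOSO' -DnsDomain 'contoso.local' -ComputerName 'APP01'
$bySam = Resolve-AccountSid -AccountName $names.SamCompatible
$byUpn = Resolve-AccountSid -AccountName $names.UpnStyle
# Both spellings must name the same object; a mismatch means one of them hit a
# different account (e.g. a user with the same sAMAccountName in another domain).
if ($bySam.Sid.Value -ne $byUpn.Sid.Value) { throw 'SAM and UPN forms resolved to different SIDs' }
# Never grant a group or alias by accident: the ACE is for one machine account.
if ($bySam.Use -in 2, 4, 5) { throw "$($bySam.Name) is a group, not an account (SID_NAME_USE=$($bySam.Use))" }
Grant-ReadToComputer -Path 'C:\ServiceData\result.bin' -CallerSid $bySam.Sid
```

Two practical notes. The comparison of the two resolved SIDs is the check that turns the poster's "most likely" into something verifiable: if GetComputerObjectName's SAM name and the FQDN-derived UPN form disagree, the hand-built name is wrong and should not be used for the ACE. And the DACL is made protected on purpose; with inheritance left on, whatever the parent folder grants (often Users: Read) would let other machines read the file regardless of the computer-account ACE.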
