I try to find the SID of a computer account in Active Directory.
Why? Well, a service from one computer is calling a service on the other one and the files that are returned should be accessible only by the correct computer. That's why I want to set the security descriptor of this file and to do that, I need the SID of those accounts that are allowed to access it... which in this case is the SID of the calling computer. ... just as an info (maybe someone has a better idea or it answers the "why do you want to do that?" question).
What I do is this:
First I get the computers account name using
GetComputerObjectName with NameSamCompatible and then I use the LsaLookupNames2 to query the SID... this works.
But... my question is this: Why should I use the legacy account name? That's pre-Windows 2000... that's why I tryed to call GetComputerObjectName with NameUserPrincipal ... but... I get an error which is ERROR_NONE_MAPPED.
... can someone explain me why? Or ... what's wrong here?
When I take the FQDN of the computer, then replace the first . I find with $@ and form something like "firstname.lastname@example.org", LsaLookupNames2 works and delivers the correct SID... but... how can I get this name? ... some say, that I should build it like I did, because this is "most likely" the account name... but... :-) ... most likely... yeah... that's how we should program, right? ... is there a "correct" way to do this??