I have not had formal training with VBScript and it shows! Anyway, I can get a script to find the SID of an object, but if I want to display or write that SID out to a file, I am having data type issues. How do I modify this script to pass the object's SID out in a useful form?

ADGroup = InputBox("I.E. SQLSERVERENTMGR", "Please enter Active Directory group", "SQLSERVERENTMGR")

Set objGroup = GetObject("LDAP://CN=" & ADGroup & ",OU=Applications,OU=Users and Groups,DC=f00,DC=bar")

WScript.Echo objGroup.objectSID    ' <--- Outputs a ?
Set GUID = objGroup.objectSID      ' <--- Outright fails


Are you trying to run this code inside or outside of Windows Installer?

Try the following line:
msgbox cstr(objGroup.objectSID)
Answered 07/27/2005 by: brenthunter2005
Fifth Degree Brown Belt

I found a bone after my third Google expedition for answers, but I have not had time to rewrite this for my purposes. In short, getting this info out of AD is not as simple as it sounds. I have to thank Richard Mueller for posting this on USENET:

Option Explicit
Dim objUser, arrSid, strSidHex, objTrans, strUserDN, strSidDec

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME = 12

' Bind to object.
Set objUser = GetObject("LDAP://cn=Test,ou=Sales,dc=MyDomain,dc=com")

' Retrieve SID (an OctetString, i.e. a byte array) and convert it
' to a hex string, then to the familiar S-1-5-... decimal string.
arrSid = objUser.objectSid
strSidHex = OctetToHexStr(arrSid)
Wscript.Echo strSidHex
strSidDec = HexStrToDecStr(strSidHex)
Wscript.Echo strSidDec

' Use the NameTranslate object to convert objectSid to
' Distinguished Name.
Set objTrans = CreateObject("NameTranslate")
' Initialize NameTranslate by locating the Global Catalog.
objTrans.Init ADS_NAME_INITTYPE_GC, ""
' Use the Set method to specify the SID format of the object name.
objTrans.Set ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME, strSidDec
' Use the Get method to retrieve the Distinguished Name of the user object.
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
Wscript.Echo strUserDN


Function OctetToHexStr(arrbytOctet)
' Function to convert OctetString (byte array) to Hex string,
' two hex digits per byte.
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrbytOctet)
        OctetToHexStr = OctetToHexStr _
            & Right("0" & Hex(AscB(MidB(arrbytOctet, k, 1))), 2)
    Next
End Function

Function HexStrToDecStr(strSid)
' Function to convert hex Sid to decimal (SDDL) Sid.
' Binary SID layout: byte 0 = revision, byte 1 = number of
' sub-authorities, bytes 2-7 = identifier authority (big-endian),
' then one 4-byte little-endian value per sub-authority.
    Dim arrbytSid, dblAuthority, dblSub, intCount, j, k

    ReDim arrbytSid(Len(strSid)/2 - 1)
    For j = 0 To UBound(arrbytSid)
        arrbytSid(j) = CInt("&H" & Mid(strSid, 2*j + 1, 2))
    Next

    intCount = arrbytSid(1)

    ' Identifier authority: 6 bytes, most significant first.
    ' Accumulate in a Double so values above 2^31 do not overflow.
    dblAuthority = 0
    For j = 2 To 7
        dblAuthority = dblAuthority * 256 + CDbl(arrbytSid(j))
    Next

    HexStrToDecStr = "S-" & arrbytSid(0) & "-" & CStr(dblAuthority)

    ' Sub-authorities: 4 bytes each, least significant byte first.
    ' Reading all four bytes keeps RIDs above 65535 intact.
    For j = 0 To intCount - 1
        dblSub = 0
        For k = 3 To 0 Step -1
            dblSub = dblSub * 256 + CDbl(arrbytSid(8 + 4*j + k))
        Next
        HexStrToDecStr = HexStrToDecStr & "-" & CStr(dblSub)
    Next
End Function
Answered 07/27/2005 by: kkaminsk
Ninth Degree Black Belt

  • Worked great - just save in Notepad with a .vbs extension, edit the LDAP string at the top of the script (LDAP://cn=Test,ou=Sales,dc=MyDomain,dc=com) to your user and domain.

    For those unfamiliar with LDAP string syntax:

    CN=Test : "Test" would be the account - must replace "Test" with the full Display Name (FirstName MI. LastName) for your user
    OU=Sales : "Sales" is the name of the OU. If you have sub-OUs to go before you get to your user, you have to do them in backwards order, starting at the one where the account is, and heading up until (and not including) your domain level. So say I have a Users OU, then a Europe OU under it. It would be this, instead of OU=Sales:

    OU=Europe, OU=Users

    DC=MyDomain, DC=com : Replace "MyDomain" with the domain that appears in front of your log-in account. It is often in between the "www" and "com" in your company URL, but it doesn't have to be. It should actually be the same as what it shows in Active Directory, but separate each section with ",DC=" instead of periods - except you would only need one comma prior to the first "DC=". Example, if your domain was subdomain.mydomain.com, it would be:
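The same binary objectSid layout parsed in Python, as an added example that is not from the thread or from Richard Mueller's script; the sample SID bytes are constructed, and posted_script_rid reproduces only the two-byte RID arithmetic of the script above to show how a hard-coded byte offset silently yields the wrong account.

```python
import struct

# Binary layout of objectSid (the same bytes the VBScript receives):
#   byte 0       revision (always 1)
#   byte 1       N = number of sub-authorities (0..15)
#   bytes 2-7    48-bit identifier authority, big-endian (5 = NT Authority)
#   bytes 8..    N sub-authorities, each a 32-bit little-endian integer;
#                the last one is the RID of the account


def sid_bytes_to_sddl(data: bytes) -> str:
    """Convert a binary SID into its S-1-5-21-... string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15:
        raise ValueError("not a valid SID header")
    if len(data) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sddl_to_sid_bytes(sddl: str) -> bytes:
    """Inverse conversion, e.g. for building an LDAP filter on objectSid."""
    parts = sddl.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def posted_script_rid(data: bytes) -> int:
    """RID the way the posted VBScript computes it: from bytes 24 and 25 only,
    so any RID above 65535 is truncated to its low 16 bits."""
    return data[25] * 256 + data[24]


# Constructed sample (not a real domain): revision 1, five sub-authorities,
# NT authority, sub-authorities 21, 1234567890, 987654321, 3000000000 and
# a RID of 66537, which is above the 16-bit limit of the posted script.
SAMPLE_SID = bytes.fromhex(
    "0105" "000000000005" "15000000"
    "d2029649" "b168de3a" "005ed0b2" "e9030100")

if __name__ == "__main__":
    print(sid_bytes_to_sddl(SAMPLE_SID))  # S-1-5-21-1234567890-987654321-3000000000-66537
    print(posted_script_rid(SAMPLE_SID))  # 1001, a different account
```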

