Guest Samuel
Posted July 1, 2008

Hi,

I have 4 SIDs in AD. Is there any way I can trace around what time they were created?

The SIDs are

S-1-5-21-1993962763-1035525444-725345543-2156
S-1-5-21-1993962763-1035525444-725345543-2197
S-1-5-21-1993962763-1035525444-725345543-2251
S-1-5-21-1993962763-1035525444-725345543-2449

Is it safe to assume that 2156 is created first, and then 2197, i.e. are they created in some sequence or what?

Thx

Guest Meinolf Weber
Posted July 1, 2008

Re: SID question

Hello Samuel,

If you only see a SID, the account/group can be deleted. To figure out the normal name you can use a small script at the end of this page. Maybe it helps:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1203.mspx

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi,
>
> I have 4 SIDs in AD. Is there any way I can trace around what time
> they were created?
>
> The SIDs are
>
> S-1-5-21-1993962763-1035525444-725345543-2156
> S-1-5-21-1993962763-1035525444-725345543-2197
> S-1-5-21-1993962763-1035525444-725345543-2251
> S-1-5-21-1993962763-1035525444-725345543-2449
>
> Is it safe to assume that 2156 is created first, and then 2197, i.e.
> are they created in some sequence or what?
>
> Thx

Guest Syed Khairuddin
Posted July 1, 2008

RE: SID question

Yes, you can trace them, but before that you have to convert the SID to an object name using a freeware tool like sidtoname, which can be downloaded from here:
http://www.joeware.net/freetools/tools/sidtoname/index.htm

After that you can get the creation date for each account from Active Directory. Every AD object has a WhenCreated and WhenChanged attribute. You can dump these attributes into a flat file using the LDIFDE utility, or you can dump them into a comma-delimited file using CSVDE (both utilities come with Windows Support tools). Here's the syntax to dump the two attributes for the user objects in an OU called Phoenix in a domain called Company.com to the console for viewing (the entire entry should be typed as a single line):

    ldifde -d ou=phoenix,dc=company,dc=com -l whencreated,whenchanged -p onelevel -r "(ObjectCategory=user)" -f con

If you wanted to save the dump to a file, change the -f switch from con to a file name.

The last logon timestamp uses this format: YYYYMMDDHHMMSS, with the hour shown in Universal Coordinated Time. A time stamp of 20040115182937.0Z corresponds to Jan 15 2004 18:29:37 UCT.

USRSTAT is slow, and the report you get has to be merged with the LDIFDE dump. So, I put together a script that searches for user objects at each domain controller, then lists the local logon time and the creation time. The user logon timestamp requires conversion from a long integer.
http://www.mcpmag.com/columns/article.asp?EditorialsID=660

Thanks for Understanding
--
We Don't want to be average We Want to be Great

"Samuel" wrote:

> Hi,
>
> I have 4 SIDs in AD. Is there any way I can trace around what time they
> were created?
>
> The SIDs are
>
> S-1-5-21-1993962763-1035525444-725345543-2156
> S-1-5-21-1993962763-1035525444-725345543-2197
> S-1-5-21-1993962763-1035525444-725345543-2251
> S-1-5-21-1993962763-1035525444-725345543-2449
>
> Is it safe to assume that 2156 is created first, and then 2197, i.e. are
> they created in some sequence or what?
>
> Thx

Guest Richard Mueller [MVP]
Posted July 1, 2008

Re: SID question

"Samuel" <Samuel@discussions.microsoft.com> wrote in message news:83A52A96-2D8E-4DDB-B101-BB72BB71349E@microsoft.com...

> Hi,
>
> I have 4 SIDs in AD. Is there any way I can trace around what time they
> were created?
>
> The SIDs are
>
> S-1-5-21-1993962763-1035525444-725345543-2156
> S-1-5-21-1993962763-1035525444-725345543-2197
> S-1-5-21-1993962763-1035525444-725345543-2251
> S-1-5-21-1993962763-1035525444-725345543-2449
>
> Is it safe to assume that 2156 is created first, and then 2197, i.e. are
> they created in some sequence or what?
>
> Thx

To answer your last question, no, you cannot assume that 2156 was created before 2449. Each DC is assigned a pool of RID values by the RID Master (the DC with this role). I believe if all of the objects were created on one DC, then the RIDs would be used sequentially, but if the objects were created on different DCs you never know. They each have their own pool. Also, there is no way to tell which DC was used when the object was created.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
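
An added example (not part of the original thread and not any poster's code) tying together the whenCreated dump and the RID-ordering question above: it decodes the binary objectSid values that an LDIF dump carries as base64, parses the whenCreated timestamps, and checks whether RID order matches creation order. The domain part and RIDs are the ones from the question; the timestamps and user names are constructed, and unfolded LDIF lines are assumed.

```python
import base64
import struct
from datetime import datetime, timezone

def sid_to_bytes(sid):
    """String SID -> binary objectSid layout."""
    _, rev, auth, *subs = sid.split("-")
    head = bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *map(int, subs))

def sid_from_bytes(raw):
    """Binary objectSid -> string SID; rejects a truncated value."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])  # little-endian uint32 each
    return "-".join(map(str, ("S", raw[0], int.from_bytes(raw[2:8], "big"), *subs)))

def parse_when(value):
    """whenCreated (YYYYMMDDHHMMSS.0Z) -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Return [(sid, rid, created)] per entry of an LDIF dump."""
    rows = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, rest = line.partition(":")
            is_b64 = rest.startswith(":")  # "attr:: value" carries base64
            attrs[name.lower()] = base64.b64decode(rest[1:]) if is_b64 else rest.strip()
        sid = sid_from_bytes(attrs["objectsid"])
        rows.append((sid, int(sid.rsplit("-", 1)[1]), parse_when(attrs["whencreated"])))
    return rows

def rid_order_matches_creation(rows):
    """True only if sorting by RID equals sorting by whenCreated."""
    return sorted(rows, key=lambda r: r[1]) == sorted(rows, key=lambda r: r[2])

# Constructed sample: domain part and RIDs are from the question; timestamps are invented.
DOMAIN = "S-1-5-21-1993962763-1035525444-725345543"
CONSTRUCTED = [(2156, "20040115182937.0Z"), (2197, "20031120090000.0Z"),
               (2251, "20040302141500.0Z"), (2449, "20040210080000.0Z")]
SAMPLE_LDIF = "\n\n".join(
    f"dn: CN=user{rid},OU=phoenix,DC=company,DC=com\nwhenCreated: {when}\n"
    f"objectSid:: {base64.b64encode(sid_to_bytes(f'{DOMAIN}-{rid}')).decode()}"
    for rid, when in CONSTRUCTED)

if __name__ == "__main__":
    print(*sorted(parse_ldif(SAMPLE_LDIF), key=lambda r: r[2]), sep="\n")
```

On a real dump, include objectSid in the ldifde attribute list so each entry carries both values.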

Guest Samuel
Posted July 1, 2008

Re: SID question

Thanks everyone for your comments.

To Syed:
1) Can I get the creation date for each account even if the account has been deleted?

To Meinolf:
2) If I run the inverse from SID to name script as per the link, can I get the account name even if it has been deleted for a long time?

Guest Syed Khairuddin
Posted July 2, 2008

Re: SID question

Hello,

Please refer to this KB article.
http://support.microsoft.com/kb/891995

--
We Don't want to be average We Want to be Great

"Samuel" wrote:

> Thanks everyone for your comments.
>
> To Syed:
> 1) Can I get the creation date for each account even if the account
> has been deleted?
>
> To Meinolf:
> 2) If I run the inverse from SID to name script as per the link, can I get the
> account name even if it has been deleted for a long time?