
What are the possibilities in which RIDs can be replicated

Developer https://www.devze.com 2023-03-13 01:18 Source: web
I am working on an application in which I identify users and groups on the basis of their RIDs. Hence there would be a problem if duplicate RIDs existed on the domain. The following link http://support.microsoft.com/kb/315062 says that it is possible if the admin seizes the role of the RID manager and two or more users request an RID simultaneously. I wanted to know what other possibilities could result in duplicate RIDs.


Thanks in advance.


What I don't understand in your question is why you are using RIDs to distinguish users from groups. The objects are from different classes, so they are naturally distinguished.

In Win32 programming you can just use:

BOOL WINAPI LookupAccountSid(
  __in_opt   LPCTSTR lpSystemName,
  __in       PSID lpSid,
  __out_opt  LPTSTR lpName,
  __inout    LPDWORD cchName,
  __out_opt  LPTSTR lpReferencedDomainName,
  __inout    LPDWORD cchReferencedDomainName,
  __out      PSID_NAME_USE peUse
);

This API comes from the Authorization Functions; it returns in peUse whether the SID is a user or a group.

Using the .NET Framework (C#), the SecurityIdentifier class can be used to determine whether the SID represents a valid domain account.

One last thing: the way commonly used to distinguish objects in a directory is the objectGUID attribute. This attribute is present on each object. So you can retrieve objects through Active Directory Service Interfaces (ADSI) using SIDs or GUIDs:

"LDAP:///<GUID={28c67c50-9778-47a4-a77a-bf56f238a0c4}>"

or

"LDAP:///<SID=S-1-5-21-500000003-1000000000-1000000003-1001>"

(Edited after your comment) As far as I know, a duplicated RID inside a domain is considered an exception, explained by the loss of the domain controller that holds the Relative ID (RID) Master role. Perhaps there exist hacking tools that are able to patch the AD database to change SIDs, but I don't know of them.

Be careful: RIDs may be duplicated across domains. If you have subdomains or other trees in your forest, you can find the same RIDs again with different sub-authorities (potentially in the same ACL).

I also found duplicated computer SIDs, but that was due to bad Ghost usage.

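The answer's two practical points are that the RID is only the last sub-authority of a SID, so the same RID recurs in every domain of a forest, and that only a duplicate of the full SID (the scenario in the KB article) is an actual collision. The following is an added example, not code from the question, the answer or any Microsoft library: a small SID parser for the documented string and binary forms (the binary form is what the objectSid attribute holds), followed by an index of constructed accounts keyed once by RID and once by full SID. The domain SIDs, account names and the "after a RID master seizure" data set are made up for illustration.

```python
"""Parse Windows SIDs and show why a RID alone is not a safe key.

Added example; only the SID layout is real, all account data is constructed.
String form:  S-<revision>-<identifier authority>-<sub-authority>-...-<RID>
Binary form:  1 byte revision, 1 byte sub-authority count,
              6 bytes identifier authority (big-endian),
              then each sub-authority as a 4-byte little-endian integer.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse the textual S-R-I-S... form."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        revision = int(parts[1])
        # Identifier authority is decimal, or 0x-prefixed hex when it exceeds 32 bits.
        auth = parts[2]
        authority = int(auth, 16) if auth.lower().startswith("0x") else int(auth)
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
            raise ValueError(f"malformed SID: {text!r}")
        if any(s >= 1 << 32 for s in subs):
            raise ValueError(f"sub-authority out of range: {text!r}")
        return cls(revision, authority, subs)

    @classmethod
    def from_bytes(cls, data):
        """Parse the binary form, e.g. the value of the objectSid attribute."""
        if len(data) < 8:
            raise ValueError("SID too short")
        revision, count = data[0], data[1]
        if count > 15 or len(data) != 8 + 4 * count:
            raise ValueError("sub-authority count does not match length")
        authority = int.from_bytes(data[2:8], "big")
        return cls(revision, authority, struct.unpack("<%dI" % count, data[8:]))

    def to_bytes(self):
        n = len(self.sub_authorities)
        return (bytes([self.revision, n]) + self.authority.to_bytes(6, "big")
                + struct.pack("<%dI" % n, *self.sub_authorities))

    def __str__(self):
        auth = self.authority if self.authority < 1 << 32 else "0x%012X" % self.authority
        return "-".join(["S", str(self.revision), str(auth)]
                        + [str(s) for s in self.sub_authorities])

    @property
    def rid(self):
        return self.sub_authorities[-1]

    @property
    def domain_sid(self):
        """For a domain account SID (S-1-5-21-A-B-C-RID) the domain part, else None."""
        subs = self.sub_authorities
        if self.authority == 5 and len(subs) == 5 and subs[0] == 21:
            return Sid(self.revision, self.authority, subs[:-1])
        return None


# Constructed forest: root domain CORP and child domain CHILD. Each has its
# built-in Administrator (RID 500) and one user that happens to hold RID 1001.
FOREST = {
    "CORP\\Administrator":  "S-1-5-21-500000003-1000000000-1000000003-500",
    "CORP\\alice":          "S-1-5-21-500000003-1000000000-1000000003-1001",
    "CHILD\\Administrator": "S-1-5-21-700000001-2000000002-3000000003-500",
    "CHILD\\bob":           "S-1-5-21-700000001-2000000002-3000000003-1001",
}

# Constructed version of the question's scenario: after a RID master seizure,
# CORP issued RID 1001 a second time, so two objects carry the same full SID.
FOREST_AFTER_SEIZURE = {**FOREST,
                        "CORP\\carol": "S-1-5-21-500000003-1000000000-1000000003-1001"}


def collisions(accounts, key):
    """Map each key(sid) value to the accounts sharing it; keep only shared keys."""
    seen = {}
    for name, text in accounts.items():
        seen.setdefault(key(Sid.parse(text)), []).append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}


def rid_collisions(accounts=FOREST):
    """Keyed on the RID alone: accounts from different domains look identical."""
    return collisions(accounts, lambda s: s.rid)


def sid_collisions(accounts=FOREST):
    """Keyed on the full SID: only a genuinely duplicated SID collides."""
    return collisions(accounts, str)


if __name__ == "__main__":
    for name, text in FOREST.items():
        sid = Sid.parse(text)
        print(f"{name:22} domain={sid.domain_sid} rid={sid.rid} bin={sid.to_bytes().hex()}")
    print("by RID:", rid_collisions())
    print("by SID:", sid_collisions())
    print("by SID after seizure:", sid_collisions(FOREST_AFTER_SEIZURE))
```

Keying on the RID reports two false collisions in a healthy forest (RID 500 and RID 1001 each appear in both domains), while keying on the full SID reports nothing until the constructed post-seizure data set, where two distinct objects really do share one SID. That is the check worth running over an objectSid export if you suspect a RID pool problem; for everyday identification, the objectGUID the answer recommends avoids the question altogether.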