Re: SID Filtering vs. SIDhistory

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 02/01/04 

Date: Sat, 31 Jan 2004 20:18:32 -0500

> My tool of choice personally is ldp, but I'm in the minority.

That is because the best tool for VIEWING that info is ADFIND... :op

Get it at www.joeware.net on the free win32 tools page. Used by great admins
the world over, I know I get emails from them. US Military really seems to
like it which I don't know is good or bad.

For viewing the sIDHistory attrib on an object you would simply do

adfind -gc -b -f name=username sidhistory

I actually liked some of the functionality of ADSIEDIT in W2K than in XP
though XP has some nice thing; they changed the display facility for some
things. Also I really wish the darn window was sizeable when looking at an
object. I have some MS friends that have been harping on me to write a GUI
version of ADFIND... 

-- 
www.joeware.net
"Eric Fleischman [MSFT]" <efleis@online.microsoft.com> wrote in message
news:%23CHRbJb5DHA.1428@TK2MSFTNGP12.phx.gbl...
> Both adsiedit and ldp let you dig in to the directory and modify just
about
> anything you want. Although if you tune ad users and computers right you
can
> get a lot more than you do by default as well.
>
> My tool of choice personally is ldp, but I'm in the minority. Most 'folk
who
> get in there a lot are using adsiedit. Also, adsiedit from the xp admin
pack
> or 2003 is a bit better and the UI is a bit nicer for modifying attributes
> on a given object.
>
> ~Eric
>
> -- 
> Eric Fleischman [MSFT]
> This posting is provided "AS IS" with no warranties, and confers no rights
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Rich Roller" <rich@*REMOVE-THIS*r2c.com> wrote in message
> news:egGBKoR5DHA.1936@TK2MSFTNGP12.phx.gbl...
> > > tool, but they're actually pretty easy to use. ADSIEdit would
> > probably
> > > be the simplest. If you want to check to see if there is a SID
> > history
> > > populated, let me know and I'll walk you through how to do it.
> >
> > Yeah, why not... thanks.  I'll try to check this next time I'm
> > on-site.
> >
> > Also, should I assume that ADSIedit is powerful/dangerous ala
> > RegEdit?
> >
> > -Rich
> >
> >
>
>

Relevant Pages

  • Re: SID Filtering vs. SIDhistory
    ... Personally I'm quite loyal to ldp, so I don't use the others a ton. ... > That is because the best tool for VIEWING that info is ADFIND... ... > I actually liked some of the functionality of ADSIEDIT in W2K than in XP ... >> Eric Fleischman ...
    (microsoft.public.windows.server.security)
  • Re: seizing master roles and GC
    ... Have you tried to delete it with Ldp? ... We did try a metadata cleanup and ADSIedit. ... ADSIEdit shows that the entery ... >>> We couldn't transfer domain naming master since general catalog could ...
    (microsoft.public.win2000.active_directory)
  • Re: Cant delete a corrupt user object
    ... The user isn't corrupt, it is an object that experienced a replication conflict. ... ADSIEDIT and LDP both can delete this if you can locate it. ... Only when search on "Entire Directory", then you find the user object like: Clarke,Andrew <square control character> CNF:6a70d5f5- 23d1-9cc2-8e96aff678c2. ...
    (microsoft.public.windows.server.active_directory)
  • Re: SID Filtering vs. SIDhistory
    ... don't ever use command line tools. ... > Personally I'm quite loyal to ldp, so I don't use the others a ton. ... >> I actually liked some of the functionality of ADSIEDIT in W2K than in XP ... >>> Use of included script samples are subject to the terms specified at ...
    (microsoft.public.windows.server.security)
  • Re: Link Order of Group Policy Objects
    ... the link order is a property of the OU --> gPLink attribute ... viewing that attribute directly through ADSIEDIT or LDP the order from left ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... I should be able to see them in ADSIEDIT ??? ...
    (microsoft.public.windows.server.active_directory)