Re: Inserting Raw SID Into User Group



It's a matter of time. I believe the hacker did his work long ago and
won't be back. The box will be rebuilt when there is time, roughly in two
weeks. In the interim I want to do what I can.

Is there a command line utility that would take the SID as an argument, or
even the winnt://<sid> syntax as input?

--
Will



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OAulGjSMGHA.2416@xxxxxxxxxxxxxxxxxxxxxxx
Note: I have never tried this with a known invalid SID, but I have done
this while the needed trust to verify the SID was inaccessible.

If you script, the normal ways to add a member to a group do accept the
syntax winnt://<sid> instead of the AdsPath for the principal being
added.

(so you are about to rebuild the box but first want to deny all access to
that box to the principal the sid represents ??? ok, I believe :-))
--
Roger Abell
Microsoft MVP (Windows Server : Security)

"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:reKdnYQMJKBywWzeRVn-tw@xxxxxxxxxxxxxxx
On a computer that was hacked I have a user who created a raw SID in the
Administrator's group that doesn't appear to correspond to any forest on
our network. Before I retire the machine and rebuild it, I would like to
add the SID in question to a group that is denied access to any resources
on the computer. But I can't add in raw SIDs in the User and Computers AD
administration application. Does anyone know how to put a raw SID into a
group? The hacker knew how to do it, apparently. :)

--
Will
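
The scripted approach from the reply above (passing `WinNT://<sid>` where the member's AdsPath would normally go), as an added example that is not part of the original thread. The SID value is a constructed placeholder and `QuarantineDeny` is a hypothetical local group assumed to exist already; the thread does not confirm how the provider behaves when the SID cannot be resolved, so the script re-reads the membership instead of trusting the call.

```powershell
# Added example, not from the thread. Run elevated on the affected machine.
param(
    [string]$Sid       = 'S-1-5-21-1111111111-2222222222-3333333333-1105', # constructed placeholder
    [string]$GroupName = 'QuarantineDeny'                                  # hypothetical local group
)

# Throws on anything that is not a syntactically valid SID string.
$sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)

# Bind to the existing local group through the WinNT provider.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"

# Return the SID string of every current member of the group.
function Get-GroupMemberSid {
    param($Group)
    foreach ($m in @($Group.psbase.Invoke('Members'))) {
        $t = $m.GetType()
        try {
            $bytes = [byte[]]$t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        } catch {
            # Fallback: an unresolved member is expected to show up as WinNT://<sid>.
            ($t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)) -replace '^WinNT://', ''
        }
    }
}

if ((Get-GroupMemberSid $group) -contains $sidObj.Value) {
    Write-Output "$($sidObj.Value) is already in $GroupName"
    return
}

# The SID string takes the place of the usual WinNT://DOMAIN/account path.
$group.psbase.Invoke('Add', "WinNT://$($sidObj.Value)")

# Verify by re-reading the membership rather than assuming the Add succeeded.
if ((Get-GroupMemberSid $group) -contains $sidObj.Value) {
    Write-Output "Added $($sidObj.Value) to $GroupName"
} else {
    Write-Error "Add returned without error but $($sidObj.Value) is not listed in $GroupName"
}
```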