What are the possibilities in which RIDs can be replicated
I am working on an application in which I identify users and groups on the basis of their RIDs. Hence there would be a problem if duplicate RIDs exist on the domain. The following link http://support.microsoft.com/kb/315062 says that it is possible if the admin seizes the role of the RID manager and two or more users request an RID simultaneously. I wanted to know what other possibilities could result in duplicate RIDs.
Thanks in advance.
The thing I don't understand in your question is why you are using RIDs to distinguish users and groups. The objects are from different classes, so they are naturally distinguished.
In Win32 programming you can just use:
BOOL WINAPI LookupAccountSid(
__in_opt LPCTSTR lpSystemName,
__in PSID lpSid,
__out_opt LPTSTR lpName,
__inout LPDWORD cchName,
__out_opt LPTSTR lpReferencedDomainName,
__inout LPDWORD cchReferencedDomainName,
__out PSID_NAME_USE peUse
);
This API, from the Authorization Functions, retrieves in peUse
whether the SID is a user or a group.
Using the .NET Framework (C#), the SecurityIdentifier
can be used to determine if the SID represents a valid domain account.
Last thing: the way commonly used to distinguish objects in a directory is the objectGUID
attribute. This attribute is present in each object. So you can retrieve objects through the Active Directory Service Interface (ADSI) using SIDs or GUIDs:
"LDAP:///<GUID={28c67c50-9778-47a4-a77a-bf56f238a0c4}>"
or
"LDAP:///<SID=S-1-5-21-500000003-1000000000-1000000003-1001>"
(Edited after your comment) As far as I know, a duplicated RID inside a domain is considered an exception, explained by the loss of the domain controller that serves the role of Relative ID (RID) Master. Perhaps there exist hack tools that are able to patch the AD database to change SIDs, but I don't know them.
Be careful, RIDs may be duplicated in other domains. If you've got subdomains or other trees in your forest, you can find the same RIDs again with different sub-authorities (potentially in the same ACL).
I also found duplicated computer SIDs, but that was due to bad Ghost usage.
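To make the cross-domain point concrete, here is an added example (not code from the question or the answer above) that parses SID strings and shows why keying an application on the RID alone collides as soon as more than one domain is involved, while the full SID, like the objectGUID, stays unique. The SID values are constructed for the example; the `Sid` class and helper functions are this example's own, not a Windows or .NET API.

```python
"""Added example: RID-only keys collide across domains; full SIDs do not.

A domain SID looks like S-1-5-21-<sub1>-<sub2>-<sub3>; an account SID is
that domain SID with the account's RID appended as the last sub-authority.
Two domains in one forest hand out RIDs independently, so RID 1001 in
domain A and RID 1001 in domain B are different accounts.
"""
from collections import defaultdict
from dataclasses import dataclass


# A few RIDs that exist in every domain (well-known, fixed values).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse the textual form S-R-A-s1-s2-...; authority may be hex (0x...)."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision = int(parts[1])
        authority = int(parts[2], 0)          # base 0 accepts "5" and "0x..." forms
        subs = tuple(int(p) for p in parts[3:])
        return cls(revision, authority, subs)

    @property
    def rid(self):
        """Last sub-authority; None for SIDs that have no sub-authorities."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_sid(self):
        """The issuing domain's SID: everything except the RID."""
        return Sid(self.revision, self.identifier_authority, self.sub_authorities[:-1])

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.identifier_authority),
                         *map(str, self.sub_authorities)])


def rid_collisions(sids):
    """Map each RID that belongs to more than one distinct SID to that set of SIDs.

    A RID-keyed lookup table would silently merge every entry in such a set.
    """
    by_rid = defaultdict(set)
    for sid in sids:
        by_rid[sid.rid].add(sid)
    return {rid: group for rid, group in by_rid.items() if len(group) > 1}


def describe(sid):
    """Human-readable note for a SID: well-known RID name if it has one."""
    name = WELL_KNOWN_RIDS.get(sid.rid)
    return f"{sid} (RID {sid.rid}, domain {sid.domain_sid})" + (f" = {name}" if name else "")


if __name__ == "__main__":
    # Constructed sample: two domains of one forest, one account each with RID 1001,
    # plus each domain's built-in Administrator (RID 500).
    sample = [Sid.parse(s) for s in (
        "S-1-5-21-500000003-1000000000-1000000003-1001",   # domain A, user RID 1001
        "S-1-5-21-111111111-222222222-333333333-1001",     # domain B, user RID 1001
        "S-1-5-21-500000003-1000000000-1000000003-500",    # domain A Administrator
        "S-1-5-21-111111111-222222222-333333333-500",      # domain B Administrator
    )]
    for rid, group in sorted(rid_collisions(sample).items()):
        print(f"RID {rid} is shared by {len(group)} distinct SIDs:")
        for sid in sorted(group, key=str):
            print("   ", describe(sid))
```

Running the script reports RID 500 and RID 1001 as shared by two distinct SIDs each: the built-in Administrator exists in every domain by definition, and the ordinary RID 1001 collides only because the second domain allocated it independently. Keying on `str(sid)` (or on objectGUID) instead of `sid.rid` removes both collisions without any extra bookkeeping.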