Regarding Active Directory: extracting the user NT name (pre-Windows 2000 user logon name)

  • Question

  • Hi there,

I have a development issue: I need to find an AD user's pre-Windows 2000 user logon name. I use the following code to extract the user logon name (pre-Windows 2000) and this error comes up.

    using (System.DirectoryServices.DirectorySearcher searcher = new System.DirectoryServices.DirectorySearcher())
    {
        searcher.SearchRoot = domain;
        searcher.PropertiesToLoad.Add("sAMAccountName");
        searcher.PropertiesToLoad.Add("userPrincipalName");
        searcher.PropertiesToLoad.Add("objectSid");
        searcher.Filter = "(userPrincipalName=" + userNameOrEmail + ")";
        try
        {
            using (System.DirectoryServices.SearchResultCollection results = searcher.FindAll())
            {
                if (results == null || results.Count == 0)
                {
                }   //continue;
                else
                {
                    byte[] SID = null;
                    if (results[0].Properties["objectSid"].Count > 0)
                    {
                        SID = (byte[])results[0].Properties["objectSid"][0];
                        //string sid = "S-1-5-21-789336058-507921405-854245398-9938";
                        string sid = GetSidString(SID);
                        //this line error -- >
                        string account = new System.Security.Principal.SecurityIdentifier(sid).Translate(typeof(System.Security.Principal.NTAccount)).ToString();
                    }
                }
            }
        } // End Try
        catch (System.Exception eX)
        {
        }
    } // End Using searcher

The error happens at this line: `string account = new System.Security ........`

The error is:

    {"Some or all identity references could not be translated."}

Does anyone have any idea about it? Thanks.

    ****** I just want to get the User Logon Name (Pre-Windows 2000) ******

    Hi there, if you found my comment very helpful then please | Propose as answer | . Thanks and Regards.

    • Edited by Will .H Tuesday, May 12, 2020 10:18 AM
    Tuesday, May 12, 2020 9:30 AM

All replies

  • I'm going to guess the issue is with your `GetSidString`, but I'm guessing here. It could also be an issue with your query. Your query is asking for everything that matches the name, user or otherwise. If you get something that isn't a user, then trying to convert to `NTAccount` will fail with this message. Here's how you should query for a name; note that I changed to using just `name` because it is more likely to match than the formal principal name.

    var filter = "(&(objectClass=user)(name=" + userNameOrEmail + "))";
    using (var searcher = new DirectorySearcher(domain, filter))

    Then, for debugging purposes, dump all the properties so you can look for what you need. We don't have a 2K domain here so I cannot find such a property on our system. It is possible that only the 2K DC would have it, in which case you'd need a trust domain or something, but you'd need to ask on TechNet about those permissions.

    var properties = from p in results[0].Properties.OfType<DictionaryEntry>()
                        let values = (p.Value as ResultPropertyValueCollection).OfType<object>()
                        orderby p.Key
                        select new { Name = p.Key, Value = String.Join(", ", values) };
    foreach (var prop in properties)
        Console.WriteLine($"{prop.Name} = {prop.Value}");

    Finally, once you've found the user, the conversion should work.

    var prop = (byte[])results[0].Properties["objectSid"][0];
    var sid = new SecurityIdentifier(prop, 0);
    var account = sid.Translate(typeof(NTAccount));
    var accountName = account.ToString();

    Michael Taylor http://www.michaeltaylorp3.net

    Tuesday, May 12, 2020 2:08 PM
  • Hi Michael Taylor,

    I tried the method you provided. If I use the code to test against the LOCAL AD, it works well; on the contrary, if the AD is NOT LOCAL but a remote AD, the same error "{"Some or all identity references could not be translated."}" comes up. It happens at this line:

    var account = sid.Translate(typeof(NTAccount));

    Some or all identity references could not be translated.
       at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
       at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
       at Cons.Sample.Program.Main(String[] args) in C:\Users\Administrator\source\repos\Cons.Sample\Cons.Sample\Program.cs:line 58

    So can we only access a local AD using this method (my AD is not local but remote, Windows 2016 version), or is there something missing?


    • Edited by Will .H Wednesday, May 13, 2020 3:33 AM
    Wednesday, May 13, 2020 3:19 AM
  • This sounds like a domain issue to me and should probably be escalated to your IT team, although you might get a partial answer on TechNet. It sounds like the local AD server being contacted is unable to resolve the SID because it cannot get to the AD where the account is. In my experience it has been because of a trust issue. You can easily verify this by simply trying to create the `NTAccount` object using the user's domain and name information directly. If that call fails, then it is a domain issue and nothing to do with your code. No amount of code adjustments is going to resolve this.

    But the more I think about your code, the more I wonder why you need the `NTAccount`. All this type is going to do is give you the account name information. But you already have that, because you queried AD directly. So everything you might need to know about this user is already available in the query you just ran. At this point there doesn't seem to be any benefit in converting to an `NTAccount`, which would resolve your issue, wouldn't it?

    Michael Taylor http://www.michaeltaylorp3.net

    Wednesday, May 13, 2020 1:27 PM
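The following is an added example, not code from either poster in this thread. It puts the two replies together: the "User logon name (pre-Windows 2000)" that ADUC displays is the `sAMAccountName` attribute, which the original query already loads, so the value can be read straight from the search result and the `SecurityIdentifier.Translate` step (which relies on the calling machine's LSA being able to reach the account's domain, hence the failure against the remote domain) is not needed at all. It also escapes the caller-supplied value per RFC 4515 before building the filter, because both snippets on this page concatenate `userNameOrEmail` into the filter string unescaped. The LDAP path `LDAP://DC=corp,DC=example,DC=com`, the UPN `jdoe@corp.example.com`, and the class and method names are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example (not from the thread). Reads the pre-Windows 2000 logon name
// (sAMAccountName) directly from the directory instead of translating the SID,
// and escapes the caller-supplied value before placing it in the LDAP filter.
// Assumptions (hypothetical): "LDAP://DC=corp,DC=example,DC=com" is a reachable
// domain and "jdoe@corp.example.com" is an existing user's UPN.
public static class PreWindows2000Name
{
    // RFC 4515 escaping for a value used inside an LDAP search filter.
    // Without this, input such as "*" or "x)(objectClass=*" changes the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the sAMAccountName (the "User logon name (pre-Windows 2000)" shown in
    // ADUC, without the DOMAIN\ prefix), or null when no matching user exists.
    public static string Find(DirectoryEntry searchRoot, string userNameOrEmail)
    {
        string v = EscapeFilterValue(userNameOrEmail);

        // Restrict to user objects so a group or computer with the same name
        // cannot be returned; match either the UPN or the sAMAccountName.
        string filter = "(&(objectCategory=person)(objectClass=user)" +
                        "(|(userPrincipalName=" + v + ")(sAMAccountName=" + v + ")))";

        using (var searcher = new DirectorySearcher(searchRoot, filter))
        {
            searcher.PropertiesToLoad.Add("sAMAccountName");

            SearchResult result = searcher.FindOne();
            if (result == null)
                return null;

            ResultPropertyValueCollection values = result.Properties["sAMAccountName"];
            return values.Count > 0 ? values[0] as string : null;
        }
    }

    public static void Main()
    {
        // Offline check of the escaping on a hostile value (constructed input).
        Console.WriteLine(EscapeFilterValue("jdoe)(objectClass=*"));

        // Directory lookup against the assumed domain; needs a reachable DC.
        using (var root = new DirectoryEntry("LDAP://DC=corp,DC=example,DC=com"))
        {
            string name = Find(root, "jdoe@corp.example.com");
            Console.WriteLine(name ?? "<no such user>");
        }
    }
}
```

If the `DOMAIN\name` form is required, prefix the returned value with the NetBIOS name of the domain that was searched; that avoids the SID-to-name translation, which only succeeds when the machine running the code has a trust path to the domain that owns the account.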