System.DirectoryServices SID search


  • Hello,

From a WindowsIdentity we obtain the SID bytes and convert them to their hex string representation.

    We then try to bind to AD with the SID information to get the AD container for the specified user.

    Since we have an AD tree like this:


If we use serverless binding, the server binds to the LDAP server in SERVERS.COMPANY.COM and does not find anything
    (sample: DirectoryEntry de = new DirectoryEntry("LDAP://<SID=sidHexString>");)

    If we bind by name to the EMEA.COMPANY.COM server (because we know that the SID is for an EMEA user), it works fine (sample: DirectoryEntry de = new DirectoryEntry("LDAP://EMEA.COMPANY.COM/<SID=sidHexString>");)

    If we try to bind to the global catalog as in case 1 (sample: "GC://<SID=sidHexString>"), no result.

    What is the correct process to bind to a user knowing its SID without "cabling" the single LDAP servers in a search?

    Thanks for support

    Giovanni Lanaro

    Thursday, August 25, 2005 2:04 PM


1) In the article about SID binding Microsoft states that the byte[] must be converted to a hex string representation; the reported example works fine only for direct binding,
    i.e. DirectoryEntry de = new DirectoryEntry("LDAP://<SID=00111a...>");

    This solution has 2 side effects when you search for an object in a tree:

    1) Serverless binding connects you to the default LDAP server given your "location". If that LDAP server is not the "owner" of the SID, it returns object not found.

    2) If you use "named server" binding, you need to know which branch the SID belongs to, and bind to an appropriate server having a catalog for it.

To be sure to find an object by SID in a TREE or FOREST without knowing which branch or subtree it belongs to, I suggest:

using System.DirectoryServices;

    // "GC:" without a server name enumerates the forest root(s) of the global catalog
    DirectoryEntry gCatalog = new DirectoryEntry("GC:", username, password);

    SearchResult sResult = null;

    foreach (DirectoryEntry rootForest in gCatalog.Children)
    {
        // in a search filter every SID byte is written as \XX (backslash-escaped hex)
        DirectorySearcher ds = new DirectorySearcher(rootForest, @"(objectSid=\00\11\1a.....)");
        sResult = ds.FindOne();
        if (sResult != null)
            break;   // found the object; stop searching the remaining roots
    }

Please note that when performing a SID-based search, unlike direct binding, a \ (backslash) must precede each byte's string representation.

    Maybe this is obvious or well known to you, but to me it was not, so I got mad trying to get it working based on the string representation in the direct binding sample provided by MS.

    Any comments welcome

    Thursday, August 25, 2005 6:50 PM
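As an added example (not the poster's code), here is a complete C# program that builds both SID string forms the thread discusses, the plain hex used inside an `LDAP://<SID=...>` binding string and the backslash-escaped hex required inside an `(objectSid=...)` search filter, and then runs the global-catalog search from the answer above. It assumes the System.DirectoryServices assembly is referenced and the process runs as a domain user on a domain-joined Windows machine; WindowsIdentity, SecurityIdentifier, DirectoryEntry and DirectorySearcher are the standard .NET types, while the helper names ToBindingHex, ToFilterHex and FindBySidInForest are my own.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example; helper names below are assumptions, not a Microsoft API.
class SidLookup
{
    // Plain hex for the <SID=...> binding form, e.g. "010500000000000515000000..."
    static string ToBindingHex(byte[] sid)
    {
        var sb = new StringBuilder(sid.Length * 2);
        foreach (byte b in sid) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Backslash-escaped hex for an LDAP filter, e.g. "\01\05\00\00..."
    // (RFC 4515: each byte of a binary attribute value is escaped as \XX)
    static string ToFilterHex(byte[] sid)
    {
        var sb = new StringBuilder(sid.Length * 3);
        foreach (byte b in sid) sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Search every forest root exposed by the global catalog for the SID.
    static SearchResult FindBySidInForest(byte[] sid)
    {
        using (var gc = new DirectoryEntry("GC:"))
        {
            foreach (DirectoryEntry root in gc.Children)
            {
                string filter = "(objectSid=" + ToFilterHex(sid) + ")";
                using (var searcher = new DirectorySearcher(root, filter))
                {
                    searcher.PropertiesToLoad.Add("distinguishedName");
                    SearchResult result = searcher.FindOne();
                    if (result != null) return result;
                }
            }
        }
        return null;
    }

    static void Main()
    {
        // SID of the current token, obtained as in the original question
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        byte[] sidBytes = new byte[identity.User.BinaryLength];
        identity.User.GetBinaryForm(sidBytes, 0);

        Console.WriteLine("Binding form: LDAP://<SID=" + ToBindingHex(sidBytes) + ">");
        Console.WriteLine("Filter form : (objectSid=" + ToFilterHex(sidBytes) + ")");

        SearchResult hit = FindBySidInForest(sidBytes);
        Console.WriteLine(hit == null
            ? "No object with that SID found in the global catalog"
            : "Found: " + hit.Properties["distinguishedName"][0]);
    }
}
```

The two conversions differ only in the per-byte backslash, which is exactly the detail the answer warns about: the binding form is parsed by ADSI, the filter form by the LDAP server, and each expects its own encoding. Using `GC:` without a server name, as the answer suggests, lets the search cover the whole forest instead of depending on which domain controller a serverless `LDAP://` bind happens to pick.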