SID Converter

The SID Converter option converts Names to SIDs and SIDs to Names; the correct resolution method is selected based on the details provided.  If no server is selected, the local machine is used to complete the lookup, and any domain membership will also be used.  If a server is selected, the lookup request is sent to that server for resolution, which is useful if you are trying to resolve local SIDs or Names.

These examples show the output for the group domain admins and the user administrator.

There are a number of additional formats for the SID which can be used within NetTools or other AD tools.

Multiple names and/or SIDs can be entered, with each entry separated by a comma or semi-colon; all entries will be resolved.  When the Hex option is selected, the input must be entered as per the Hex output shown above. In this mode, multiple entries are not supported.

LDAP Search – Base DN Formats

Active Directory supports a number of different formats for the Base DN field: Distinguished Name, GUID and SID.

Distinguished Name is based on RFC 4514 e.g. CN=user1,CN=users,DC=domain,DC=com

GUID provides the GUID of an object which will be used as the base for searches, e.g. <GUID=01f04883-d68e-4367-8ad1-a2faa79a2e5a>

SID format is the same as GUID but the entry is based on a SID, e.g. <SID=S-1-5-21-2816452191-2840564649-4223122534-1000>

The SID and GUID options, with the Search Scope set to Base Level, can be used as a quick search for users or other objects in the AD based on the GUID or SID.  The SIDs and GUIDs are entered in standard readable format.

LDAP Search Substitution

NetTools supports a number of inline substitution options that enable different data types to be entered in user-friendly formats, without the need to remember complicated data formats.  These can be used in the filter to simplify filter entry, or to convert data formats for attribute updates with Update Queries.

There are two types of substitutions available, data converters, and matching rule converters.

Data Converters

Data converters have the following format {<type>:[data]}

-1: int64 const of -1 e.g. (pwdlastset={-1:}) which will be replaced with 9223372036854775807
sid: object sid e.g. (objectsid={sid: S-1-5-21-3499964120-3315823391-1593708255-164234})
guid: object guids e.g. (objectguid={guid:00AD5B16-8E22-49D5-B83A-BFDEA6DFF7DE})
oid: oid identifiers e.g. (omobjectclass={oid:1.3.12.2.1011.28.0.702})
ip: IP address in windows order e.g. (ipaddress={ip:10.12.45.254})
ipn: IP address in network order e.g. (ipaddress={ipn:10.12.45.254})
hex: hexadecimal value e.g. (&(objectclass=group)(grouptype={hex:0x8000002}))
userinput: request user input e.g. {userinput:Date}; responses are cached against the label, and if the same label is used again the cached response is used
unicode: returns the specified string as an escaped hex string e.g. {unicode:new}
idate: 64bit Time e.g. (lastlogontimestamp={idate:31/12/2011})
zdate: Generalized Time Format e.g. (whencreated={zdate:30/12/2011})
sdate: returns the date in dd/mm/yyyy format, when used in conjunction with Now constant
sdatetime: returns the date in dd/mm/yyyy hh:mm:ss format, when used in conjunction with Now constant
anr: Create an ANR filter based on the input string e.g. {anr:john smith}
-1: A static replacement with 9223372036854775807, e.g. (accountexpires={-1:})

The zdate, idate, sdate, and sdatetime types also support the 'Now' constant, which can be used with optional plus and minus days.
e.g. {zdate:now}, {zdate:now-365}, {idate:now+5}, {sdate:now}

Nesting is supported on a number of the substitutions, to convert from one format to another or to convert a user input e.g. {idate:{userinput:enter date}}
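As an added example (not NetTools code and not part of the original page), the following Python shows the standard Active Directory encodings that the sid, guid, idate, zdate and -1 converters stand in for when a filter is written by hand. The function names are hypothetical, dates are assumed to mean midnight UTC, and it is an assumption that NetTools emits the same strings.

```python
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def esc(raw: bytes) -> str:
    """Escape every byte as \\XX (RFC 4515) so binary survives in a filter."""
    return "".join(f"\\{b:02X}" for b in raw)

def sid_to_bytes(sid: str) -> bytes:
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    # revision, sub-authority count, 48-bit big-endian authority,
    # then each sub-authority as a little-endian 32-bit integer
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def when(text: str, now: datetime) -> datetime:
    """Parse dd/mm/yyyy (assumed midnight UTC) or now, now+N, now-N (days)."""
    m = re.fullmatch(r"now(?:([+-])(\d+))?", text.strip(), re.IGNORECASE)
    if m:
        days = int(m.group(2) or 0)
        return now + timedelta(days=-days if m.group(1) == "-" else days)
    return datetime.strptime(text.strip(), "%d/%m/%Y").replace(tzinfo=timezone.utc)

def filetime(dt: datetime) -> int:
    """100-nanosecond intervals since 1601-01-01 UTC."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

CONVERTERS = {
    "sid": lambda data, now: esc(sid_to_bytes(data)),
    "guid": lambda data, now: esc(uuid.UUID(data.strip()).bytes_le),
    "idate": lambda data, now: str(filetime(when(data, now))),
    "zdate": lambda data, now: when(data, now).strftime("%Y%m%d%H%M%S.0Z"),
    "-1": lambda data, now: "9223372036854775807",
}

def expand(text, now=None):
    """Replace each {type:data}; unknown types and nesting are left untouched."""
    now = now or datetime.now(timezone.utc)
    def repl(m):
        conv = CONVERTERS.get(m.group(1).lower())
        return conv(m.group(2), now) if conv else m.group(0)
    return re.sub(r"\{([\w-]+):([^{}]*)\}", repl, text)
```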

Matching Rules Converters

Matching rule converters use a single character as a substitute for the matching rule OIDs in LDAP filters; these are | & % $

|= is the Or bit logic operator e.g. (!useraccountcontrol |= 2)  - expands to (!useraccountcontrol:1.2.840.113556.1.4.802:=2)

&= is the And bit logic operator e.g. (useraccountcontrol &= 2)  - expands to (useraccountcontrol:1.2.840.113556.1.4.803:=2)

%= is the chain operator e.g. (memberof %= (cn=Group1,OU=groupsOU,DC=test,DC=com)) - expands to (memberof:1.2.840.113556.1.4.1941:= (cn=Group1,OU=groupsOU,DC=test,DC=com))

$= is the DN-Binary or DN-String search e.g. (msDS-HasInstantiatedNCs$=B:8:0000000D:CN=Configuration,DC=corp) - expands to (msDS-HasInstantiatedNCs:1.2.840.113556.1.4.2253:=B:8:0000000D:CN=Configuration,DC=corp)