What are the possibilities in which RIDs can be replicated
https://stackoverflow.com/questions/6327340
-
27-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian题
I am working on an application in which I identify users nd groups on the basis of their RIDs. Hence there would be a problem if duplicate RIDs exist on the domain. The following link http://support.microsoft.com/kb/315062 says that it is possible if the admin seizes the role of the RID manager and two or more users request for an RID simultaneously. I wanted to know what could be other possibilities which could result in duplicate RIDs.
Thanks in advance.
解决方案
The thing I don't understand in your question is why you are using RIDs to distinguish users and groups. The objects are from different classes so they are naturaly distinguished.
In Win32 programming you can just use :
BOOL WINAPI LookupAccountSid(
__in_opt LPCTSTR lpSystemName,
__in PSID lpSid,
__out_opt LPTSTR lpName,
__inout LPDWORD cchName,
__out_opt LPTSTR lpReferencedDomainName,
__inout LPDWORD cchReferencedDomainName,
__out PSID_NAME_USE peUse
);
This API comes from Authorization Functions to retrieve in peUse if the SID is a User or a Group.
Using the .NET Framework (C#) the SecurityIdentifier can be used to determine if the SID represent a valid domain account.
Last thing : the way that is commonly use to distinguish objects in a directory is the objectGUID attribute. This attribute is present in each object. So you can retreive objects from Active Directory Service Interface (ADSI) using SIDs or GUIDs
"LDAP:///<GUID={28c67c50-9778-47a4-a77a-bf56f238a0c4}>"
or
"LDAP:///<SID=S-1-5-21-500000003-1000000000-1000000003-1001>"
(Edited after your comment) As far as I know, duplicated RID inside a domain is considered as an exception explained by the lost of a domain controller that serves the role of Relative ID (RID) Master. Perhaps it exists hack tools that are able to patch the AD database to change SIDs but I don't know them.
Be careful, RIDs may be duplicated in other domains. If you've got subdomains or other trees in you forest, you can find again the same RIDs with different sub-authorities (potentialy in the same ACL)
I found also duplicated in computer SIDs but it was due to bad Ghost usage.
