
I'm looking for a way to validate whether an inserted Object SID from Active Directory is valid. Is this possible using preg_match() or preg_match_all()? I've looked online for a regex for this validation but I couldn't find anything.

Example:

$sid = 'S-1-5-21-1220945662-1202665555-839525555-5555';

if ($validator->validateSid($sid)) {
    // SID is valid!
}

I'm not skilled in writing regexes, so if anyone has absolutely any input, please let me know, thanks!

EDIT: For anyone looking for the code with the regex below:

preg_match("/^S-1-[0-5]-\d{2}-\d{10}-\d{10}-\d{9}-[1-9]\d{3}/", $sid, $matches);

// $matches now holds:
array(
    0 => 'S-1-5-21-1220945662-1202665555-839525555-5555'
)

Or for a more lenient pattern:

preg_match("/S-1-5-21-\d+-\d+\-\d+\-\d+/", $sid, $matches);

// Returns
array(
    0 => S-1-5-21-1220945662-1202665555-839525555-5555
)
Steve Bauman

  • What are the rules? Is it always `S-something`? Are the digits between `-` constrained to a certain number of digits? – AbraCadaver Nov 03 '15 at 20:48
  • I know it's been a lot of years, but your "lenient" pattern worked for me where the accepted answer did not, because several of the SIDs I'm working with end in 4, 5, and even some with 6 digits. – Kevin Buchan Jul 14 '20 at 16:59

3 Answers

hjpotter92's answer will work for some SIDs but not all. Each subauthority consists of a 32-bit integer, which can be 10 digits or 8 digits depending. You should edit the regex to be:

/^S-1-[0-59]-\d{2}-\d{8,10}-\d{8,10}-\d{8,10}-[1-9]\d{3}/

Whenever a new issuing authority under Windows is created (for example, a new machine deployed or a domain created), it is assigned a SID with 5 (an arbitrary value) as the identifier authority; a fixed value of 21 is used as a unique value to root this set of subauthorities, and a 96-bit random number is created and parceled out to the three subauthorities, with each subauthority receiving a 32-bit chunk.

https://msdn.microsoft.com/en-us/library/cc246018.aspx

How SIDs are created

https://en.wikipedia.org/wiki/Security_Identifier

Crypt32
ErrorMaster
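A structural check in PHP, added here as an example (it is not code from the question or from any of the answers): instead of counting digits, it parses the fields and range-checks the 48-bit identifier authority and each 32-bit subauthority, so it also rejects a 10-digit value above 4294967295 and any text trailing the SID, which the unanchored patterns above let through. The function names `isValidSid` and `fitsUnsigned` and the sample inputs other than the question's SID are my own.

```php
<?php
// Parses a SID string and range-checks every field instead of counting digits.
// Optionally requires the domain-account shape S-1-5-21-<a>-<b>-<c>-<rid>.

function fitsUnsigned(string $digits, int $bits): bool
{
    // $digits carries no leading zeros (enforced by the regex below), so
    // anything longer than 18 digits already exceeds PHP_INT_MAX on 64-bit.
    return strlen($digits) <= 18 && (int) $digits <= (2 ** $bits) - 1;
}

function isValidSid(string $sid, bool $requireDomainAccount = false): bool
{
    // Anchored at both ends so trailing text cannot slip past the match.
    // Each numeric field is "0" or a number without leading zeros.
    if (!preg_match('/^S-1-(0|[1-9]\d*)((?:-(?:0|[1-9]\d*))+)$/', $sid, $m)) {
        return false;
    }
    $authority = $m[1];                          // 5 = SECURITY_NT_AUTHORITY
    $subs      = explode('-', substr($m[2], 1)); // drop the leading "-"

    // Identifier authority is a 48-bit value; a SID holds at most 15 subauthorities.
    if (!fitsUnsigned($authority, 48) || count($subs) > 15) {
        return false;
    }
    foreach ($subs as $sub) {
        if (!fitsUnsigned($sub, 32)) {           // the rule is 0..4294967295,
            return false;                        // not "8, 9 or 10 digits"
        }
    }
    if ($requireDomainAccount) {
        // NT authority, the fixed 21 root, three 32-bit domain chunks, then the RID.
        return $authority === '5' && count($subs) === 5 && $subs[0] === '21';
    }
    return true;
}

// Sample inputs: the first is the SID from the question, the rest are constructed.
// Each value is [structurally valid, valid as a domain account].
$samples = [
    'S-1-5-21-1220945662-1202665555-839525555-5555'  => [true,  true],
    'S-1-5-21-1220945662-1202665555-839525555-500'   => [true,  true],  // short RID is fine
    'S-1-5-21-1220945662-4294967296-839525555-5555'  => [false, false], // 10 digits, > 32 bits
    'S-1-5-21-1220945662-1202665555-839525555-5555x' => [false, false], // trailing junk
    'S-1-5-32-544'                                   => [true,  false], // well-formed, not a domain account
];
foreach ($samples as $sid => [$anySid, $domainSid]) {
    assert(isValidSid($sid) === $anySid && isValidSid($sid, true) === $domainSid);
    printf("%-48s structural=%d domain=%d\n", $sid, isValidSid($sid), isValidSid($sid, true));
}
```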

Looking at wiki for SID, the following should work:

/^S-1-[0-59]-\d{2}-\d{10}-\d{10}-\d{8}-[1-9]\d{3}/
hjpotter92

The last section of the SID is the RID, which is a 32-bit identifier! It means the RID can have 10 digits. So the last section can even be 1 + 9 digits long in theory! ;)

S-1-[0-59]-\d{2}-\d{10}-\d{10}-\d{8}-[1-9]\d{9}
Inkogo