2

This is a bit of an obscure one: I need to get the user@domain form of a user/group, but I do NOT want the domain\user form. I encountered a problem once with long Windows 2003+ names where the two are NOT the same because of the domain\user length limit, because the new form does not have the limit.

I'm under C#, and while I can do the following:

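string GetUserName(SecurityIdentifier SID)
{
    // Translate the SID to the legacy DOMAIN\user (NTAccount) form.
    NTAccount account = (NTAccount)SID.Translate(typeof(NTAccount));
    // Split "DOMAIN\user" and reassemble it as "user@DOMAIN".
    string[] splits = account.Value.Split('\\');
    return splits[1] + "@" + splits[0];
}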

This isn't always right: as I stated in my intro, the username@domain is NOT NECESSARILY the same as the old Windows NT form of the username. If you don't believe me, go into AD Users and Computers on a 2k3+ box and see how there are different fields for the old NT username versus the new one.

So how do I guarantee I get the right username@domain from a SID? Add to that, I also need this type of thing to work for local users/groups.

Kevin Anderson

3 Answers

5

The Windows API to get this is called DsCrackNames - http://msdn.microsoft.com/en-us/library/ms675970. It will give you the output in any number of formats depending on the flags you provide.

Brian Desmond
3

Can't you use System.DirectoryServices.AccountManagement.Principal and the UPN (your name@domain.com) to look up the Sid (also a property on the principal)?
http://msdn.microsoft.com/en-us/library/bb340707.aspx

Here is a TechNet snippet that uses a DirectorySearcher to search for a user by UPN
http://gallery.technet.microsoft.com/ScriptCenter/de2cb677-f930-40a5-867d-ea0326ccbcdb/

After fetching the principal you should be able to get the Sid property.

Nick Nieslanik
  • I already have the SID (by other means, given this by other parts of code). I need the definitive user@domain. – Kevin Anderson Sep 22 '11 at 16:33
  • You can do the SID search with a DirectorySearcher as well and look up the UserPrincipal and get the UPN property. http://social.msdn.microsoft.com/Forums/en/netfxbcl/thread/bb0b094b-c4a1-403c-907a-034cb33b0b13 – Nick Nieslanik Sep 22 '11 at 16:37
  • This is the closest to what I did, and it put me on the right track. See this other SO post for closer to what eventually happened: http://stackoverflow.com/questions/1101938/get-upn-or-email-for-logged-in-user-in-a-net-web-application So basically, once I have the user there, there's just the UPN property of it, which I can then access, and I can get it using the SID. – Kevin Anderson Sep 28 '11 at 19:59
  • Just to make sure: UPN does not have to be samAccount@domain. You should read both values separately if you need them. – MuhKuh Oct 22 '21 at 10:04
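The SID-to-UPN lookup discussed in this answer and its comments, as an added example that is not code from the original posts. The class and method names (`SidResolver`, `Resolve`) are hypothetical, and it assumes a domain-joined machine with a reference to System.DirectoryServices.AccountManagement:

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Hypothetical helper (added example): resolve a SID to a display identity
// without deriving user@domain from the DOMAIN\user string.
static class SidResolver
{
    public static string Resolve(SecurityIdentifier sid)
    {
        // Local (SAM) users and groups have no userPrincipalName attribute,
        // so report them in MACHINE\name form.
        using (var machine = new PrincipalContext(ContextType.Machine))
        using (var local = Principal.FindByIdentity(machine, IdentityType.Sid, sid.Value))
        {
            if (local != null)
                return sid.Translate(typeof(NTAccount)).Value;
        }

        // Assumes a domain-joined machine; a PrincipalServerDownException
        // is thrown when no domain controller is reachable.
        using (var domain = new PrincipalContext(ContextType.Domain))
        using (var p = Principal.FindByIdentity(domain, IdentityType.Sid, sid.Value))
        {
            if (p == null)
                return null; // SID not found in this domain

            // The UPN is read as stored in the directory. It is optional and
            // need not equal sAMAccountName@domain, so nothing is synthesized
            // when it is missing (typical for groups).
            return string.IsNullOrEmpty(p.UserPrincipalName) ? null : p.UserPrincipalName;
        }
    }

    static void Main()
    {
        // Sample input: the SID of the account running this program.
        SecurityIdentifier sid = WindowsIdentity.GetCurrent().User;
        Console.WriteLine(Resolve(sid) ?? "(no UPN stored for " + sid.Value + ")");
    }
}
```

Returning null instead of a reconstructed name keeps audit or ACL reports from showing an identity string that the directory does not actually hold.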
0

I have posted some C# code for retrieving user data from a SID; here is the same adapted to your question:

// Requires a reference to System.DirectoryServices.
/* Retrieving object from SID */
string SidLDAPURLForm = "LDAP://WM2008R2ENT:389/<SID={0}>";
System.Security.Principal.SecurityIdentifier sidToFind = new System.Security.Principal.SecurityIdentifier("S-1-5-21-3115856885-816991240-3296679909-1106");

// Bind directly to the directory object by its SID.
DirectoryEntry userEntry = new DirectoryEntry(string.Format(SidLDAPURLForm, sidToFind.Value));
// userPrincipalName is optional; Value is null when the attribute is not set.
string name = userEntry.Properties["userPrincipalName"].Value as string;
JPBlanc