I am getting the SID in ADSI Edit. Could anyone please let me know what that is and how to convert the SID through PowerShell?

Anonymous
Aug 17, 2023, 1:20 PM

Hi Experts,

I wanted to add an existing Windows account in ADSI through PowerShell, but in ADSI Edit I am getting the SID.

Could you please let me know what that SID belongs to and how to convert the SID through PowerShell? I want to add some Windows accounts in Roles via PowerShell, so I can't do it when the SID is there. I want to make these changes on a member server, not on a domain controller. I have attached the screenshot below for reference.

I am waiting for your reply experts.

Windows Server Identity and access Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


9 answers

  1. Anonymous
    Aug 18, 2023, 2:30 AM

    Hello Leo_0601,

    Thank you for posting in Microsoft Community forum.

    It seems a specific display issue with this object is occurring; we can try to troubleshoot it instead of converting the SID to the original display name.

    1. Please confirm how many DCs there are in your domain.
    2. Does this SID occur on all the DCs (if you have more than one DC in the same domain) or only on one DC?

    You can try to check:

    The first thing:
    1. Connect to configuration as below.
    2. Open ADSI Edit, right-click it and select "Connect to".
    3. Select "Configuration" under "Select a well known Naming Context".
    4. It will display like this.

    The second thing:
    1. You can try to close the ADSI Edit windows and reopen it.
    2. Right-click this Configuration partition and remove it.
    3. Connect to the Configuration partition you want again to see if the SID disappears.

    The third thing:
    1. Connect to another partition (such as the Schema partition) to see if it is normal.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    Aug 19, 2023, 6:30 PM

    @Daisy Zhou

    Hi Zhou

    First I would like to thank you for your brief explanation. Means a lot.

    It's an AD LDS instance. We faced an issue with AD LDS in our setup earlier. Then we raised a case with Microsoft.

    Then they suggested adding one service account (Carestream user) to the local server (not in the domain) to fix this issue. We tried exactly what Microsoft suggested. It started working fine. We don't have multiple domains. We don't have any problem with the domain. All is working fine. The solution below was suggested by Microsoft.

    In member server:

    -> ADSI edit
     -> Configuration[localhost 3890]
     -> CN=Roles
     -> CN=Administrators
     -> Right Click -> Properties (CN=Administrators)
    -> Member -> Edit
    -> Add Windows Account
    -> Search the account (Carestream user) & add it if the account does not exist.

    Actually, now we just have to add the existing Windows account (Carestream user) in ADSI through PowerShell. Since we are getting a SID or GUID, we don't have any idea how to convert and automate.

    Below is the code we are trying out, but no luck. If you could help us do the same via PowerShell, it would mean a lot and be very helpful for us.

    Kindly reply to me.

    I am looking forward to hearing from you.

    Get-ADObject "CN=Administrators,CN=Roles,CN=Configuration" -Properties member |Set-ADObject -add @{member="$((get-aduser CarestreamUser).distinguishedname)"}

  3. Anonymous
    Aug 21, 2023, 6:25 AM

    Hello Leo_0601,

    Thank you for your detailed explanation.

    Not sure if the SID or GUID can be converted to the display name, because the service account (Carestream user) is not in the domain; it is only on one member server.

    Is the AD LDS server also a domain controller? Or is AD LDS also a member server with a service account (Carestream user)?

    What is the output of this command below?
    Get-ADObject "CN=Administrators,CN=Roles,CN=Configuration" -Properties member

    And what is the output of this command?
    Get-ADObject "CN=Administrators,CN=Roles,CN=Configuration" -Properties member | Set-ADObject -add @{member="$((get-aduser CarestreamUser).distinguishedname)"}

    Best Regards,
    Daisy Zhou

  4. Anonymous
    Aug 22, 2023, 6:03 AM

    Hello Leo_0601,

    Thank you for your reply.

    So you have two of the same Carestream user accounts in the same domain: one is in AD (you added it via PS), the other is on one member server within the domain.

    What is the output of this command below? What error message did you receive?
    Get-ADObject "CN=Administrators,CN=Roles,CN=Configuration" -Properties member

    And what is the output of this command? What error message did you receive?
    Get-ADObject "CN=Administrators,CN=Roles,CN=Configuration" -Properties member | Set-ADObject -add @{member="$((get-aduser CarestreamUser).distinguishedname)"}

    Best Regards,
    Daisy Zhou

  5. Anonymous
    Aug 21, 2023, 11:12 AM

    @Daisy Zhou

    Hi Zhou,

    Thanks much for your reply.

    I have tried with the comments which I have mentioned above. I got an error.

    I have tried with the below comment.

    Add-ADGroupMember -Identity Administrators -Members 'Carestream user'

    Then I am able to add the 'Carestream user' in the Administrator group.

    -> ADSI
     -> Configuration[localhost 3890]
     -> CN=Roles
     -> CN=Administrators
     -> Right Click -> Properties (CN=Administrators)
    -> Member -> Edit
    -> Add Windows Account (Carestream user)

    Please help skip adding Carestream user, if this same user already exists via PowerShell with my above working comment.

    I am looking forward to hearing from you.

    Thanks in advance
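An added example (not code from any participant in this thread) of the two things asked for: translating the SIDs shown in the role's member list back to account names, and adding a Windows account to the AD LDS Administrators role only when it is not already there. It assumes the ActiveDirectory PowerShell module, the instance on `localhost:3890` mentioned above, that Windows principals appear in `member` as `CN=<SID>,CN=ForeignSecurityPrincipals,...` entries, and that the instance accepts the `<SID=...>` form of a member value; `SERVER01\CarestreamUser` is a placeholder account name.

```powershell
Import-Module ActiveDirectory

$Server  = 'localhost:3890'            # AD LDS instance from the thread
$Account = 'SERVER01\CarestreamUser'   # placeholder: real MACHINE\name or DOMAIN\name

# Account name -> SID (resolved by Windows, not by AD LDS)
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Build the role DN from the instance's own configuration partition
$configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
$roleDn   = "CN=Administrators,CN=Roles,$configNC"
$role     = Get-ADObject -Identity $roleDn -Server $Server -Properties member

# Translate each SID-named member back to an account name where possible
$existing = foreach ($dn in $role.member) {
    if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
        $memberSid = $Matches[1]
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$memberSid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'     # deleted account or unreachable domain
        }
        [pscustomobject]@{ Sid = $memberSid; Name = $name; DN = $dn }
    }
}
$existing | Format-Table -AutoSize

# Add the account only if its SID is not already a member
if ($existing.Sid -contains $sid) {
    Write-Host "$Account ($sid) is already a member of $roleDn; nothing to do."
} else {
    Set-ADObject -Identity $roleDn -Server $Server -Add @{ member = "<SID=$sid>" }
    Write-Host "Added $Account ($sid) to $roleDn."
}
```

Run it on the member server that hosts the instance, as an identity that is already in the instance's Administrators role; entries that stay `<unresolved>` are worth reviewing, since they are role members whose owner can no longer be identified.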