戻る
-
タイトル
Resolving sAMAccountName for a ForeignSecurityPrincipal entry with vastool search. -
説明
How to resolve the sAMAccountName for a ForeignSecurityPrincipal entry with vastool search.
-
対策
The only way One Identity support has been able to find to look up the sAMAccountName for an FSP is to search for the SID in the actual domain it exists in.
The difficult part is finding which domain it exists in. Nothing shows us which domain to search in however as soon as the correct domain is searched we get the sAMAccountName.
For example this search in the correct domain returns the sAMAccountName. If the domain to search is known this is the resolution:
/opt/quest/bin/vastool -u sysadm@test.lab -w 'password' search --binary-string -b "DC=test,DC=lab" -s sub "(ObjectSID=S-1-5-21-4201371813-1141760209-284767-57601)" samaccountname
dn: CN=aaa,CN=Users,DC=test,DC=lab
samaccountname: aaa
Getting the SID is straightforward, then if you search in the right domain you get your result. That creates challenges because NOTHING we can find in the starting domain gives away what domain to look in.
PowerShell seems to move through forests to assemble the bits, this looks like an LDAP shortcoming.
You could potentially script a loop, that searches through known domains, but credentials would be the hurdle there.