hi folks,
when we are examining folders, files, etc that is located on a windows 2003 domain controller, under the permission and details i can only see the SID rather than the user name.
how do we actually using encase to correlate the SID to the individual users to get the user id or name?
any help is deeply appreciated.
About Encase do You have EDS module? if so run Analyze EFS option and after that go to Secure Storage tab. From the content menu choose User list- users with corresponding SIDs.
Was the domain connected to another, you will sometimes see GUIDs fro accounts from other domains when the DC cant enumerate them, and if an account has been deleted but permissions where applied directly to a fodler
p
The commands you want are "dsget user" and "dsquery user"
You can use dsquery user to list all the users on the system, and you should then be able to and pipe the output through dsget user -dn -samid -sid.
You might have to fiddle around a bit to get the syntax right, but I believe it should be something like this
dsquery user | dsget user -dn -samid -sid
-dn will give you their distinguisned names, -samid will give you the users logon names, and -sid will give you their SIDs.
You need to run these commands on the server…
About Encase do You have EDS module? if so run Analyze EFS option and after that go to Secure Storage tab. From the content menu choose User list- users with corresponding SIDs.
hi, tried it, but it does not list the domain users. it shows nothing inside the domain user panel.
it only list the user under the loca user panel.