Como usar o Microsoft Visual Basic para converter um SID bruto em uma cadeia de caracteres SID

IMPORTANTE: Este artigo foi traduzido por um sistema de tradução automática (também designado por Machine Translation ou MT), não tendo sido portanto traduzido ou revisto por pessoas. A Microsoft possui artigos traduzidos por aplicações (MT) e artigos traduzidos por tradutores profissionais, com o objetivo de oferecer em português a totalidade dos artigos existentes na base de dados de suporte. No entanto, a tradução automática não é sempre perfeita, podendo conter erros de vocabulário, sintaxe ou gramática. A Microsoft não é responsável por incoerências, erros ou prejuízos ocorridos em decorrência da utilização dos artigos MT por parte dos nossos clientes. A Microsoft realiza atualizações freqüentes ao software de tradução automática (MT). Obrigado.

Clique aqui para ver a versão em Inglês deste artigo: 286182
Este artigo foi arquivado. É oferecido "como está" e não será mais atualizado.
Sumário
Este artigo fornece um método para converter um identificador de segurança bruto (SID) em um identificador de seqüência de caracteres segurança (SID) usando o Microsoft Visual Basic no Windows NT 4.0 ou Windows 2000.
Mais Informações

Componentes do SID

Um valor de SID inclui componentes que fornecem informações sobre a estrutura SID e componentes que identificam exclusivamente um objeto de confiança. Um SID consiste nos seguintes componentes:
  • O nível de revisão de estrutura SID.
  • Um valor de autoridade de identificador de 48 bits que identifica a autoridade, como um domínio Windows NT/Windows 2000, que emitiu o SID.
  • Um número variável de subautoridade ou valores de identificador relativo (RID) que identificam exclusivamente o objeto de confiança relativo para a autoridade que emitiu o SID.
A combinação do valor da autoridade de identificador e os valores de subautoridade garante que nenhum dois SIDs será o mesmo, mesmo se dois diferentes autoridades emissão SID emitem a mesma combinação de valores RID. Cada autoridade de emissão SID emite um RID determinado apenas uma vez.

SIDs são armazenados em formato binário em uma estrutura SID. Para exibir um SID, você pode chamar a função ConvertSidToStringSid para converter um SID binário em formato de seqüência de caracteres. Para converter uma seqüência de caracteres SID novamente um SID válido e funcional, chame a função ConvertStringSidToSid .

Essas funções use a notação de seqüência de caracteres padronizada a seguir para SIDs, que torna mais simples visualizar seus componentes:
S-R-I-S-S.
Nessa notação, o caractere literal "S" identifica a seqüência de dígitos como um SID, "R" é o nível de revisão, "I" é o valor de autoridade de identificador e "S...." é um ou mais valores de subautoridade.

O exemplo a seguir usa essa notação para exibir o SID de domínio relativo conhecido do grupo Administradores local:
S-1 a 5-32-544
Neste exemplo, o SID tem os seguintes componentes. As constantes entre parênteses são autoridade de identificador conhecido e RID valores definidos no WINNT.H.
  • Um nível de revisão de "1".
  • Um valor de autoridade de identificador de "5" (SECURITY_NT_AUTHORITY).
  • Um valor de subautoridade primeiro de "32" (SECURITY_BUILTIN_DOMAIN_RID).
  • Um segundo valor de subautoridade de "544" (DOMAIN_ALIAS_RID_ADMINS).
Observe que os valores de subautoridade são inteiros longos. Isso facilita a conversão SID não processado em sua forma de seqüência de caracteres muito simples.

Etapas gerais no processo de conversão

  1. Vincular a um objeto de usuário, criá-la ou usando o ADsPath.
  2. Recupere a propriedade ObjectSID .
  3. Use a função Convert_ObjectSID_To_SDDL fornecida na seção código Visual Basic deste artigo.

    O código é comentado muito bem. Cada etapa do processo é explicada com cuidado. Se o fluxo geral é ainda obscuro, consulte MSDN (http://msdn.microsoft.com) para obter detalhes adicionais.

Como usar o código do Visual Basic fornecido

  1. Crie um novo projeto Visual Basic.
  2. Crie um novo módulo de código do Visual Basic dentro do projeto.
  3. Copie e cole o código a seguir em um novo módulo Visual Basic.

Código do Visual Basic para converter RAW SID em cadeia de caracteres SID

'***********************Constant Declaration*********************' Define the sub SID Authority byte arrays.  These arrays are here for completeness along with' their VC definitions.''#define SECURITY_NULL_SID_AUTHORITY       {0,0,0,0,0,0}'#define SECURITY_WORLD_SID_AUTHORITY      {0,0,0,0,0,1}'#define SECURITY_LOCAL_SID_AUTHORITY      {0,0,0,0,0,2}'#define SECURITY_CREATOR_SID_AUTHORITY    {0,0,0,0,0,3}'#define SECURITY_NON_UNIQUE_AUTHORITY     {0,0,0,0,0,4}'' C Declaration for the SID memory, included for completeness...''typedef struct _SID {'  BYTE  Revision;'  BYTE  SubAuthorityCount;'   SID_IDENTIFIER_AUTHORITY IdentifierAuthority;'  DWORD SubAuthority[ANYSIZE_ARRAY];'} SID;'typedef PVOID PSID;'***************End Constant Declaration******************************'**********************************************************************************'' Declare the APIs needed to manipulate the RAW SID'Public Declare Function InitializeSid Lib "advapi32.dll" (ByVal Sid As Long, _                                                          pIndentifierAuthority As Any, _                                                          ByVal nSubAuthorityCount As Byte) As Long                                                          Public Declare Function GetSidSubAuthority Lib "advapi32.dll" (pSid As Any, _                                                               ByVal nSubAuthority As Long) As Long                                                               Public Declare Function GetSidLengthRequired Lib "advapi32.dll" (ByVal nSubAuthorityCount As Byte) As LongPublic Declare Function LookupAccountSid Lib "advapi32.dll" Alias "LookupAccountSidA" _                                        (ByVal lpSystemName As String, _                                         Sid As Any, _                                         ByVal name As String, _                                         cbName As Long, _                                         ByVal ReferencedDomainName As String, _                                         cbReferencedDomainName As Long, _                                         peUse As Integer) As Long                                         Public Declare Function GetSidSubAuthorityCount Lib "advapi32.dll" (pSid As Any) As LongPublic Declare Function GetSidIdentifierAuthority Lib "advapi32.dll" (pSid As Any) As Long'' Declare the memory managment functions.' Notice there are two definitions for RtlMoveMemory, one takes a value as  Any, the other takes a value ByVal as long' this is necessary so memory can be copied as follows:'  From a variable containing a 32 bit value that represents a memory location'  From a variable that represents a VB alocated memory location'  (ie: Dim bByte(6) as Byte type of declaration).'' LocalAlloc and LocalFree are used to allocate and free memory from the heap,' respectively.'Public Declare Sub CopyByValMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, _                                                                         ByVal Source As Long, _                                                                         ByVal Length As Long)                                                                         Public Declare Sub CopyByRefMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal Destination As Long, _                                                                         Source As Any, _                                                                         ByVal Length As Long)                                                                         Public Declare Function LocalAlloc Lib "kernel32" (ByVal wFlags As Long, _                                                   ByVal wBytes As Long) As Long                                                   Public Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As Long'************API Function Declarations*************************************'+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++'' Declare the necessary Win32 APIs to obtain the SID for the NT user' LookupAccountName -> Does the real work once it is remoted to the appropriated DC' NetGetDcName -> Obtains the DC for the local box, used to obtain a DC name for'                 LookUpAccountName' NetApiBufferFree-> used to cleanup after NetGetDcName.  The Net* APIs manage memory'                    memory for you, this function is used to free the memory allocated'                    NetGetDcName' lstrcpyW -> used to copy the NetGetDcName buffer into a buffer VB can work with' GetLengthSid -> used to help convert the raw SID into a hexstring SID'Public Declare Function LookupAccountName Lib "advapi32.dll" _        Alias "LookupAccountNameA" _        (ByVal IpSystemName As String, _         ByVal IpAccountName As String, _         pSid As Byte, _         cbSid As Long, _         ByVal ReferencedDomainName As String, _         cbReferencedDomainName As Long, _         peUse As Integer) As Long         Public Declare Function NetGetDCName Lib "NETAPI32.DLL" _        (ServerName As Byte, _         DomainName As Byte, _         DCNPtr As Long) As Long                                         Public Declare Function NetApiBufferFree Lib "NETAPI32.DLL" _        (ByVal Ptr As Long) As Long         Public Declare Function PtrToStr Lib "kernel32" _        Alias "lstrcpyW" (RetVal As Byte, ByVal Ptr As Long) As Long       Public Declare Function GetLengthSid Lib "advapi32.dll" _        (pSid As Byte) As Long'************End API Function Declarations**************************Sub main()    Form1.ShowEnd Sub'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++' Convert_BIN_To_SDDL takes two arguments: strNTDomain-> The NT domain for the user's account'                                          strNTAccount-> The NT SAM account name for the user' The function returns the SDDL form of the user's SID,'Public Function Convert_BIN_To_SDDL(strNTDomain As String, strNTAccount As String) As String ' pSid As pSid, pszSidText)    Dim SDDL_SID As String    Dim pSia As Long    Dim pSiaByte(5) As Byte    Dim pSid(512) As Byte    Dim pSubAuthorityCount As Long    Dim bSubAuthorityCount As Byte    Dim pAuthority As Long    Dim lAuthority As Long    '    ' Get the SID for the user's account, targetting a local PDC    '    IReturn = LookupAccountName(Get_Primary_DCName("", strNTDomain), strNTAccount, pSid(0), 512, pDomain, 512, 1)    '    ' Convert the raw sid into its SDDL form ( S-?-?-???-?????? )    ' The first item in the S- format is the rivision level.  If we look closely at the    ' SID structure in the WinNT.H C Header, we find that the revision value for the SID is    ' stored in the 0th byte to the raw sid.    '    ' Another interesting fact is that the last byte of the Identifying authority structure contains    ' the second component of the SDDL form, so lets retrieve both of those and    ' place them into the string.    '    pSia = GetSidIdentifierAuthority(pSid(0))    '    ' The GetSidIdentifierAuthority returns a pointer to the Identifying Authority structure    ' The pointer must be copied into some memory that VB knows how to manage, so....    '    CopyByValMemory pSiaByte(0), pSia, 6    SDDL_SID = "S-" + LTrim(str(pSid(0))) + "-" + LTrim(str(pSiaByte(5)))    '    '    ' The rest of the SDDL form contains a list of sub authorities separated by    ' "-"s.  The total number of these authorities can be obtained by    ' calling the GetSidSubAuthorityCount.  The value returned is a pointer into the    ' SID memory that contains the Sub Authority value, once again, this memory    ' must be copied into something that VB knows how to manage.    '    ' Notice that only 1 byte is copied.  This is because the sub authority count    ' is stored in a single byte ( see the SID srtructure definition above )    '    pSubAuthorityCount = GetSidSubAuthorityCount(pSid(0))    CopyByValMemory bSubAuthorityCount, pSubAuthorityCount, 1    '    ' We can loop throught the sub authorities and convert    ' their DWORD values to VB longs, then convert them to a    ' string.    ' The count is 0 based, so we start a 0 and goto the    ' number of sub authorities - 1    '    For AuthCount = 0 To bSubAuthorityCount - 1      pAuthority = GetSidSubAuthority(pSid(0), AuthCount)      CopyByValMemory lAuthority, pAuthority, LenB(lAuthority)    '    ' VB by default assumes its data types to be signed types. The sub authorities should    ' be unsigned and hence the following code has to work around this problem to get the    ' sub authorities as unsigned data types    '    ' Get rid of the most significant bit (the signed bit) if it is set (And &H7FFFFFFF), and then add it    ' back in into the right location in the double variable (+ 2^31)    '      dAuthority = lAuthority      If ((lAuthority And &H80000000) <> 0) Then        dAuthority = lAuthority And &H7FFFFFFF        dAuthority = dAuthority + 2 ^ 31      End If      SDDL_SID = SDDL_SID + "-" + LTrim(Str(dAuthority))    Next AuthCount    '    ' We are done, the SDDL_SID variable contains the SID in    ' SDDL form,    ' Return it...    '    Convert_BIN_To_SDDL = SDDL_SIDEnd Function'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Get_Primary_DCName -- gets the name of the Primary Domain Controller for''                       the NT domain''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''Function Get_Primary_DCName(ByVal MName As String, ByVal DName As String) As StringDim Result As LongDim DCName As StringDim DCNPtr As LongDim DNArray() As ByteDim MNArray() As ByteDim DCNArray(100) As Byte    MNArray = MName & vbNullChar    DNArray = DName & vbNullChar    Result = NetGetDCName(MNArray(0), DNArray(0), DCNPtr)    If Result <> 0 Then        Exit Function    End If    Result = PtrToStr(DCNArray(0), DCNPtr)    Result = NetApiBufferFree(DCNPtr)    DCName = DCNArray()    Get_Primary_DCName = DCName    End Function'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Convert_ObjectSID_To_SDDL converts the objectSID property of a user'' into the SDDL form of the SID.''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''Public Function Convert_ObjectSID_To_SDDL(obj As Variant) As String    Dim SDDL_SID As String    Dim pSia As Long    Dim pSiaByte(5) As Byte    Dim pSid(512) As Byte    Dim pSubAuthorityCount As Long    Dim bSubAuthorityCount As Byte    Dim pAuthority As Long    Dim lAuthority As Long    Dim cbpSid As Long    '    ' Move the obj array into a byte array to work with the raw SID    ' Not sure why we need to do this, but if we use the variant passed    ' as the argument, the GetSidSubAuthorityCount API does not return a valid    ' address... Curious... It might a typing issue, the obj property is    ' defined as a variant array ob bytes were as the pSid array is defined as    ' an array of bytes.    '    cbpSid = 0    For I = LBound(obj) To UBound(obj)       pSid(cbpSid) = obj(I)       cbpSid = cbpSid + 1    Next I    '    ' Convert the raw sid into its SDDL form ( S-?-?-???-?????? )    ' The first item in the S- format is the rivision level.  If we look closely at the    ' SID structure in the WinNT.H C Header, we find that the revision value for the SID is    ' stored in the 0th byte to the raw sid.    '    ' Another interesting fact is that the last byte of the Identifying authority structure contains    ' the second component of the SDDL form, so lets retrieve both of those and    ' place them into the string.    '    pSia = GetSidIdentifierAuthority(pSid(0))    '    ' The GetSidIdentifierAuthority returns a pointer to the Identifying Authority structure    ' The pointer must be copied into some memory that VB knows how to manage, so....    '    CopyByValMemory pSiaByte(0), pSia, 6    SDDL_SID = "S-" + LTrim(str(pSid(0))) + "-" + LTrim(str(pSiaByte(5)))    '    '    ' The rest of the SDDL form contains a list of sub authorities separated by    ' "-"s.  The total number of these authorities can be obtained by    ' calling the GetSidSubAuthorityCount.  The value returned is a pointer into the    ' SID memory that contains the Sub Authority value, once again, this memory    ' must be copied into something that VB knows how to manage.    '    ' Notice that only 1 byte is copied.  This is because the sub authority count    ' is stored in a single byte ( see the SID srtructure definition above )    '    pSubAuthorityCount = GetSidSubAuthorityCount(pSid(0))    CopyByValMemory bSubAuthorityCount, pSubAuthorityCount, 1    '    ' We can loop throught the sub authorities and convert    ' their DWORD values to VB longs, then convert them to a    ' string.    ' The count is 0 based, so we start a 0 and goto the    ' number of sub authorities - 1    '    For AuthCount = 0 To bSubAuthorityCount - 1      pAuthority = GetSidSubAuthority(pSid(0), AuthCount)      CopyByValMemory lAuthority, pAuthority, LenB(lAuthority)    '    ' VB by default assumes its data types to be signed types. The sub authorities should    ' be unsigned and hence the following code has to work around this problem to get the    ' sub authorities as unsigned data types    '    ' Get rid of the most significant bit (the signed bit) if it is set (And &H7FFFFFFF), and then add it    ' back in into the right location in the double variable (+ 2^31)    '      dAuthority = lAuthority      If ((lAuthority And &H80000000) <> 0) Then        dAuthority = lAuthority And &H7FFFFFFF        dAuthority = dAuthority + 2 ^ 31      End If      SDDL_SID = SDDL_SID + "-" + LTrim(Str(dAuthority))    Next AuthCount    '    ' We are done, the SDDL_SID variable contains the SID in    ' SDDL form,    ' Return it...    '    Convert_ObjectSID_To_SDDL = SDDL_SID    'End Function'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++' Local_Convert_BIN_To_SDDL takes two arguments: strNTDomain-> Netbios name for the NT machine to '                                                              Request account information from'                                          strNTAccount-> The NT SAM account name for the user' The function returns the SDDL form of the user's SID,'Public Function Local_Convert_BIN_To_SDDL(strNTDomain As String, strNTAccount As String) As String ' pSid As pSid, pszSidText)    Dim SDDL_SID As String    Dim pSia As Long    Dim pSiaByte(5) As Byte    Dim pSid(512) As Byte    Dim pSubAuthorityCount As Long    Dim bSubAuthorityCount As Byte    Dim pAuthority As Long    Dim lAuthority As Long    '    ' Get the SID for the user's account, targetting a local PDC    '    IReturn = LookupAccountName(strNTDomain, strNTAccount, pSid(0), 512, pDomain, 512, 1)    '    ' Convert the raw sid into its SDDL form ( S-?-?-???-?????? )    ' The first item in the S- format is the rivision level.  If we look closely at the    ' SID structure in the WinNT.H C Header, we find that the revision value for the SID is    ' stored in the 0th byte to the raw sid.    '    ' Another interesting fact is that the last byte of the Identifying authority structure contains    ' the second component of the SDDL form, so lets retrieve both of those and    ' place them into the string.    '    pSia = GetSidIdentifierAuthority(pSid(0))    '    ' The GetSidIdentifierAuthority returns a pointer to the Identifying Authority structure    ' The pointer must be copied into some memory that VB knows how to manage, so....    '    CopyByValMemory pSiaByte(0), pSia, 6    SDDL_SID = "S-" + LTrim(str(pSid(0))) + "-" + LTrim(str(pSiaByte(5)))    '    '    ' The rest of the SDDL form contains a list of sub authorities separated by    ' "-"s.  The total number of these authorities can be obtained by    ' calling the GetSidSubAuthorityCount.  The value returned is a pointer into the    ' SID memory that contains the Sub Authority value, once again, this memory    ' must be copied into something that VB knows how to manage.    '    ' Notice that only 1 byte is copied.  This is because the sub authority count    ' is stored in a single byte ( see the SID srtructure definition above )    '    pSubAuthorityCount = GetSidSubAuthorityCount(pSid(0))    CopyByValMemory bSubAuthorityCount, pSubAuthorityCount, 1    '    ' We can loop throught the sub authorities and convert    ' their DWORD values to VB longs, then convert them to a    ' string.    ' The count is 0 based, so we start a 0 and goto the    ' number of sub authorities - 1    '    For AuthCount = 0 To bSubAuthorityCount - 1      pAuthority = GetSidSubAuthority(pSid(0), AuthCount)      CopyByValMemory lAuthority, pAuthority, LenB(lAuthority)    '    ' VB by default assumes its data types to be signed types. The sub authorities should    ' be unsigned and hence the following code has to work around this problem to get the    ' sub authorities as unsigned data types    '    ' Get rid of the most significant bit (the signed bit) if it is set (And &H7FFFFFFF), and then add it    ' back in into the right location in the double variable (+ 2^31)    '      dAuthority = lAuthority      If ((lAuthority And &H80000000) <> 0) Then        dAuthority = lAuthority And &H7FFFFFFF        dAuthority = dAuthority + 2 ^ 31      End If      SDDL_SID = SDDL_SID + "-" + LTrim(Str(dAuthority))    Next AuthCount    '    ' We are done, the SDDL_SID variable contains the SID in    ' SDDL form,    ' Return it...    '    Local_Convert_BIN_To_SDDL = SDDL_SIDEnd Function				

Aviso: este artigo foi traduzido automaticamente

Propriedades

ID do Artigo: 286182 - Última Revisão: 12/06/2015 00:03:38 - Revisão: 2.3

Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows NT Server 4.0 Standard Edition

  • kbnosurvey kbarchive kbmt kb32bitonly kbhowto kbsecurity KB286182 KbMtpt
Comentários