ElcomSoft System Recovery includes a SAM database editor in the Pro (paid) version.

Create a user with a specific SID

I came across the following question and answer on Experts Exchange: Create a user with a specific SID.
Since Experts Exchange is increasingly putting its answers behind a paid login, I am archiving this Q&A here.


01/20/2003 at 05:29PM PST, ID: 20467163 - Create a user with a specific SID
Asked by chrissears in Windows Network Security
Tags: create, sid

Hello Experts,

I'm looking for the Win32 or NT Native API calls to allow me to create a local user account (not in Active Directory) with a specific SID that I built using the AllocateAndInitializeSid() function. I need this functionality for a custom system migration tool where I cannot restore the entire SAM database and ADMT (Active Directory Migration Tool) will not suffice.

As far as I can tell, there is no way to do this with the Net API. There must be something lower level.

I fully understand the implications of using non-random/non-system generated SIDs, so please do not point me to http://support.microsoft.com/default.aspx?scid=KB;EN-US;q289243

Also, this is unrelated to changing the SID of the computer account, so please do not point me to NewSID from SysInternals either. (http://sysinternals.com/ntw2k/source/newsid.shtml)

Equally helpful would be an authoritative answer that such functionality does not exist, although I find it very hard to believe that would be the case considering the existence of tools like ADMT, NTBACKUP, and the ability for domain controllers to sync/restore accounts while maintaining SIDs.

Thanks Much,

Chris Sears


23/01/03 08:02 AM, ID: 7792543
ecims:

Is this what you had in mind?

http://world.std.com/~jimf/papers/nt-security/nt-security.html


23/01/03 09:49 AM, ID: 7793428
chrissears:

No, those are functions that deal with Access Control Lists (ACLs). I'm looking for the low level functions used to add users to the Security Account Manager database.


23/01/03 11:12 AM, ID: 7794022
ecims:

ActiveX NT user accounts; http://www.sam-solutions.net/products/description.php?id=&prdPack=4&prd=4

Windows NT/2000 Native API Reference http://www.walmart.com/catalog/product.gsp?product_id=735480&cat=20228&type=3&dept=3920&path=0%3A3920%3A18674%3A18690%3A20228

I know, *lower* … this may be what you want.

The Security Support Provider Interface http://www.microsoft.com/windows2000/techinfo/howitworks/security/sspi2000.asp

http://www.developer.com/net/net/article.php/11087_629311_2

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b180548


24/01/03 09:09 AM, ID: 7801560
chrissears:

Much closer, but still a bit off.

SSPI has to do with pluggable authentication schemes, not the Security Account Manager.

ActiveX NT user accounts - this object just uses the NetAPI.

Windows NT/2000 Native API Reference - this looks good. Is the same info available online anywhere? SysInternals has some, but not a complete reference.

What I really need to know is if NetAddUser() is the lowest level interface available for creating users in the SAM database.

I'll try to find that Native API book locally and if I can find a lower level function, I will award you the answer.

Thanks for the effort.

- Chris


24/01/03 04:31 PM, ID: 7804769
ecims:

Ok, then I'll dump what I have here in case I need it later.

It appears that you are correct. There is a SAM API below the Net API, but it appears to be undocumented. From the web pages I read, that book may be your best bet because Microsoft doesn't look too eager to publish them.

“Active Directory APIs The primary API for Active Directory is called the Active Directory Service Interfaces (ADSI). ADSI is an object-oriented interface to Active Directory objects and methods, masking the details of the underlying LDAP communications. The ADSI design abstracts the functionality of multiple types of directory services and integrates directory access and management into a set of unified interfaces.

An Active Directory provider supports a namespace-specific implementation of AD objects. Active Directory includes an ADSI namespace provider for NT 4, NDS, NetWare 3.x, as well as LDAP (versions 2 and 3). Applications written for ADSI have the capability of performing directory operations across disparate namespaces.

In addition to ADSI, Active Directory can be accessed via the following:

LDAP C API: The LDAP C API can be used to access Active Directory services and objects.

MAPI: Active Directory supports the MAPI interface for compatibility with applications based on MAPI; however Microsoft does recommend that new applications use ADSI.

SAM API: The Security Accounts Manager (SAM) interface is a protected subsystem used by Active Directory to administer user and group security account information maintained within the registry. In NT 4, security principals (either local or domain) are stored in the SAM database; therefore, when AD operates in mixed mode (with mixed AD DCs and NT 4 BDCs on the network), down-level NT clients use the SAM APIs to communicate with the SAM server for authentication. The SAM APIs are also used in mixed mode for replicating the SAM database to down-level domain controllers. Security account information for workstations is stored in a registry (of the local computer); however, the DC security account information is stored within Active Directory.

The ADSI interfaces are also accessible to scripts, easing the automation of administrative tasks. ADSI provides application development support for multiple scripting languages including Visual Basic, Java, Perl, as well as the Windows Scripting Host environment.”

http://216.239.37.100/search?q=cache:7t5RGSaQ9hsC:www.informit.com/isapi/product_id~%257B25373488-7C8F-4631-99B3-B1C42566827A%257D/st~%257BDD7941B7-314A-4717-B72F-8C81EF7EF284%257D/content/index.asp+WINDOWS+SAM+API&hl=en&ie=UTF-8

Security SDK Reference. Authentication Functions http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/gina.asp

Possibly of interest; these discussions mention the SAM API as well. http://ma.ph-freiburg.de/tng/tng-technical/2001-10/msg00104.html

samba http://lists.samba.org/pipermail/samba-technical/2002-August/038676.html

Just because it looked good; HOWTO: Use ADsSecurity.dll to Remotely Add Local Account ACEs to an NTFS File http://support.microsoft.com/default.aspx?scid=kb;en-us;285998

Net API Stuff in case you need it; User Functions http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/user_functions.asp

User Modal Functions http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/user_modal_functions.asp

Accepted Solution


02/02/03 12:44 AM, ID: 7862063
pbarrette:

Hi Chris,

You may want to look here too: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/ad/win2k_a_ridnextrid.asp

(Just adding to the pool ecims) pb


04/02/03 02:30 PM, ID: 7878189
chrissears:

The Gina and SAMBA stuff were right on.

Thanks for all your digging!


04/02/03 02:35 PM, ID: 7878227
pbarrette:

Hi Chris,

So how did you do it in the end? It would be pretty nice if admins could re-create accidentally (or otherwise) deleted users by specifying the right SID.

Share.

pb
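The question above hinges on a SID built with AllocateAndInitializeSid(): a revision byte, a subauthority count, a 48-bit identifier authority, and up to 15 little-endian 32-bit subauthorities, where for a local or domain account the last subauthority is the RID and the rest identify the machine or domain. The following is an added example, not code from the thread, that converts between the binary layout and the S-1-... string form and splits an account SID into its domain part and RID, which is exactly what a migration tool has to preserve. The sample SID is constructed for illustration.

```python
import struct

# Constructed sample: a local account SID (S-1-5-21-<machine>-<RID>), not from any real system.
SAMPLE_SID = "S-1-5-21-3623811015-3361044348-30300820-1013"


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-R-A-S1-...-Sn' into the binary SID layout AllocateAndInitializeSid() produces."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # SID_REVISION is 1; at most 15 subauthorities; authority is a 48-bit big-endian value
    if revision != 1 or len(subs) > 15 or not 0 <= authority < (1 << 48):
        raise ValueError(f"out-of-range SID: {sid!r}")
    if any(not 0 <= s < (1 << 32) for s in subs):
        raise ValueError(f"subauthority out of range: {sid!r}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to its string form, validating header and length."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("invalid SID header or length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def split_domain_and_rid(sid: str):
    """For an account SID (S-1-5-21-X-Y-Z-RID) return (machine/domain SID, RID).
    Well-known SIDs such as S-1-5-18 have no domain/RID split and return (sid, None)."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None


if __name__ == "__main__":
    raw = sid_to_bytes(SAMPLE_SID)
    print(raw.hex(), bytes_to_sid(raw), split_domain_and_rid(SAMPLE_SID))
```

Recreating a deleted user with the same SID requires keeping both halves identical: the machine part must match the target's own SID and the RID must be the old one, so this check is the first thing a migration tool should run on the SID it is about to request.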