"Some or all identity references could not be translated."

  • Question

  • Hello guys, I have a problem translating SIDs to distinguished domain user names. This is what I am trying:

    $objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-1214440339-842925246-1801674531-1453")
    $objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
    $objUser.Value

    But I got this error:

    Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."
    At line:1 char:1
    + $objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : IdentityNotMappedException

    As far as I know, maybe those SIDs could be from another domain or may have been deleted. How could I know if that is the case, and how can I connect to another domain?

    Wednesday, December 3, 2014 5:10 AM

Answers

  • Come to think of it, "Translate" does probe the GC. The issue is that we have a local account SID or a SID from an old domain or a deleted account.

    In the example the domain SID would be this:

    S-1-5-21-1214440339-842925246-1801674531

    We should be able to get it from the GC with Get-ADObject.

    I am pretty sure that when the last digits are less than 5 that the SID is a local machine SID, which can only be found by querying all machines until you find it.


    ¯\_(ツ)_/¯

    • Marked as answer by AnnaWY Monday, December 15, 2014 1:00 PM
    Wednesday, December 3, 2014 10:54 AM
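
One way to run the checks discussed in this thread: the same Translate call, then a Global Catalog lookup by objectSid, then a deleted-objects lookup when the domain part of the SID matches the current domain. This is an added example, not code from the thread; the function name Resolve-SidOrigin and the status strings are hypothetical, and it assumes the ActiveDirectory module on a domain-joined machine.

```powershell
# Added example. Resolve-SidOrigin and its status strings are hypothetical names.
# Assumes a domain-joined host with the ActiveDirectory (RSAT) module installed.
Import-Module ActiveDirectory

function Resolve-SidOrigin {
    param([Parameter(Mandatory)][string]$SidString)

    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $out = [ordered]@{
        Sid       = $sid.Value
        DomainSid = [string]$sid.AccountDomainSid   # SID minus the trailing RID
        Status    = $null
        Name      = $null
    }

    try {
        # Same call as in the question; succeeds for any SID the system can map.
        $out.Name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $out.Status = 'Resolved'
        return [pscustomobject]$out
    } catch {
        # Handle only the "could not be translated" case; rethrow anything else.
        $base = $_.Exception.GetBaseException()
        if ($base -isnot [System.Security.Principal.IdentityNotMappedException]) { throw }
    }

    # Look for a live object with this SID anywhere in the forest (GC port 3268).
    $gc  = '{0}:3268' -f (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
    $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -Server $gc
    if ($obj) {
        $out.Status = 'FoundInGlobalCatalog'; $out.Name = $obj.DistinguishedName
    }
    elseif ($out.DomainSid -eq (Get-ADDomain).DomainSID.Value) {
        # The SID was issued by the current domain: check its deleted objects.
        $del = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -IncludeDeletedObjects
        if ($del) { $out.Status = 'DeletedInCurrentDomain'; $out.Name = $del.DistinguishedName }
        else      { $out.Status = 'CurrentDomainNoObject' }
    }
    else {
        # Not issued by this domain and not in the GC: a local machine SID,
        # or a domain that is gone or not part of this forest.
        $out.Status = 'UnknownIssuer'
    }
    [pscustomobject]$out
}

Resolve-SidOrigin 'S-1-5-21-1214440339-842925246-1801674531-1453'
```
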

All replies

  • Query the Global Catalog for a user with that SID.


    ¯\_(ツ)_/¯

    Wednesday, December 3, 2014 8:01 AM
  • Hello,

    To find the SID and domain name, it is explained well below:

    http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/03/how-can-i-determine-the-sid-for-a-user-account.aspx

    However, if you know the domain name, you can connect to it the same way:

    http://www.joseph-streeter.com/?p=799

    get-addomain -server 'corp.contoso.com'

    Or with the Quest PowerShell cmdlet:

    connect-qadservice 'corp.contoso.com'

    If you have any other query, please reply.

    • Proposed as answer by STscripter Wednesday, December 3, 2014 10:08 AM
    Wednesday, December 3, 2014 10:08 AM
  • Unfortunately, if you know only the SID that won't work. The GC has all SIDs for all domains in a forest.

    Sometimes the SID is a local machine SID and you cannot translate it except on that machine. If it is not in the GC then you are out of luck.


    ¯\_(ツ)_/¯

    • Proposed as answer by Andre Britz Wednesday, August 29, 2018 3:47 AM
    Wednesday, December 3, 2014 10:45 AM