NT Domain RIDs extraction
-------------------------
Author: Copyright (C) Oskar Klicker 1997
Date: 22 Oct 97
-------------------------

> > hi.
> >
> > your doc about NT Domain Authentication states that 'mappings of RIDs
> > to usernames' is open.
>
> [it's an open issue, yes, and what i'm doing at present is to take the
> unix uid and add 1,000. except for domain administrators or domain
> guests, for which i return the appropriate Well-known RID mentioned in
> winnt.h]

Which is wrong ;-( . AFAIK NT knows a 'user' only by its RID. Mapping this to a human-friendly name is done in the LSA. The LSA itself uses loadable packages to do its database maintenance. The one currently used in NT 4 is called msv1_0 and is implemented as a service in some DLL. This service uses a secured part of the registry, the SAM hive, for storage of data. Bypassing this service and accessing the registry directly using a suitably privileged process is certainly a way to cause synchronisation problems. Anyway, direct access to the registry is all we have in our hands today.

Having said all the above, to map a user name to a RID one can use the following code:

    #include <windows.h>
    #include <stdio.h>

    /* Returns the RID for pszUser, or 0 if the key cannot be opened or read.
       The RID is stored in the *type* field of the unnamed default value under
       ...\Users\Names\<user>, so &rid is passed as lpType and no data is requested. */
    DWORD User2Rid(const char *pszUser)
    {
        char  Buf[420];
        DWORD rid = 0;
        HKEY  k;

        _snprintf(Buf, sizeof Buf - 1,
                  "SECURITY\\SAM\\Domains\\Account\\Users\\Names\\%s", pszUser);
        Buf[sizeof Buf - 1] = 0;

        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, Buf, 0, KEY_READ, &k) != ERROR_SUCCESS)
            return 0;            /* no such user, or not running as SYSTEM */

        /* undocumented and questionable: the type field is usually one of
           REG_DWORD etc., but here it carries the RID */
        if (RegQueryValueEx(k, NULL, NULL, &rid, NULL, NULL) != ERROR_SUCCESS)
            rid = 0;

        RegCloseKey(k);
        return rid;
    }

To map a RID to a user, one can read the value SECURITY\SAM\Domains\Account\Users\\V and use the algorithms in pwdump to analyze the returned data block.

This code must run under the SYSTEM account (for example in a service) in order to succeed.
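The "algorithms in pwdump" referred to above are the V-value layout and the RID-keyed DES obfuscation of the stored hashes. The following is an added example, not code from Oskar's message or from pwdump itself: a stand-alone C parser for a V block that pulls out the user name and the (still obfuscated) LM/NT hash fields, plus the derivation of the two DES keys pwdump builds from a RID. It assumes the NT4 layout pwdump uses (header slots 0x0C/0x10 for the name, 0x18/0x1C for the full name, 0x9C/0xA0 and 0xA8/0xAC for the LM and NT hashes, data offsets relative to 0xCC, a hash field of length 0x14 being a 4-byte header plus the 16-byte hash); the sample V block is constructed, not read from a real SAM, and the DES decryption step itself is not included.

```c
/* Added example: parse an NT4 SAM "V" value the way pwdump does and derive the
   RID-based DES keys. Layout offsets are assumed; the sample block is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define V_BASE 0xCC   /* data offsets in the V header are relative to this */

/* Header slots: DWORD data offset at the slot, DWORD byte length at slot+4. */
enum { V_NAME = 0x0C, V_FULLNAME = 0x18, V_COMMENT = 0x24, V_LMHASH = 0x9C, V_NTHASH = 0xA8 };

typedef struct {
    char    name[256], fullname[256];  /* UTF-16LE on disk, narrowed here */
    int     has_lm, has_nt;
    uint8_t lm_obf[16], nt_obf[16];    /* still DES-obfuscated with RID keys */
} sam_user_t;

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t x) { p[0] = (uint8_t)x; p[1] = (uint8_t)(x >> 8); p[2] = (uint8_t)(x >> 16); p[3] = (uint8_t)(x >> 24); }

/* Resolve one header slot to an absolute (offset, length) pair, bounds-checked. */
static int slot(const uint8_t *v, size_t vlen, int hdr, size_t *off, size_t *len)
{
    if ((size_t)hdr + 8 > vlen) return -1;
    *off = (size_t)rd32(v + hdr) + V_BASE;
    *len = rd32(v + hdr + 4);
    return (*off > vlen || *len > vlen - *off) ? -1 : 0;
}

/* Copy a UTF-16LE string field into a char buffer; non-ASCII becomes '?'. */
static int get_string(const uint8_t *v, size_t vlen, int hdr, char *out, size_t outsz)
{
    size_t off, len;
    if (slot(v, vlen, hdr, &off, &len) < 0 || len % 2) return -1;
    size_t n = len / 2;
    if (n >= outsz) n = outsz - 1;
    for (size_t i = 0; i < n; i++) {
        unsigned c = v[off + 2 * i] | v[off + 2 * i + 1] << 8;
        out[i] = c < 0x80 ? (char)c : '?';
    }
    out[n] = 0;
    return (int)n;
}

/* A hash field of length 0x14 is a 4-byte header followed by the 16-byte
   obfuscated hash; any other length means "no hash stored". */
static int get_hash(const uint8_t *v, size_t vlen, int hdr, uint8_t out[16])
{
    size_t off, len;
    if (slot(v, vlen, hdr, &off, &len) < 0 || len != 0x14) return 0;
    memcpy(out, v + off + 4, 16);
    return 1;
}

int parse_v_block(const uint8_t *v, size_t vlen, sam_user_t *u)
{
    memset(u, 0, sizeof *u);
    if (get_string(v, vlen, V_NAME, u->name, sizeof u->name) < 0) return -1;
    get_string(v, vlen, V_FULLNAME, u->fullname, sizeof u->fullname);
    u->has_lm = get_hash(v, vlen, V_LMHASH, u->lm_obf);
    u->has_nt = get_hash(v, vlen, V_NTHASH, u->nt_obf);
    return 0;
}

/* 7-byte string to 8-byte DES key, Samba/pwdump style (parity bits left clear). */
static void str_to_key(const uint8_t s[7], uint8_t k[8])
{
    k[0] = s[0] >> 1;
    k[1] = ((s[0] & 0x01) << 6) | (s[1] >> 2);
    k[2] = ((s[1] & 0x03) << 5) | (s[2] >> 3);
    k[3] = ((s[2] & 0x07) << 4) | (s[3] >> 4);
    k[4] = ((s[3] & 0x0F) << 3) | (s[4] >> 5);
    k[5] = ((s[4] & 0x1F) << 2) | (s[5] >> 6);
    k[6] = ((s[5] & 0x3F) << 1) | (s[6] >> 7);
    k[7] = s[6] & 0x7F;
    for (int i = 0; i < 8; i++) k[i] = (uint8_t)(k[i] << 1);
}

/* pwdump keys the two DES halves of a stored hash with the RID's little-endian
   bytes r0..r3 arranged as r0 r1 r2 r3 r0 r1 r2 and r3 r0 r1 r2 r3 r0 r1. */
void rid_to_des_keys(uint32_t rid, uint8_t k1[8], uint8_t k2[8])
{
    uint8_t r[4] = { (uint8_t)rid, (uint8_t)(rid >> 8), (uint8_t)(rid >> 16), (uint8_t)(rid >> 24) };
    uint8_t s1[7] = { r[0], r[1], r[2], r[3], r[0], r[1], r[2] };
    uint8_t s2[7] = { r[3], r[0], r[1], r[2], r[3], r[0], r[1] };
    str_to_key(s1, k1);
    str_to_key(s2, k2);
}

/* Constructed sample (not real SAM data): "Administrator", empty full name,
   LM hash payload of 0xAA bytes, NT hash payload of 0xBB bytes. */
size_t build_sample_v(uint8_t *out, size_t outsz)
{
    const char *name = "Administrator";
    uint32_t nlen = (uint32_t)strlen(name) * 2;      /* UTF-16LE bytes: 26 */
    size_t need = V_BASE + nlen + 0x14 + 0x14;
    if (outsz < need) return 0;
    memset(out, 0, need);
    wr32(out + V_NAME, 0);             wr32(out + V_NAME + 4, nlen);
    wr32(out + V_FULLNAME, nlen);      wr32(out + V_FULLNAME + 4, 0);
    wr32(out + V_COMMENT, nlen);       wr32(out + V_COMMENT + 4, 0);
    wr32(out + V_LMHASH, nlen);        wr32(out + V_LMHASH + 4, 0x14);
    wr32(out + V_NTHASH, nlen + 0x14); wr32(out + V_NTHASH + 4, 0x14);
    for (size_t i = 0; name[i]; i++) out[V_BASE + 2 * i] = (uint8_t)name[i];
    memset(out + V_BASE + nlen + 4, 0xAA, 16);
    memset(out + V_BASE + nlen + 0x14 + 4, 0xBB, 16);
    return need;
}

/* Parse the constructed sample; returns NULL on failure. */
const sam_user_t *parse_sample(void)
{
    static uint8_t v[512];
    static sam_user_t u;
    size_t n = build_sample_v(v, sizeof v);
    if (n == 0 || parse_v_block(v, n, &u) < 0) return NULL;
    return &u;
}

int main(void)
{
    const sam_user_t *u = parse_sample();
    uint8_t k1[8], k2[8];
    if (!u) return 1;
    rid_to_des_keys(500, k1, k2);
    printf("user=%s lm=%d nt=%d nt[0]=%02x k1[0]=%02x k2[1]=%02x\n",
           u->name, u->has_lm, u->has_nt, u->nt_obf[0], k1[0], k2[1]);
    return 0;
}
```

Every slot is bounds-checked against the buffer length before it is dereferenced, because a V value read from a hive (or a handed-in file) is attacker-influenced data: a forged offset must fail cleanly rather than read outside the block. The RID-derived keys are what the 8-byte halves of lm_obf and nt_obf would be DES-decrypted with to get the raw LM/NT hash.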