I need to generate custom SIDs for users in my web application for use with Microsoft AzMan. What is the best way to do this? What do I need to know before doing this?
This is what I'm thinking, but I'm not sure if I'm missing something:
S-1-9-1234-{user_id + 1000}
S-{first revision}-{resource manager authority}-{domain (unique number for the specific app)}-{unique id for user}
UPDATE: Changed to resource manager authority because of David Crawford's blog entry: http://blogs.msdn.com/dc995/archive/2006/08/23/715021.aspx
Note that just changing the computer name or adding the computer to a different domain does not change the computer SID. Changing the name or domain only changes the domain SID if the computer was previously associated with a domain.
It is not possible to change the SID by standard means, but the software adsiedit will allow you to make changes. The SID will also change if the related object is created in one domain (and the domain identifier becomes part of the object's SID) and is then migrated to another domain.
A SID is a string with a maximum length of 256 characters. For information on how to determine the security identifier for an Active Directory user account using PowerShell, see this Microsoft Web site.
To change a SID, you must use the Windows utility Sysprep (System Preparation Tool). This is the only method that is supported by Microsoft. For more information on using Sysprep, see this Microsoft article: How to Use Sysprep: An Introduction.
As I found from the MSDN's Developing Applications Using Windows Authorization Manager article:
When creating custom SIDs you must establish a SID design for your application. For example, you might have S-1-9-AppInstanceGUID-UserGuid, where 9 is the resource manager sub-authority and AppInstanceGUID and UserGUID are each broken into four sub-authorities. You can also use S-1-9-AppInstanceGuid-UserRID, where UserRID is a unique number for the user in the scope of the application instance. If you want to use custom groups you can create a SID for each group using either of these techniques. For sample code that generates a GUID, see the Microsoft Windows Software Development Kit (SDK).
So it looks like AzMan allows you to generate SIDs in whatever way fits your needs best. And the only thing you need to do is make sure that SIDs generated for semantically different users are unique (even if they are generated on different machines).
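As an added worked example (this is not code from the question, the answers, or the MSDN article quoted above): the Python below renders the SID designs discussed here, the question's S-1-9-1234-{user_id + 1000} and MSDN's S-1-9-AppInstanceGUID-UserRID and S-1-9-AppInstanceGUID-UserGUID, and checks each against the structural limits of the SID format (revision 1, a 48-bit identifier authority, at most 15 sub-authorities of 32 bits each), which is what actually bounds "the way that fits your needs". It also converts between the string form and the binary SID layout that the Windows APIs store. The way a GUID is split into four sub-authorities (big-endian uuid.UUID.bytes, four uint32 words) and the sample app/user identifiers are assumptions made for this example; the MSDN text only says the GUID is "broken into four sub-authorities" without specifying the byte order.

```python
import re
import struct
import uuid

# Structural limits of the Windows SID format.
SID_REVISION = 1
MAX_SUB_AUTHORITIES = 15            # SID_MAX_SUB_AUTHORITIES
MAX_IDENTIFIER_AUTHORITY = (1 << 48) - 1
MAX_SUB_AUTHORITY = (1 << 32) - 1

# Identifier authority for application-defined (resource manager) SIDs, the "9" in S-1-9-...
SECURITY_RESOURCE_MANAGER_AUTHORITY = 9

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def build_sid(identifier_authority, sub_authorities):
    """Render a SID string, rejecting anything the binary SID format cannot hold."""
    subs = list(sub_authorities)
    if not 0 <= identifier_authority <= MAX_IDENTIFIER_AUTHORITY:
        raise ValueError("identifier authority must fit in 48 bits")
    if not 1 <= len(subs) <= MAX_SUB_AUTHORITIES:
        raise ValueError(f"a SID carries 1..{MAX_SUB_AUTHORITIES} sub-authorities, got {len(subs)}")
    for s in subs:
        if not 0 <= s <= MAX_SUB_AUTHORITY:
            raise ValueError(f"sub-authority {s} does not fit in 32 bits")
    return "S-%d-%d-%s" % (SID_REVISION, identifier_authority, "-".join(str(s) for s in subs))


def parse_sid(sid):
    """Split a SID string into (identifier_authority, [sub_authorities]) with range checks."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    build_sid(authority, subs)  # re-run the range checks on the parsed values
    return authority, subs


def is_valid_sid(sid):
    try:
        parse_sid(sid)
        return True
    except ValueError:
        return False


def guid_to_sub_authorities(guid):
    """Assumption for this example: the GUID's 16 bytes (uuid.UUID.bytes, big-endian)
    are split into four uint32 sub-authorities. Any fixed, reversible split works,
    as long as every SID producer in the application uses the same one."""
    return struct.unpack(">4I", uuid.UUID(str(guid)).bytes)


def user_sid_from_rid(app_instance_guid, user_rid):
    """MSDN design 2: S-1-9-AppInstanceGUID-UserRID (five sub-authorities)."""
    subs = [*guid_to_sub_authorities(app_instance_guid), user_rid]
    return build_sid(SECURITY_RESOURCE_MANAGER_AUTHORITY, subs)


def user_sid_from_guid(app_instance_guid, user_guid):
    """MSDN design 1: S-1-9-AppInstanceGUID-UserGUID (eight sub-authorities)."""
    subs = [*guid_to_sub_authorities(app_instance_guid), *guid_to_sub_authorities(user_guid)]
    return build_sid(SECURITY_RESOURCE_MANAGER_AUTHORITY, subs)


def sid_to_bytes(sid):
    """Binary SID layout: revision, sub-authority count, 6-byte big-endian identifier
    authority, then each sub-authority as a little-endian uint32."""
    authority, subs = parse_sid(sid)
    header = struct.pack(">BB", SID_REVISION, len(subs)) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(raw):
    """Inverse of sid_to_bytes, rejecting truncated or over-long buffers."""
    if len(raw) < 8:
        raise ValueError("truncated binary SID")
    revision, count = raw[0], raw[1]
    if revision != SID_REVISION or len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return build_sid(authority, subs)


if __name__ == "__main__":
    # Constructed sample identifiers (not real application data).
    app_instance = uuid.UUID("12345678-1234-5678-1234-567812345678")
    print(build_sid(9, [1234, 42 + 1000]))        # the question's S-1-9-1234-{user_id + 1000}
    print(user_sid_from_rid(app_instance, 1001))   # S-1-9-<4 words>-1001
    print(user_sid_from_guid(app_instance, uuid.uuid4()))
    print(sid_to_bytes("S-1-5-32-544").hex())      # BUILTIN\Administrators, for comparison
```

Two things the checks make visible: the question's two-sub-authority design works, but its uniqueness rests entirely on no other AzMan application instance ever choosing 1234 as its "domain" value, which the GUID-based app-instance prefix from MSDN avoids; and a user_id must be kept below 2^32 (and the sub-authority count below 16) or the SID is not representable in binary form, which is the form AzMan's store and the Windows security APIs work with.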