When performing the conversion from SID to NTAccount, I use the following code:
DirectorySecurity folder_sec = Directory.GetAccessControl("c:\\test", AccessControlSections.All); AuthorizationRuleCollection rules = folder_sec.GetAccessRules(true, true, typeof(SecurityIdentifier)); foreach (FileSystemAccessRule rule in rules) { SecurityIdentifier sid = new SecurityIdentifier(rule.IdentityReference.Value); IdentityReference name = sid.Translate(typeof(NTAccount)); string output = name + " | " + sid.tostring(); }
Yes, I understand that you can get NTAccount from the folder_sec.GetAccessRules method, but I found that the same routine is used for SecurityIdentifier.Translate and the same error occurs. At the end of the day, ACLs are just SID arrays.
It is an error when you have two active directory objects (group, user, etc.) with the same name, but they are in two separate domains (trusted, not under), the translate method returns an invalid NTAccount. It ends up returning an NTAccount with the same name in the domain on which the computer running the code is running. Getting NTAccount from other domains that do not have a common name of the same name as another object in your domain returns a penalty.
Say that you have a directory on the machine that is in the frank_domain, and this is an ACL:
- domain_frank \ IT Team
- domain_bob \ IT Team
- domain_frank \ Dave
- domain_bob \ Ted
if you run it, although the code above output will look like this:
domain_frank\IT Team | S-1-5-21-4000000000-4000000000-2000000000-28480 domain_frank\IT Team | S-1-5-21-1000000000-8000000000-3000000000-81912 domain_frank\Dave | S-1-5-21-4000000000-4000000000-2000000000-86875 domain_bob\Ted | S-1-5-21-1000000000-8000000000-3000000000-96521
Assuming that an object named Dave is not in the domain_bob, and an object named Ted is not in the domain_frank. But if you look at the SIDs, you can clearly see that the domain partition is completely different, so you know that the correct object is in the ACL, at least in the SID. Something related to the search breaks down.
The result for me - I had to write my own algorithm to look at the SID and make an active directory in the domain to which the SID belongs. Very very slow and full pain.
Is this a known mistake and is there a satisfactory solution to this?