Binding to an Object Using a SID

In Windows Server 2003, it is possible to bind to an object using the object Security Identifier (SID) as well as a GUID. The object SID is stored in the objectSID attribute. Binding to an SID does not work on Windows 2000.

The LDAP provider for Active Directory Domain Services provides a method to bind to an object using the object SID. The binding string format is:


In this example, "servername" is the name of the directory server and "XXXXX" is the string representation of the hexadecimal value of the SID. The "servername" is optional. The SID string is specified in a form where each character in the string is the hexadecimal representation of each byte of the SID. For example, if the array is:

0xAB 0x14 0xE2

the SID binding string would be "<SID=AB14E2>". The ADsEncodeBinaryData function should not be used to convert the SID array into a string because it precedes each byte character with a backslash, which is not a valid bind string format.

The SID string can also take the form "<SID=S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXX>", where the "S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXX" portion is the same as the string returned by the ConvertSidToStringSid function.

When binding using the object SID, some IADs and IADsContainer methods and properties are not supported. The following IADs properties are not supported by objects obtained by binding using the object SID:

The following IADsContainer methods are not supported by objects obtained by binding using the object SID:

To use these methods and properties after binding to an object using the object SID, use the IADs.Get method to retrieve the object distinguished name and then use the distinguished name to bind to the object again.

The following code example shows how to convert an objectSid into a bindable string.

HRESULT VariantArrayToBytes(VARIANT Variant, 
    LPBYTE *ppBytes, 
    DWORD *pdwBytes);



    Converts a SID in VARIANT form, such as an objectSid value, and 
    converts it into a bindable string in the form:


    The returned string is allocated with AllocADsMem and must be 
    freed by the caller with FreeADsMem.


LPWSTR GetSIDBindStringFromVariant(VARIANT vSID)
    LPWSTR pwszReturn = NULL;

    if(VT_ARRAY & vSID.vt) 
        HRESULT hr;
        LPBYTE pByte;
        DWORD dwBytes = 0;

        hr = VariantArrayToBytes(vSID, &pByte, &dwBytes);
        if(S_OK == hr)
            // Convert the BYTE array into a string of hex 
            // characters.
            CComBSTR sbstrTemp = "LDAP://<SID=";

            for(DWORD i = 0; i < dwBytes; i++)
                WCHAR wszByte[3];

                swprintf_s(wszByte, L"%02x", pByte[i]);
                sbstrTemp += wszByte;

            sbstrTemp += ">";
            pwszReturn = 
               (LPWSTR)AllocADsMem((sbstrTemp.Length() + 1) * 
                wcscpy_s(pwszReturn, sbstrTemp.m_str);


    return pwszReturn;



    This function converts a VARIANT array into an array of BYTES. 
    This function allocates the buffer using AllocADsMem. The 
    caller must free this memory with FreeADsMem when it is no 
    longer required.


HRESULT VariantArrayToBytes(VARIANT Variant, 
    LPBYTE *ppBytes, 
    DWORD *pdwBytes)
    if(!(Variant.vt & VT_ARRAY) ||
        !Variant.parray ||
        !ppBytes ||
        return E_INVALIDARG;

    *ppBytes = NULL;
    *pdwBytes = 0;

    HRESULT hr = E_FAIL;
    SAFEARRAY *pArrayVal = NULL;
    CHAR HUGEP *pArray = NULL;
    // Retrieve the safe array.
    pArrayVal = Variant.parray;
    DWORD dwBytes = pArrayVal->rgsabound[0].cElements;
    *ppBytes = (LPBYTE)AllocADsMem(dwBytes);
    if(NULL == *ppBytes) 
        return E_OUTOFMEMORY;

    hr = SafeArrayAccessData(pArrayVal, (void HUGEP * FAR *) &pArray);
        // Copy the bytes to the safe array.
        CopyMemory(*ppBytes, pArray, dwBytes);
        SafeArrayUnaccessData( pArrayVal );
        *pdwBytes = dwBytes;
    return hr;