Hi,

I am parsing log messages about changes to user accounts on a Windows system. I want to notify the user about the changes, so I need to retrieve their personal information (First, Last, E-Mail) from Active Directory.

I already found a way to retrieve the username but that is only via WMI and not ADSI:

Function FindUser(Message)
    Dim objWMIService
    Dim strAccountRegex
    Dim objRegex
    Dim objMatch
    Dim strComputer
    Dim objUser
    Dim strSID

    REM The log messages carry the account as a placeholder of the form %{S-1-5-21-...}
    strAccountRegex = "(\%\{[A-Z0-9\-]*\})"
    strComputer = "."

    Wscript.StdOut.writeLine "Querying WMI to retrieve user-data"

    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objRegex    = new RegExp
    objRegex.Pattern= strAccountRegex
    for each objMatch in objRegex.Execute(Message)
            REM Wscript.StdOut.writeLine "Found an Account ID: " & objMatch.value
            REM NormalizeSID (defined in the answer below) strips the %{ } wrapper,
            REM which WMI does not accept in a Win32_SID key
            strSID=NormalizeSID(objMatch.value)
            REM Wscript.Echo "SID after escaping: " & strSID
            Set objUser = objWMIService.Get _
            ("Win32_SID.SID='" & strSID & "'")
    next
    FindUser=objUser.ReferencedDomainName & "\" & objUser.AccountName
End Function

It works fine, but I would like to do it via Active Directory instead of going via WMI. Can you help me?

A: 

OK. I found a way to do this via Active Directory. For completeness, here is the code:

REM Converts the SID into a form that can be processed by WMI and ADSI:
REM strips the %, { and } wrapper characters from the placeholder
Function NormalizeSid(strSidToNormalize)
  Dim regEx,strReplace
  strReplace=""
  ' Create regular expression.
  Set regEx = New RegExp
  regEx.Global  = True
  regEx.Pattern = "(%|\{|\})"
  regEx.IgnoreCase = True

  ' Make replacement.
  NormalizeSid = regEx.Replace(strSidToNormalize, strReplace)
End Function

REM Searches for a SID in the Message that was passed as argument
REM SID returned will be of the form %{S-1-5-21-3968247570-3627839482-368725868-1110}
REM NOTE: Neither WMI nor ADSI will accept this. Use NormalizeSid like in FindUser
Function FindSidInMessage(Message)
    Dim strAccountRegex
    Dim objRegex
    Dim objMatch
    Dim strSID

    REM Only "S-", digits and hyphens are accepted inside the braces, so the
    REM extracted value is safe to interpolate into a WMI query or ADSI path
    strAccountRegex = "(\%\{S\-[0-9\-]*\})"
    Set objRegex    = new RegExp
    objRegex.Pattern= strAccountRegex

    for each objMatch in objRegex.Execute(Message)
            REM Wscript.StdOut.writeLine "Found an Account ID: " & objMatch.value
            strSID=objMatch.value
    next

    FindSidInMessage=strSID
End Function

REM Searches Directory for the User matching the SID passed as parameter
Function FindUser(userSID)
    Dim normalizedSID
    Dim objUser

    normalizedSID=NormalizeSid(userSID)
    Wscript.Echo "SID after escaping: " & normalizedSID

    Wscript.StdOut.writeLine "Querying AD to retrieve user-data"
    REM ADSI SID binding: resolves the SID straight to the directory object,
    REM no LDAP search filter needed
    Set objUser = GetObject("LDAP://<SID="& normalizedSID & ">")
    REM IADsUser also exposes FirstName and LastName for the other two fields
    FindUser=objUser.EmailAddress
End Function

Hope this will be useful to others.

er4z0r
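The same flow in PowerShell, as an added example that is not part of er4z0r's answer: pull the SID out of a log message, validate it before it is interpolated into an ADSI path, bind with the same LDAP://<SID=...> form the answer uses, and fall back to LSA translation for built-in SIDs (such as S-1-5-32-544) that are not directory objects. It also shows reading the affected account's SID straight from account-management events in the Security log, so no log export is needed. The sample messages are constructed, the function and variable names are my own, and Get-TargetSidsFromSecurityLog assumes a Windows host with read access to the Security log.

```powershell
# Added example (not code from the original post): pull the SID out of a log
# message and resolve it to the AD user's first name, last name and e-mail.
# Assumptions: messages embed the SID as %{S-1-5-...} exactly as on this page;
# the script runs on a domain-joined Windows host. Sample messages are constructed.

# Constructed sample input in the page's %{...} placeholder format.
$SampleMessages = @(
    'Account %{S-1-5-21-3968247570-3627839482-368725868-1110} changed by %{S-1-5-21-3968247570-3627839482-368725868-500}',
    'Group membership updated for %{S-1-5-32-544}',
    'Heartbeat, no SID here'
)

# Strict SID syntax: S-1-<authority>-<one or more sub-authorities>, anchored
# inside the braces so a truncated or padded value is rejected, not "normalized".
$SidInMessage = '%\{(?<sid>S-1-\d+(?:-\d+)+)\}'
$SidOnly      = '^S-1-\d+(?:-\d+)+$'

function Get-SidsFromMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Every SID in the message, already stripped of the %{ } wrapper.
    foreach ($m in [regex]::Matches($Message, $SidInMessage)) { $m.Groups['sid'].Value }
}

function Get-TargetSidsFromSecurityLog {
    param([int[]]$EventId = @(4720, 4722, 4724, 4738), [int]$MaxEvents = 50)
    # Live alternative to an exported log: user-account-management events carry
    # the affected account's SID in the TargetSid field of their EventData.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'TargetSid' }).'#text'
        }
}

function Resolve-SidToUser {
    param([Parameter(Mandatory)][string]$Sid)
    # The SID came from log text: refuse anything that is not SID syntax before
    # it is placed into an ADSI path.
    if ($Sid -notmatch $SidOnly) { throw "Refusing to bind: '$Sid' is not a SID" }

    $out = [ordered]@{ Sid = $Sid; Account = $null; FirstName = $null; LastName = $null; Mail = $null; Source = 'unresolved' }

    # Same binding the VBScript answer uses; only domain objects resolve this way.
    # Raw LDAP attributes (givenName, sn, mail) are read instead of IADsUser names.
    try {
        $entry = [ADSI]"LDAP://<SID=$Sid>"
        $out.Account   = [string]$entry.Properties['sAMAccountName'].Value
        $out.FirstName = [string]$entry.Properties['givenName'].Value
        $out.LastName  = [string]$entry.Properties['sn'].Value
        $out.Mail      = [string]$entry.Properties['mail'].Value
        if ($out.Account) { $out.Source = 'AD' }
    } catch { }

    # Built-in and local SIDs (e.g. S-1-5-32-544) are not AD objects; LSA can
    # still translate them to DOMAIN\name, which is worth reporting.
    if ($out.Source -eq 'unresolved') {
        try {
            $nt = (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount])
            $out.Account = $nt.Value
            $out.Source  = 'LSA'
        } catch [System.Security.Principal.IdentityNotMappedException] { }
    }
    [pscustomobject]$out
}

# Driver: one result row per SID found in each sample message.
foreach ($msg in $SampleMessages) {
    $sids = @(Get-SidsFromMessage -Message $msg)
    if ($sids.Count -eq 0) { Write-Verbose "No SID in: $msg"; continue }
    foreach ($sid in $sids) { Resolve-SidToUser -Sid $sid }
}
```

Rows whose Source stays 'unresolved' are SIDs the domain controller could not bind to and LSA could not translate; for an account-change notification that usually means a deleted account or one from a domain this host does not trust, and the notification should say so rather than fail silently.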
A: 

How can I get this working? Do I need an export of the event log? And if so, how can I make the script run through the export? Sorry, I'm not a programmer. I just try to match a SID inside an event to its user.

Roger
I use this: http://www.sql-und-xml.de/freeware-tools/index.html#evt-Watch
Unfortunately it is written by a German developer, but you might be lucky using Google Translate ;-)
er4z0r