How to get (AD) LDAP person entry by SID?

Solution 1:

I wish it were as easy as:

dsget user "objectSID={thesid},CN=Users,DC=domain,DC=com" -samid

But it's not; AD stores the objectSID as hexadecimal.

The folks on serverfault have written a few answers that may help, though:

Retrieve user details from Active Directory using SID
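The reason the DN-style lookup above fails is that objectSid is an octet-string attribute holding the SID's binary structure, not the "S-1-5-..." text. The following is an added example (not from either answer) that converts a string SID to that binary form, converts it back, and builds an RFC 4515 LDAP search filter with every byte escaped as \XX. Function names are my own; the SID from the WMIC output below is reused here only as constructed sample input.

```python
import re
import struct

# Binary layout of a Windows SID, as stored in AD's objectSid attribute:
#   revision (1 byte) | sub-authority count (1 byte) | identifier authority (6 bytes, big-endian)
#   | N sub-authorities (4 bytes each, little-endian)
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def sid_to_bytes(sid: str) -> bytes:
    """Convert a string SID ("S-1-5-21-...") to the binary form stored in objectSid."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a valid string SID: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    sub_auths = [int(x) for x in m.group(3).split("-")[1:]]
    # Only revision 1 exists; at most 15 sub-authorities; authority fits in 48 bits.
    if revision != 1 or not 1 <= len(sub_auths) <= 15 or authority >= 1 << 48:
        raise ValueError(f"SID out of range: {sid!r}")
    out = bytes([revision, len(sub_auths)]) + authority.to_bytes(6, "big")
    for sa in sub_auths:
        if not 0 <= sa < 1 << 32:
            raise ValueError(f"sub-authority out of range: {sa}")
        out += struct.pack("<I", sa)
    return out


def bytes_to_sid(data: bytes) -> str:
    """Convert a binary objectSid value (as returned by an LDAP search) back to its string form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if not 1 <= count <= 15 or len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    sub_auths = struct.unpack(f"<{count}I", data[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in sub_auths))


def ldap_filter_for_sid(sid: str) -> str:
    """Build an RFC 4515 filter matching the binary objectSid, each byte escaped as \\XX."""
    escaped = "".join(f"\\{b:02x}" for b in sid_to_bytes(sid))
    return f"(objectSid={escaped})"


if __name__ == "__main__":
    # Constructed sample input: the SID shown in the WMIC answer on this page.
    sample = "S-1-5-21-1698188384-1693678267-1543859470-6637"
    raw = sid_to_bytes(sample)
    print(raw.hex())
    print(ldap_filter_for_sid(sample))
    assert bytes_to_sid(raw) == sample
```

The filter string can be handed to any LDAP client, for example as the filter argument of ldapsearch or python-ldap's search call against the domain's base DN, and the objectSid bytes in the result decode back to the string form with bytes_to_sid. Active Directory's own LDAP server additionally accepts the plain "S-1-5-..." string in an objectSid filter, but the escaped binary form is the one that is correct for any client that treats the attribute as an octet string.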

Solution 2:

Another way would be to forsake LDAP and use WMIC:

H:\>wmic useraccount where (sid = "S-1-5-21-1698188384-1693678267-1543859470-6637") get * /format:list

AccountType=512
Caption=MYDOMAIN\quux
Description=some guy's account
Disabled=FALSE
Domain=MYDOMAIN
FullName=Some Guy
InstallDate=
LocalAccount=FALSE
Lockout=FALSE
Name=quux
PasswordChangeable=TRUE
PasswordExpires=FALSE
PasswordRequired=TRUE
SID=S-1-5-21-1698188384-1693678267-1543859470-6637
SIDType=1
Status=OK

Now you have several attributes that should be easy to search via LDAP, if you still need to.