Click here to Skip to main content
11,922,788 members (51,206 online)
Click here to Skip to main content
Add your own
alternative version


22 bookmarked

How to get user SID using DirectoryServices classes

, 19 Feb 2003
Rate this:
Please Sign up or sign in to vote.
An article describing how to use DirectoryServices classes to get a user's SID.


This article demonstrates how you can make use of DirectoryServices namespace classes to get a user's SID. This code does not make use of PInvoke to call into Win32 APIs to get the required information. We have extended the concepts of our previous article, How to get full name of logged in user, to show how every piece of information can be obtained by using DirectoryEntry object for a given user.

User's sid is returned by accessing objectSid property of DirectoryEntry obect. The value is returned as Byte [] array. This byte array can be parsed to get string representation of SID value. The binary representation of SID consists of following values.

SubAuthorityCount            - Next 1 Byte
SubAuthority0                - Next 4 bytes
SubAuthority1                - Next 4 bytes
SubAuthority2                - Next 4 bytes
SubAuthority3                - Next 4 bytes
SubAuthority4                - Next 4 bytes
SubAuthority5                - Next 4 bytes
SubAuthority6                - Next 4 bytes
SubAuthority7                - Next 4 bytes

Number of sub-authority values depend upon value of SubAuthorityCount. The max number of sub-authorities is 8.

private string GetSid(string strLogin)
    string str = "";
    // Parse the string to check if domain name is present.
    int idx = strLogin.IndexOf('\\');
    if (idx == -1)
        idx = strLogin.IndexOf('@');

    string strDomain;
    string strName;

    if (idx != -1)
        strDomain = strLogin.Substring(0, idx);
        strName = strLogin.Substring(idx+1);
        strDomain = Environment.MachineName;
        strName = strLogin;

    DirectoryEntry obDirEntry = null;
        Int64 iBigVal = 5;
        Byte[] bigArr = BitConverter.GetBytes(iBigVal);
        obDirEntry = new DirectoryEntry("WinNT://" + 
                              strDomain + "/" + strName);
                           coll = obDirEntry.Properties;
        object obVal = coll["objectSid"].Value;
        if (null != obVal)
            str = this.ConvertByteToStringSid((Byte[])obVal);
    catch (Exception ex)
        str = "";
    return str;

private string ConvertByteToStringSid(Byte[] sidBytes)
    StringBuilder strSid = new StringBuilder();
        // Add SID revision.
        // Next six bytes are SID authority value.
        if (sidBytes[6] != 0 || sidBytes[5] != 0)
            string strAuth = String.Format
            Int64 iVal = (Int32)(sidBytes[1]) +
                (Int32)(sidBytes[2] << 8) +
                (Int32)(sidBytes[3] << 16) +
                (Int32)(sidBytes[4] << 24);

        // Get sub authority count...
        int iSubCount = Convert.ToInt32(sidBytes[7]);
        int idxAuth = 0;
        for (int i = 0; i < iSubCount; i++)
            idxAuth = 8 + i * 4;
            UInt32 iSubAuth = BitConverter.ToUInt32(sidBytes, idxAuth);
    catch (Exception ex)
        return "";
    return strSid.ToString();

Please feel free to send your suggestions directly to me at


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


About the Author

Web Developer
United States United States
To learn more about us, Please visit us at

You may also be interested in...

Comments and Discussions

GeneralSystem.Security.Principal.SecurityIdentifier is the best Pin
webmoon19-Jan-09 18:32
memberwebmoon19-Jan-09 18:32 
GeneralRe: System.Security.Principal.SecurityIdentifier is the best Pin
shawnadrock5-Nov-13 4:45
membershawnadrock5-Nov-13 4:45 
GeneralTry this! Pin
Mohammad Reza Jooyandeh12-Jul-07 6:57
memberMohammad Reza Jooyandeh12-Jul-07 6:57 
GeneralWinNT Provider not supported on 2003 Pin
Xileh15-Sep-05 9:39
sussXileh15-Sep-05 9:39 
GeneralRelated: Get SIDs from GC cache Pin
Lehi6-Jan-05 15:31
memberLehi6-Jan-05 15:31 
GeneralJust one safe method Pin
maher.tebourbi22-Nov-04 3:56
membermaher.tebourbi22-Nov-04 3:56 
GeneralSID decoding is wrong Pin
Sidhe27-Apr-04 2:58
memberSidhe27-Apr-04 2:58 
Hi there,
I think your SID decoding is wrong. The number of sub authorities is the 2nd byte in the SID byte array, not the 8th, and the main authority has its bytes stored in the other order from the one you're reading in.

What you have will work on most SIDs because many SIDs start S-1-5-..., but it fails spectacularly on SIDs for built-in users. e.g. here's a valid set of SID bytes from a built-in: 1,2,0,0,0,0,0,5,32,0,0,0,39,2,0,0

Here's another piece of code that correctly *encodes* a SID, so you can see how the decode would need to work...

But, why bother with any of that when you can use the real ConvertSidToStringSid function in the advapi32.dll library via P/Invoke?

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.151125.1 | Last Updated 20 Feb 2003
Article Copyright 2003 by Softomatix
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid