Click here to Skip to main content
12,952,725 members (45,040 online)
Click here to Skip to main content
Add your own
alternative version


22 bookmarked
Posted 19 Feb 2003

How to get user SID using DirectoryServices classes

, 19 Feb 2003
Rate this:
Please Sign up or sign in to vote.
An article describing how to use DirectoryServices classes to get a user's SID.


This article demonstrates how you can make use of DirectoryServices namespace classes to get a user's SID. This code does not make use of PInvoke to call into Win32 APIs to get the required information. We have extended the concepts of our previous article, How to get full name of logged in user, to show how every piece of information can be obtained by using DirectoryEntry object for a given user.

User's sid is returned by accessing objectSid property of DirectoryEntry obect. The value is returned as Byte [] array. This byte array can be parsed to get string representation of SID value. The binary representation of SID consists of following values.

SubAuthorityCount            - Next 1 Byte
SubAuthority0                - Next 4 bytes
SubAuthority1                - Next 4 bytes
SubAuthority2                - Next 4 bytes
SubAuthority3                - Next 4 bytes
SubAuthority4                - Next 4 bytes
SubAuthority5                - Next 4 bytes
SubAuthority6                - Next 4 bytes
SubAuthority7                - Next 4 bytes

Number of sub-authority values depend upon value of SubAuthorityCount. The max number of sub-authorities is 8.

private string GetSid(string strLogin)
    string str = "";
    // Parse the string to check if domain name is present.
    int idx = strLogin.IndexOf('\\');
    if (idx == -1)
        idx = strLogin.IndexOf('@');

    string strDomain;
    string strName;

    if (idx != -1)
        strDomain = strLogin.Substring(0, idx);
        strName = strLogin.Substring(idx+1);
        strDomain = Environment.MachineName;
        strName = strLogin;

    DirectoryEntry obDirEntry = null;
        Int64 iBigVal = 5;
        Byte[] bigArr = BitConverter.GetBytes(iBigVal);
        obDirEntry = new DirectoryEntry("WinNT://" + 
                              strDomain + "/" + strName);
                           coll = obDirEntry.Properties;
        object obVal = coll["objectSid"].Value;
        if (null != obVal)
            str = this.ConvertByteToStringSid((Byte[])obVal);
    catch (Exception ex)
        str = "";
    return str;

private string ConvertByteToStringSid(Byte[] sidBytes)
    StringBuilder strSid = new StringBuilder();
        // Add SID revision.
        // Next six bytes are SID authority value.
        if (sidBytes[6] != 0 || sidBytes[5] != 0)
            string strAuth = String.Format
            Int64 iVal = (Int32)(sidBytes[1]) +
                (Int32)(sidBytes[2] << 8) +
                (Int32)(sidBytes[3] << 16) +
                (Int32)(sidBytes[4] << 24);

        // Get sub authority count...
        int iSubCount = Convert.ToInt32(sidBytes[7]);
        int idxAuth = 0;
        for (int i = 0; i < iSubCount; i++)
            idxAuth = 8 + i * 4;
            UInt32 iSubAuth = BitConverter.ToUInt32(sidBytes, idxAuth);
    catch (Exception ex)
        return "";
    return strSid.ToString();

Please feel free to send your suggestions directly to me at


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


About the Author

Web Developer
United States United States
To learn more about us, Please visit us at

You may also be interested in...


Comments and Discussions

GeneralSystem.Security.Principal.SecurityIdentifier is the best Pin
webmoon19-Jan-09 17:32
memberwebmoon19-Jan-09 17:32 
GeneralRe: System.Security.Principal.SecurityIdentifier is the best Pin
shawnadrock5-Nov-13 3:45
membershawnadrock5-Nov-13 3:45 
GeneralTry this! Pin
Mohammad Reza Jooyandeh12-Jul-07 5:57
memberMohammad Reza Jooyandeh12-Jul-07 5:57 
GeneralWinNT Provider not supported on 2003 Pin
Xileh15-Sep-05 8:39
sussXileh15-Sep-05 8:39 
This is a good article, but remember that it will not work on a 2003 machine. Sniff | :^)

Because you have relied on getting the SID using the WinNT provider, this code will not run on any platform that uses 2003 or later.

Unfortunately this solution will not work if you simply switch to the LDAP provider.

If anyone has a solution using directory services that does not involve using the WinNt provider please post it. Until then I'll be stuck using p/invoke for Win32 code Frown | :(
GeneralRelated: Get SIDs from GC cache Pin
Lehi6-Jan-05 14:31
memberLehi6-Jan-05 14:31 
GeneralJust one safe method Pin
maher.tebourbi22-Nov-04 2:56
membermaher.tebourbi22-Nov-04 2:56 
GeneralSID decoding is wrong Pin
Sidhe27-Apr-04 1:58
memberSidhe27-Apr-04 1:58 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.170525.1 | Last Updated 20 Feb 2003
Article Copyright 2003 by Softomatix
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid