You are viewing limited content. For full access, please sign in.



SID name in Audit Trail

posted on July 24, 2019


I am preparing an audit report about an entry in which security permissions were changed. The results show "old security descriptor" and "new security descriptor", however, the value shown apparently corresponds to a SID of a user.

Where do I relate this SID to the username? I have tried at the database level however the values do not match the users registered in the repository.



0 0
replied on July 24, 2019

If the SID starts (as the one pictured does) with S-1-9-, it's a repository user, and the final component (in the pictured case, 9) is the trustee ID.  If the trustee still exists, you should be able to query on that in the repository database (e.g. SELECT trustee_name FROM trustee WHERE trustee_id = 9).  If the trustee has been deleted from the repository, you could try looking for other audit events with a trustee ID of 9 to see if one of them mentions the name.

If the SID starts with S-1-5-, it's a Windows trustee, and you'll need to query Active Directory to figure out the name.  Unfortunately, I'm less familiar with the particulars of how to do that.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.