Saturday, December 1, 2012

How to confirm domain user SIDs and SMTP addresses

I was recently managing an Exchange migration for a company and ran into an interesting problem. On the surface it appeared I was over the hump and close to completion, so everything seemed spot on. However, on the home stretch I started seeing application issues. I chalked it up to a specific VM having a problem, but then the issues started following me to another Exchange VM. I managed to resolve the issues and simply moved on. Later, when attempting to remove the legacy Exchange server via Add/Remove Programs, the uninstall failed. I almost went the route of manually removing the Exchange server from Active Directory with ADSI Edit when I noticed that the X400 address for the domain administrator ended with a 2.

After much digging I was left puzzled, and with a much larger question. The previous IT staff didn't leave any real documentation, and management had no idea whether the admin account had been renamed. Luckily I found a VB script to run which reports all of the SIDs in the domain and dumps them into Excel. I also used a second VB script to list all of the email addresses within the domain, which led me to find a restricted user account with an SMTP proxy address of Other than that small detail and the X400 address on the currently named Administrator account, I had no way of knowing which was which. Additionally, the renamed account was on a list of users which I was given to remove after the migration was complete. Both accounts will need to be kept now, because one is the default S-500 account (the built-in Administrator, whose SID always ends in RID 500), and the other was used to install the new version of Exchange.

The scripts worked perfectly to identify the S-500 default domain account, and to show that the account currently named Administrator was not the built-in one. When I started the project I was given that account and told it had all of the permissions needed. Confirming the S-500 account will now be a standard practice of mine going forward: the account name can be changed, but the RID 500 in the SID cannot. You can find the links to the VB scripts I used below. Simply save the files and rename the extension to ".VBS".

List SIDs script

The machine you run the List SIDs script on must have Excel installed, as the script will dump the output directly into Excel. When you run the VB script it will ask you to enter the name of the server or workstation you are running it from. You do not need to be logged into the workstation as a domain admin to run it, because by default authenticated users and computers joined to the domain have read access to Active Directory.

List SMTP addresses script

The machine you run the SMTP script on should be a domain controller or Exchange server. To run the script on Server 2003 simply double click the file and it will dump the output to a text file in the root of C:\ called emailaddresses.txt. To run the script on Server 2008 or later you must run it from an administrative command prompt. Again, it will dump the output to a text file in the root of C:\ called emailaddresses.txt.
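The same two checks can be done without Excel or the VB scripts. The following PowerShell is an added example, not one of the scripts linked above: it resolves the RID-500 SID directly (so the built-in Administrator is found whatever it is currently named), flags a same-named account that is not RID 500, and writes every SMTP and X400 proxy address to a CSV so numbered duplicates like the "2" suffix stand out. It assumes the RSAT ActiveDirectory module is available and that the output path C:\emailaddresses.csv is writable; ordinary domain read rights are enough for the lookups.

```powershell
# Added example (not the post's VB scripts). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# The built-in Administrator account always has RID 500, regardless of its current name.
$builtInAdminSid = "$($domain.DomainSID.Value)-500"
$builtInAdmin = Get-ADUser -Identity $builtInAdminSid -Properties SamAccountName, proxyAddresses, mail

"Built-in Administrator (RID 500) is currently named: $($builtInAdmin.SamAccountName)"
"Its proxy addresses: $($builtInAdmin.proxyAddresses -join '; ')"

# An account that merely carries the name "Administrator" may not be the RID-500 account.
$named = Get-ADUser -Filter 'SamAccountName -eq "Administrator"' -Properties proxyAddresses
if ($named -and $named.SID.Value -ne $builtInAdminSid) {
    "WARNING: the account named 'Administrator' ($($named.SID.Value)) is NOT the RID-500 account."
    "Its proxy addresses: $($named.proxyAddresses -join '; ')"
}

# Dump every SMTP and X400 proxy address with the owning account and SID.
# Sorting by address puts near-duplicates (address, address2, ...) next to each other.
Get-ADUser -Filter 'proxyAddresses -like "*"' -Properties proxyAddresses |
    ForEach-Object {
        $user = $_
        $user.proxyAddresses | ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                SID            = $user.SID.Value
                ProxyAddress   = $_
            }
        }
    } |
    Where-Object { $_.ProxyAddress -match '^(smtp|x400):' } |   # case-insensitive; keeps primary (SMTP:) and secondary (smtp:)
    Sort-Object ProxyAddress |
    Export-Csv -Path 'C:\emailaddresses.csv' -NoTypeInformation   # output path is an assumption
```

Run it from a PowerShell prompt on any domain-joined machine with RSAT installed; as with the SID script above, domain admin rights are not needed for the reads. The RID-500 lookup is the authoritative check: if the name "Administrator" and the RID-500 SID point at different objects, the account has been renamed, and the CSV shows which mailbox addresses each of the two accounts actually owns.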