Get SID by Powershell for SharePoint

You can use the following PowerShell to look up an account's SID in AD (replace SamAccountName with the account you want to resolve):

# Resolve DOMAIN\user (or a bare sAMAccountName) to its SID
$NTAccount = New-Object System.Security.Principal.NTAccount('SamAccountName')
$TranslatedToSidObject = $NTAccount.Translate([System.Security.Principal.SecurityIdentifier])
# Round-trip the SID back to an account name to confirm it resolves in this domain
$SID = New-Object System.Security.Principal.SecurityIdentifier($TranslatedToSidObject.Value)
$TranslatedToNTAccount = $SID.Translate([System.Security.Principal.NTAccount])
Write-Host $TranslatedToSidObject.Value `t`t $TranslatedToNTAccount.Value

You can use the following PowerShell to check the SID that SharePoint has stored for a user (run from the SharePoint Management Shell):

$site = Get-SPSite http://blog.bugrapostaci.com
$web = $site.OpenWeb()
# EnsureUser adds the account to the site's user information list if it is not there yet
$user = $web.EnsureUser("BLOG\bugra")
$user.Sid
# SPWeb and SPSite hold unmanaged resources; dispose them when done
$web.Dispose()
$site.Dispose()


Using Distribution Groups in SharePoint for securing SharePoint securables is not possible.

Using Distribution Groups in SharePoint for securing SharePoint securables is not supported. If you check the following article on the SharePoint side,

http://technet.microsoft.com/en-us/library/cc261972.aspx

“In Active Directory Domain Services (ADDS), the following groups are commonly used to organize users:

  • Distribution group: A group that is used only for e-mail distribution and that is not security-enabled. Distribution groups cannot be listed in discretionary access control lists (DACLs), which are used to define permissions on resources and objects.
  • Security group: A group that can be listed in DACLs. A security group can also be used as an e-mail entity.

You can use security groups to control permissions for your site by adding security groups to SharePoint groups and granting permissions to the SharePoint groups. You cannot add distribution groups to SharePoint groups, but you can expand a distribution group and add the individual members to a SharePoint group. If you use this method, you must manually keep the SharePoint group synchronized with the distribution group. If you use security groups, you do not need to manage the individual users in the SharePoint application. Because you included the security group instead of the individual members of the group, ADDS manages the users for you.”

You cannot use a Distribution Group to grant permissions on SharePoint securables, because distribution groups cannot be listed in discretionary access control lists (DACLs), which are what define permissions on resources and objects. SharePoint uses these ACL objects for its security operations, so there is no way or workaround to use Distribution Groups for securing SharePoint objects.

So we have some other options:

1) As mentioned in the article above: expand the distribution group, add the individual members to a SharePoint group, and use that SharePoint group for securing objects.

2) Convert the Distribution Group into a Security Group in AD and use it in SharePoint. (I am suggesting this option because AD groups will also give you a performance gain.)
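Before granting permissions to an AD group, it helps to verify which kind of group it actually is. The following PowerShell is an added example (not code from the original post): it reads the group's groupType attribute and reports whether the group is security-enabled, which is the property SharePoint needs. It assumes a domain-joined machine, and the group name passed in is a placeholder.

```powershell
# Added example, not from the original post: tells a security group from a distribution
# group before you try to add it to a SharePoint group. Assumes a domain-joined machine.
function Get-AdGroupKind {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Escape LDAP filter metacharacters (RFC 4515) so a group name cannot alter the query
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange(@('groupType', 'distinguishedName'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Group '$SamAccountName' not found in AD." }

    $groupType = [int]$result.Properties['grouptype'][0]
    # ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000) is set for security groups and clear for distribution groups
    $isSecurity = ($groupType -band 0x80000000) -ne 0
    # Scope bits: 2 = global, 4 = domain local, 8 = universal
    $scope = switch ($groupType -band 0xE) { 2 { 'Global' } 4 { 'DomainLocal' } 8 { 'Universal' } default { 'Unknown' } }

    [pscustomobject]@{
        Group              = $SamAccountName
        DistinguishedName  = [string]$result.Properties['distinguishedname'][0]
        Scope              = $scope
        Kind               = if ($isSecurity) { 'Security' } else { 'Distribution' }
        UsableInSharePoint = $isSecurity
    }
}

# Usage: refuse to grant SharePoint permissions to anything that is not a security group
$info = Get-AdGroupKind -SamAccountName 'Marketing-DL'   # placeholder group name
$info | Format-List
if (-not $info.UsableInSharePoint) {
    Write-Warning "$($info.Group) is a distribution group; convert it to a security group or expand its members into a SharePoint group."
}
```

The flag test works whether PowerShell parses 0x80000000 as a signed or unsigned literal, because only the sign bit of the stored Int32 is examined. If you take option 2 and convert the group in AD, rerun this check afterwards: the Kind column should switch to Security with the same distinguished name.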

MOSS 2007 – Welcome name is not updated problem.

This is a very well-known problem. Even if you run a full profile import on SharePoint 2007, users whose name property has changed in AD do not get their welcome name updated on your site.
First, determine where the problem lies in the SharePoint-to-AD chain. If the updates appear correctly in the Profile Store in the SSP but are not reflected in the welcome name, this article may help you. If the Profile Store itself is not updated correctly, that is a different problem and out of scope for this article.

So what you can do:

Here are the commands to force the sync operation:

stsadm -o sync -ignoreisactive 1
stsadm -o sync -deleteolddatabases 0
stsadm -o sync -synctiming m:5
stsadm -o sync -sweeptiming m:5
stsadm -o sync

Wait at least 5 minutes, then check.

You can get more information about the stsadm -o sync operation here:
http://technet.microsoft.com/en-us/library/cc263196(office.12).aspx
If this does not solve your problem, you can use the following tool as a workaround:
http://blog.bugrapostaci.com/2012/01/22/sharepoint-tools-wsscontentdbsync-v1-0-command-line-tool/


Checking Replication Directory Changes for account by PowerShell

This PowerShell script checks the Replicating Directory Changes right for a specific user. You can use it to verify that the SharePoint 2010 User Profile Synchronization account has the correct rights.

Important: this script does not work for Domain Administrator accounts (it only inspects ACEs granted directly to the account, not rights held through group membership).

# Save this script to a file named CheckRDC.ps1
# Usage: open the SharePoint 2010 Management Shell and run
#   PS> .\CheckRDC.ps1 "DOMAIN\username"

param([string]$userName = "")

# Returns $true when $user holds the extended right named $permission directly on $entry
function Check-ADUserPermission(
    [System.DirectoryServices.DirectoryEntry]$entry,
    [string]$user,
    [string]$permission)
{
    # Look up the control access right by display name in the Extended-Rights container
    $dse = [ADSI]"LDAP://RootDSE"
    $ext = [ADSI]("LDAP://CN=Extended-Rights," + $dse.ConfigurationNamingContext)

    $right = $ext.psbase.Children |
        ? { $_.DisplayName -eq $permission }

    if ($null -ne $right)
    {
        # Keep only ACEs granted to this account whose object type is the right's GUID
        $perms = $entry.psbase.ObjectSecurity.Access |
            ? { $_.IdentityReference.Value -eq $user } |
            ? { $_.ObjectType -eq [GUID]$right.RightsGuid.Value }

        return ($null -ne $perms)
    }
    else
    {
        Write-Warning "Permission '$permission' not found."
        return $false
    }
}

# Globals

$replicationPermissionName = "Replicating Directory Changes"

# Main()

$dse = [ADSI]"LDAP://RootDSE"

# The right is checked on both the domain and the configuration partition
$entries = @(
    [ADSI]("LDAP://" + $dse.defaultNamingContext),
    [ADSI]("LDAP://" + $dse.configurationNamingContext));

Write-Host "User '$userName': "
foreach($entry in $entries)
{
    $result = Check-ADUserPermission $entry $userName $replicationPermissionName

    if($result)
    {
        Write-Host "`thas the '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Green
    }
    else
    {
        Write-Host "`thas no '$replicationPermissionName' permission on '$($entry.distinguishedName)'" `
            -ForegroundColor Red
    }
}

The synchronization account for a connection to Active Directory Domain Services (AD DS) must have the following permissions:

It must have Replicate Directory Changes permission on the domain that you will synchronize with. See Grant Replicate Directory Changes permission on a domain for instructions to grant this permission.

If the domain controller is running Windows Server 2003, the synchronization account must be a member of the Pre-Windows 2000 Compatible Access built-in group. See Add an account to the Pre-Windows 2000 Compatible Access group for instructions to grant this permission.

If the NetBIOS name of the domain differs from the domain name, the synchronization account must have Replicate Directory Changes permission on the cn=configuration container. See Grant Replicate Directory Changes permission on the cn=configuration container for instructions to grant this permission.

If you will export property values from SharePoint Server to AD DS, the synchronization account must have Create Child Objects (this object and all descendants) and Write All Properties (this object and all descendants) permissions on the organizational unit (OU) that you are synchronizing with. See Grant Create Child Objects and Write permission for instructions to grant this permission.

For more information:
http://technet.microsoft.com/en-us/library/ee721049.aspx
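The CheckRDC.ps1 script above only sees ACEs granted directly to the account, which is why it reports nothing for accounts that hold the right through a group. The following PowerShell is an added example (not code from the original post or from Microsoft) that covers the first and third requirements in the list above and goes one step further: it resolves the account's nested group membership through the tokenGroups attribute and matches ACEs for the Replicating Directory Changes right (well-known GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) against the account's SID and all of its group SIDs on both the domain and the configuration partition. It assumes a domain-joined machine; the account name is a placeholder.

```powershell
# Added example, not from the original post. Checks whether an account holds Replicating
# Directory Changes on the domain and configuration partitions, directly or through any
# group it is a (nested) member of. Assumes a domain-joined machine.
function Test-ReplicateDirectoryChanges {
    param([Parameter(Mandatory = $true)][string]$AccountName)   # "DOMAIN\svc-profile-sync" (placeholder)

    # Well-known GUID of the DS-Replication-Get-Changes control access right
    $replicateChangesGuid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # SID of the account plus the SIDs of every group it belongs to, nested groups included
    $userSid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $userEntry = [ADSI]"LDAP://<SID=$($userSid.Value)>"
    $userEntry.psbase.RefreshCache(@('tokenGroups'))   # constructed attribute, must be requested explicitly
    $principalSids = @($userSid.Value)
    foreach ($bytes in $userEntry.psbase.Properties['tokenGroups']) {
        $principalSids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }

    $dse = [ADSI]'LDAP://RootDSE'
    $partitions = @([string]$dse.defaultNamingContext, [string]$dse.configurationNamingContext)

    foreach ($dn in $partitions) {
        $acl = ([ADSI]"LDAP://$dn").psbase.ObjectSecurity
        # Allow ACEs (explicit and inherited) naming this right, or GenericAll on the whole object,
        # for the account itself or any group it belongs to
        $grantedVia = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                $principalSids -contains $_.IdentityReference.Value -and
                ($_.ObjectType -eq $replicateChangesGuid -or
                 ($_.ObjectType -eq [guid]::Empty -and (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)))
            } |
            ForEach-Object {
                $id = $_.IdentityReference
                # Show the grantee as DOMAIN\name when it resolves, otherwise the raw SID
                try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch { $id.Value }
            }

        [pscustomobject]@{
            Account    = $AccountName
            Partition  = $dn
            HasRight   = @($grantedVia).Count -gt 0
            GrantedVia = (@($grantedVia) -join ', ')
        }
    }
}

# Usage: one row per partition. HasRight must be True on the domain partition, and on the
# configuration partition too when the NetBIOS domain name differs from the DNS domain name.
Test-ReplicateDirectoryChanges -AccountName 'DOMAIN\svc-profile-sync' | Format-Table -AutoSize
```

The GrantedVia column tells you which principal actually carries the right, which is the useful part for least privilege: if the synchronization account shows up only through a broad group such as Administrators, grant the right to the account (or a dedicated group) directly and remove it from the broad group, then rerun the check.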