
SAP IDM read objectguid from Active Directory

Dec 06, 2016 at 01:02 PM


Former Member

Hi everyone,

With our SAP IDM, I am trying to read the objectGUID of groups and users from Active Directory, but for users I get only a string of symbols and for groups a NULL result. I guess this has to do with the objectGUID being an octet string, but I have not yet found a way to read it properly. I read in some blogs that using a script could help; maybe someone could post his/her solution? I would be very grateful!





I'll see if I can't find something in my test system today. However if you can post a screenshot of what you have, it would be most helpful.




2 Answers

Best Answer
Michael Franke Dec 14, 2016 at 10:27 AM

Hi Lisa,

Yes, it is possible via script. We are using the following:

function l_ad_hex2guid(Par){
    //Script creates the ObjectGUID from the AD hex value
    //Input Example: {HEX}CC9AB70C2E2F8A4899E09AC6F1767C78
    //Output Example: 0CB79ACC-2F2E-488A-99E0-9AC6F1767C78
    //substr with a negative start counts from the end of the string, so the
    //"{HEX}" prefix is ignored and only the last 32 hex digits are used
    var hex = Par;

    var hex1, hex2, hex3, hex4, hex5, guid = '';

    //first three GUID fields are stored little-endian in AD, so their bytes are reversed
    hex1 = hex.substr(-26, 2) + hex.substr(-28, 2) + hex.substr(-30, 2) + hex.substr(-32, 2);
    hex2 = hex.substr(-22, 2) + hex.substr(-24, 2);
    hex3 = hex.substr(-18, 2) + hex.substr(-20, 2);
    //last two fields keep their byte order
    hex4 = hex.substr(-16, 4);
    hex5 = hex.substr(-12, 12);

    guid = hex1 + '-' + hex2 + '-' + hex3 + '-' + hex4 + '-' + hex5;

    return guid;
}

Important: You have to put a "!" before "objectGUID" in the Source column of the Destination tab of the "FromLDAP" pass (please see the attachment).

Hope this will help!


4czd2.png (2.2 kB)
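As an added example (not Michael's script and not part of SAP IDM), the same byte reordering written with input validation, plus the reverse direction so the canonical GUID can be turned back into the escaped byte form an LDAP search filter expects once the GUID is used as the MSKEYVALUE. It assumes, as in the thread, that IDM delivers the attribute as "{HEX}" followed by 32 hex digits.

```javascript
// Added example: AD objectGUID hex <-> canonical GUID conversion.
// Assumption: input looks like "{HEX}CC9AB70C2E2F8A4899E09AC6F1767C78" (from the thread).

// Reorder the 16 AD bytes into the canonical GUID string.
// AD stores Data1 (4 bytes), Data2 (2) and Data3 (2) little-endian;
// the remaining 8 bytes are already in display order.
function adHexToGuid(value) {
  var hex = String(value).replace(/^\{HEX\}/i, "").toUpperCase();
  if (!/^[0-9A-F]{32}$/.test(hex)) {
    // a NULL or truncated attribute value lands here instead of producing garbage
    throw new Error("objectGUID must be 32 hex digits, got: " + value);
  }
  var b = hex.match(/../g); // 16 two-character byte strings
  var data1 = b[3] + b[2] + b[1] + b[0];
  var data2 = b[5] + b[4];
  var data3 = b[7] + b[6];
  var data4 = b.slice(8, 10).join("");
  var data5 = b.slice(10, 16).join("");
  return [data1, data2, data3, data4, data5].join("-");
}

// Reverse: canonical GUID -> AD byte order, escaped as "\cc\9a\b7..." so it
// can be used as the value in an LDAP filter such as (objectGUID=<value>).
function guidToLdapFilterValue(guid) {
  var hex = String(guid).replace(/-/g, "").toUpperCase();
  if (!/^[0-9A-F]{32}$/.test(hex)) {
    throw new Error("invalid GUID: " + guid);
  }
  var b = hex.match(/../g);
  var ordered = [b[3], b[2], b[1], b[0], b[5], b[4], b[7], b[6]].concat(b.slice(8));
  return "\\" + ordered.join("\\").toLowerCase();
}
```

Round-tripping the thread's sample value through both functions returns the original 16 bytes in AD order, which is a quick way to check the byte swapping against a known GUID before using it as a key.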
Former Member Jan 19, 2017 at 06:27 AM

Hi Michael, hi Matt,

Thank you so much for your help, and sorry for my late reply; somehow I did not get notified that there were replies to my question! So thank you for the late Christmas gift :)

Michael's script works perfectly fine. I can now read the GUID from users and groups (the reason I first got a NULL result for the groups was that the attribute was not added in the LDAP search string...). Now I can continue to try and set all group MSKEYVALUEs to include the GUID, so that changes in group names do not affect our IDM anymore. Wish me luck!

Kind regards

