Security Identifier(SID): GetSID of a user,object using Registry, WMIC, PowerShell
At times, we are in a situation when need to identify the SID of any object. The security identifier (SID) structure is a variable-length structure used to uniquely identify users or groups. For more information Refer here
We have different ways to identify the SID of any object. However, my main objective of writing this blog is to point out the PowerShell option, I will still list out other options.
1. Using PSGetSID
We can use this sysinternal’s tool PsGetSid https://technet.microsoft.com/en-in/sysinternals/bb897417.aspx but you will have to download this and than run this.
2. By looking at the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
We can look at these registry hives at following path. Each of the item at this hive is named with the SID of the account. By looking at the ProfileImagePath key under specific account’s hive, you can identify the account’s name. Like below, we can see this is for “NetworkService” account.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Also, like below, selected item is for a user named “gaurav” and it’s SID is the name of the hive.
This approach has one limitation which is you can only get the SID of either a local user or a domain user who has logged in at least once onto this machine.
3. WMIC
There is this approach which we can use and will work in all of the cases except on any OS prior to Windows XP. We will use WMI commands to find out the SID of any user within the network. Like below, in the following command, gauravtestMachine is the computer name.
wmic useraccount where (name='administrator' and domain='gauravtestMachine') get name,sid
Name SID
administrator S-1-5-21-1976753858-2077894621-3616986626-500
We can run the same command if we want to get the SID of a domain user by replacing domain value with the actual value.
4. Using PowerShell
Since the focus is on PowerShell, I have give a feWe have got yet another option to fetch the SID using the PowerShell command which i think is the most suitable and convenient option. Here is the command. Please remember that this command has to be exactly like this. If you put an extra space, that can cause a problem.
A. For a domain user
PS C:\Users\Administrator> [wmi] "win32_userAccount.Domain='webfarm',Name='testuser'"
AccountType : 512
Caption : webfarm\testuser
Domain : webfarm
SID : S-1-5-21-2536614405-3629634762-1218571035-1116
FullName : Test User
Name : testuser
B. For a local user,
You just have to replace the Domain value with the computer name and your command should look like this.
PS C:\Users\gaarya> [wmi] "Win32_userAccount.Domain='gauravkarya',Name='Administrator'"
AccountType : 512
Caption : gauravkarya\Administrator
Domain : gauravkarya
SID : S-1-5-21-1976753858-2077894621-3616986626-500
FullName :
Name : Administrator
Alternatively, you can also use PowerShell cmdlet Get-WmiObject rather than using [WMI]. Get-WmiObject is just a PowerShell way of using WMI.
PS C:\Users\Administrator> Get-WmiObject win32_useraccount -Filter "name = 'testuser' AND domain = 'webfarm'"
AccountType : 512
Caption : WEBFARM\testuser
Domain : WEBFARM
SID : S-1-5-21-2536614405-3629634762-1218571035-1116
FullName : Test User
Name : testuser
I think that above PowerShell approach is the easiest one. However, you find yet another way of doing this only using PowerShell cmdlets here Windows PowerShell Tip of the Week.
Please feel free to write the feedback.
Thanks
Gaurav
References
==============
1. https://technet.microsoft.com/en-us/library/ff730940.aspx
3. https://blogs.technet.com/b/askperf/archive/2012/02/17/useful-wmic-queries.aspx
4. https://msdn.microsoft.com/en-us/library/aa394507(v=vs.85).aspx
5. https://msdn.microsoft.com/en-us/library/aa826699(v=vs.85).aspx
Comments
Anonymous
August 05, 2014
This is great for finding the SID, but what about when I want it to stay the same after a sysprep or if I want to take the original SID from account before it was syspreped.Anonymous
September 07, 2014
For a domain user, you can use the command whoami with the /user switch in the commandline. C:UsersUser>whoami /user Seems easiest for me.Anonymous
September 07, 2014
forgot to indicate the the earlier command (whoami /user) is for the currently logged user only.Anonymous
September 08, 2014
Thanks Vincent for bringing this up. Yes that option is also there. I did not mention since this works only for current logged in user.Anonymous
October 15, 2014
What would be the PowerShell command if you wanted to find the SID for all of the users in your domain (about 200)?Anonymous
February 25, 2015
WMI is not necesarry: technet.microsoft.com/.../ff730940.aspxAnonymous
March 26, 2015
great article.... ThanksAnonymous
January 11, 2017
How would you find the name of the RID500 user account (ADSAdministrator) without resorting to something like: Get-WmiObject Win32_Account -Filter "Domain='$TargetDomain' and SID Like '%-500' " which searches all accounts in the domain. Or, to put it another way, how would you find the SID of the domain? (and then append "-500")