Security Identifier (SID): Get the SID of a user or object using the Registry, WMIC, or PowerShell

At times we need to identify the SID of an object. The security identifier (SID) structure is a variable-length structure used to uniquely identify users or groups. For more information, refer here.

There are different ways to identify the SID of an object. My main objective in writing this blog is to point out the PowerShell option, but I will still list the other options.

 

1. Using PsGetSid

We can use the Sysinternals tool PsGetSid (https://technet.microsoft.com/en-in/sysinternals/bb897417.aspx), but you will have to download it and then run it.

2. By looking at the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

We can look at the registry keys under the following path. Each subkey under this key is named with the SID of an account. By looking at the ProfileImagePath value under a specific account's subkey, you can identify the account's name. For example, one of these subkeys is for the “NetworkService” account.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList


Similarly, another subkey is for a user named “gaurav”, and its SID is the name of the subkey.

 


This approach has one limitation: you can only get the SID of a local user, or of a domain user who has logged on to this machine at least once.
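The registry lookup from this section, scripted as an added example (not part of the original post): it lists each subkey of ProfileList, reads its ProfileImagePath value, and tries to resolve the SID to an account name with the .NET SecurityIdentifier class. The output property names and the '<unresolved>' marker are illustrative choices.

```powershell
# Added example: map every profile SID under ProfileList to its profile path and account name.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem -Path $profileList | ForEach-Object {
    $sidString = $_.PSChildName                  # the subkey name is the SID
    $path      = $_.GetValue('ProfileImagePath') # e.g. C:\Users\<name>

    try {
        # The cast throws if the subkey name is not a valid SID string;
        # Translate throws if no account maps to the SID.
        $sid     = [System.Security.Principal.SecurityIdentifier]$sidString
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    [pscustomobject]@{
        SID              = $sidString
        Account          = $account
        ProfileImagePath = $path
    }
} | Format-Table -AutoSize
```

Rows marked '<unresolved>' are profiles whose SID no longer maps to an account, for example when the account was deleted or the domain cannot be reached.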

3. WMIC

This approach works in all cases except on any OS prior to Windows XP. We will use WMI commands to find the SID of any user within the network. In the following command, gauravtestMachine is the computer name.

wmic useraccount where (name='administrator' and domain='gauravtestMachine') get name,sid

Name           SID
administrator  S-1-5-21-1976753858-2077894621-3616986626-500


We can run the same command if we want to get the SID of a domain user by replacing domain value with the actual value.

 

4. Using PowerShell

Since the focus of this post is PowerShell, this is the option I think is the most suitable and convenient: fetching the SID with a PowerShell command. Here is the command. Please remember that this command has to be typed exactly like this. If you put in an extra space, that can cause a problem.

A. For a domain user

PS C:\Users\Administrator> [wmi] "win32_userAccount.Domain='webfarm',Name='testuser'"

AccountType : 512
Caption     : webfarm\testuser
Domain      : webfarm
SID         : S-1-5-21-2536614405-3629634762-1218571035-1116
FullName    : Test User
Name        : testuser

 


 

B. For a local user

You just have to replace the Domain value with the computer name and your command should look like this.

PS C:\Users\gaarya> [wmi] "Win32_userAccount.Domain='gauravkarya',Name='Administrator'"

AccountType : 512
Caption     : gauravkarya\Administrator
Domain      : gauravkarya
SID         : S-1-5-21-1976753858-2077894621-3616986626-500
FullName    :
Name        : Administrator


 

Alternatively, you can use the PowerShell cmdlet Get-WmiObject rather than [WMI]. Get-WmiObject is just the PowerShell way of using WMI.

PS C:\Users\Administrator> Get-WmiObject win32_useraccount -Filter "name = 'testuser' AND domain = 'webfarm'"

AccountType : 512
Caption     : WEBFARM\testuser
Domain      : WEBFARM
SID         : S-1-5-21-2536614405-3629634762-1218571035-1116
FullName    : Test User
Name        : testuser


 

I think the PowerShell approach above is the easiest one. However, you can find yet another way of doing this, using only PowerShell cmdlets, here: Windows PowerShell Tip of the Week.
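One way to resolve a name to a SID without WMI, as an added example (not code from the original post): it uses the .NET System.Security.Principal classes from PowerShell. Get-AccountSid is a hypothetical helper name, and 'webfarm' and 'testuser' are the sample values used earlier on this page.

```powershell
# Added example: translate DOMAIN\Name to a SID without WMI.
function Get-AccountSid {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        # Defaults to the local computer name, i.e. a local account.
        [string] $Domain = $env:COMPUTERNAME
    )

    $account = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        # Thrown when the name cannot be mapped to a SID
        # (no such account, or the domain is unreachable).
        Write-Warning "Could not resolve $Domain\$Name : $($_.Exception.Message)"
        return
    }

    [pscustomobject]@{
        Account   = $account.Value
        SID       = $sid.Value
        # SID of the domain (or machine) that issued the account;
        # empty for SIDs that are not account SIDs.
        DomainSid = $sid.AccountDomainSid
        # Last component of the SID: the relative identifier (RID).
        Rid       = ($sid.Value -split '-')[-1]
    }
}

# Domain user (sample values from this page).
Get-AccountSid -Domain 'webfarm' -Name 'testuser'

# Local user: omit -Domain to use the computer name.
Get-AccountSid -Name 'Administrator'
```

The DomainSid property holds the account SID with the final RID removed, which is the part shared by every account issued by the same domain or machine.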

 

Please feel free to write the feedback.

 

Thanks

Gaurav

 

References

==============

1. https://technet.microsoft.com/en-us/library/ff730940.aspx

2. https://blogs.technet.com/b/heyscriptingguy/archive/2010/10/11/use-wmi-and-powershell-to-get-a-user-s-sid.aspx3

3. https://blogs.technet.com/b/askperf/archive/2012/02/17/useful-wmic-queries.aspx

4. https://msdn.microsoft.com/en-us/library/aa394507(v=vs.85).aspx

5. https://msdn.microsoft.com/en-us/library/aa826699(v=vs.85).aspx

Comments

  • Anonymous
    August 05, 2014
    This is great for finding the SID, but what about when I want it to stay the same after a sysprep or if I want to take the original SID from the account before it was sysprepped?

  • Anonymous
    September 07, 2014
    For a domain user, you can use the command whoami with the /user switch on the command line. C:\Users\User>whoami /user Seems easiest for me.

  • Anonymous
    September 07, 2014
    Forgot to indicate that the earlier command (whoami /user) is for the currently logged-in user only.

  • Anonymous
    September 08, 2014
    Thanks, Vincent, for bringing this up. Yes, that option is also there. I did not mention it since it works only for the currently logged-in user.

  • Anonymous
    October 15, 2014
    What would be the PowerShell command if you wanted to find the SID for all of the users in your domain (about 200)?

  • Anonymous
    February 25, 2015
    WMI is not necessary: technet.microsoft.com/.../ff730940.aspx

  • Anonymous
    March 26, 2015
    great article.... Thanks

  • Anonymous
    January 11, 2017
    How would you find the name of the RID500 user account (ADSAdministrator) without resorting to something like: Get-WmiObject Win32_Account -Filter "Domain='$TargetDomain' and SID Like '%-500' " which searches all accounts in the domain. Or, to put it another way, how would you find the SID of the domain? (and then append "-500")