A Little on Security Identifiers (SID) using PowerShell

January 19th, 2009 Niklas Goude

A SID is used to identify a security principal or security group in Windows. SIDs are especially useful when troubleshooting security audits or migrations.

To start, let's look at the WMI class Win32_UserAccount. This class can be used to retrieve a user's SID.


PS > $Guest = gwmi Win32_UserAccount | Where { $_.Name -like "Guest" }
PS > $Guest


AccountType : 512
Caption     : APA\Guest
Domain      : APA
SID         : S-1-5-21-2827855531-1551796799-1404517278-501
FullName    :
Name        : Guest

The object contains even more information that we might find useful:


PS > $Guest | Format-List *


Status             : Degraded
Caption            : APA\Guest
PasswordExpires    : False
__GENUS            : 2
__CLASS            : Win32_UserAccount
__SUPERCLASS       : Win32_Account
__DYNASTY          : CIM_ManagedSystemElement
__RELPATH          : Win32_UserAccount.Domain="APA",Name="Guest"
__PROPERTY_COUNT   : 16
__DERIVATION       : {Win32_Account, CIM_LogicalElement, CIM_ManagedSystemEleme
                     nt}
__SERVER           : SERVER1
__NAMESPACE        : root\cimv2
__PATH             : \\SERVER1\root\cimv2:Win32_UserAccount.Domain="APA",Name="
                     Guest"
AccountType        : 512
Description        : Built-in account for guest access to the computer/domain
Disabled           : True
Domain             : APA
FullName           :
InstallDate        :
LocalAccount       : False
Lockout            : False
Name               : Guest
PasswordChangeable : False
PasswordRequired   : False
SID                : S-1-5-21-2827855531-1551796799-1404517278-501
SIDType            : 1
Scope              : System.Management.ManagementScope
Path               : \\SERVER1\root\cimv2:Win32_UserAccount.Domain="APA",Name="
                     Guest"
Options            : System.Management.ObjectGetOptions
ClassPath          : \\SERVER1\root\cimv2:Win32_UserAccount
Properties         : {AccountType, Caption, Description, Disabled...}
SystemProperties   : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers         : {dynamic, Locale, provider, UUID}
Site               :
Container          :

If we only want specific information, we can pipe the object to the Select-Object cmdlet and specify which properties we want to see.


PS > $Guest | Select SID, Name, Description, Disabled, Domain


SID         : S-1-5-21-2827855531-1551796799-1404517278-501
Name        : Guest
Description : Built-in account for guest access to the computer/domain
Disabled    : True
Domain      : APA

If we know the user's SID but don’t know the user's name, we can filter on the SID alphanumeric string instead.


PS > $Guest = gwmi Win32_UserAccount |
>> where { $_.SID -like "S-1-5-21-2827855531-1551796799-1404517278-501" }
PS > $Guest


AccountType : 512
Caption     : APA\Guest
Domain      : APA
SID         : S-1-5-21-2827855531-1551796799-1404517278-501
FullName    :
Name        : Guest

Another nice trick is to use wildcards when filtering. Here I use 501, which is the “Guest” account. You can also filter on 500, “Administrator”. Here’s a link to Microsoft that describes Well-Known Security Identifiers.


PS > $Guest = gwmi Win32_UserAccount | where { $_.SID -like "*-501" }
PS > $Guest


AccountType : 512
Caption     : APA\Guest
Domain      : APA
SID         : S-1-5-21-2827855531-1551796799-1404517278-501
FullName    :
Name        : Guest

It’s also possible to use .NET System.Security to retrieve a user's SID. The .NET class takes the domain and account name as arguments. First we need to get the user.


PS > $Guest = New-Object System.Security.Principal.NTAccount("APA.CORP","Guest")
PS > $Guest

Value
-----
APA.CORP\Guest

Next, we have to translate the User name to its SID.


PS > $SID = $Guest.Translate([System.Security.Principal.SecurityIdentifier])
PS > $SID | Format-List *


BinaryLength     : 28
AccountDomainSid : S-1-5-21-2827855531-1551796799-1404517278
Value            : S-1-5-21-2827855531-1551796799-1404517278-501
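The same .NET classes can translate in the other direction (SID to account name) and explain the BinaryLength of 28 shown above. The function below is an added example, not code from the original post; Resolve-SidInfo and its output property names are hypothetical, and the RID-500 sample SID is constructed from the post's domain SID.

```powershell
# Added example: split a SID into its parts and map it back to an account name.
# Resolve-SidInfo and its output property names are hypothetical.
function Resolve-SidInfo {
    param([Parameter(Mandatory = $true)][string[]]$SidString)

    foreach ($s in $SidString) {
        # The constructor validates the string and throws on a malformed SID.
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $s

        # Layout: S-<revision>-<authority>-<sub-authority>...; the last one is the RID.
        $parts = $sid.Value.Split('-')
        $subAuthorities = $parts.Count - 3
        $rid = [uint32]$parts[-1]

        # AccountDomainSid is $null for non-account SIDs such as S-1-5-32-544,
        # so the 500/501 check only applies to account SIDs.
        $wellKnown = ''
        if ($null -ne $sid.AccountDomainSid) {
            switch ($rid) {
                500 { $wellKnown = 'Administrator' }
                501 { $wellKnown = 'Guest' }
            }
        }

        # Translate() throws when the SID cannot be mapped to an account; report that instead.
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        New-Object PSObject -Property @{
            SID            = $sid.Value
            DomainSid      = $sid.AccountDomainSid
            RID            = $rid
            WellKnownRid   = $wellKnown
            Account        = $account
            BinaryLength   = $sid.BinaryLength
            # 1 byte revision + 1 byte count + 6 bytes authority + 4 per sub-authority
            ExpectedLength = 8 + 4 * $subAuthorities
        } | Select-Object SID, DomainSid, RID, WellKnownRid, Account, BinaryLength, ExpectedLength
    }
}

# First SID is from the post; the RID-500 one is constructed; S-1-5-32-544 is BUILTIN\Administrators.
$samples = 'S-1-5-21-2827855531-1551796799-1404517278-501',
           'S-1-5-21-2827855531-1551796799-1404517278-500', 'S-1-5-32-544'
Resolve-SidInfo $samples | Format-List
```

On a machine outside the APA domain the two domain SIDs come back as `<unresolved>`, which is the same result an orphaned SID in an ACL or audit record gives after a migration.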

Below is the code used in this post.


$Guest = gwmi Win32_UserAccount | Where { $_.Name -like "Guest" }
$Guest
$Guest | Select SID, Name, Description, Disabled, Domain

$Guest = gwmi Win32_UserAccount |
	where { $_.SID -like "S-1-5-21-2827855531-1551796799-1404517278-501" }
$Guest

$Guest = gwmi Win32_UserAccount | where { $_.SID -like "*-501" }
$Guest

$Guest = New-Object System.Security.Principal.NTAccount("APA.CORP","Guest")
$SID = $Guest.Translate([System.Security.Principal.SecurityIdentifier])
$SID | Format-List *
