PowerShell.nu » SID http://www.powershell.nu Wed, 14 Jul 2010 22:17:44 +0000 en hourly 1 http://wordpress.org/?v=3.0 A Little on Security Identifiers ( SID ) using PowerShell http://www.powershell.nu/2009/01/19/a-little-on-security-identifiers-sid-using-powershell/ http://www.powershell.nu/2009/01/19/a-little-on-security-identifiers-sid-using-powershell/#comments Mon, 19 Jan 2009 21:25:03 +0000 Niklas Goude http://www.powershell.nu/?p=358 $Guest = gwmi Win32_UserAccount | Where { $_.Name -like "Guest" [...]]]> A SID is used to identify a security principal or security group in Windows. SIDs are especially useful when troubleshooting security audits or migrations

Starting of, lets look at the WMI Class Win32_UserAccount. This class can be used to retrieve a Users SID.


PS > $Guest = gwmi Win32_UserAccount | Where { $_.Name -like "Guest" }
PS > $Guest


AccountType : 512
Caption     : APA\Guest
Domain      : APA
SID         : S-1-5-21-2827855531-1551796799-1404517278-501
FullName    :
Name        : Guest

The Object contains even more informtaion that we might find useful:


PS > $Guest | Format-List *


Status             : Degraded
Caption            : APA\Guest
PasswordExpires    : False
__GENUS            : 2
__CLASS            : Win32_UserAccount
__SUPERCLASS       : Win32_Account
__DYNASTY          : CIM_ManagedSystemElement
__RELPATH          : Win32_UserAccount.Domain="APA",Name="Guest"
__PROPERTY_COUNT   : 16
__DERIVATION       : {Win32_Account, CIM_LogicalElement, CIM_ManagedSystemEleme
                     nt}
__SERVER           : SERVER1
__NAMESPACE        : root\cimv2
__PATH             : \\SERVER1\root\cimv2:Win32_UserAccount.Domain="APA",Name="
                     Guest"
AccountType        : 512
Description        : Built-in account for guest access to the computer/domain
Disabled           : True
Domain             : APA
FullName           :
InstallDate        :
LocalAccount       : False
Lockout            : False
Name               : Guest
PasswordChangeable : False
PasswordRequired   : False
SID                : S-1-5-21-2827855531-1551796799-1404517278-501
SIDType            : 1
Scope              : System.Management.ManagementScope
Path               : \\SERVER1\root\cimv2:Win32_UserAccount.Domain="APA",Name="
                     Guest"
Options            : System.Management.ObjectGetOptions
ClassPath          : \\SERVER1\root\cimv2:Win32_UserAccount
Properties         : {AccountType, Caption, Description, Disabled...}
SystemProperties   : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers         : {dynamic, Locale, provider, UUID}
Site               :
Container          :

If we only want sepcific information, we can pipe the object to the Select-Object CmdLet and specify what information we wnat to see.


PS > $Guest | Select SID, Name, Description, Disabled, Domain


SID         : S-1-5-21-2827855531-1551796799-1404517278-501
Name        : Guest
Description : Built-in account for guest access to the computer/domain
Disabled    : True
Domain      : APA

If we know the Users SID but don’t know the Users Name, we can filter on the SID alphanumeric string instead.


PS > $Guest = gwmi Win32_UserAccount |
>> where { $_.SID -like "S-1-5-21-2827855531-1551796799-1404517278-501" }
PS > $Guest


AccountType : 512
Caption     : APA\Guest
Domain      : APA
SID         : S-1-5-21-2827855531-1551796799-1404517278-501
FullName    :
Name        : Guest

Another nice trick is to use wildcards when filtering. Here i use 501 which is the “Guest” account. you can also filter on 500, “Administrator”. Here’s a link to Microsft that describes Well-Known Security Identifiers.


PS > $Guest = gwmi Win32_UserAccount | where { $_.SID -like "*-501" }
PS > $Guest


AccountType : 512
Caption     : APA\Guest
Domain      : APA
SID         : S-1-5-21-2827855531-1551796799-1404517278-501
FullName    :
Name        : Guest

It’s also possible to use .NET System.Security to retrieve a Users SID. The .NET class takes Domain and AccountName as arguments. First we need to get the User.


PS > $Guest = New-Object System.Security.Principal.NTAccount("APA.CORP","Guest")
PS > $Guest

Value
-----
APA.CORP\Guest

Next, we have to translate the User name to its SID.


PS > $SID = $Guest.Translate([System.Security.Principal.SecurityIdentifier])
PS > $SID | Format-List *


BinaryLength     : 28
AccountDomainSid : S-1-5-21-2827855531-1551796799-1404517278
Value            : S-1-5-21-2827855531-1551796799-1404517278-501

Below is the code used in this Post.


$Guest = gwmi Win32_UserAccount | Where { $_.Name -like "Guest" }
$Guest
$Guest | Select SID, Name, Description, Disabled, Domain

$Guest = gwmi Win32_UserAccount |
	where { $_.SID -like "S-1-5-21-2827855531-1551796799-1404517278-501" }
$Guest

$Guest = gwmi Win32_UserAccount | where { $_.SID -like "*-501" }
$Guest

$Guest = New-Object System.Security.Principal.NTAccount("APA.CORP","Guest")
$SID = $Guest.Translate([System.Security.Principal.SecurityIdentifier])
$SID | Format-List *

]]> http://www.powershell.nu/2009/01/19/a-little-on-security-identifiers-sid-using-powershell/feed/ 0