Windows OS Hub / Active Directory / How to Convert SID to User/Group Name and User to SID?

July 10, 2019 Active Directory PowerShell

How to Convert SID to User/Group Name and User to SID?

In Windows environment, each domain and local user, group and other security objects are assigned a unique identifier — Security Identifier or SID. It is a SID, but not the username, that is used to control access to different resources: network shared folders, registry keys, file system objects, printers, etc. In this article, we’ll show you some simple ways to find the SID of a user or group (Active Directory or local), and the reverse procedure – how to get the name of a Windows user or group by a known SID.

To convert username to SID, you can use the excellent tool from the Sysinternals toolset – PsGetSid. But you have to download and install this tool on each computer manually. An example of usage PsGetSID to get a SID by a user account name:

PsGetSid PC1\jjsmith

To get username by SID use the command:

PsGetSid S-1-5-21-1175651296-1316133944-203321314-1005

In my opinion, the easiest way to convert SID -> Username and Username -> SID is to use the internal Windows CLI tools or simple PowerShell cmdlets:

Contents:

How to Find a Local User SID?
How to Get SID for an Active Directory User/Group?
How to Convert a SID to User/Group Name?
Searching Active Directory by SID

How to Find a Local User SID?

To get the SID of the local user account on a current computer, you can use the wmic tool, which allows you to query the computer’s WMI namespace. To get the SID of the local user test_user, you can use the WMIC command:

wmic useraccount where name='test_user' get sid

The command above returned the SID of the specified local user. In this example – S-1-5-21-1175659216-1321616944-201305354-1005.

If you need to get the SID of the current user (under which the command is being executed), run the following command:

wmic useraccount where name='%username%' get sid

Using the two .NET classes System.Security.Principal.SecurityIdentifier and System.Security.Principal.NTAccount you can get the SID of the local user with PowerShell:

$objUser = New-Object System.Security.Principal.NTAccount("LOCAL_USER_NAME") $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier]) $strSID.Value

How to Get SID for an Active Directory User/Group?

The following command can be used to get a SID of the current domain account:

whoami /user

You can find out the domain user SID using WMIC tool. You must specify your domain name in the following command:

wmic useraccount where (name='jjsmith' and domain=′corp.woshub.com′) get sid

To find the SID of an AD domain user, you can use the Get-ADUser cmdlet that is a part of the Active Directory Module for Windows PowerShell. Get the SID for the jjsmith account:

Get-ADUser -Identity 'jabrams' | select SID

You can get the SID of an AD group using the Get-ADGroup cmdlet:

Get-ADGroup -Filter {Name -like "fr-sales-*"} | Select SID

If the PowerShell AD module is not installed on your computer, you can get the user’s SID from AD domain using the .Net classes mentioned earlier:

$objUser = New-Object System.Security.Principal.NTAccount("corp.woshub.com","jabrams") $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier]) $strSID.Value

The same PowerShell one-liner command:

(new-object security.principal.ntaccount “jabrams").translate([security.principal.securityidentifier])

How to Convert a SID to User/Group Name?

To get the name of the user account by the SID (a reverse procedure), you can use one of the following commands:

wmic useraccount where sid='S-1-3-12-12451234567-1234567890-1234567-1434' get name

You can get the user name by a SID using the AD module for PowerShell:

Get-ADUser -Identity S-1-3-12-12451234567-1234567890-1234567-1434

To find the domain group name by a known SID, use the command:

Get-ADGroup -Identity S-1-5-21-247647651-3965464288-2949987117-23145222

You can also find out the group or user name by SID with the built-in PowerShell classes (without additional modules):

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S S-1-3-12-12451234567-1234567890-1234567-1434") $objUser = $objSID.Translate( [System.Security.Principal.NTAccount]) $objUser.Value

Searching Active Directory by SID

If you don’t know what type of AD object a certain SID belongs to and what exact PoSh cmdlet to use to find it (Get-AdUser, Get-ADComputer or Get-ADGroup), you can use the universal method of searching objects in Active Directory domain by a SID using the Get-ADObject cmdlet.

$sid = ‘S-1-5-21-2412346651-123456789-123456789-12345678’ Get-ADObject –IncludeDeletedObjects -Filter "objectSid -eq '$sid'" | Select-Object name, objectClass

In our case, the AD object with the specified SID is a domain computer (see the objectClass attribute).

Fix: The Local Print Spooler Service Not Running in Windows 10

2 comments

matt smith May 13, 2019 - 3:21 pm

This was very useful, and thank you. I’ve noticed SIDs on files in O365, that are grouped in the format “S——. Additionally, some SIDs have another “2” 10-digit strings appended.

Do you happen to know what these mean? And why some have more groups of numbers than others? Are they group SIDs, perhaps, that are appended? Thanks very much in advance.

admin May 14, 2019 - 1:29 pm

Perhaps you have in mind not the SIDs, but the SDDL (Security Descriptor Definition Language) file permission format?
Check out the article: http://woshub.com/how-to-backup-and-restore-ntfs-permissions-using-icacls/