SID (Security IDentifier) is a unique identifier that is assigned to users, groups, computers, or other security objects when they are created in Windows, an Active Directory domain, or an Entra ID (Azure) tenant. Windows uses the SID, rather than user/group names, to control access to different resources: shared network folders, registry keys, file system objects (NTFS permissions), printers, etc. In this article, we’ll show how to find the SID of a user, group, or computer, as well as the reverse procedure: how to obtain an object name by a known SID.
What is a Security Identifier (SID) in Windows?
As we mentioned, a SID (security identifier) allows you to uniquely identify a security principal (user, group, or computer) within a certain scope (domain or local computer). The following format is used for the SID string:
S-1-5-21–489056535-1467421822-2524099697–1231
- S – indicates that this string contains a SID
- 1 – version number of the identifier (always 1)
- 5 – authority identifier (5 for NT Authority, 12 for Entra ID, 1– Everyone group)
- 21-489056535-1467421822-2524099697– this is the unique identifier of the domain that issued the SID. This part will be the same for all objects within the same domain
- 1231 – the object’s relative security identifier (RID). It starts at 1000 and increases by 1 for each new object. Issued by a domain controller with the FSMO role RID Master.
The SIDs of Active Directory objects are stored in the NTDS.dit
database, and the SIDs of local users and groups are in the local Windows Security Account Manager (SAM) database in the HKEY_LOCAL_MACHINE\SAM\SAM
registry key. A SID is a unique value within its issuing environment. For example, a local user SID is unique within a computer, while a domain SID is unique within a domain.
There are so-called Well-known SIDs in Windows. These are the SIDs for built-in users and groups on any Windows computer. For example:
S-1-5-32-544
– built-in Administrators groupS-1-5-32-545
– local usersS-1-5-32-555
– Remote Desktop Users group that is allowed to log in via RDPS-1-5-21-<domain>-500
– built-in Windows administrator account (domain admin)S-1-5-21-<domain>-512
— Domain AdminsS-1-5-21-<domain>-513
— Domain Users- etc.
In Windows, you can use different tools to convert SID -> Name and Username -> SID: whoami
tool, wmic
, WMI classes, PowerShell, or third-party utilities.
How to Find a Local User Security Identifier (SID)
You can use the wmic tool to query the computer’s WMI (Windows Management Instrumentation) namespace and get the SID of the local user account. To find the SID of the local user test_user, use the following WMIC command:
wmic useraccount where name='test_user' get sid
The command above returned the SID of the specified local userS-1-5-21-1175659216-1321616944-201305354-1005
.
However, starting with Windows 11 24H2 and Windows Server 2025, the wmic command is not installed by default, so you need to use PowerShell commands instead. Retrieve the SID of the user test_user from the WMI namespace using PowerShell (as an alternative to using the wmic command):
(Get-CimInstance -Class win32_userAccount -Filter "name='test_user' and domain='$env:computername'").SID
Get-CimInstance
instead of the Get-WmiObject
cmdlet.Another option is to find out the SID of a local user using the built-in LocalAccounts management PowerShell module:
Get-LocalUser -Name 'test_user' | Select-Object Name, SID
List all local Windows users and their SIDs:
Get-LocalUser | Select-Object name,sid
Obtain the SID of the current user (under which the command is executed):
Get-LocalUser -Name $env:USERNAME | Select-Object name,sid
Note that the registry stores information about local user profiles on the computer in the ProfileList key with the SID (rather than the username). Thus, the username can be extracted from the registry by its SID:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3414967564-123456789-0123456789-1006" /v ProfileImagePath
In the same way, you can get the SID of a group of the local computer:
Get-LocalGroup -Name tstGroup1 | Select-Object Name, SID
On older versions of Windows, you can also use the .NET classes System.Security.Principal.SecurityIdentifier and System.Security.Principal.NTAccount to get the user’s SID via PowerShell:
$objUser = New-Object System.Security.Principal.NTAccount("LOCAL_USER_NAME")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
How to Get a User or Group SID in Active Directory
Use the following command to obtain a SID for your current domain account:
whoami /user
You can also view the user’s SID in the Attribute Editor tab of the user’s properties in the graphical ADUC snap-in (dsa.msc
). Check the value of the objectSid property.
The WMIC
tool can be used to obtain the SID of an Active Directory domain user. In this case, the domain name must be specified in the command:
wmic useraccount where (name='jjsmith' and domain='corp.woshub.com') get sid
However, the WMIC command has been deprecated. It is therefore better to use the Get-ADUser cmdlet (part of the Active Directory Module for Windows PowerShell) to obtain the SID of a domain user. Let’s get the SID for the jabrams domain user account:
Get-ADUser -Identity 'jabrams' | select SID
You can use the Get-ADGroup cmdlet to get the SID of an AD security group.
Get-ADGroup -Filter {Name -like "fr-sales-*"} | Select SID
If the PowerShell AD module is not installed on a computer, you can get the user’s SID from the AD domain using the .NET classes mentioned earlier:
$objUser = New-Object System.Security.Principal.NTAccount("corp.woshub.com","jabrams")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
The same PowerShell one-liner:
(new-object security.principal.ntaccount "jabrams").translate([security.principal.securityidentifier])
Getting the Local Machine and Domain SID of a Computer
If a Windows computer is joined to an Active Directory domain, it will have two different SIDs. The first SID is the local computer identifier, or Machine SID. The second is the unique computer object security identifier in AD.
You can get the SID of a computer in the Active Directory domain using the command:
Get-ADComputer mun-rds1 -properties sid|select name,sid
The SID of the local computer (Machine SID) can be obtained using the PsGetSID tool (https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid).
.\PsGetsid64.exe
Or (even simpler), by trimming the last 4 characters of any local user’s RID and SID:
$user=(Get-LocalUser Administrator).sid
$user -replace ".{4}$"
sysprep
tool. Computers within a domain cannot have the same domain SID because otherwise the trust relationship between the workstation and the domain will break.How to Convert a SID to a User or Group Name
Another common scenario is when you need to find the name of a user or group from a known SID (the reverse procedure). As shown in the screenshot below, the group member list displays the SIDs of objects instead of their names.
To find the user account name by the known SID (a reverse procedure), use one of the following commands:
wmic useraccount where sid='S-1-3-12-12451234567-1234567890-1234567-1434' get name
You can also find out the group or user name by SID with the built-in PowerShell classes (without using additional modules):
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-3-12-12451234567-1234567890-1234567-1434")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value
When searching for objects by a known SID in an AD domain, it is better to use the Get-ADObject cmdlet. This is a universal method for searching objects in the Active Directory domain by SID when you don’t know the type of AD object to which the SID belongs or which cmdlet to use to find it (Get-AdUser, Get-ADComputer, or Get-ADGroup),
$sid = 'S-1-5-21-2412346651-123456789-123456789-12345678;
Get-ADObject –IncludeDeletedObjects -Filter "objectSid -eq '$sid'" | Select-Object name, objectClass
IncludeDeletedObjects
parameter allows you to search for deleted objects in the Active Directory Recycle Bin.In our case, the AD object with the specified SID is a domain computer (see the objectClass attribute).
5 comments
This was very useful, and thank you. I’ve noticed SIDs on files in O365, that are grouped in the format “S——. Additionally, some SIDs have another “2” 10-digit strings appended.
Do you happen to know what these mean? And why some have more groups of numbers than others? Are they group SIDs, perhaps, that are appended? Thanks very much in advance.
Perhaps you have in mind not the SIDs, but the SDDL (Security Descriptor Definition Language) file permission format?
Check out the article: https://woshub.com/how-to-backup-and-restore-ntfs-permissions-using-icacls/
Excellent! Showing multiple ways to obtain result. Love the PowerShell one-liner for obtaining “SID from User” and the $objSID + $objUser to obtain the “User from SID” that you shared. Those work for both Local and Domain cross reference!
Use this post at work, thank you.
Another command that could be added to the post is a simple command to see you’re own domain User SID using the whoami command like this at a command prompt: whoami /user .
fantastic, works like a charm.
thankyou