How to Convert SID to User/Group Name and User to SID

SID (Security IDentifier) is a unique identifier that is assigned to users, groups, computers, or other security objects when they are created in Windows, an Active Directory domain, or an Entra ID (Azure) tenant. Windows uses the SID, rather than user/group names, to control access to different resources: shared network folders, registry keys, file system objects (NTFS permissions), printers, etc. In this article, we’ll show how to find the SID of a user, group, or computer, as well as the reverse procedure: how to obtain an object name by a known SID.

What is a Security Identifier (SID) in Windows?

As we mentioned, a SID (security identifier) allows you to uniquely identify a security principal (user, group, or computer) within a certain scope (domain or local computer). The following format is used for the SID string:

S-1-5-21–489056535-1467421822-2524099697–1231

• S – indicates that this string contains a SID
• 1 – version number of the identifier (always 1)
• 5 – authority identifier (5 for NT Authority, 12 for Entra ID, 1– Everyone group)
• 21-489056535-1467421822-2524099697– this is the unique identifier of the domain that issued the SID. This part will be the same for all objects within the same domain
• 1231 – the object’s relative security identifier (RID). It starts at 1000 and increases by 1 for each new object. Issued by a domain controller with the FSMO role RID Master.

The SIDs of Active Directory objects are stored in the NTDS.dit database, and the SIDs of local users and groups are in the local Windows Security Account Manager (SAM) database in the HKEY_LOCAL_MACHINE\SAM\SAM registry key. A SID is a unique value within its issuing environment. For example, a local user SID is unique within a computer, while a domain SID is unique within a domain.

There are so-called Well-known SIDs in Windows. These are the SIDs for built-in users and groups on any Windows computer. For example:

• S-1-5-32-544 – built-in Administrators group
• S-1-5-32-545 – local users
• S-1-5-32-555 – Remote Desktop Users group that is allowed to log in via RDP
• S-1-5-21-<domain>-500 – built-in Windows administrator account (domain admin)
• S-1-5-21-<domain>-512 — Domain Admins
• S-1-5-21-<domain>-513 — Domain Users
• etc.

In Windows, you can use different tools to convert SID -> Name and Username -> SID: whoami tool, wmic, WMI classes, PowerShell, or third-party utilities.

How to Find a Local User Security Identifier (SID)

You can use the wmic tool to query the computer’s WMI (Windows Management Instrumentation) namespace and get the SID of the local user account. To find the SID of the local user test_user, use the following WMIC command:

wmic useraccount where name='test_user' get sid

The command above returned the SID of the specified local userS-1-5-21-1175659216-1321616944-201305354-1005.

However, starting with Windows 11 24H2 and Windows Server 2025, the wmic command is not installed by default, so you need to use PowerShell commands instead. Retrieve the SID of the user test_user from the WMI namespace using PowerShell (as an alternative to using the wmic command):

(Get-CimInstance -Class win32_userAccount -Filter "name='test_user' and domain='$env:computername'").SID

Another option is to find out the SID of a local user using the built-in LocalAccounts management PowerShell module:

Get-LocalUser -Name 'test_user' | Select-Object Name, SID

List all local Windows users and their SIDs:

Get-LocalUser | Select-Object  name,sid

Obtain the SID of the current user (under which the command is executed):

Get-LocalUser -Name $env:USERNAME | Select-Object name,sid

Note that the registry stores information about local user profiles on the computer in the ProfileList key with the SID (rather than the username). Thus, the username can be extracted from the registry by its SID:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3414967564-123456789-0123456789-1006" /v ProfileImagePath

In the same way, you can get the SID of a group of the local computer:

Get-LocalGroup -Name tstGroup1 | Select-Object Name, SID

On older versions of Windows, you can also use the .NET classes System.Security.Principal.SecurityIdentifier and System.Security.Principal.NTAccount to get the user’s SID via PowerShell:

$objUser = New-Object System.Security.Principal.NTAccount("LOCAL_USER_NAME")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

How to Get a User or Group SID in Active Directory

Use the following command to obtain a SID for your current domain account:

whoami /user

You can also view the user’s SID in the Attribute Editor tab of the user’s properties in the graphical ADUC snap-in (dsa.msc). Check the value of the objectSid property.

The WMIC tool can be used to obtain the SID of an Active Directory domain user. In this case, the domain name must be specified in the command:

wmic useraccount where (name='jjsmith' and domain='corp.woshub.com') get sid

However, the WMIC command has been deprecated. It is therefore better to use the Get-ADUser cmdlet (part of the Active Directory Module for Windows PowerShell) to obtain the SID of a domain user. Let’s get the SID for the jabrams domain user account:

Get-ADUser -Identity 'jabrams' | select SID

You can use the Get-ADGroup cmdlet to get the SID of an AD security group.

Get-ADGroup -Filter {Name -like "fr-sales-*"} | Select SID

If the PowerShell AD module is not installed on a computer, you can get the user’s SID from the AD domain using the .NET classes mentioned earlier:

$objUser = New-Object System.Security.Principal.NTAccount("corp.woshub.com","jabrams")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

The same PowerShell one-liner:

(new-object security.principal.ntaccount "jabrams").translate([security.principal.securityidentifier])

Getting the Local Machine and Domain SID of a Computer

If a Windows computer is joined to an Active Directory domain, it will have two different SIDs. The first SID is the local computer identifier, or Machine SID. The second is the unique computer object security identifier in AD.

You can get the SID of a computer in the Active Directory domain using the command:

Get-ADComputer mun-rds1 -properties sid|select name,sid

The SID of the local computer (Machine SID) can be obtained using the PsGetSID tool (https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid).

.\PsGetsid64.exe

Or (even simpler), by trimming the last 4 characters of any local user’s RID and SID:

$user=(Get-LocalUser Administrator).sid
$user -replace ".{4}$"

How to Convert a SID to a User or Group Name

Another common scenario is when you need to find the name of a user or group from a known SID (the reverse procedure). As shown in the screenshot below, the group member list displays the SIDs of objects instead of their names.

To find the user account name by the known SID (a reverse procedure), use one of the following commands:

wmic useraccount where sid='S-1-3-12-12451234567-1234567890-1234567-1434' get name

You can also find out the group or user name by SID with the built-in PowerShell classes (without using additional modules):

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-3-12-12451234567-1234567890-1234567-1434")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

When searching for objects by a known SID in an AD domain, it is better to use the Get-ADObject cmdlet. This is a universal method for searching objects in the Active Directory domain by SID when you don’t know the type of AD object to which the SID belongs or which cmdlet to use to find it (Get-AdUser, Get-ADComputer, or Get-ADGroup),

$sid = 'S-1-5-21-2412346651-123456789-123456789-12345678;
Get-ADObject –IncludeDeletedObjects -Filter "objectSid -eq '$sid'" | Select-Object name, objectClass

In our case, the AD object with the specified SID is a domain computer (see the objectClass attribute).