Windows OS Hub / Active Directory / How to Convert SID to User/Group Name and User to SID?

December 2, 2021 Active Directory PowerShell Windows 10 Windows Server 2019

How to Convert SID to User/Group Name and User to SID?

SID (Security IDentifier) is a unique identifier that is assigned to users, groups, computers, or other security objects when they are created in Windows or Active Directory domain. Windows uses the SID, but not the username, to control access to different resources: network shared folders, registry keys, file system objects (NTFS permissions), printers, etc. In this article, we’ll show you some simple ways to find the SID of a user, group, or computer, and the reverse procedure – how to get an object name by a known SID.

Contents:

What is SID (Windows Security Identifier)?
How to Find a Local User Security Identifier (SID)?
How to Get User/Group SID in Active Directory?
Checking the Domain and Local Machine SID of a Computer
How to Convert a SID to User or Group Name?
Searching Active Directory by SID using PowerShell

What is SID (Windows Security Identifier)?

As we said, SID (security identifier) allows you to uniquely identify a user, group or computer within a certain scope (domain or local computer). SID is a string of the form:

S-1-5-21–489056535-1467421822-2524099697–1231

489056535-1467421822-2524099697– this is the unique identifier of the domain that issued the SID (this part will be the same for all objects in the same domain):
1231 – the object’s relative security identifier (RID). It starts at 1000 and increases by 1 for each new object. Issued by a domain controller with FSMO role RID Master.

SIDs of Active Directory objects are stored in the ntds.dit database, and SIDs of local users and groups in the local Windows Security Account Manager (SAM) database in the HKEY_LOCAL_MACHINE\SAM\SAM registry key.

There are so-called Well-known SIDs in Windows. These are the SIDs for built-in users and groups on any Windows computer. For example:

S-1-5-32-544 – built-in Administrators group
S-1-5-32-545 – local users
S-1-5-32-555 – Remote Desktop Users group that are allowed to log in via RDP
S-1-5-domainID-500 – built-in Windows administrator account
Etc.

On Windows, you can use various tools to convert SID -> Name and Username -> SID: whoami tool, wmic, WMI classes, PowerShell, or third-party utilities.

How to Find a Local User Security Identifier (SID)?

To get the SID of the local user account, you can use the wmic tool, which allows you to query the computer’s WMI namespace. To get the SID of the local user test_user, you can use the WMIC command:

wmic useraccount where name='test_user' get sid

This command can return an error if the WMI repository is damaged. Use this guide to repair the WMI repository.

The command above returned the SID of the specified local user. In this example – S-1-5-21-1175659216-1321616944-201305354-1005.

In order to list the SIDs of all local Windows users, run:

wmic useraccount get name,sid

If you need to get the SID of the current user, run the following command:

wmic useraccount where name='%username%' get sid

You can query WMI directly from PowerShell:

(Get-WmiObject -Class win32_userAccount -Filter "name='test_user' and domain='$env:computername'").SID

In newer versions of PowerShell Core 7.x, you must use Get-CimInstance instead of the Get-WmiObject cmdlet.

But it’s even easier to get the SID of a local user by using the built-in PowerShell module for managing local users and groups (Microsoft.PowerShell.LocalAccounts).

Get-LocalUser -Name 'test_user' | Select-Object Name, SID

In the same way, you can get the SID of a group of the local computer:

Get-LocalGroup -Name tstGroup1 | Select-Object Name, SID

You can also use the .NET classes System.Security.Principal.SecurityIdentifier and System.Security.Principal.NTAccount to get the user’s SID via PowerShell:

$objUser = New-Object System.Security.Principal.NTAccount("LOCAL_USER_NAME") $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier]) $strSID.Value

How to Get User/Group SID in Active Directory?

The following command can be used to get a SID of the current domain account:

whoami /user

You can find the SID of an Active Directory domain user using WMIC tool. You must specify your domain name in the following command:

wmic useraccount where (name='jjsmith' and domain=′corp.woshub.com′) get sid

To find the SID of an AD domain user, you can use the Get-ADUser cmdlet that is a part of the Active Directory Module for Windows PowerShell. Let’s get the SID for the jabrams domain user account:

Get-ADUser -Identity 'jabrams' | select SID

You can get the SID of an AD group using the Get-ADGroup cmdlet:

Get-ADGroup -Filter {Name -like "fr-sales-*"} | Select SID

If the PowerShell AD module is not installed on your computer, you can get the user’s SID from the AD domain using the .Net classes mentioned earlier:

$objUser = New-Object System.Security.Principal.NTAccount("corp.woshub.com","jabrams") $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier]) $strSID.Value

The same PowerShell one-liner command:

(new-object security.principal.ntaccount “jabrams").translate([security.principal.securityidentifier])

Checking the Domain and Local Machine SID of a Computer

If a Windows computer is joined to an Active Directory domain, it will have two different SIDs. The first SID is the local computer identifier (Machine SID), and the second is the unique computer object identifier in AD.

You can get the SID of a computer in the Active Directory domain using the command:

Get-ADComputer mun-rds1 -properties sid|select name,sid

The SID of the local computer (Machine SID) can be obtained using the PsGetSID tool (https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid). But you have to download and install the tool on each computer manually.

.\PsGetsid64.exe

Or simply by trimming the last 4 characters (RID) from the SID of any local user:

$user=(Get-LocalUser Administrator).sid $user -replace ".{4}$"

It is important that each computer in the domain has a unique local (machine) SID. If you are cloning computers or virtual machines or creating them from a template, you must run the sysprep utility before joining them to the domain. This tool resets the local Machine SID. This will save you from common trust relationship errors.

How to Convert a SID to User or Group Name?

To find out the name of the user account by the SID (a reverse procedure), you can use one of the following commands:

wmic useraccount where sid='S-1-3-12-12451234567-1234567890-1234567-1434' get name

You can get the domain user’s name by a SID using the RSAT-AD-PowerShell module:

Get-ADUser -Identity S-1-3-12-12451234567-1234567890-1234567-1434

To find the domain group name by a known SID, use the command:

Get-ADGroup -Identity S-1-5-21-247647651-3965464288-2949987117-23145222

You can also find out the group or user name by SID with the built-in PowerShell classes (without using additional modules):

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S S-1-3-12-12451234567-1234567890-1234567-1434") $objUser = $objSID.Translate( [System.Security.Principal.NTAccount]) $objUser.Value

Searching Active Directory by SID using PowerShell

If you don’t know what type of AD object a certain SID belongs to and what exact PowerShell cmdlet you need to use to find it (Get-AdUser, Get-ADComputer, or Get-ADGroup), you can use the universal method of searching objects in the Active Directory domain by a SID using the Get-ADObject cmdlet.

$sid = ‘S-1-5-21-2412346651-123456789-123456789-12345678’ Get-ADObject –IncludeDeletedObjects -Filter "objectSid -eq '$sid'" | Select-Object name, objectClass

The IncludeDeletedObjects parameter allows you to search for deleted objects in the Active Directory Recycle Bin.

In our case, the AD object with the specified SID is a domain computer (see the objectClass attribute).