I'm not looking for User SIDs. I'm looking for the computer SID, which Active Directory would use to uniquely identify the computer. I also don't want to query the Active Directory server, I want to query the computer itself.
If you want to see a computer's SID just pass the computer's name as a command-line argument. If you want to see a user's SID, name the account (e.g. "administrator") on the command-line and an optional computer name.
To determine if the SID is simply that of a deleted user or group, you can search for the object's tombstone, which is something Active Directory (AD) leaves after an object is deleted. Tombstones include the name of the user or group, the object type, and the SID.
The sid command displays the security identifier in the standard format, for either the current user, or a given user, optionally specified with a domain. Also, if a security identifier is specified, sid <sid> displays the user associated with that identifier.
(Ooh, this was a fun one! I went on a wild goose chase, as they say, trying to get the Win32_SID instance, which is a singleton and not enumerable by the usual InstancesOf or Query methods... yadda yadda yadda.)
Well, it depends which computer SID you want (seriously!). There's the SID that the local computer uses for itself... For this, you just need to get the SID of the local Administrator user, and remove the "-500" from the end to get the computer's SID.
In VBScript, it looks like this:
    strComputer = "AFAPC001"
    strUsername = "Administrator"
    ' Bind to WMI on the target machine
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    ' Fetch the local Administrator account (its SID always ends in RID -500)
    Set objAccount = objWMIService.Get("Win32_UserAccount.Name='" & strUsername & "',Domain='" & strComputer & "'")
    WScript.Echo "Administrator account SID: " & objAccount.SID
    ' Drop the trailing "-500" to leave the machine SID
    WScript.Echo "Computer's SID: " & Left(objAccount.SID, Len(objAccount.SID) - 4)
In PowerShell, like this:
    function get-sid {
        Param ( $DSIdentity )
        # Translate an account name (local or domain) into its SID string
        $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
        return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
    }

    > $admin = get-sid "Administrator"
    > $admin.SubString(0, $admin.Length - 4)
In C# on .NET 3.5:
    using System;
    using System.Security.Principal;
    using System.DirectoryServices;
    using System.Linq;

    public static class ComputerSid
    {
        public static SecurityIdentifier GetComputerSid()
        {
            // Bind to the local SAM through the WinNT provider; every child
            // (user or group) carries a SID whose domain part is the machine SID.
            DirectoryEntry computer = new DirectoryEntry(
                string.Format("WinNT://{0},Computer", Environment.MachineName));
            byte[] sidBytes = (byte[])computer.Children
                .Cast<DirectoryEntry>()
                .First()
                .InvokeGet("objectSID");
            // AccountDomainSid strips the RID, leaving S-1-5-21-x-y-z
            return new SecurityIdentifier(sidBytes, 0).AccountDomainSid;
        }
    }
Results from all of these match the response I get from PsGetSid.exe.
On the other hand, there's the SID that Active Directory uses to identify each domain member computer... That one you fetch by getting the SID of the machine account in the domain--the one that ends with a dollar sign.
E.g., using the above PowerShell function for a domain member called "CLIENT", you can type get-sid "CLIENT$".
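The "strip four characters" trick above only works because the Administrator RID is exactly 500; the CLIENT$ machine account has a different RID, and .NET's AccountDomainSid actually drops the whole last sub-authority. The following is an added example (not from the answer above) that decodes a binary objectSid into S-1-... form and derives the machine/domain SID the general way, which is useful when correlating a computer's local SID with SIDs seen in event logs; the sample byte string is constructed for illustration and is not a real SID.

```python
import struct
from typing import Optional

# Constructed sample, not a real SID: the binary objectSid of a built-in
# Administrator account (RID 500) in a made-up machine/domain S-1-5-21-1000-2000-3000.
SAMPLE_ADMIN_OBJECTSID = bytes.fromhex(
    "01"            # revision
    "05"            # number of sub-authorities
    "000000000005"  # 48-bit big-endian identifier authority: 5 = NT Authority
    "15000000"      # sub-authority 21 (little-endian)
    "e8030000"      # 1000
    "d0070000"      # 2000
    "b80b0000"      # 3000
    "f4010000"      # 500 = RID of the built-in Administrator
)


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID (objectSid layout) into the S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def account_domain_sid(sid: str) -> Optional[str]:
    """Return S-1-5-21-a-b-c (the machine or domain SID) with the trailing RID
    removed, regardless of the RID's length; None for SIDs not issued by a SAM
    or domain (e.g. S-1-5-18 or S-1-5-32-544), mirroring .NET's AccountDomainSid."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) < 7:
        return None
    return "-".join(parts[:7])


def rid(sid: str) -> int:
    """Last sub-authority: the relative identifier of the account."""
    return int(sid.rsplit("-", 1)[1])


if __name__ == "__main__":
    s = sid_bytes_to_string(SAMPLE_ADMIN_OBJECTSID)
    print(s, "->", account_domain_sid(s), "RID", rid(s))
```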