Mark Russinovich wrote about "The Machine SID Duplication Myth" on his blog last year where he explained why he had retired a utility called "NewSID" that he had written more than a decade ago.

Today, I saw an e-mail that referenced to this article. And while reading the discussion, I started to wonder if there was a way to list SIDs of users using PowerShell instead of other well-known tools like SysInternals utility PSGetSID.

I was almost sure that it would be somewhere in WMI but obvious first question with WMI is how to find it. I remembered seeing Jeff Snover's blog on 'Exploring WMI' which gave me an idea about how to look. I had to start somewhere to search for SIDs so I started searching for WMI classes that included keyword 'account':

PS C:\> gwmi -list *account* |ft -auto

NameSpace: ROOT\cimv2

Name                Methods  Properties
----                -------  ----------
Win32_Account       {}       {Caption, Description, Domain, InstallDate...}
Win32_UserAccount   {Rename} {AccountType, Caption, Description, Disabled...}
Win32_SystemAccount {}       {Caption, Description, Domain, InstallDate...}
Win32_AccountSID    {}       {Element, Setting}

Win32_AccountSID seemed like the best match but it turned out a bit more difficult to read than I expected:

PS C:\> gwmi win32_accountsid |select element,setting |ft -auto

element                                                                                  setting
-------                                                                                  -------
\\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="Administrators"                        \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-544"
\\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="Distributed COM Users"                 \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-562"
\\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="Event Log Readers"                     \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-573"
\\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="Guests"                                \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-546"
\\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="IIS_IUSRS"                             \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-568"

Simply using Win32_UserAccount showed me the user accounts & their SIDS in a cleaner way:

PS C:\> gwmi win32_useraccount |select name,sid |ft -auto

name            sid
----            ---
Adil Hindistan  S-1-5-21-2019936553-3113866535-3325437445-1000
Administrator   S-1-5-21-2019936553-3113866535-3325437445-500
Bezen           S-1-5-21-2019936553-3113866535-3325437445-1002
Guest           S-1-5-21-2019936553-3113866535-3325437445-501
HomeGroupUser$  S-1-5-21-2019936553-3113866535-3325437445-1013
__vmware_user__ S-1-5-21-2019936553-3113866535-3325437445-1012

Similarly, Win32_SystemAccount can be used to display SIDs of System accounts or Win32_Account can display both user and system account info.

No comments: