Today, I saw an e-mail that referenced to this article. And while reading the discussion, I started to wonder if there was a way to list SIDs of users using PowerShell instead of other well-known tools like SysInternals utility PSGetSID.
I was almost sure that it would be somewhere in WMI but obvious first question with WMI is how to find it. I remembered seeing Jeff Snover's blog on 'Exploring WMI' which gave me an idea about how to look. I had to start somewhere to search for SIDs so I started searching for WMI classes that included keyword 'account':
PS C:\> gwmi -list *account* |ft -auto NameSpace: ROOT\cimv2 Name Methods Properties ---- ------- ---------- MSFT_NetBadAccount {} {SECURITY_DESCRIPTOR, TIME_CREATED} Win32_Account {} {Caption, Description, Domain, InstallDate...} Win32_UserAccount {Rename} {AccountType, Caption, Description, Disabled...} Win32_SystemAccount {} {Caption, Description, Domain, InstallDate...} Win32_AccountSID {} {Element, Setting}
Win32_AccountSID seemed like the best match but it turned out a bit more difficult to read than I expected:
PS C:\> gwmi win32_accountsid |select element,setting |ft -auto element setting ------- ------- \\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="Administrators" \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-544" \\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="Distributed COM Users" \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-562" \\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="Event Log Readers" \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-573" \\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="Guests" \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-546" \\AHFB\root\cimv2:Win32_Group.Domain="AHFB",Name="IIS_IUSRS" \\AHFB\root\cimv2:Win32_SID.SID="S-1-5-32-568" ...
Simply using Win32_UserAccount showed me the user accounts & their SIDS in a cleaner way:
PS C:\> gwmi win32_useraccount |select name,sid |ft -auto name sid ---- --- Adil Hindistan S-1-5-21-2019936553-3113866535-3325437445-1000 Administrator S-1-5-21-2019936553-3113866535-3325437445-500 Bezen S-1-5-21-2019936553-3113866535-3325437445-1002 Guest S-1-5-21-2019936553-3113866535-3325437445-501 HomeGroupUser$ S-1-5-21-2019936553-3113866535-3325437445-1013 __vmware_user__ S-1-5-21-2019936553-3113866535-3325437445-1012
Similarly, Win32_SystemAccount can be used to display SIDs of System accounts or Win32_Account can display both user and system account info.
No comments:
Post a Comment