Search PowerShellers and other PowerShell-related sites

Thursday, June 11, 2009

How to get computer SID using PowerShell

Let's start with the theory. ;)

The computer SID is stored in the HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account Registry subkey. This key has a value named F and a value named V. The V value is a binary value that has the computer SID embedded within it at the end of its data. This SID is in a standard format (3 32-bit subauthorities preceded by three 32-bit authority fields).

Because you can't see the SECURITY hive's contents by default (even as an administrator), you need a little trick. Use at command to schedule the startup of PowerShell. Make sure that you schedule the task as Interactive and that the Scheduler service runs in the security context of the System (aka LocalSystem) account because this account—unlike a regular user account—has privileges to view the SAM and SECURITY hives.

c:\> at TIME /interactive powershell.exe

PS> $key = Get-Item HKLM:\security\sam\domains\account
PS> $values = Get-ItemProperty $key.pspath
PS> $bytearray = $values.V
PS> New-Object System.Security.Principal.SecurityIdentifier($bytearray[272..295],0) | Format-List *

BinaryLength : 24
AccountDomainSid : S-1-5-21-796845957-602608370-839522115
Value : S-1-5-21-796845957-602608370-839522115

You can check your result with Sysinternals' PsGetSid:

PS> .\psgetsid.exe 



dmitrysotnikov said...

Hmm, why not just use:

(Get-QADComputer computername).SID

marcus said...

you could also invoke powershell without at, since it's clear you have sysinternals tools. :)

psexec.exe -s -i powershell.exe

Anonymous said...

Is there a way to search a domain for a PC with the SID. I have an orphaned SID floating about and I need a way to find it to see what is going on.

Many Thanks,

aleksandar said...

If you know computer's SID, you can find its DN using the following commands:

PS> $sid = 'S-1-5-21-52832475-452809606-928726530-24352'
PS> [ADSI]"LDAP://<SID=$sid>"


Anonymous said...

The computer SID is not the same thing as the AD computer object SID.

Anonymous said...

On Windows 7, this message:

Warning: Due to security enhancements, this task will run at the time expected but not interactively.
Use schtasks.exe utility if interactive task is required ('schtasks /?' for details).

binoj said...

Simple command.
Get-adcomputer -id "ComputerName"

Adam D said...

Bingo dmitrysotnikov !

Jeff Miller said...

I like using this. It displays the sid and the name of the machine it belongs to.

Get-ADComputer -Filter "name -eq " -Properties sid | select name, sid

Chris Davis, PFE said...

Why does everyone keep posting that they can get this out of AD. You folks realize that the computer has its own SID, which is different than the SID of the computer object on the domain, right? ;-)