
Thursday, June 11, 2009

How to get computer SID using PowerShell

Let's start with the theory. ;)

The computer SID is stored in the HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account Registry subkey. This key has a value named F and a value named V. The V value is a binary value that has the computer SID embedded within it at the end of its data. This SID is in a standard format (three 32-bit subauthorities preceded by three 32-bit authority fields).

Because you can't see the SECURITY hive's contents by default (even as an administrator), you need a little trick. Use the at command to schedule the startup of PowerShell. Make sure that you schedule the task as Interactive and that the Scheduler service runs in the security context of the System (aka LocalSystem) account, because this account, unlike a regular user account, has privileges to view the SAM and SECURITY hives.

c:\> at TIME /interactive powershell.exe


PS> $key = Get-Item HKLM:\security\sam\domains\account
PS> $values = Get-ItemProperty $key.pspath
PS> $bytearray = $values.V
PS> New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytearray[272..295],0) | Format-List *

BinaryLength : 24
AccountDomainSid : S-1-5-21-796845957-602608370-839522115
Value : S-1-5-21-796845957-602608370-839522115


You can check your result with Sysinternals' PsGetSid:

PS> .\psgetsid.exe 

SID for \\COMPUTER:
S-1-5-21-796845957-602608370-839522115
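
The following is an added example, not code from the original post. It takes the SID from the last 24 bytes of V instead of the fixed 272..295 range, relying on the post's statement that the SID sits at the end of the data, and casts the slice to byte[] so that the (byte[], int) constructor is selected. The function name Get-SidFromVValue is hypothetical and the sample buffer is constructed from the SID shown above.

```powershell
# Added example: extract the machine SID from the tail of a SAM "V" byte array.
function Get-SidFromVValue {
    param(
        [Parameter(Mandatory = $true)]
        [byte[]] $V
    )

    # Revision (1) + sub-authority count (1) + identifier authority (6)
    # + four 32-bit sub-authorities (21 and the three machine-specific values).
    $sidLength = 24
    if ($V.Length -lt $sidLength) {
        throw "V value is only $($V.Length) bytes; too short to hold a machine SID."
    }

    # Assumption taken from the post: the SID is the last 24 bytes of V.
    # An array slice is Object[], so cast it back to byte[]; otherwise
    # New-Object can bind to the (WellKnownSidType, SecurityIdentifier) constructor.
    [byte[]] $tail = $V[($V.Length - $sidLength)..($V.Length - 1)]

    # Check the SID header before trusting the bytes.
    if ($tail[0] -ne 1 -or $tail[1] -ne 4) {
        throw "Unexpected SID header: revision $($tail[0]), sub-authority count $($tail[1])."
    }

    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $tail, 0
    if ($sid.Value -notlike 'S-1-5-21-*') {
        throw "Parsed '$($sid.Value)', which is not a machine (S-1-5-21-...) SID."
    }
    return $sid
}

# Constructed sample: a 296-byte zero-filled buffer with the SID from the post
# written at offset 272, standing in for the real registry data.
$known  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-21-796845957-602608370-839522115'
$sample = New-Object byte[] 296
$known.GetBinaryForm($sample, 272)
(Get-SidFromVValue -V $sample).Value

# On a live system, from a PowerShell session running as SYSTEM:
# Get-SidFromVValue -V (Get-ItemProperty HKLM:\SECURITY\SAM\Domains\Account).V
```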

18 comments:

Anonymous said...

Hmm, why not just use:

(Get-QADComputer computername).SID

Marcus Oh said...

you could also invoke powershell without at, since it's clear you have sysinternals tools. :)

psexec.exe -s -i powershell.exe

Anonymous said...

Is there a way to search a domain for a PC with the SID? I have an orphaned SID floating about and I need a way to find it to see what is going on.


Many Thanks,
Maureen

aleksandar said...

If you know a computer's SID, you can find its DN using the following commands:


PS> $sid = 'S-1-5-21-52832475-452809606-928726530-24352'
PS> [ADSI]"LDAP://<SID=$sid>"

distinguishedName
-----------------
{CN=TESTCOMP,CN=Computers,DC=test,DC=local}

Anonymous said...

The computer SID is not the same thing as the AD computer object SID.

Anonymous said...

On Windows 7, this message:

Warning: Due to security enhancements, this task will run at the time expected but not interactively.
Use schtasks.exe utility if interactive task is required ('schtasks /?' for details).

binoj said...

Simple command.
Get-adcomputer -id "ComputerName"

A said...

Bingo dmitrysotnikov !

Unknown said...

I like using this. It displays the sid and the name of the machine it belongs to.

Get-ADComputer -Filter "name -eq " -Properties sid | select name, sid

Chris Davis, PFE said...

Why does everyone keep posting that they can get this out of AD. You folks realize that the computer has its own SID, which is different than the SID of the computer object on the domain, right? ;-)

Unknown said...

I realise this is an old old thread, but there is a (slightly cheaty) way to get the local computer SID in PowerShell without needing to elevate privs to System.

https://gist.github.com/IISResetMe/36ef331484a770e23a81

Richard C said...

((Get-LocalUser | Select-Object -First 1).SID).AccountDomainSID.ToString()

Basically gets the 1st local account and obtains the computer sid from this object.

Hope this helps someone.

Anonymous said...

Thank you my friend, it helped me! Kind regards!!

Dominique said...

Hello,

I am getting an error on the powershell:
New-Object System.Security.Principal.SecurityIdentifier($bytearray[272..295],0) | Format-List *
New-Object : Cannot convert argument "0", with value: "System.Object[]", for "SecurityIdentifier" to type
"System.Security.Principal.WellKnownSidType": "Cannot convert value "173" to type
"System.Security.Principal.WellKnownSidType" due to enumeration values that are not valid. Specify one of the
following enumeration values and try again. The possible enumeration values are "NullSid,WorldSid,LocalSid,CreatorOwner
Sid,CreatorGroupSid,CreatorOwnerServerSid,CreatorGroupServerSid,NTAuthoritySid,DialupSid,NetworkSid,BatchSid,Interactiv
eSid,ServiceSid,AnonymousSid,ProxySid,EnterpriseControllersSid,SelfSid,AuthenticatedUserSid,RestrictedCodeSid,TerminalS
erverSid,RemoteLogonIdSid,LogonIdsSid,LocalSystemSid,LocalServiceSid,NetworkServiceSid,BuiltinDomainSid,BuiltinAdminist
ratorsSid,BuiltinUsersSid,BuiltinGuestsSid,BuiltinPowerUsersSid,BuiltinAccountOperatorsSid,BuiltinSystemOperatorsSid,Bu
iltinPrintOperatorsSid,BuiltinBackupOperatorsSid,BuiltinReplicatorSid,BuiltinPreWindows2000CompatibleAccessSid,BuiltinR
emoteDesktopUsersSid,BuiltinNetworkConfigurationOperatorsSid,AccountAdministratorSid,AccountGuestSid,AccountKrbtgtSid,A
ccountDomainAdminsSid,AccountDomainUsersSid,AccountDomainGuestsSid,AccountComputersSid,AccountControllersSid,AccountCer
tAdminsSid,AccountSchemaAdminsSid,AccountEnterpriseAdminsSid,AccountPolicyAdminsSid,AccountRasAndIasServersSid,NtlmAuth
enticationSid,DigestAuthenticationSid,SChannelAuthenticationSid,ThisOrganizationSid,OtherOrganizationSid,BuiltinIncomin
gForestTrustBuildersSid,BuiltinPerformanceMonitoringUsersSid,BuiltinPerformanceLoggingUsersSid,BuiltinAuthorizationAcce
ssSid,WinBuiltinTerminalServerLicenseServersSid,MaxDefined"."
At line:1 char:1
+ New-Object System.Security.Principal.SecurityIdentifier($bytearray[27 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

Did something change ?
Thanks,
Dom

Dominique said...

I am also using:
Get-ADComputer -Filter "name -eq 'name'" -Properties sid | select name, sid | fl *

this is working but I need a second option to confirm.

Thanks,
Dom

Anonymous said...

you can also use this

Get-ADComputer -Identity *COMPUTER_NAME_HERE*

Anonymous said...

Richard C said...
((Get-LocalUser | Select-Object -First 1).SID).AccountDomainSID.ToString()

Basically gets the 1st local account and obtains the computer sid from this object.

Hope this helps someone.
---------------------------------------

Yes thanks Richard C, it just proved that someone just cloned one of our www servers in an HA pair and didn't perform the sysprep on the 2nd system so cheers mate.
