
TechTip: Look-up Active Directory username from SID using PowerShell

Occasionally, you will come across a SID (security identifier) in your DFIR investigation or threat hunting that you want to convert back to the Active Directory user or group name.

According to this helpful TechNet script, you can do it like this:

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("sid_here")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount]).Value

There is also an easier way, if you have the Remote Server Administration Tools installed on your machine:

Get-ADUser -Filter {(SID -eq "sid_here")}

The only caveat is that the SID might belong to a group, not a user. So if you run the above command and get no result, try it with the "Get-ADGroup" command next:

Get-ADGroup -Filter {(SID -eq "sid_here")}

Of course, if your PowerShell is not updated to version 5, you will also need to load the ActiveDirectory module manually first, using this easy command:

Import-Module ActiveDirectory

Some additional tips:

  • If you need to run the query with a different account, you can prompt yourself for the credentials, then use the credentials in the above query:

    $credential = Get-Credential
    Get-ADUser -Credential $credential -Filter {(SID -eq "sid_here")}


  • You can also get the above query to return all the properties of the user/group that you're looking up by adding -Properties * at the end:

    Get-ADUser -Filter {(SID -eq "sid_here")} -Properties *
    Get-ADGroup -Filter {(SID -eq "sid_here")} -Properties *
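Putting the pieces above together, here is an added example (my own code, not from the TechNet script or the original post) that wraps the whole procedure in one function: it tries the local .NET translation first, then falls back to Get-ADUser and finally Get-ADGroup, accepts optional alternate credentials, and reports SIDs it could not resolve instead of silently dropping them. The function name Resolve-SidToName, the Source/Type fields and the sample SIDs in the usage line are my own choices; it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original post): resolve one or more SIDs to
# account names, trying the local .NET translation first and falling back to
# the ActiveDirectory module (assumed installed via RSAT) for users, then groups.
function Resolve-SidToName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Sid,

        # Optional alternate credentials, e.g. the output of Get-Credential
        [System.Management.Automation.PSCredential]$Credential
    )

    begin {
        # Module auto-loading covers newer PowerShell; import explicitly to be safe
        Import-Module ActiveDirectory -ErrorAction SilentlyContinue

        # Only pass -Credential to the AD cmdlets when one was supplied
        $adParams = @{}
        if ($Credential) { $adParams['Credential'] = $Credential }
    }

    process {
        foreach ($s in $Sid) {
            $result = [pscustomobject]@{
                SID    = $s
                Name   = $null
                Type   = $null
                Source = $null
            }

            # 1. Local translation through the .NET SecurityIdentifier class.
            #    Resolves well-known SIDs and domain SIDs this machine can reach;
            #    a malformed SID string fails in the constructor, an unknown
            #    but well-formed one fails in Translate().
            try {
                $objSid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                                     -ArgumentList $s -ErrorAction Stop
            }
            catch {
                # Malformed SID: nothing else will resolve it either
                $result.Source = 'InvalidSid'
                $result
                continue
            }
            try {
                $result.Name   = $objSid.Translate([System.Security.Principal.NTAccount]).Value
                $result.Type   = 'Unknown'
                $result.Source = 'Translate'
            }
            catch {
                # IdentityNotMappedException or similar: fall through to AD lookups
            }

            # 2. ActiveDirectory module: user first, then group (the SID may belong
            #    to either, and Get-ADUser returns nothing for a group SID).
            if (-not $result.Name) {
                $user = Get-ADUser -Filter "SID -eq '$s'" @adParams -ErrorAction SilentlyContinue
                if ($user) {
                    $result.Name   = $user.SamAccountName
                    $result.Type   = 'User'
                    $result.Source = 'Get-ADUser'
                }
                else {
                    $group = Get-ADGroup -Filter "SID -eq '$s'" @adParams -ErrorAction SilentlyContinue
                    if ($group) {
                        $result.Name   = $group.SamAccountName
                        $result.Type   = 'Group'
                        $result.Source = 'Get-ADGroup'
                    }
                }
            }

            # An unresolved SID is still worth recording: in an investigation it
            # often points to a deleted account, a foreign domain, or a local principal.
            if (-not $result.Name) { $result.Source = 'Unresolved' }
            $result
        }
    }
}

# Usage. 'S-1-5-32-544' is the well-known BUILTIN\Administrators SID; the second
# value is a constructed placeholder, not a real domain SID.
'S-1-5-32-544', 'S-1-5-21-1111111111-2222222222-3333333333-1001' |
    Resolve-SidToName |
    Format-Table SID, Name, Type, Source -AutoSize
```

Pipe a list of SIDs pulled from event logs or ACLs into the function and keep the rows whose Source is "Unresolved" in your notes; during DFIR work, a SID that no longer maps to an account is frequently more interesting than one that does. To run the AD lookups as another account, pass `-Credential (Get-Credential)` exactly as the tip above describes.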
