I'm doing some exercises on a challenge lab. I'm SYSTEM on the Forest PDC.
I need to figure out the SID of a local user on a machine in another domain in the forest.
I can get there with PTH and run a command locally, but my exercises say I should be able to do that without leaving the PDC.
In Windows, how can you query local users on a domain joined workstation, when you're domain admin?
Well if you've ever used the "Local Users & Groups" snap-in, you'll know this is possible. Just remember that the accounts aren't actually going to be in AD at all, so you'll need to have the remote server do the lookup for you. In a C program, you can use NetUserGetInfo to get details on a specific account or NetUserEnum to get a list of all users.
However, I think your best bet might be to use PowerShell. Here's an example:
([ADSI] 'WinNT://TABLET').Children |
Where {$_.schemaClassName -match "user"} |
Select Name, objectSid |
ForEach-Object {
New-Object -TypeName PSObject -Property @{
Name = $_.name[0]
SID = (New-Object Security.Principal.SecurityIdentifier ($_.objectSid[0]), 0).Value
}
} | Format-Table
