5

How can I determine user name and domain if all I have is the user's SID?

Jeff Atwood
  • 12,994
  • 20
  • 74
  • 92
Xaver
  • 249
  • 2
  • 12

4 Answers4

4

psgetsid from SysInternals PSTools will do this. Put a SID on the command line it will give you the user/group name, and visa-versa.

Richard
  • 5,309
  • 1
  • 22
  • 20
3

ADFind can do this. The list of options is here. For example, you might do something like this to export a list of users with their SID:

adfind -h domaincontroller01:389 -b "CN=Users,DC=domain,DC=com" -f "(objectClass=user)" objectSID displayName

You can run ADFind from any box as long as it can reach a domain controller. Obviously you would replace domaincontroller01 with the name or IP of a domain controller and change the "CN=Users,DC=domain,DC=com" to reflect the path to the users in question.

icky3000
  • 4,718
  • 1
  • 20
  • 15
3

Fire up windows powershell and run:

$strSID="S-1-5-21-500000003-1000000000-1000000003-1001"
$uSid = [ADSI]"LDAP://<SID=$strSID>"
echo $uSid

the output should look something like this, 

distinguishedName : {CN=John Doe,OU=Domain Admins,OU=People,OU=xxx,DC=xxx}
Path              : LDAP://<SID=S-1-5-21-500000003-1000000000-1000000003-1001>
Tim Abell
  • 1,311
  • 3
  • 10
  • 21
  • 1
    11 years later, and this is still the easiest way to do this without relying on external tools. Output also includes a bunch of other AD attributes that can be selected, including `sAMAccountName` and `userPrincipalName`, either of which would fulfill the asker's original request. – Micah Yeager Mar 18 '21 at 17:00
0
  1. Open regedit (Windows-R regedit)
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  3. Click on the subkeys (something like S-1-5-19)
  4. Look at the ProfileImagePath (it'll have something like %SystemDrive%\Documents and Settings\LocalService).

So in this example SID S-1-5-19 is LocalService

Kevin Driedger
  • 101
  • 1
  • That doesn't answer the question. e.g. On my machine there's a user entry for S-1-5-21-2052111302-1972579041-1801674531-2121 but there's no way to tell from that who the user is. – John Gardeniers Aug 17 '10 at 21:19
  • double checking on the system in front of me, it shows the ProfileImagePath pointing at the user directory. @JohnGardeniers what does the ProfileImagePath subkey say for you? – Kevin Driedger Dec 03 '12 at 15:46
  • given that my comment was made over 2 years ago I'm sure you'll understand that I'm no longer at that machine, or even at that workplace. For that matter, I'm no longer even using the same OS. – John Gardeniers Dec 04 '12 at 00:43