The following little scripts will allow you to play and take your first steps with the Active Directory object SID
Resolve object SID to username
$objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-123456789-1234567890-123456789-12345") $objUser = $objSID.Translate( [System.Security.Principal.NTAccount]) $objUser.Value
Get the SID of a username
Script (with Microsoft Active Directory module loaded : import-module activedirectory) :
get-aduser "username" -Properties sid | select sid
Script (with Quest Active Directory module) :
Get-QADUser "username" -IncludedProperties sid |select sid
SID structure :
A security identifier (SID) is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy, like a telephone number, and identify the SID-issuing authority (Windows 2000, for example), the SID-issuing domain, and a particular security principal or group. Figure 12.7 illustrates the structure of a SID.
Figure 12.7 SID Structure
The individual parts of a SID are as follows:
Revision This value indicates the version of the SID structure used in a particular SID. The structure used in all SIDs created by Windows NT and Windows 2000 is revision level 1.
Identifier authority This value identifies the highest level of authority that can issue SIDs for this particular type of security principal. For example, the identifier authority value in the SID for the group Everyone is 1 (World Authority). The identifier authority value in the SID for a specific Windows NT and Windows 2000 account or group is 5 (NT Authority).
Subauthorities The most important information in a SID is contained in a series of one or more subauthority values. All values up to but not including the last value in the series collectively identify a domain in an enterprise. This part of the series is the domain identifier . The last value in the series identifies a particular account or group relative to a domain. This value is the relative identifier (RID).
The components of a SID are easier to visualize when SIDs are converted from binary to string format using standardized notation:
S-R-X-Y 1 -Y 2 ...-Y n-1 -Y n
In this notation, the components of a SID are as follows:
- S indicates that the string is a SID.
- R is the revision level.
- X is the identifier authority value.
- Y is a series of subauthority values, where n is the number of values. This number corresponds to the Subauthority Count shown in Figure 12.7.
The SID’s most important information is contained in the series of subauthority values. The first part of the series (-Y 1 -Y 2 …-Y n-1 ) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, for the domain identifier is what differentiates SIDs issued by one domain from SIDs issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier. The last item in the series of subauthority values (-Y n ) is the relative identifier. It is what distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier.
For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:
This SID has:
- A revision level, 1
- An identifier authority value, 5 (NT Authority)
- A domain identifier, 32 (Builtin)
- A relative identifier, 544 (Administrators)
SIDs for built-in accounts and groups always have the same domain identifier value, 32. This value identifies the domain Builtin, which exists on every computer running Windows NT or Windows 2000. It is never necessary to distinguish one computer’s built-in accounts and groups from another computer’s built-in accounts and groups because they are local in scope—local either to a single computer or, in the case of domain controllers for a network domain, local to several computers acting as one. However, built-in accounts and groups do need to be distinguished from one another within the scope of the Builtin domain, therefore the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the Builtin domain has a SID with a final value of 544.
For another example, consider the SID for the global group Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following is the SID for Reskit\Domain Admins:
The SID for Reskit\Domain Admins has:
- A revision level, 1
- An identifier authority, 5 (NT Authority)
- A domain identifier, 21-1004336348-1177238915-682003330 (Reskit)
- A relative identifier, 512 (Domain Admins)
The SID for Reskit\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier, 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Reskit\Domain Admins is distinguished from the SIDs for other accounts and groups created in the Reskit domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512.