Check Windows User SID
For system administrators, querying information about the environment and configuration is an everyday job. One of these information is the Security Identifier (SID), which is used by Windows to identify users and groups. User names on a network can be duplicated, so that there is no conflict, each user is assigned a unique SID.
When assowing user rights, Windows uses the SID defined for that purpose. A SID is roughly similar to a Globally Unique Identifier (GUID) that each object in Windows owns. However, SIDs receive only security-relevate objects, because the SID is used for authentication of authenticity.
This SID identifies the user across the network. Even if the user’s name is changed, the SID persists, the user on the network is deleted and his SID is unchanged.
Structure of my SID
S-1-5-21–4147432549-3588766049-1627529166-1001
The SID (Security Identifier) tokens have the following meanings:
| S | It is a SID |
| 1 | Revision |
| 5 | Identifier Authority |
| 18 | System profiles |
| 19 | Localservice |
| 20 | Networkservice |
| 21 | User profile |
| 4147432549-3588766049-1627529166 | Domain ID, Computer ID |
| 1001 | User ID (RID) |
Table with SID of system accounts
SID Queries
If you want to query the SID of all user accounts, you can do so with the following command in a Command Prompt (cmd).
|
1 2 |
wmic useraccount get sid,name |
All SIDs and user names are output.
|
1 2 3 4 5 6 7 8 9 10 11 |
C:\>wmic useraccount get sid,name Name SID Administrator S-1-5-21-4147432549-3588766049-1627529166-500 DefaultAccount S-1-5-21-4147432549-3588766049-1627529166-503 John S-1-5-21-4147432549-3588766049-1627529166-1001 Guest S-1-5-21-4147432549-3588766049-1627529166-501 |
Here are the SIDs of the local accounts. For a query in a network domain, there may be some more.
Computer and domain SIDs consist of a base SID and a relative ID (RID) appended to the base SID. If the computer belongs to a domain, another SID comes into play. The computer still has its own computer SID and local accounts and groups, but is also a member of a domain and therefore has a SID that represents the computer account in that domain. The SID of a computer account consists of the SID of the administrator account, minus the RID, which is omitted last 3 bit or 4 bit (500).
If a user’s SID is to be specifically queried, such as his own SID, this can be done with the following command.
|
1 2 |
wmic useraccount where name='%username%' get name,sid |
If you want to know another user’s SID, you can specify a user instead of %username%, e.g., john.
The following command detects the SID of the user who is currently logged on in an AD domain.
|
1 2 |
wmic useraccount where (name='%username%' and domain='%userdomain%') get domain,name,sid |
In the opposite way, it is also possible to query the user name of a SID.
|
1 2 |
wmic useraccount where sid='S-1-5-21-4147432549-3588766049-1627529166-1001' get name |
In the PowerShell, the query looks like this.
|
1 2 |
[wmi] "win32_userAccount.Domain='$env:UserDomain',Name='$env:UserName'" |
The user name and SID of the user logged on to the company domain is output.
|
1 2 3 4 5 6 7 8 9 |
PS C:\>[wmi] "win32_userAccount.Domain='$env:UserDomain',Name='$env:UserName'" AccountType : 512 Caption: company-john Domain : company SID : S-1-5-21-4147432549-3588766049-1627529166-1001 FullName : john smith Name : john |
For example, you can use the SID to find the ProfileImagePath for the user profile in the registry in order to make repairs or adjustments. The SID is also used as an ObjectID in SQL tables to identify and authorize users from Active Directory in an application, such as Dynamics AX.
