
Security Identifiers (SIDs) and NT Account name

By Adam Bell | March 26, 2007

I have a couple of functions that are quite useful when dealing with Active Directory permissions.

Translate SID to NT Account (get-NTaccount.ps1):

#----------------------------------------------------------------------------------------------------------
function get-NTaccount
#----------------------------------------------------------------------------------------------------------
{
  Param (
    $SID
  )
  # Build a SecurityIdentifier object from the string form of the SID
  $id = New-Object System.Security.Principal.SecurityIdentifier($SID)
  # Let .NET resolve it to a DOMAIN\Name style NTAccount
  $account = $id.Translate( [System.Security.Principal.NTAccount] )
  return $account
}

#----------------------------------------------------------------------------------------------------------
get-NTaccount "S-1-5-21-812403740-544655063-2921696178-1958"

In this function we take a SID in string format, cast it to a SecurityIdentifier, and then use the .NET Translate method to turn it into the NT Account name.

Translate NT Account to SID (get-SID.ps1):

#----------------------------------------------------------------------------------------------------------
function get-sid
#----------------------------------------------------------------------------------------------------------
{
  Param (
    $DSIdentity
  )
  # Build an NTAccount from the name (DOMAIN\Name, UPN, or a bare name for the current domain)
  $ID = New-Object System.Security.Principal.NTAccount($DSIdentity)
  # Translate to a SecurityIdentifier and return its string form (S-1-5-...)
  return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).ToString()
}

#----------------------------------------------------------------------------------------------------------
get-sid "bella"

This is basically the same premise as above, only we are working the other way around. If you provide a name without a domain prefix or UPN, the method presumes the current domain.

So with our Test OU, you can output the SDDL form of the Security Descriptor to a text file to examine the permissions:

# Bind to the default naming context of the current domain
$root = [adsi]""
# Bind to the Test OU under the domain root
$test = [adsi]("LDAP://ou=test ou,"+$root.distinguishedName)
# Dump the full security descriptor (owner, group, DACL and SACL) as an SDDL string
$test.psbase.get_objectsecurity().GetSecurityDescriptorSddlForm("All") > DS-SDDL.txt

When you start playing around with Security Descriptors, and examining various permissions structures, it quickly becomes very useful to be able to translate SIDs back and forth to confirm things are working as expected.
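As an added example (not part of the original post), here is one way to put the two translations to work on the SDDL text exported above: parse the string with RawSecurityDescriptor, and resolve the SID of every DACL entry to an NT account, flagging SIDs that no longer map to anything (typically accounts deleted while their ACEs were left behind). The function name Resolve-SddlAces and the sample SDDL string are my own constructions; the BA and AU abbreviations resolve on any Windows machine, while the domain SID is the one from the post and will only resolve in that domain.

```powershell
# Added example: resolve the SIDs in an SDDL string (such as DS-SDDL.txt) to account names.
function Resolve-SddlAces
{
  Param (
    [Parameter(Mandatory = $true)]
    [string] $Sddl
  )
  # RawSecurityDescriptor parses SDDL into owner, group, DACL and SACL objects
  $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)

  foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try {
      # Same translation as get-NTaccount above
      $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
      # Orphaned SID: the account or group behind this ACE cannot be resolved
      $account = '<unresolved>'
    }
    [pscustomobject]@{
      Account = $account
      SID     = $sid.Value
      Type    = $ace.AceType
      Mask    = ('0x{0:X8}' -f $ace.AccessMask)
      Flags   = $ace.AceFlags
    }
  }
}

# Constructed sample SDDL (not taken from a real OU): owner and group SYSTEM (SY),
# DACL allowing BUILTIN\Administrators (BA), Authenticated Users (AU) and the
# domain SID used earlier in the post.
$sampleSddl = 'O:SYG:SYD:(A;;0x000f01ff;;;BA)(A;;0x00020094;;;AU)' +
              '(A;;0x000f01ff;;;S-1-5-21-812403740-544655063-2921696178-1958)'

Resolve-SddlAces -Sddl $sampleSddl | Format-Table -AutoSize

# To review the Test OU exported above instead of the sample:
# Resolve-SddlAces -Sddl (Get-Content .\DS-SDDL.txt) | Format-Table -AutoSize
```

Rows showing <unresolved> are worth a second look, since an ACE granting rights to a SID nobody can resolve is usually a leftover from a deleted principal rather than an intended permission.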

Topics: PowerShell

One Response to “Security Identifiers (SIDs) and NT Account name”

  1. Script remote DCOM / WMI access for a non admin « Unlock-PowerShell Says:
    November 20th, 2009 at 23:45

    [...] http://www.leadfollowmove.com/archives/powershell/security-identifiers-sids-and-nt-account-name [...]
