In this guide, I’ll show you how to find a user’s SID in Active Directory with PowerShell and the AD Pro Toolkit. I’ll also show you how to find the SID of a deleted user account.
A SID (Security Identifier) is a unique number assigned to each security principal (such as users, groups, and computers) in a Windows environment. SIDs are important for security because they are used to control access to resources such as applications, computers, printers and so on. If a user account is renamed or moved in Active Directory, the SID remains the same.
Get User SID With PowerShell
In this example, I’ll get the SID for an existing user account in Active Directory. See below for more examples.
Step 1. Open PowerShell
Step 2. Run the following command.
Get-ADUser -Identity username | Select-Object Name, SID
You can see the user’s SID in the red box below.
Get User SID of Multiple Active Directory Users
In this example, I’ll use the AD Reporting Tool that is included in the AD Pro Toolkit. This GUI tool makes it easy to find the SID for a single user or all domain users.
Step 1: Click on User Reports -> Users SID and click Run. Click browse to select an OU or group.
You can also add additional attributes with the toolkit such as the user GUID.
Get the SID of a Deleted User Account
Have you ever run into the problem of seeing a SID on a network resource but not knowing which account it belongs to?
For example, I have a file server and some of the folders are showing a SID rather than a user or group.
If you know the SID but not the username, you can use the command below to find the account.
$SID = "S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX"
Get-ADObject -IncludeDeletedObjects -Filter * -Properties * | Where-Object { $_.objectSid -eq $SID }
In the screenshot below the command returned the user Alvin Andes.
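To go from the file server symptom described above to an account in one pass, the following added example (not part of the original guide or the AD Pro Toolkit) reads a folder's ACL, picks out entries that still show as raw SIDs, and looks each one up in Active Directory with deleted objects included. The function name Resolve-OrphanedAclSid and the sample path are hypothetical; it assumes the ActiveDirectory module is installed and your account can read deleted objects.

```powershell
# Added example: map unresolved SIDs on a folder ACL to AD objects (live or deleted).
Import-Module ActiveDirectory

function Resolve-OrphanedAclSid {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # ACL entries that Windows could not translate to a name keep the raw SID
    # string as their identity. Domain account SIDs start with S-1-5-21-.
    $sids = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    foreach ($sid in $sids) {
        # Filter on objectSid on the server instead of pulling every object
        # and every property back to the client.
        $query = @{
            IncludeDeletedObjects = $true
            Filter                = "objectSid -eq '$sid'"
            Properties            = 'sAMAccountName', 'isDeleted', 'lastKnownParent', 'whenChanged'
        }
        $obj = Get-ADObject @query

        if ($obj) {
            [pscustomobject]@{
                SID             = $sid
                Name            = $obj.Name
                SamAccountName  = $obj.sAMAccountName
                ObjectClass     = $obj.ObjectClass
                Deleted         = [bool]$obj.isDeleted
                LastKnownParent = $obj.lastKnownParent
                WhenChanged     = $obj.whenChanged
            }
        }
        else {
            # No match: a local account on another machine, an object from another
            # domain, or a deleted object that has already been purged.
            [pscustomobject]@{ SID = $sid; Name = '<not found in this domain>' }
        }
    }
}

# Usage (hypothetical path):
# Resolve-OrphanedAclSid -Path '\\fileserver\share\Purchasing' | Format-Table -AutoSize
```

ACL entries that resolve only to deleted or missing accounts are good candidates for cleanup, since they grant access to nobody who can currently be identified.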
Get All Active Directory Users SID with PowerShell
To get a list of all domain users and their SIDs, use the command below.
Get-ADUser -Filter * | Select-Object Name, SID
Get Users SID from a Specific OU
To get users from a specific OU, you can use the -SearchBase parameter. In this example, I’ll get the account name and SID for all users in my Purchasing OU.
Get-ADUser -Filter * -SearchBase "OU=Purchasing,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com" | Select-Object Name, SID
Get Computer SID in Active Directory
To get the SID of a computer object in Active Directory, you can use the Get-ADComputer cmdlet.
Get-ADComputer -Filter * | Select-Object Name, SID
Get Group SID in Active Directory
To get the SID of an Active Directory group, use the Get-ADGroup cmdlet. In this example, I’ll get the SID of the Accounting_Folders group in my Active Directory domain.
Get-ADGroup -Identity Accounting_Folders | Select-Object Name, SID
Search for User SID with GUI Tool
If you don’t want to mess with PowerShell scripts, then I recommend the AD Pro Toolkit. This is a GUI desktop application that makes it easy to report on objects in Active Directory.
You can search by SID, username or display name. Run the Users SID report, then enter text in the search box to search for a user or SID.
You can download a free trial of the AD Pro Toolkit and try it in your own environment. You can also book a demo and we can show you a live demo of the product.
Conclusion
In this article, I showed you several examples of how to find the SID of users, groups and computers in Active Directory. Finding the SID of a user account is probably not something you will do on a daily basis. It is typically needed when you only see the SID on a network resource such as a file share. You can then use the commands shown in this guide to find the user account for the SID.