{"id":3497,"date":"2013-10-15T14:12:49","date_gmt":"2013-10-15T18:12:49","guid":{"rendered":"http:\/\/jdhitsolutions.com\/blog\/?p=3497"},"modified":"2013-10-15T14:12:49","modified_gmt":"2013-10-15T18:12:49","slug":"resolving-sids-with-wmi-wsman-and-powershell","status":"publish","type":"post","link":"https:\/\/jdhitsolutions.com\/blog\/powershell\/3497\/resolving-sids-with-wmi-wsman-and-powershell\/","title":{"rendered":"Resolving SIDs with WMI, WSMAN and PowerShell"},"content":{"rendered":"<p>In the world of Windows, an account SID can be a very enigmatic thing. Who is S-1-5-21-2250542124-3280448597-2353175939-1019? Fortunately, many applications, such as the event log viewer, resolve the SID to an account name. The downside is that when you are accessing that same type of information from PowerShell, you end up with the \"raw\" SID. And while there are a variety of command line tools, and probably even some cool .NET trick someone will share after I post this, you most likely want to find a PowerShell solution.<\/p>\n<p>Your initial assumption might be to use WMI. Searching Root\\CIMv2 you'll even find a Win32_SID class. Woohoo! This is all I need to do:<\/p>\n<pre class=\"lang:ps decode:true\">get-wmiobject win32_sid -filter \"sid='S-1-5-21-2250542124-3280448597-2353175939-1019'\"<\/pre>\n<p>Well, no. 
As you can see in the figure, you can't query this particular class.<\/p>\n<p><a href=\"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/win32_sid-fail.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-3498\" alt=\"win32_sid-fail\" src=\"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/win32_sid-fail-1024x330.png\" width=\"625\" height=\"201\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/win32_sid-fail-1024x330.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/win32_sid-fail-300x96.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/win32_sid-fail-624x201.png 624w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/win32_sid-fail.png 1137w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><\/a><\/p>\n<p>Instead, you need to directly access the instance of the Win32_SID class. In PowerShell, the easy way is to use the [WMI] type accelerator, and specify the path to the instance.<\/p>\n<pre class=\"lang:ps decode:true\">[WMI]\"root\\cimv2:win32_sid.sid='S-1-5-21-2250542124-3280448597-2353175939-1019'\"<\/pre>\n<p><a href=\"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/wmi-sid.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-3499\" alt=\"wmi-sid\" src=\"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/wmi-sid-1024x444.png\" width=\"625\" height=\"270\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/wmi-sid-1024x444.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/wmi-sid-300x130.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/wmi-sid-624x270.png 624w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/wmi-sid.png 1137w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><\/a><\/p>\n<p>If you wanted to query the SID on a 
remote computer, the path would be \\\\SERVERNAME\\root\\cimv2:CLASSNAME.Keyproperty='Something'. But be aware that there is no way to specify alternate credentials using [WMI]. Although, you could query the Win32_Account class for the SID.<\/p>\n<pre class=\"nums:false lang:batch decode:true\">PS Scripts:\\&gt; get-wmiobject win32_account -filter \"sid='S-1-5-21-2250542124-3280448597-2353175939-1019'\"\r\n\r\nAccountType : 512\r\nCaption     : Serenity\\localadmin\r\nDomain      : Serenity\r\nSID         : S-1-5-21-2250542124-3280448597-2353175939-1019\r\nFullName    :\r\nName        : localadmin<\/pre>\n<p>This gives you the benefit of using a cmdlet, querying a remote computer and using alternate credentials.<\/p>\n<p>In PowerShell 3.0 if you want to use the new CIM cmdlets and query WMI over WSMan, it is pretty easy to turn the previous command into a CIM command.<\/p>\n<pre class=\"nums:false lang:batch decode:true\">PS Scripts:\\&gt; get-ciminstance win32_account -filter \"sid='S-1-5-21-2250542124-3280448597-2353175939-1019'\"\r\n\r\nName             Caption              AccountType          SID                  Domain\r\n----             -------              -----------          ---                  ------\r\nlocaladmin       Serenity\\localadmin  512                  S-1-5-21-22505421... Serenity<\/pre>\n<p>These queries are pretty good, but I believe that if you can go straight to the instance, so much the better. Unfortunately, I can't find any CIM related accelerator that would give me the same result as using the [WMI] accelerator. Remember, my goal is to leverage the new WSMan protocol. 
The solution is to use the Get-WSManInstance cmdlet.<\/p>\n<pre class=\"lang:ps decode:true\">Get-WSManInstance -ResourceURI \"wmicimv2\/Win32_SID\" -SelectorSet @{SID=\"S-1-5-21-2250542124-3280448597-2353175939-1019\"}<\/pre>\n<p>I think you can tell that the ResourceUri is the path to the class and the SelectorSet is a hashtable with key property, in this case SID, and the corresponding value. The result looks a little different, but the critical parts, like the account name are there.<br \/>\n<a href=\"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/get-wsmaninstance-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-3501\" alt=\"get-wsmaninstance-1\" src=\"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/get-wsmaninstance-1-1024x444.png\" width=\"625\" height=\"270\" srcset=\"https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/get-wsmaninstance-1-1024x444.png 1024w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/get-wsmaninstance-1-300x130.png 300w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/get-wsmaninstance-1-624x270.png 624w, https:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/get-wsmaninstance-1.png 1137w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><\/a><\/p>\n<p>Get-WSManInstance also supports alternate credentials. So given all of this, I put together a function called Resolve-SID that uses this approach. But as a fallback, you can also tell it to use WMI.<\/p>\n<pre class=\"lang:ps decode:true\">Function Resolve-SID {\r\n\r\n&lt;#\r\n.Synopsis\r\nResolve account name from SID.\r\n.Description\r\nThis command uses the WSMAN protocol to query WMI and resolve an account based\r\non its SID.  Using WMI it was possible to run a command like this:\r\n\r\n[wmi]$user=\"\\\\SERVER01\\root\\cimv2:Win32_SID.Sid='S-1-5-18'\"\r\n\r\nBut this relies on WMI and DCOM. 
This command uses a CIM-cmdlet approach that\r\nqueries WMI over the WSMAN protocol. If the SID can't be resolved to a user name\r\nan exception will be thrown.\r\n\r\nIf you want to revert back to the WMI and DCOM approach, use the -UseWMI parameter.\r\nHowever, you will not be able to use alternate credentials.\r\n\r\n.Parameter SID\r\nIt is assumed the SID will start with S- and you must enter a complete SID.\r\nWildcards are not allowed.\r\n\r\n.Parameter Computername\r\nThe name of the computer to query. The default is the localhost. The parameter\r\nhas an alias of CN.\r\n\r\n.Parameter UseWMI\r\nRevert to the legacy [WMI] command. This parameter has an alias of WMI.\r\n\r\n.Parameter Credential\r\nThis parameter has an alias of RunAs. Specify either a username or a PSCredential\r\nobject.\r\n\r\n.Notes\r\nLast Updated: October 15, 2013\r\nVersion     : 1.0\r\n\r\nLearn more:\r\n PowerShell in Depth: An Administrator's Guide (http:\/\/www.manning.com\/jones2\/)\r\n PowerShell Deep Dives (http:\/\/manning.com\/hicks\/)\r\n Learn PowerShell 3 in a Month of Lunches (http:\/\/manning.com\/jones3\/)\r\n Learn PowerShell Toolmaking in a Month of Lunches (http:\/\/manning.com\/jones4\/)\r\n PowerShell and WMI (http:\/\/www.manning.com\/siddaway2\/)\r\n\r\n****************************************************************\r\n* DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED *\r\n* THOROUGHLY IN A LAB ENVIRONMENT. USE AT YOUR OWN RISK.  IF   *\r\n* YOU DO NOT UNDERSTAND WHAT THIS SCRIPT DOES OR HOW IT WORKS, *\r\n* DO NOT USE IT OUTSIDE OF A SECURE, TEST SETTING.             
*\r\n****************************************************************\r\n\r\n.Example\r\nPS C:\\&gt; resolve-sid S-1-5-18\r\n\r\nName                 : NT AUTHORITY\\SYSTEM\r\nAccountName          : SYSTEM\r\nReferencedDomainName : NT AUTHORITY\r\nSID                  : S-1-5-18\r\nComputername         : WIN8-LAP\r\n\r\n.Example\r\nPS C:\\&gt; resolve-sid S-1-5-21-1199145963-1667969739-787794555-1011 -Computername chi-win8-01 -Credential globomantics\\administrator\r\n\r\nName                 : CHI-WIN8-01\\localadmin\r\nAccountName          : localadmin\r\nReferencedDomainName : CHI-WIN8-01\r\nSID                  : S-1-5-21-1199145963-1667969739-787794555-1011\r\nComputername         : CHI-WIN8-01\r\n\r\n.Example\r\nPS C:\\&gt; resolve-sid S-1-5-18 -verbose -computername jdhit-dc01 -UseWMI\r\n\r\nVERBOSE: Starting Resolve-SID\r\nVERBOSE: Resolving SID S-1-5-18 on jdhit-dc01\r\nVERBOSE: Reverting back to WMI\r\nVERBOSE: \\\\jdhit-dc01\\root\\cimv2:Win32_SID.SID='S-1-5-18'\r\nVERBOSE: Associated account found\r\n\r\nName                 : NT AUTHORITY\\SYSTEM\r\nAccountname          : SYSTEM\r\nReferencedDomainName : NT AUTHORITY\r\nSID                  : S-1-5-18\r\nComputername         : JDHIT-DC01\r\n\r\nVERBOSE: Ending Resolve-SID\r\n\r\n.Link\r\nGet-WSManInstance\r\nGet-CIMInstance\r\n\r\n.Link\r\nhttp:\/\/jdhitsolutions.com\/blog\/2013\/10\/resolving-sids-with-wmi-wsman-and-powershell\r\n\r\n.Inputs\r\nStrings\r\n\r\n.Outputs\r\nA custom object\r\n#&gt;\r\n[cmdletbinding(DefaultParameterSetName=\"CIM\")]\r\n\r\nParam(\r\n[Parameter(Position=0,Mandatory=$True,HelpMessage=\"Enter a 
SID\",\r\nValueFromPipeline,ValueFromPipelineByPropertyName)]\r\n[ValidatePattern(\"^S-\")]\r\n[string]$SID,\r\n[Parameter(ValueFromPipelineByPropertyName)]\r\n[Alias(\"CN\",\"PSComputername\")]\r\n[ValidateNotNullorEmpty()]\r\n[string]$Computername=$env:computername,\r\n[Alias(\"RunAs\")]\r\n[Parameter(ParameterSetName=\"CIM\")]\r\n[System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty,\r\n[Parameter(ParameterSetName=\"WMI\")]\r\n[Alias(\"wmi\")]\r\n[switch]$UseWMI\r\n)\r\n\r\nBegin {\r\n    Write-Verbose -Message \"Starting $($MyInvocation.Mycommand)\"  \r\n} #begin\r\nProcess {\r\n    Write-Verbose \"Resolving SID $SID on $Computername\"\r\n    #build a hashtable of parameters to splat to Get-WSManInstance\r\n    $paramHash=@{\r\n        ErrorAction=\"Stop\"\r\n        ErrorVariable=\"MyError\"\r\n        ResourceURI=\"wmicimv2\/win32_SID\"\r\n        SelectorSet=@{SID=\"$SID\"}\r\n        Computername=$Computername\r\n    }\r\n\r\n    If ($Credential.username) {\r\n        Write-Verbose \"Adding alternate credential for $($Credential.username)\"\r\n        $paramHash.Add(\"Credential\",$Credential)\r\n    }\r\n\r\n    Try {\r\n\r\n        #if UseWMI, use the [WMI] type accelerator\r\n        if ($UseWMI) {\r\n            Write-Verbose \"Reverting back to WMI\"\r\n            Write-Verbose \"\\\\$computername\\root\\cimv2:Win32_SID.SID='$SID'\"\r\n            [WMI]$Result = \"\\\\$computername\\root\\cimv2:Win32_SID.SID='$SID'\"\r\n\r\n        }\r\n        else {\r\n            $result = Get-WSManInstance @paramhash \r\n        }\r\n    }\r\n    Catch {\r\n        Write-Warning \"Get-WSManInstance failed to retrieve SID from $($Computername.ToUpper())\"\r\n        Write-Warning $myError.ErrorRecord\r\n        #bail out\r\n        Return\r\n    }\r\n\r\n    &lt;#\r\n    if there is no account name then the SID was not resolved, but there was\r\n    no error. 
The query will still succeed and write an object to the pipeline\r\n    but it won't have any useful information.  Only write the result to the pipeline\r\n    if there is an associated account, otherwise an exception will be thrown.\r\n    #&gt;\r\n\r\n    if ($result.AccountName) {\r\n        Write-Verbose \"Associated account found\"\r\n        $result | \r\n        Select @{Name=\"Name\";Expression={\"$($_.ReferencedDomainName)\\$($_.AccountName)\"}},\r\n        Accountname,ReferencedDomainName,SID,\r\n        @{Name=\"Computername\";Expression={$Computername.ToUpper()}}\r\n    }\r\n    else {\r\n        Write-Verbose \"Failed to resolve SID. This is the result\"\r\n        Write-Verbose $($Result | Out-String)\r\n        Throw \"Failed to resolve SID $SID on $($Computername.ToUpper())\"\r\n    }\r\n} #process\r\n\r\nEnd {\r\n    Write-Verbose -Message \"Ending $($MyInvocation.Mycommand)\"\r\n} #end\r\n\r\n} #close function Resolve-SID<\/pre>\n<p>I think between the comment-based help, internal comments and verbose messages you should be able to understand how the function works. So now you have a variety of techniques for resolving SIDs. Querying locally, using [WMI] or querying the Win32_Account class for the SID should be sufficient performance-wise. But remotely, using [WMI] or Get-WSManInstance is significantly faster than querying and filtering. Using Get-WMIObject or Get-CIMInstance took between 600-750ms, whereas the [WMI] approach took about 200ms and using Get-WSManInstance took 150ms.<\/p>\n<p>I hope you are resolved to not let SIDs stand in your way any longer.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the world of Windows, an account SID can be a very enigmatic thing. Who is S-1-5-21-2250542124-3280448597-2353175939-1019? Fortunately, many applications, such as the event log viewer, resolve the SID to an account name. 
The downside is that when you are accessing that same type of information from PowerShell, you end up with the &#8220;raw&#8221; SID&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"Fresh Meat: Resolving SIDs with WMI, WSMAN and #PowerShell","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[4,359,8,62,19],"tags":[388,103,442,534,443,89],"class_list":["post-3497","post","type-post","status-publish","format-standard","hentry","category-powershell","category-powershell-3-0","category-scripting","category-security","category-wmi","tag-get-ciminstance","tag-get-wmiobject","tag-get-wsmaninstance","tag-powershell","tag-sid","tag-wsman"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Resolving SIDs with WMI, WSMAN and PowerShell &#8226; The Lonely Administrator<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jdhitsolutions.com\/blog\/powershell\/3497\/resolving-sids-with-wmi-wsman-and-powershell\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Resolving SIDs with WMI, WSMAN and PowerShell &#8226; The Lonely Administrator\" \/>\n<meta property=\"og:description\" content=\"In the world of Windows, an account SID can be a 
very enigmatic thing. Who is S-1-5-21-2250542124-3280448597-2353175939-1019? Fortunately, many applications, such as the event log viewer, resolve the SID to an account name. The downside is that when you are accessing that same type of information from PowerShell, you end up with the &quot;raw&quot; SID....\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jdhitsolutions.com\/blog\/powershell\/3497\/resolving-sids-with-wmi-wsman-and-powershell\/\" \/>\n<meta property=\"og:site_name\" content=\"The Lonely Administrator\" \/>\n<meta property=\"article:published_time\" content=\"2013-10-15T18:12:49+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/jdhitsolutions.com\/blog\/wp-content\/uploads\/2013\/10\/win32_sid-fail-1024x330.png\" \/>\n<meta name=\"author\" content=\"Jeffery Hicks\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@JeffHicks\" \/>\n<meta name=\"twitter:site\" content=\"@JeffHicks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeffery Hicks\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/\"},\"author\":{\"name\":\"Jeffery Hicks\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/d0258030b41f07fd745f4078bdf5b6c9\"},\"headline\":\"Resolving SIDs with WMI, WSMAN and PowerShell\",\"datePublished\":\"2013-10-15T18:12:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/\"},\"wordCount\":507,\"commentCount\":9,\"publisher\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/d0258030b41f07fd745f4078bdf5b6c9\"},\"image\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/jdhitsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2013\\\/10\\\/win32_sid-fail-1024x330.png\",\"keywords\":[\"Get-CIMInstance\",\"Get-WMIObject\",\"Get-WSManInstance\",\"PowerShell\",\"SID\",\"wsman\"],\"articleSection\":[\"PowerShell\",\"Powershell 
3.0\",\"Scripting\",\"security\",\"WMI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/\",\"url\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/\",\"name\":\"Resolving SIDs with WMI, WSMAN and PowerShell &#8226; The Lonely Administrator\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/jdhitsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2013\\\/10\\\/win32_sid-fail-1024x330.png\",\"datePublished\":\"2013-10-15T18:12:49+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/#primaryimage\",\"url\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2013\\\/10\\\/win32_sid-fail.png\",\"contentUrl\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/wp-content\\\/uploads\\\/2013\\\/10\\\/win32_
sid-fail.png\",\"width\":1137,\"height\":367},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/powershell\\\/3497\\\/resolving-sids-with-wmi-wsman-and-powershell\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"PowerShell\",\"item\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/category\\\/powershell\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Resolving SIDs with WMI, WSMAN and PowerShell\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/\",\"name\":\"The Lonely Administrator\",\"description\":\"Practical Advice for the Automating IT Pro\",\"publisher\":{\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/d0258030b41f07fd745f4078bdf5b6c9\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/jdhitsolutions.com\\\/blog\\\/#\\\/schema\\\/person\\\/d0258030b41f07fd745f4078bdf5b6c9\",\"name\":\"Jeffery Hicks\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg\",\"caption\":\"Jeffery 
Hicks\"},\"logo\":{\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/832ae5d438fdcfc1420d720cd1991307927de8a0b12f2342e81c30f773e21098?s=96&d=wavatar&r=pg\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}