In Windows environment, each user is assigned a unique identifier called Security ID or SID, which is used to control access to various resources like Files, Registry keys, network shares etc. We can obtain SID of a user through WMIC USERACCOUNT command. Below you can find syntax and examples for the same.
Get SID of a local user
wmic useraccount where name='username' get sid
For example, to get the SID for a local user with the login name ‘John’, the command would be as below
wmic useraccount where name='John' get sid
Get SID for current logged in user
To retrieve the SID for current logged in user we can run the below command. This does not require you to specify the user name in the command. This can be used in batch files which may be executed from different user accounts.
wmic useraccount where name='%username%' get sid
Get SID for current logged in domain user
Run the command ‘whoami /user’ from command line to get the SID for the logged in user.
Example:
c:\>whoami /user USER INFORMATION ---------------- User Name SID ============== ============================================== mydomain\wincmd S-1-5-21-7375663-6890924511-1272660413-2944159 c:\>
Get SID for the local administrator of the computer
wmic useraccount where (name='administrator' and domain='%computername%') get name,sid
Get SID for the domain administrator
wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid
Find username from a SID
Now this is tip is to find the user account when you have a SID. One of the readers of this post had this usecase and he figured out the command himself with the help of the commands given above. Adding the same here.
wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name
very good explanation,it’s just great
Hi, Very good post!
Can you tell me how to get the SID of AD Group?
Hi,
to get the SID of a ADGroup you can simply use the PowerShell CmdLet Get-ADGroup:
Get-ADGroup -Identity “Group Name”
DistinguishedName : CN=Administratoren,CN=Builtin,DC=domain,DC=com
GroupCategory : Security
GroupScope : DomainLocal
Name : Administratoren
ObjectClass : group
ObjectGUID : 7d6471ab-9ea3-4cc4-8652-be3345623291
SamAccountName : Administratoren
SID : S-1-5-32-544
With the exact same Cmdlet you can get the Groupname from a given SID:
PS C:\Windows> Get-ADGroup -Identity S-1-5-32-544
DistinguishedName : CN=Administratoren,CN=Builtin,DC=horaios,DC=local
GroupCategory : Security
GroupScope : DomainLocal
Name : Administratoren
ObjectClass : group
ObjectGUID : 7d6471ab-9ea3-4cc4-8652-be3345623291
SamAccountName : Administratoren
SID : S-1-5-32-544
:-)
Well, nice tips!!!
Hi Guy, nice post.
Could you tell me how to get Admin SID from cmd using another user but administrator?
get-aduser -identity
How to delete SID in admin group..??
Very good post. Thanks for sharing the information.
How to get sid of ad user id, I am not able to get the user id from whoami command.
Try this
whoami /user
How to get sid of computer object for all user on AD ?
Thank you.
You would do that with Powershell:
get-adcomputer -filter * | select Name, SID
This will give you a list with computernames and corresponding SID.
to output to text:
get-adcomputer -filter * | select Name, SID >> C:\temp\computersandSID.txt
to output to csv:
get-adcomputer -filter * | select Name, SID | output-csv C:\temp\computersandSID.csv
this should be done from a Domain controller or from a domain client with RSAT tools.
I needed it the other way round, I had an SID and wanted to know what user it was, so I turned the wmic command around an it worked fine:
wmic useraccount where sid=’S-1-5-21-….’ get name
Thank you for this tip!
Hello Rofel, glad that this article helped you figure out the command for your reverse usecase. I am including this in the post for the benefit of others.
Hi .. is there a way to set the SID into a var?
Meanwhile i get this via wmic useraccount get name,sid | findstr %userprofile:~9% or woami /user is nice. ;)
and set it manually .. :/
Hi and thank you for this tip!
I have to create a little script to automatically copy some registry files.
First it has to get the sid of the user and then it has to navigate to the registry – HKEY_USERS\%sid% and copy the files there.
Can anyone help me out with that please?
Thank you in advance!
Thank you for this command line page.
B/G: OS 7 Home Premium SP1 in Dual Boot environment with Win 10
When checking file security of multiple files, I discovered two Unknown Account SIDs:
Account Unknown(S-1-5-21- … -1001)
Account Unknown(S-1-5-21- … -1007)
I was unable to delete these accounts and they did not show up under UAC. These accounts have inherited properties for EACH file. If I removed the inheritance, I couldn’t any access the file at all. I bumped up UAC to default, which had been turned off.
Turns out the dual boot scenario generated at least one of the unknown SIDs. I found that the SIDs does belong to my Win 10. So when I access files on the Win7 partition from a Win 10 logon, as I have done, the ‘unknown SID’ really belongs to the user there in 10 (moi).
Here are the command lines that I used:
WhoAmI ‘determines current user; works in Win 7, 10 and also as a Linux command as I understand.
wmic useraccount where name=’%username%’ get sid ;returns the SID
Source found here (and fairly easy to understand): http://www.windows-commandline.com/get-sid-of-user/
Running the latter on Win 10, gave me exactly one of the unknown SIDs. Bingo!
I also have Virtual Machines on my Win 7 machine with a shared folder and wondering if they created the second SID. Finally, my dual boot is really a tri-boot with Vista on a second drive and I will check its SID. I don’t recall accessing data from Vista in any other partition but I have copied files from Vista into 7.
At least the mystery is solved in that I do not have a virus, a keylogger, or some rogue user with full access to my machine.
Again the command that helped resolve this issue was: wmic useraccount where name=’%username%’ get sid
Thank you so much,
FC TC
Awesome work!
Wonder if there any option or wmic useraccount command to provide all the users that belong to a group
Something like wmic useraccount get domain,name,sid where SID=S-1-5-32-544 (this SID is from the Group command)
Looks good, thanks to all who have put this info out.
Now I need to put this in to a .bat file such that I can end up with a variable that has the user’s SID which I can then use to navigate to places that are based on the user sid such as in Win 10 there is a folder “c:\users\public\publicaccountpictures\usersSID”
or I could user it to go to the “Actual” user reg settings etc.
Thanks,
Ralph
Is there a way to use a wildcard in this command? This is kinda what I was looking to do…
wmic useraccount where sid=”S-1-5-21*” get name
But that is not working.
thanks a lot. How can i delete “SID” word. Example:
wmic useraccount where name=’%username%’ get sid > C:\sid.txt
and sid.txt
SID
S-1-5-21-2416115148-63416681-3240496290-1000
I only need the number (delete SID)
Thanks
@acg
you can use my script
—
wmic useraccount where name=’user’ get sid >usersid.txt
MORE /E +1 usersid.txt > usersidno.txt
set /p usersid=<usersidno.txt
set
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Creative\%setsid%"
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Creative\%setsid%" /v "KEY" /t REG_DWORD /d "VALUE" /f
pause
—–
Hi!
Nice work!
How to get the list of (all) registered users?
– @Bryan –
wmic useraccount get name /all
Half way there. Is there a way to turn off the headers in the response? If not this is only good for you as an individual looking at it and if that’s the case, there’s not really value in this command. I need to be able to use the response as a value in a subsequent command and I don’t want to have to parse the results.
if you need the number (delete SID)
wmic useraccount where name=’user’ get sid >usersid.txt
MORE /E +1 usersid.txt > usersidno.txt
“name=” with a capital letter “Name=”
wmic useraccount where Name=’user’ get sid >usersid.txt
MORE /E +1 usersid.txt > usersidno.txt
Sir,
i want to disable the WMIC useraccount get name,sid from the domain ( for security purpose). because locally I enter this command from the local machine its showing all the users list so actually i dont want see this things to others users workshop.
Kindly suggest me how to disable
Thank you
How to get the SID`s of administrator groups using powershell for single system and group of systems
How can I recover an accidentally delete Administrator account
None of the above works while running it as a normal user. (without admin rights)
Use the Whoami command and convert its output of use in powershell:
This works with restricted or domain users.
$user = whoami /user /FO csv | ConvertFrom-Csv
#Accesing data
Write-Host $user.’User Name’
write-host $user.SID
#Accesing data (other method)
$user | Select-Object -ExpandProperty SID
how do I get the UID for a particular user ID from AD?
In the last example, “Find username from a SID”, one can change ‘wmic username’ to ‘wmic group’ to “Find Group name from a SID”. One may need to do this on a domain controller, or a Forest-Domain Controller do get results.
i.e. wmic group where sid=’S-1-5-21-_______-_______-_______-____’ get name
Hi,
If there are 3 users on a windows machine, I notice that when i search the SID of all users, only the last 4 digits change and rest of the UID remains same. Is it ever possible that the previous numeric numbers will be totally different for users on the same machine. What would be those conditions ?
Can you provide any link where I read about how Windows OS assigns numeric SID or UID to users…what is the methodology
can someone please tell how to get the sid of the domain controller ?
Thanks! This was really helpful! I found it especially useful applying it to other aliases and properties. Do you know if there’s a way to do comparisons other than “=”? It would be excellent if I could query *not equal to* but I’ve tried “!=”, “” and “NEQ” – none of them seem to work in tests I’ve run.
The Win32_UserAccount WMI class is really slow to retrieve the information for some reason. This is much quicker (PowerShell):
$UserName = $Env:USERNAME
$user = New-Object System.Security.Principal.NTAccount($UserName)
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$sidtext = $sid.Value
can also use, for example:
$UserName = “domainname\usernameindomain”
hth, Daz.