{"id":16841,"date":"2010-10-12T00:01:00","date_gmt":"2010-10-12T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/10\/12\/use-powershell-to-translate-a-users-sid-to-an-active-directory-account-name\/"},"modified":"2010-10-12T00:01:00","modified_gmt":"2010-10-12T00:01:00","slug":"use-powershell-to-translate-a-users-sid-to-an-active-directory-account-name","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-translate-a-users-sid-to-an-active-directory-account-name\/","title":{"rendered":"Use PowerShell to Translate a User’s SID to an Active Directory Account Name"},"content":{"rendered":"

 <\/p>\n

Summary<\/strong>: Microsoft Scripting Guy Ed Wilson shows how to use Windows PowerShell to translate a user’s SID to an Active Directory Domain Services account name.<\/p>\n

 <\/p>\n

\"Hey,Hey, Scripting Guy! It seems that whenever I search for Windows PowerShell scripts to translate a user name into a SID, all I can find is a script that uses WMI. WMI is too slow for our network. Is there a better way to do this?<\/p>\n

— KW<\/p>\n

 <\/p>\n

\"Hey, Hello KW, <\/p>\n

Microsoft Scripting Guy Ed Wilson here. You can easily use the .NET Framework classes in a Windows PowerShell script to translate a user name to a security identifier (SID). In addition, you can use a .NET Framework class to translate a SID to a user name, or you can simply take the SID and use LDAP to retrieve the user name. I will talk about all these techniques in today’s article. I created the UserToSid-SidToUser.ps1 script to illustrate these techniques. The complete script is shown here. <\/p>\n

\n

UserToSid-SidToUser.ps1<\/strong><\/span><\/span><\/p>\n

<#
 <\/span>  <\/span>.Synopsis
    <\/span>Translates a user name to a SID or a SID to a user name.
   <\/span>.Description
    <\/span>This script translates a user name to a SID or a SID to a user name.
    <\/span>Note: To translate the user name to the SID, you must
    <\/span>use the logon name (SAMAccountName), and not the full user name.
   <\/span>.Example
    <\/span>UserToSid.ps1  <\/span>-user “mytestuser”
    <\/span>Displays SID of mytestuser in current domain
   <\/span>.Example
    <\/span>UserToSid.ps1  <\/span>-sid “S-1-5-21-1877799863-120120469-1066862428-500”
    <\/span>Displays user with SID of “S-1-5-21-1877799863-120120469-1066862428-500”
   <\/span>.Inputs
    <\/span>[string]
   <\/span>.OutPuts
    <\/span>[string]
   <\/span>.Notes
    <\/span>NAME:  <\/span>UserToSid-SidToUser.ps1
    <\/span>AUTHOR: Ed Wilson
    <\/span>LASTEDIT: 10\/05\/2010
    <\/span>VERSION: 2.0
    <\/span>KEYWORDS: Active Directory, user accounts, Security.Principal.SecurityIdentifier
   <\/span>.Link
     <\/span>Http:\/\/www.ScriptingGuys.com
#Requires -Version 2.0
#>
param(
      <\/span>[string]
      <\/span>$domain = $env:USERDOMAIN,
      <\/span>[string]
      <\/span>$user,
      <\/span>[string]
      <\/span>$sid
      <\/span>) #end param <\/p>\n

# Begin Functions <\/p>\n

function New-Underline
{
<#
.Synopsis
 <\/span>Creates an underline the length of the input string
.Example
 <\/span>New-Underline -strIN “Hello world”
.Example
 <\/span>New-Underline -strIn “Morgen welt” -char “-” -sColor “blue” -uColor “yellow”
.Example
 <\/span>“this is a string” | New-Underline
.Notes
 <\/span>NAME:
 <\/span>AUTHOR: Ed Wilson
 <\/span>LASTEDIT: 5\/20\/2009
 <\/span>VERSION: 2.0
 <\/span>KEYWORDS: scripting techniques, string manipulation
.Link
 <\/span>Http:\/\/www.ScriptingGuys.com
#>
[CmdletBinding()]
param(
      <\/span>[Parameter(Mandatory = $true,Position = 0,valueFromPipeline=$true)]
      <\/span>[string]
      <\/span>$strIN,
      <\/span>[string]
      <\/span>$char = “=”,
      <\/span>[string]
      <\/span>$sColor = “Green”,
      <\/span>[string]
      <\/span>$uColor = “darkGreen”,
      <\/span>[switch]
      <\/span>$pipe
 <\/span>) #end param
 <\/span>$strLine= $char * $strIn.length
 <\/span>if(-not $pipe)
  <\/span>{
   <\/span>Write-Host -ForegroundColor $sColor $strIN
   <\/span>Write-Host -ForegroundColor $uColor $strLine
  <\/span>}
  <\/span>Else
  <\/span>{
   <\/span>$strIn
   <\/span>$strLine
  <\/span>}
} #end New-Underline function <\/p>\n

Function Get-UserToSid()
{
  <\/span>$ntAccount = new-object System.Security.Principal.NTAccount($domain, $user)
  <\/span>$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
  <\/span>New-UnderLine(“$domain\/$user sid is:”)
  <\/span>($local:sid).value
  <\/span>exit
} #end UserToSid <\/p>\n

Function Get-SidToUser()
{
 <\/span>New-Underline(“Obtaining SID translation … this might take a bit of time …”)
 <\/span>New-UnderLine(“Sid: $sid is:”)
 <\/span>[adsi]”LDAP:\/\/<SID=$sid>”
 <\/span>exit
} #end sidToUser <\/p>\n

# *** Entry point to script *** <\/p>\n

if($sid)       <\/span>{ Get-SidToUser }
if($user)      <\/span>{ Get-UserToSid }<\/span><\/span><\/span><\/p>\n<\/blockquote>\n

The UserToSid-SidToUser.ps1 script begins with a comment block. This block uses comment-based help to provide two things to our script. It contains the normal header we would put in a comment block at the top of our script. This includes the author of the script, the name of the script, when the script was written, notes about any special features, what the script uses, and special requirements. These are the sort of things you would want to include for any script you wrote, whether the language is batch, VBScript, Perl, Rexx, Jscript, or Windows PowerShell. In Windows PowerShell 1.0, if you wanted to make a multiline comment, you had to place a number character (#<\/strong>) at the beginning of each line. I still do this when I want my comments to stand out. A better way to do this, however, in Windows PowerShell 2.0 is to use the multiline comment characters. <\/p>\n

I talked about adding help to a Windows PowerShell script the week of January 4, 2010: <\/p>\n