1

I am using Invoke-WMIMethod to identify all SIDs beginning with S-1-5-21, like so (thanks to Mathias R. Jessen):

# 2147483651 is HKEY_USERS; the pipe must end the line for the statement to continue
$Keys = Invoke-WmiMethod -Path $ClassPath -Name EnumKey -ArgumentList 2147483651,'' |
    Select-Object -ExpandProperty sNames | Where-Object {$_ -match 'S-1-5-21-[\d\-]+$'}

I want to convert these SIDs from the remote system to usernames on the remote system using WMI. Is this possible through WMI or Invoke-WmiMethod?

AlwaysQuestioning

2 Answers

0

Rather than grabbing from the registry, you could get the same information from the Win32_UserProfile provider. Then, if the folder name is good enough, consider something like this:

$Computer = "ExampleComputer"
# WQL LIKE uses % as its wildcard, not *
Get-WMIObject Win32_UserProfile -Filter "SID like 'S-1-5-21-%'" -ComputerName $Computer |
    select SID,@{name='LocalPath';Expression={Split-Path -leaf $_.LocalPath}}

Otherwise Win32_UserAccount exists but can be really slow with a large domain.

$Computer = "ExampleComputer"
# WQL LIKE uses % as its wildcard, not *
$SIDs = Get-WMIObject Win32_UserProfile -Filter "SID like 'S-1-5-21-%'" -ComputerName $Computer | select -ExpandProperty SID
# Enumerates every account the host can see, which is the slow step
$UserAccounts = Get-WMIObject Win32_UserAccount -ComputerName $Computer
foreach ($SID in $SIDs) {
    foreach ($Account in $UserAccounts) {
        If ($SID -eq $Account.SID) {
            $Account
        }
    }
}
BenH
0

You can use the Win32_SID class to obtain the account name:

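# $Keys holds the SID strings from the question; $RemoteComputer is the target host name
foreach($Key in $Keys)
{
    # The key value in the WMI object path must be quoted
    $SID = [wmi]"\\$RemoteComputer\root\cimv2:Win32_SID.SID='$Key'"
    New-Object psobject -Property @{
        SID = $Key
        Username = $SID.ReferencedDomainName,$SID.AccountName -join '\'
    }
}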
Mathias R. Jessen
  • I get `Cannot convert value "\\\root\cimv2:Win32_SID.SID=S-1-5-21-3201..." to type "System.Management.ManagementObject". Error: "Invalid parameter "` – AlwaysQuestioning Jan 31 '17 at 18:57
  • Looks like you need to have quote marks around the Key part. So the command should read: `$SID = [wmi]"\\$RemoteComputer\root\cimv2:Win32_SID.SID='$Key'"` – camster342 Oct 30 '19 at 21:34
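
The two answers above can be combined into one lookup that also reports profiles whose SID no longer resolves to an account, which is worth knowing when auditing a host. This is an added example, not code from either answerer; `Resolve-RemoteProfileSid` is a hypothetical helper name. It assumes the caller has remote WMI access and administrative rights on the target.

```powershell
# Added example: map profile SIDs on a remote host to DOMAIN\User via WMI.
# Resolve-RemoteProfileSid is a hypothetical name, not from the thread.
function Resolve-RemoteProfileSid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    # WQL LIKE uses % as its wildcard. The filter keeps account SIDs
    # (S-1-5-21-...) and skips well-known ones such as S-1-5-18.
    $profiles = Get-WmiObject -Class Win32_UserProfile -ComputerName $ComputerName `
        -Filter "SID LIKE 'S-1-5-21-%'"

    foreach ($p in $profiles) {
        $name = $null
        try {
            # Win32_SID cannot be enumerated, so fetch the instance by its
            # object path. The key value must be quoted.
            $sidObj = [wmi]"\\$ComputerName\root\cimv2:Win32_SID.SID='$($p.SID)'"
            if ($sidObj.AccountName) {
                $name = $sidObj.ReferencedDomainName, $sidObj.AccountName -join '\'
            }
        }
        catch {
            # Lookup failed, e.g. the account was deleted or its domain
            # cannot be reached from the target.
            Write-Verbose "Could not resolve $($p.SID): $($_.Exception.Message)"
        }

        [pscustomobject]@{
            ComputerName = $ComputerName
            SID          = $p.SID
            Username     = $name      # $null when the SID did not resolve
            ProfileDir   = Split-Path -Leaf $p.LocalPath
            Resolved     = [bool]$name
        }
    }
}

# Host name taken from the answer above; replace with a real target.
Resolve-RemoteProfileSid -ComputerName 'ExampleComputer' |
    Sort-Object Resolved | Format-Table -AutoSize
```

Rows with `Resolved` set to `False` are profiles left behind by accounts that could not be looked up; the `ProfileDir` column still shows the folder name for them.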