How to get a computer SID using a DOS command

  • Question

  • I have around 20 machines which have ghost images; I assume that those have the same SID. I want to know the DOS command to check the computer SID. I know the command to get the current user and domain user SID, and I don't want any tool.

    Please refer me to a DOS command or any batch file to use in the network or directly.

    Monday, May 2, 2016 11:46 AM

All replies

  • Hi

    This may help you: https://blogs.technet.microsoft.com/heyscriptingguy/2013/05/25/weekend-scripter-use-powershell-to-find-computers-sids-in-ad-ds/


    Best regards, Burak Uğur

    Monday, May 2, 2016 11:52 AM
  • Hello.

    You can use PowerShell to get the computer's SID: read here to know how to do that.

    Bye.


    Luigi Bruno
    MCP, MCTS, MOS, MTA

    Monday, May 2, 2016 12:25 PM
  • Thanks for your reply. Could you please share some DOS command batch script to find the computer SID?

    Monday, May 2, 2016 1:24 PM
  • Thanks for your reply. I couldn't access your link due to some firewall settings.

    Could you please share some DOS command batch script to find the computer SID?

    Monday, May 2, 2016 1:24 PM
  • Thanks for your reply. Could you please share some DOS command batch script to find the computer SID?

    Hi

    AFAIK, you can do it with a PowerShell script.

    Best regards, Burak Uğur

    Monday, May 2, 2016 2:09 PM
  • Two ways to get the SID at a command prompt with command line utilities:

    dsquery * -Filter "(name=MyComputer)" -attr objectSID

    or

    dsquery computer -name "MyComputer" | dsget computer -SID

    These require that RSAT (Remote Server Administration Tools) be installed on your client, but if you can retrieve user and domain SID values, you probably have this.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Monday, May 2, 2016 2:13 PM
  • Hi,

    You could also use PsGetSid to achieve your goal.

    For more information about PsGetSid, you could refer to the article below.

    PsGetSid

    https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

    Best Regards,

    Jay



    Tuesday, May 3, 2016 3:16 AM
    Moderator
  • Hi, thanks for the command!

    dsquery computer -name "MyComputer" | dsget computer -SID

    This command is working on my machine only; when I use the same command on another user's machine I'm getting a "dsquery failed" error. Could you please let me know whether any additional privileges are required?

    When I use the 1st command I'm getting a "dsquery failed" error.

    Could you please help me with this?

    Tuesday, May 3, 2016 9:01 AM
  • Hi,

    To use dsquery, you must run the dsquery command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

    https://technet.microsoft.com/en-us/library/cc732952(v=ws.11).aspx

    In addition, have a look at Joe Richards' ADFind tool.

    http://www.joeware.net/freetools/tools/adfind/

    Ex: adfind -sc c:Dev objectsid


    Devaraj G | Technical solution architect

    Tuesday, May 3, 2016 11:11 AM
  • I have confirmed that the dsquery and dsget commands I suggested earlier work to retrieve the SID of any computer object in AD, as long as you use an elevated command prompt (using "Run as administrator"). The actual computer does not even need to be available or online, but you need permissions in AD to read the computer object attributes.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, May 3, 2016 12:51 PM
  • Thanks for the additional info. When I check the computer registry I can see multiple registry entries for domain user, normal user and local users. Now, which is the unique computer SID?

    Actually I have a problem in patching. The OS on those machines was installed by the ghost image method, so I suspect that the SID may be causing this issue, because I re-imaged one machine and was able to do patching successfully.

    Wednesday, May 4, 2016 10:37 AM
  • Ah, you are referring to the local computer account SID. My snippet retrieves domain SIDs. The following VBScript program will retrieve the name and local objectSID of the local administrator user on any domain-joined computer. The SID of the local computer is the same, but with the trailing "-500" removed (the RID). You just specify the NetBIOS name of the computer. Also, you need to be a member of the local Administrators group on the computer. By default, the domain group "Domain Admins" is a member of this group on all domain-joined computers, so if you are a member of "Domain Admins", you should have permissions to retrieve the information. The script follows:

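    ' NetBIOS name of the computer to query
    strComputer = "MyComputer"
    ' Connect to the WMI service on that computer
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    ' Local accounts report the computer name as their Domain
    Set colAccounts = objWMIService.ExecQuery _
        ("Select * From Win32_UserAccount Where Domain = '" & strComputer & "'")
    For Each objAccount in colAccounts
        ' The local Administrator account has a SID ending in the RID 500
        If Left(objAccount.SID, 6) = "S-1-5-" And Right(objAccount.SID, 4) = "-500" Then
            Wscript.Echo objAccount.Name
            Wscript.Echo objAccount.SID
        End If
    Next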
    

    The SID of the local computer is equal to the SID of the local Administrator user with the trailing "-500" removed. You can run the above script at a command prompt with the following:

    cscript GetSID.vbs

    where the VBScript code is saved in the file named GetSID.vbs. Also, be sure you assign the NetBIOS name of the computer to the variable strComputer in the script.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, May 4, 2016 3:06 PM
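
The technique from the answer above, extended to the asker's case of checking a batch of imaged machines for a shared local machine SID. This is an added PowerShell example, not part of the original thread: the computer names are constructed placeholders and `Get-MachineSid` is a hypothetical helper name. It assumes Windows PowerShell (for `Get-WmiObject`, which uses the same remote WMI path as the VBScript) and local Administrators membership on each target.

```powershell
# Added example, not from the thread. Get-MachineSid is a hypothetical helper.
function Get-MachineSid {
    param([Parameter(Mandatory)][string]$ComputerName)

    # The built-in local Administrator is the local account whose RID is 500.
    # LocalAccount = True keeps domain accounts out of the result on
    # domain-joined machines.
    $filter = "LocalAccount = True AND SID LIKE 'S-1-5-21-%-500'"
    $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
                 -Filter $filter -ErrorAction Stop |
             Select-Object -First 1

    if (-not $admin) {
        throw "No local account with RID 500 found on $ComputerName"
    }

    # Machine SID = local Administrator SID with the trailing "-500" removed.
    $admin.SID -replace '-500$', ''
}

# Constructed placeholder names; replace with the NetBIOS names of the
# imaged machines.
$computers = 'PC01', 'PC02', 'PC03'

$results = foreach ($computer in $computers) {
    try {
        [pscustomobject]@{
            Computer   = $computer
            MachineSid = Get-MachineSid -ComputerName $computer
        }
    }
    catch {
        # Offline machine, access denied, or WMI blocked by a firewall:
        # report it and continue with the remaining machines.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}

# Full inventory, then only the SIDs that appear on more than one machine.
$results | Format-Table -AutoSize

$results |
    Group-Object -Property MachineSid |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            MachineSid = $_.Name
            Computers  = ($_.Group.Computer -join ', ')
        }
    }
```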