find user profiles with sid from old domain

  • Question

  • Hello Community,

    I have a question regarding the following script. This command gives me all the SIDs of c:\users but without the actual folder. I could run this script against all computers and store it in a central place and search for the string S-1-5-21-xxxOldDomainAxxx in it. But it's hard to read. Does anyone of you know how to get the folder name in it? I mean C:\users\Someuser in front of this SDDL entry. Background is I want to know if any old SID is used somewhere in the c:\users folder. We migrated from Domain A to Domain B.

    $Items =  get-childitem -path 'c:\users' -Recurse
    $output = foreach($Item in $Items){
        switch ($Item.PSIsContainer){
            $true {[System.Security.AccessControl.DirectorySecurity]::new($Item.fullname,('Owner','Group','Access')).
                    GetSecurityDescriptorSddlForm(('Owner','Group','Access')); 
                    break }

            $false {[System.Security.AccessControl.FileSecurity]::new($Item.fullname,('Owner','Group','Access')).
                GetSecurityDescriptorSddlForm(('Owner','Group','Access')); break}
        }
    }
    $output | Out-file "c:\tmp\sidlist.log" -Append

    Wednesday, August 14, 2019 10:31 AM

Answers

  • I would recommend querying the Win32_UserProfile WMI class rather than hard-coding the "C:\Users" path in your script. The Win32_UserProfile class can also tell you if a user profile is in use, if it is a "special" profile (like for the system account), the time it was last used, and more.

    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by Melankani Thursday, August 15, 2019 8:55 AM
    Wednesday, August 14, 2019 2:51 PM
    Moderator

All replies

  • Thanks a lot! I ended up with this:

    $output = Get-WmiObject Win32_UserProfile | Select-Object LocalPath, SID, LastUseTime |
        Where-Object {
            $_.SID -like "S-1-5-21-xxxxxxxxxx-*" -and   # old domain
            $_.LocalPath -notlike "*_admin*" -and
            $_.SID -notlike "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234" -and   # C:\Users\user_xyz
            $_.SID -notlike "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-5678"        # C:\Users\user_abc
        }

    $output | Out-file "\\fileshare\abc.log" -Append

    Thursday, August 15, 2019 8:55 AM
  • You can speed your query by using WQL in the -Filter parameter; e.g.:


    Get-WmiObject Win32_UserProfile -Filter "(SID LIKE 'S-1-5-21-nnnnnnnnnn-%') AND (NOT (LocalPath LIKE '%admin_%'))"

    This will likely be a bit faster if you connect to remote machines over a slower link (and if you have a large number of user profiles).


    -- Bill Stewart [Bill_Stewart]

    Thursday, August 15, 2019 1:41 PM
    Moderator
  • Use "Special" to eliminate all local special accounts and just ask for the domain matching SID.

    $filter = "Special=False AND SID LIKE 'S-1-5-21-nnnnnnnnnn-%'"
    Get-WmiObject Win32_UserProfile -Filter $filter | Select-Object LocalPath,SID
    


    \_(ツ)_/


    • Edited by jrv Thursday, August 15, 2019 2:01 PM
    Thursday, August 15, 2019 2:01 PM
  • Thank You!
    Thursday, August 15, 2019 2:03 PM
  • Actually you should not even require "Special" because you are asking for a domain account.  Only local accounts are marked special and path is not an issue for what you are doing.  Just get all accounts in the old domain:

    $filter = "SID LIKE 'S-1-5-21-nnnnnnnnnn-%'"
    Get-WmiObject Win32_UserProfile -Filter $filter | Select-Object localPath,SID

    If the accounts have been removed from the account manager then this will not return anything as profiles are only tracked for existing accounts.

    This will also not find abandoned profiles.


    \_(ツ)_/


    • Edited by jrv Thursday, August 15, 2019 2:08 PM
    Thursday, August 15, 2019 2:08 PM
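
Added example, not part of any post in this thread: it combines the Win32_UserProfile query from the answers with the per-item ACL scan from the question, and reports the path next to each old-domain SID it finds. Assumptions: the SID prefix and report folder are placeholders, the function name `Get-OldDomainSid` is hypothetical, `Get-CimInstance` stands in for `Get-WmiObject`, and the profiles root is read from the `ProfilesDirectory` registry value rather than hard-coded.

```powershell
# Assumption: placeholder for the old domain's SID (no trailing RID); substitute the real value.
$OldDomainSid = 'S-1-5-21-nnnnnnnnnn-nnnnnnnnnn-nnnnnnnnnn'
# Assumption: local report folder (hypothetical path).
$ReportDir = 'C:\tmp'

function Get-OldDomainSid {
    # Return the distinct SIDs from $DomainSid's domain that occur in an SDDL string.
    param([string]$Sddl, [string]$DomainSid)
    $pattern = [regex]::Escape($DomainSid) + '-\d+'
    [regex]::Matches($Sddl, $pattern) | ForEach-Object { $_.Value } | Sort-Object -Unique
}

# Part 1: profiles registered to old-domain accounts (the Win32_UserProfile approach).
Get-CimInstance Win32_UserProfile -Filter "SID LIKE '${OldDomainSid}-%'" |
    Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, LocalPath, SID, LastUseTime |
    Export-Csv (Join-Path $ReportDir 'oldsid-profiles.csv') -NoTypeInformation

# Part 2: ACLs under the profiles directory that still name an old-domain SID.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$root = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $key).ProfilesDirectory)

Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        try   { $sddl = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Sddl }
        catch { return }   # unreadable item (access denied, broken junction): skip it
        $hits = @(Get-OldDomainSid -Sddl $sddl -DomainSid $OldDomainSid)
        if ($hits.Count -gt 0) {
            # One row per file or folder, with the path in front of the SIDs found in its ACL.
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Path     = $item.FullName
                OldSids  = $hits -join ';'
            }
        }
    } |
    Export-Csv (Join-Path $ReportDir 'oldsid-acls.csv') -NoTypeInformation
```

Part 2 walks the whole profiles directory, so it also covers folders that have no Win32_UserProfile entry.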