question

0 Votes
usarif asked usarif answered

Find account or group from SID in local administrators group

Folks,
On my Windows 10 devices (just Autopilot imaged, AAD joined), under the local Administrators group, I am seeing two SIDs listed like
S-1-12-1-698813523-XXXXXXXXXX-XXXXXXXXX-XXXXXX
S-1-12-1-809045407-XXXXXXXXXX-XXXXXXXXX-XXXXXX
How can I find the account or group name for these SIDs? I know they belong to a global group in Azure. I ran a few PowerShell azureaduser commands, but they didn't give me the account name. We are totally in the Azure cloud and these computers are AAD joined.

azure-ad-access-reviews

0 Votes
usarif answered

Resolved!!!! Virtual thanks to Oliver Kieselbach for this blog: https://oliverkieselbach.com/2020/05/13/powershell-helpers-to-convert-azure-ad-object-ids-and-sids/

So I converted the SIDs with the link I have put above and got the object ID for each SID.
Run Get-AzureADDirectoryRole and it matches the object IDs to:

· Global Administrator

· Azure AD Joined Device Local Administrator
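
The conversion this answer relies on, as an added PowerShell example that is not part of the original post and is not the linked blog's code: an S-1-12-1 SID carries the 16 bytes of the Azure AD object ID as four little-endian 32-bit sub-authorities. The function names and the sample GUID are assumptions made for illustration.

```powershell
# Added example. Convert-AadSidToObjectId / Convert-AadObjectIdToSid are hypothetical names.
function Convert-AadSidToObjectId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $Sid
    )
    process {
        # Azure AD principals appear as S-1-12-1 followed by exactly four
        # decimal sub-authorities. Reject anything else (local or AD DS SIDs).
        if ($Sid -notmatch '^S-1-12-1-\d+-\d+-\d+-\d+$') {
            throw "Not an Azure AD SID (expected S-1-12-1-a-b-c-d): $Sid"
        }
        # The [uint32[]] cast throws if a sub-authority does not fit in 32 bits.
        [uint32[]] $parts = ($Sid -replace '^S-1-12-1-') -split '-'
        $bytes = [byte[]]::new(16)
        # Lay the four uint32 values out as the 16 raw bytes of the GUID.
        [Buffer]::BlockCopy($parts, 0, $bytes, 0, 16)
        [guid]::new($bytes)
    }
}

function Convert-AadObjectIdToSid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [guid] $ObjectId
    )
    process {
        # Reverse direction: GUID bytes regrouped into four uint32 values.
        $parts = [uint32[]]::new(4)
        [Buffer]::BlockCopy($ObjectId.ToByteArray(), 0, $parts, 0, 16)
        'S-1-12-1-' + ($parts -join '-')
    }
}

# Constructed sample object ID (not a real directory object), used as a
# round-trip self-check before trusting the result on a real SID.
$sample = [guid] '01234567-89ab-cdef-0123-456789abcdef'
$sid    = Convert-AadObjectIdToSid -ObjectId $sample
if ((Convert-AadSidToObjectId -Sid $sid) -ne $sample) {
    throw 'Round-trip mismatch: conversion is not symmetric'
}
"{0} <-> {1}" -f $sample, $sid
```

The GUID returned for a real SID is the value to compare against the ObjectId column that Get-AzureADDirectoryRole lists, which is how the two entries in the local Administrators group were matched to roles here.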


0 Votes
CristianSPIRIDON72 answered

Hi,

When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

· The Azure AD global administrator role

· The Azure AD device administrator role

· The user performing the Azure AD join

See more info at https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin.

Hope this helps.

Cristian



0 Votes
vipulsparsh-MSFT answered

@usarif Thanks for reaching out. Those would probably be the administrators added to devices using this option:

[image: 103350-image.png]


Since you have only 2 SIDs, you can use this manual method to find them.

1) Navigate to the registry path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
2) Select your corresponding SID.
3) Check the Profile Image Path value. This should contain the account name.

[image: 103481-image.png]



If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.




0 Votes
usarif answered

So, a little update on this.
I ran into this blog by Oliver Kieselbach which converts SIDs to object IDs: https://oliverkieselbach.com/2020/05/13/powershell-helpers-to-convert-azure-ad-object-ids-and-sids/

It talks about the same thing I was looking for: SIDs under the Administrators group. Now when I convert to ObjectID, I can't find a reference in AAD. Any thoughts?
