Retrieve Machine SID

(imported topic written by SystemAdmin)

I read several posts explaining how to convert the machine SID but nothing on how to get and display the SID.

We're running into issues where machines are cloned by other teams and problems are arising from that.

I just wanted to gather the SIDs from each machine and compare them.

Is there an easy way to do this?

(imported comment written by SystemAdmin)

There is already a thread covering this topic here:

http://forum.bigfix.com/viewtopic.php?id=363

Also, this is slightly off the topic of BigFix, but is on the topic of SIDs:

That is a blog entry from earlier this week by Mark Russinovich of Sysinternals fame and the author of the NewSID utility. While I think having a unique machine SID is still a good thing because some programs rely on it, apparently we have had some misconceptions about the importance of the machine SID for quite a long time. It is a pretty interesting read.

(imported comment written by NoahSalzman)

The thread Brian mentioned – http://forum.bigfix.com/viewtopic.php?id=363 – answers the question “how to get the SID”.

last 24 of (value "V" of key "HKLM\SECURITY\SAM\Domains\Account" of registry as string)

My recommendation would be to run that relevance on one of your machines and then post the results in the aforementioned thread… then I can update my SID converter relevance so that you can use a single query to get a properly formatted result.

(imported comment written by SystemAdmin)

I updated your other post with the relevance below

"S-1-5-21" & "-" & hexadecimal integer ((concatenation of (characters (6;7;4;5;2;3;0;1) of it)) of ((first 8 of (concatenation of substrings separated by "," of (last 24 of (value "V" of key "HKLM\SECURITY\SAM\Domains\Account" of registry as string)))))) as string & "-" & hexadecimal integer ((concatenation of (characters (6;7;4;5;2;3;0;1) of it)) of (last 8 of preceding text of position (length of it - 8) of (concatenation of substrings separated by "," of (last 24 of (value "V" of key "HKLM\SECURITY\SAM\Domains\Account" of registry as string))))) as string & "-" & hexadecimal integer ((concatenation of (characters (6;7;4;5;2;3;0;1) of it)) of (last 8 of (concatenation of substrings separated by "," of (last 24 of (value "V" of key "HKLM\SECURITY\SAM\Domains\Account" of registry as string))))) as string

This works great for the Local Machine SID, but I'm looking for the machine's DOMAIN SID

Get Local Machine SID

PsGetSid v1.43 - Translates SIDs to names and vice versa

Copyright © 1999-2006 Mark Russinovich

Sysinternals - www.sysinternals.com

SID for SERVER01\SERVER01:

S-1-5-21-796345917-1772027372-1177258915

This is what I want

Get Machines DOMAIN SID

C:\WINDOWS\system32>psgetsid SERVER01$

PsGetSid v1.43 - Translates SIDs to names and vice versa

Copyright © 1999-2006 Mark Russinovich

Sysinternals - www.sysinternals.com

SID for DOMAIN\SERVER01$:

S-1-5-21-1417301333-2146795355-725335543-71041

I can run psgetsid but I have 4000+ machines and I didn't want to run that on all, output to a text file, read the text file…
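The decoding done by the relevance above, together with the original goal of comparing SIDs across machines, as an added Python example (not code from this thread or from BigFix). It assumes the "V" value has already been collected per host as hex text; the host names other than SERVER01, the filler bytes and the second SID are constructed sample data.

```python
import struct
from collections import defaultdict

HEX_DIGITS = set("0123456789abcdefABCDEF")

def machine_sid_from_v(v_hex):
    # Input: hex text of the "V" value under HKLM\SECURITY\SAM\Domains\Account
    # (assumed format; separators such as "," or spaces are ignored).
    # The last 12 bytes are three little-endian 32-bit sub-authorities, which is
    # what the (6;7;4;5;2;3;0;1) character shuffle in the relevance undoes.
    digits = "".join(c for c in v_hex if c in HEX_DIGITS)
    if len(digits) < 24:
        raise ValueError("need at least 12 bytes (24 hex digits) of V")
    tail = bytes.fromhex(digits[-24:])
    subs = struct.unpack("<3I", tail)
    return "S-1-5-21-" + "-".join(str(n) for n in subs)

def find_clones(inventory):
    # inventory: {hostname: hex text of V}. Returns only the SIDs that are
    # shared by more than one host, i.e. machines imaged from the same source.
    by_sid = defaultdict(list)
    for host, v_hex in inventory.items():
        by_sid[machine_sid_from_v(v_hex)].append(host)
    return {sid: sorted(hosts) for sid, hosts in by_sid.items() if len(hosts) > 1}

def sample_v(a, b, c, sep=""):
    # Constructed stand-in for a real V blob: 8 filler bytes + the 12-byte tail.
    raw = bytes(8) + struct.pack("<3I", a, b, c)
    return sep.join(f"{x:02x}" for x in raw)

# Constructed inventory: SERVER02 is a clone of SERVER01, SERVER03 is unique.
SAMPLE = {
    "SERVER01": sample_v(796345917, 1772027372, 1177258915),
    "SERVER02": sample_v(796345917, 1772027372, 1177258915, sep=","),
    "SERVER03": sample_v(1111111111, 222222222, 3333333333),
}

if __name__ == "__main__":
    for sid, hosts in find_clones(SAMPLE).items():
        print(sid, "shared by", ", ".join(hosts))
```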

(imported comment written by SystemAdmin)

That is some mighty nice relevance there mamacher. After seeing what a pain it is to get the local machine SID, I assumed it would be an equal pain to get the computer account SID, but it apparently can be done via BigFix inspectors:

component string of sid of security account (computer name & "$")

Note that this will throw an error if the machine is not on a domain, so you could do this to make it look prettier:

if exists security account (computer name & "$") then component string of sid of security account (computer name & "$") else "N/A"

One quick note though: you are actually having the computer query AD for the computer account SID with this. If you ultimately want the information in BigFix or it is just a convenient place to store it, then go ahead and do that. Since the SIDs are stored on the domain controllers, there are VBS scripts and other utilities that can relatively easily export this information to a CSV without having thousands of computers make an individual query. That being said, I am lazy and love having BigFix do the work for me, so I just added this to one of my own analyses and just set it to evaluate once a day.

Hope this helps!

(imported comment written by NoahSalzman)

Caveat lector:

And, as always, be careful with relevance that causes the end-point to query the AD server. If you cause 1000s of computers to hit your AD server all at once you may overwhelm the AD server.