Ondrej Sevecek's English Pages

Engineering and troubleshooting by Directory Master!
MCM: Directory
August 26
How to get primary domain SID when running under a local user account

The following PowerShell script determines the SID (security identifier) of the primary Active Directory (AD) domain of the local computer. It works whether the local computer is a domain member workstation, a domain member server, or an AD domain controller. For a member, the result is the SID of the AD domain the computer belongs to; for a domain controller, it is the SID of the domain that the DC hosts.

The script works when run under a domain user account or under a local user account, including limited (non-administrative) local users. No Administrators group membership is necessary. The only requirements are that the machine is a domain member and that it can reach at least one of the domain's DCs, because the script translates the name of the built-in krbtgt account to its SID and the lookup is resolved by a DC. Hopefully, the krbtgt account has the same name on all language mutations of Active Directory.

function global:Get-PrimaryDomainSID ()
{
  # Note: this script obtains SID of the primary AD domain for the local computer. It works both
  #       if the local computer is a domain member (DomainRole = 1 or DomainRole = 3)
  #       or if the local computer is a domain controller (DomainRole = 4 or DomainRole = 5).
  #       The code works even under local user account and does not require calling user
  #       to be domain account.
  #
  # Win32_ComputerSystem.DomainRole values:
  #   0 = standalone workstation, 1 = member workstation,
  #   2 = standalone server,      3 = member server,
  #   4 = backup domain controller, 5 = primary domain controller

  [string] $domainSID = $null

  [int] $domainRole = gwmi Win32_ComputerSystem | Select -Expand DomainRole
  # Roles 0 and 2 are the standalone (non-domain) machines.
  [bool] $isDomainMember = ($domainRole -ne 0) -and ($domainRole -ne 2)

  if ($isDomainMember) {

    [string] $domain = gwmi Win32_ComputerSystem | Select -Expand Domain
    # Translate DOMAIN\krbtgt to its SID (S-1-5-21-<domain>-502); the lookup is answered by a DC.
    [string] $krbtgtSID = (New-Object Security.Principal.NTAccount "$domain\krbtgt").Translate([Security.Principal.SecurityIdentifier]).Value
    # The domain SID is the account SID without its trailing RID.
    $domainSID = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))
  }

  return $domainSID
}
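As an added example (not the original post's code), the same krbtgt lookup written so that failures are reported instead of silently returning an empty string, the resolved SID is checked to really be the krbtgt account (well-known RID 502), and the domain SID is taken from the .NET AccountDomainSid property rather than by cutting the string at the last dash. It assumes PowerShell 3.0 or later (for Get-CimInstance and the -in operator); the function name Get-PrimaryDomainSIDChecked is my own.

```powershell
# Added example: a checked variant of the krbtgt-based domain SID lookup.
function Get-PrimaryDomainSIDChecked
{
  # DomainRole values of Win32_ComputerSystem:
  #   0 = standalone workstation, 1 = member workstation,
  #   2 = standalone server,      3 = member server,
  #   4 = backup DC,              5 = primary DC
  $cs = Get-CimInstance -ClassName Win32_ComputerSystem
  if ($cs.DomainRole -in 0, 2) {
    throw "This computer is not a domain member (DomainRole = $($cs.DomainRole))."
  }

  # Two-argument constructor avoids building the "DOMAIN\name" string by hand.
  $account = New-Object Security.Principal.NTAccount($cs.Domain, 'krbtgt')
  try {
    $sid = $account.Translate([Security.Principal.SecurityIdentifier])
  }
  catch [Security.Principal.IdentityNotMappedException] {
    # Typical cause: no DC reachable, so the LSA cannot resolve the name.
    throw "Could not resolve $($cs.Domain)\krbtgt; is a domain controller reachable?"
  }

  # Sanity check: the name must have resolved to the real krbtgt account
  # (well-known RID 502), not to some other principal that happens to match.
  if (-not $sid.IsWellKnown([Security.Principal.WellKnownSidType]::AccountKrbtgtSid)) {
    throw "Resolved SID $($sid.Value) is not the krbtgt account."
  }

  # AccountDomainSid drops the RID for us: S-1-5-21-x-y-z-502 -> S-1-5-21-x-y-z.
  return $sid.AccountDomainSid.Value
}

# Usage on a domain-joined machine; prints the domain SID or throws with the reason.
# Get-PrimaryDomainSIDChecked
```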
