Find account or group from SID in local administrators group

Arif Usman 496 Reputation points
2021-06-04T20:23:06.537+00:00

Folks,
On my Windows 10 devices (just Autopilot imaged, AAD joined), under the local Administrators group, I am seeing two SIDs listed, like:
S-1-12-1-698813523-XXXXXXXXXX-XXXXXXXXX-XXXXXX
S-1-12-1-809045407-XXXXXXXXXX-XXXXXXXXX-XXXXXX
How can I find the account or group name for these SIDs? I know they belong to a global group in Azure. I ran a few PowerShell AzureADUser commands, but they didn't give me the account name. We are totally in the Azure cloud and these computers are AAD joined.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Arif Usman 496 Reputation points
    2021-06-10T01:56:46.29+00:00

    Resolved! Virtual thanks to Oliver Kieselbach for this blog: https://oliverkieselbach.com/2020/05/13/powershell-helpers-to-convert-azure-ad-object-ids-and-sids/

    So I converted the SIDs using the link I have put above and got the object ID for each SID.
    I ran Get-AzureADDirectoryRole and it matches the object IDs to:
    · Global Administrator
    · Azure AD Joined Device Local Administrator

    3 people found this answer helpful.
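
The SID-to-object-ID conversion that the accepted answer relies on, as an added PowerShell example (not code from this thread or from the linked blog): an S-1-12-1 SID carries the object's GUID as four unsigned 32-bit integers. The function names and sample SIDs are constructed for illustration, and the commented lookup assumes the AzureAD module with an active Connect-AzureAD session.

```powershell
# Added example; function names and the sample SIDs below are constructed.
function Convert-AadSidToObjectId {
    param([Parameter(Mandatory)][string]$Sid)
    # Cloud principals appear as S-1-12-1-<a>-<b>-<c>-<d>, four 32-bit values.
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        throw "Not an S-1-12-1 SID: $Sid"
    }
    # The [uint32] cast throws if a value exceeds 4294967295.
    $parts = [uint32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
    $bytes = [byte[]]::new(16)
    # Copy the four integers, in order, into the 16 bytes of the GUID.
    [Buffer]::BlockCopy($parts, 0, $bytes, 0, 16)
    return [guid]::new($bytes)
}

function Convert-AadObjectIdToSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    $parts = [uint32[]]::new(4)
    [Buffer]::BlockCopy($ObjectId.ToByteArray(), 0, $parts, 0, 16)
    return 'S-1-12-1-' + ($parts -join '-')
}

# Constructed SIDs standing in for entries seen in the Administrators group.
$localAdminSids = @(
    'S-1-12-1-1234567890-1111111111-2222222222-3333333333',
    'S-1-5-32-544'   # not a cloud SID; shows the rejection path
)
foreach ($sid in $localAdminSids) {
    try {
        $id = Convert-AadSidToObjectId -Sid $sid
        # Round-trip check: converting back must reproduce the input SID.
        if ((Convert-AadObjectIdToSid -ObjectId $id) -ne $sid) {
            throw "Round trip failed for $sid"
        }
        "{0} -> {1}" -f $sid, $id
    } catch {
        "{0} -> skipped: {1}" -f $sid, $_.Exception.Message
    }
}

# Lookup step from the answer (assumes the AzureAD module and Connect-AzureAD):
# Get-AzureADDirectoryRole | Where-Object { $_.ObjectId -eq $id.ToString() }
```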

3 additional answers

  1. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-06-08T11:44:04.93+00:00

    @Arif Usman Thanks for reaching out. Those would probably be the administrators added to devices using this option:

    [Image: 103350-image.png]

    Since you have only 2 SIDs you can use this manual method to find them.

    1) Navigate to the registry path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    2) Select your corresponding SID
    3) Check the Profile Image Path value. This should contain the account name.

    [Image: 103481-image.png]


    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

    2 people found this answer helpful.

  2. Cristian SPIRIDON 4,486 Reputation points Volunteer Moderator
    2021-06-05T06:45:58.357+00:00

    Hi,

    When you connect a Windows device with Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

    · The Azure AD global administrator role

    · The Azure AD device administrator role

    · The user performing the Azure AD join

    See more info at https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin.

    Hope this helps.

    Cristian


  3. Arif Usman 496 Reputation points
    2021-06-10T01:49:22.083+00:00

    So, a little update on this.
    I ran into this blog by Oliver Kieselbach which converts SIDs to object IDs: https://oliverkieselbach.com/2020/05/13/powershell-helpers-to-convert-azure-ad-object-ids-and-sids/

    It talks about the same thing I was looking for: SIDs under the administrators group. Now when I convert to ObjectID, I can't find a reference in AAD. Any thoughts?
