Active Directory: Finding the Renamed Administrator Account

This topic contains 2 replies, has 2 voices, and was last updated by Dave Wyatt 3 years, 10 months ago.

  • #9502
    Marty

    This works for finding the renamed Administrator account in a domain:

    Get-ADUser -Filter * -Properties SID -ResultPageSize 1000 | Where {$_.SID -like "*500"}

    Why doesn't this work?

    Get-ADUser -Filter 'SID -like "*500"'* -Properties SID

    I am trying to retrieve only the one record I am looking for. My guess is the second command (if it worked) would be faster than the first.

  • #9503
    Dave Wyatt

    I'm not sure how to make this work in an LDAP Filter, but you can use WMI to accomplish basically the same thing:

    Get-WmiObject -Class Win32_UserAccount -Filter "Domain='$env:USERDOMAIN' AND SID LIKE '%500'"
  • #9504
    Dave Wyatt

    Here's a way to do this just using the AD cmdlets. I still haven't been able to find a wild card filter that works for SIDs, but you can construct the complete SID and search for that:

    $domainSID = Get-ADDomain -Current LoggedOnUser | Select-Object -ExpandProperty DomainSID
    if ($null -ne $domainSID) {
        # The built-in Administrator account keeps RID 500 even after it is renamed
        Get-ADUser -Filter "SID -eq '$domainSID-500'"
    }
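
The exact-match lookup from the thread expressed as an LDAP filter, as an added example that is not part of the original posts. objectSid is stored in binary form with the RID as its last four bytes, so the filter carries the whole SID as escaped bytes rather than a text suffix. It assumes a domain-joined host with the ActiveDirectory module; the variable names and the selected audit properties are choices made for this example.

```powershell
# Added example (not from the thread): find the built-in Administrator
# account by its full SID using an LDAP filter, then show audit-relevant fields.
Import-Module ActiveDirectory

# Domain SID of the logged-on user's domain, as in the last reply above.
$domainSid = (Get-ADDomain -Current LoggedOnUser).DomainSID
if ($null -eq $domainSid) {
    throw 'Could not read the domain SID.'
}

# Build <domainSID>-500 from the well-known SID type instead of string
# concatenation, so the RID is never typed by hand.
$sidType  = [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid
$adminSid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                       -ArgumentList $sidType, $domainSid

# Convert the SID to its binary form and escape every byte as \xx,
# which is how an octet-string value is written in an LDAP filter.
$bytes = New-Object byte[] $adminSid.BinaryLength
$adminSid.GetBinaryForm($bytes, 0)
$escapedSid = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

$ldapFilter = "(&(objectCategory=person)(objectClass=user)(objectSid=$escapedSid))"

# One object comes back regardless of what the account has been renamed to.
Get-ADUser -LDAPFilter $ldapFilter -Properties Enabled, LastLogonDate, PasswordLastSet |
    Select-Object SamAccountName, SID, Enabled, LastLogonDate, PasswordLastSet
```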
