Active Directory: Finding the Renamed Administrator Account

This topic contains 2 replies, has 2 voices, and was last updated by  Dave Wyatt 4 years, 4 months ago.

  • Author
    Posts
  • #9502

    Marty
    Participant

    This works for finding the renamed Administrator account in a domain:

    Get-ADUser -Filter * -Properties SID -ResultPageSize 1000 | Where {$_.SID -like "*500"}

    Why doesn't this work?

    Get-ADUser -Filter 'SID -like "*500"'* -Properties SID

    I am trying to retrieve only the one record I am looking for. My guess is the second command (if it worked) would be faster than the first.

  • #9503

    Dave Wyatt
    Moderator

    I'm not sure how to make this work in an LDAP Filter, but you can use WMI to accomplish basically the same thing:

    Get-WmiObject -Class Win32_UserAccount -Filter "Domain='$env:USERDOMAIN' AND SID LIKE '%500'"
    
  • #9504

    Dave Wyatt
    Moderator

    Here's a way to do this just using the AD cmdlets. I still haven't been able to find a wild card filter that works for SIDs, but you can construct the complete SID and search for that:

    $domainSID = Get-ADDomain -Current LoggedOnUser | Select-Object -ExpandProperty DomainSID
    if ($domainSID -ne $null)
    {
        Get-ADUser -Filter "SID -eq '$domainSID-500'"
    }
    

You must be logged in to reply to this topic.