How to resolve an orphan SID's account name with PowerShell

Sometimes you open an Access Control List and discover an orphan SID.

(Screenshot: an orphan SID shown in the ACL without a user name)

However, before removing the permission, you want to know which account this SID belonged to.

The SID matched to a local account

In this case, you are done.
There is no way to find out which account name the SID belonged to.

The SID matched to a domain account

If you activated the Recycle Bin before the deletion, you can still find the matching account until the object is completely removed from Active Directory.

Usually, to resolve a SID to a user name, you can just use the Get-ADUser cmdlet.

Get-ADUser -Identity 'S-1-5-21-11111111111-111111111111111111111-11111'

But unfortunately, when the account is already deleted, this cmdlet won’t help.

Instead, you can use the Get-ADObject cmdlet.
However, there are two tricky parts:
– Unlike the Get-ADUser cmdlet, the Get-ADObject cmdlet has no SID property, so you must filter on the objectSid property instead.
– You must specify the IncludeDeletedObjects parameter, otherwise deleted objects are not returned.

Get-ADObject -Filter {objectSid -eq 'S-1-5-21-1595408694-1749029380-1551332766-35683'} -IncludeDeletedObjects -Properties *
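As an added example that is not part of the original post, the helper below chains the two lookups described above: it first tries a normal SID-to-name translation, and only when that fails does it search the Recycle Bin with Get-ADObject, filtering on objectSid and passing -IncludeDeletedObjects. It assumes the ActiveDirectory module is installed and the Recycle Bin was enabled before the deletion; the function name Resolve-OrphanSid is my own.

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory module is loaded and the AD Recycle Bin is enabled.
function Resolve-OrphanSid {
    param(
        [Parameter(Mandatory)]
        [string]$Sid
    )

    # Step 1: normal path. Works as long as the SID still maps to a live account.
    $sidObject = [System.Security.Principal.SecurityIdentifier]$Sid
    try {
        $account = $sidObject.Translate([System.Security.Principal.NTAccount])
        return [pscustomobject]@{
            SID             = $Sid
            Name            = $account.Value
            Status          = 'Live'
            LastKnownParent = $null
        }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # The SID no longer resolves; fall through to the Recycle Bin search.
    }

    # Step 2: Recycle Bin path. Get-ADObject has no SID property, so filter on
    # objectSid, and -IncludeDeletedObjects is required to see deleted objects.
    $deleted = Get-ADObject -Filter "objectSid -eq '$Sid'" -IncludeDeletedObjects `
        -Properties sAMAccountName, isDeleted, lastKnownParent

    if (-not $deleted) {
        # Either a local account (not resolvable at all) or an AD object that has
        # already been purged after its deleted-object lifetime expired.
        return [pscustomobject]@{
            SID             = $Sid
            Name            = $null
            Status          = 'Unknown (local account, or already purged from AD)'
            LastKnownParent = $null
        }
    }

    $status = if ($deleted.isDeleted) { 'Deleted (recoverable from Recycle Bin)' } else { 'Live' }
    [pscustomobject]@{
        SID             = $Sid
        Name            = $deleted.sAMAccountName
        Status          = $status
        LastKnownParent = $deleted.lastKnownParent   # OU the object lived in before deletion
    }
}

# Usage: paste the SID copied from the ACL, e.g.
# Resolve-OrphanSid -Sid 'S-1-5-21-1595408694-1749029380-1551332766-35683'
```

The LastKnownParent value tells you where the object used to live, which helps decide whether the orphaned ACE was a legitimate grant worth re-creating for a replacement account or simply stale and safe to remove.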

More about this topic

Active Directory Recycle Bin Step-by-Step Guide (Technet)

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting (Ned PYLE)
