So I'm trying to find the SID for a user that's logged onto a system before. Our system has a split of non-administrative users (without a # at the start) and administrative users (with a #). My PowerShell script so far is this:

$CurrentDomainUser = wmic computersystem get username
$Separator = "\"
$CurrentDomainUserSplit = $CurrentDomainUser.split($Separator)
$DomainUser= $CurrentDomainUserSplit[3]

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_Users

$UserSID = ls 'hklm:software/microsoft/windows nt/currentversion/profilelist' | ? {
               $_.getvalue('profileimagepath') -match '$DomainUser' -and
               $_.getvalue('profileimagepath') -notmatch '#'
           } | % pschildname

This script doesn't work if I use the '$DomainUser' in the final $UserSID = ... line above. It does work if I put in the actual value that I'm searching for.

I'm guessing this is a simple PowerShell syntax problem.

  • Hi, in $CurrentDomainUserSplit[3], why 3? And what are you trying to achieve in the end? Commented Aug 18, 2016 at 12:08
  • Use Get-WmiObject / Get-CimInstance to query Win32_ComputerSystem. Using wmic to do it then parsing is a little silly. Commented Aug 18, 2016 at 12:10
  • @sodawillow: The output of CurrentDomainUserSplit[3] is the username part of the command "wmic computersystem get username" (without the domain name, back slashes, etc.) Commented Aug 18, 2016 at 12:11
  • When you do this '$DomainUser' you're using a non-expandable string so your string will literally contain $DomainUser not the content of the variable behind. Either use double quotes ("$DomainUser") or, better still, don't use quotes at all in this case. Commented Aug 18, 2016 at 12:12
  • @Chris Dent: Fair point; I'll look at improving that bit. Presuming, however, that I can still get the right data in the $DomainUser variable as a result of your change, my problem still exists in the $UserSID line. Commented Aug 18, 2016 at 12:12

2 Answers


Using Get-WmiObject instead of wmic

$DomainUser = (Get-WmiObject Win32_ComputerSystem).Username -replace '^.+\\'
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_Users
$UserSID = Get-ChildItem 'HKLM:/software/microsoft/windows nt/currentversion/profilelist' |
    Where-Object { $_.getvalue('profileimagepath') -match $DomainUser -and $_.getvalue('profileimagepath') -notmatch '#'} |
    ForEach-Object pschildname

Using NTAccount.Translate

Windows already knows how to translate names to security identifiers. We might use this method of getting to a SID.

$userName = (Get-WmiObject Win32_ComputerSystem).Username 
$ntAccount = New-Object System.Security.Principal.NTAccount($userName)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])

1 Comment

Boom - that does it. Thanks very much!
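
The NTAccount.Translate approach from the answer above, wrapped so that it handles a missing console user and an untranslatable name, then confirms the SID against ProfileList by key name instead of pattern-matching on the profile path. This is an added example, not part of the original answer; the function name Get-ProfileSid and its output fields are made up for illustration.

```powershell
# Added example (not from the original thread): resolve an account to its SID
# and confirm that a local profile exists for that SID.
function Get-ProfileSid {
    param(
        # DOMAIN\user; defaults to the interactive console user.
        # Win32_ComputerSystem.UserName is empty when nobody is logged on at the console.
        [string]$Account = (Get-CimInstance Win32_ComputerSystem).UserName
    )

    if ([string]::IsNullOrWhiteSpace($Account)) {
        throw 'No account name supplied and no console user is logged on.'
    }

    try {
        # Let Windows do the name-to-SID lookup; no string or regex matching involved.
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Account '$Account' could not be translated to a SID."
    }

    # ProfileList subkeys are named after the SID, so the key can be addressed
    # directly. An exact key lookup cannot confuse 'user' with '#user'.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $profilePath = if (Test-Path -LiteralPath $key) {
        (Get-ItemProperty -LiteralPath $key).ProfileImagePath
    }

    [pscustomobject]@{
        Account     = $Account
        Sid         = $sid
        HasProfile  = [bool]$profilePath
        ProfilePath = $profilePath
    }
}

# Console user by default; pass -Account 'DOMAIN\user' to look up a specific account.
Get-ProfileSid
```

HasProfile is False when the account resolves but has never logged on to this machine, which is the case the original ProfileList scan would report as an empty result.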
... -match '$DomainUser' ...

PowerShell expands variables only in double-quoted strings, not in single-quoted strings. Replace the single quotes with double quotes or remove the quotes entirely.

4 Comments

Chris Dent suggested this above, but it doesn't seem to be working - see my comment to him.
Then the value of your string isn't what you think it is.
Thank you - you're right. As per the comments section above, you would have been right at a general level. Is there a way I can give you credit for your input, whilst admitting that Chris' answer actually gets me to where I need to be?
You don't have enough reputation yet to upvote, so right now you can only accept answers. If Chris' answer is the best overall solution for your problem, then his answer is the one you should accept, even if it doesn't address the immediate question.
