This works for finding the renamed Administrator account in a domain:
Get-ADUser -Filter * -Properties SID -ResultPageSize 1000 | Where {$_.SID -like “*500”}
Why doesn’t this work?
Get-ADUser -Filter 'SID -like "500"’ -Properties SID
I am trying to retrieve only the one record I am looking for. My guess is the second command (if it worked) would be faster than the first.
I’m not sure how to make this work in an LDAP Filter, but you can use WMI to accomplish basically the same thing:
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='$env:USERDOMAIN' AND SID LIKE '%500'"
Here’s a way to do this just using the AD cmdlets. I still haven’t been able to find a wild card filter that works for SIDs, but you can construct the complete SID and search for that:
$domainSID = Get-ADDomain -Current LoggedOnUser | Select-Object -ExpandProperty DomainSID
if ($domainSID -ne $null)
{
Get-ADUser -Filter "SID -eq '$domainSID-500'"
}