Domain SID not resolving on Workgroup PC

Hi Everyone

Currently I am using an Autopilot PC and trying to export the network folder permission list through a PowerShell script, which results in SIDs and does not resolve the username / group name - is it because my PC is in a workgroup and they are domain users?
I am able to find the username and group name through Windows File Explorer - Security tab.

Is there a script to resolve domain SID on a workgroup PC?

Thanks and have a wonderful day,
Gopinath Venkatachalam

Not tested on a workgroup PC … what happens if you try this:

$sid = 'some-sid-value'
([wmi]"\\$($ENV:ComputerName)\root\cimv2:Win32_SID.SID='$sid'").AccountName

Is the PC joined to the AD domain?
Where are the network folders located? On the PC? On another host? If another host, is that host domain joined?

Workgroup by definition means not joined to a domain. Any account you log into such a host would be a local account, not a domain account. Nothing so far provides any visibility into a domain, nor does it provide permissions to resolve SIDs.

I would run your script on a domain joined host and using an ID that is part of the domain, if the network folders are on an AD joined host.

You shouldn’t need any special permissions to resolve SIDs for “friendly”

Get-ADuser, Get-ADComputer, and Get-ADGroup can all accept SIDs as input and return the “friendly” name for the AD object.

You might need special permissions to query network shares, depending on how they were set up and how you try to find out which groups are giving permissions.

I am getting the below error, and it looks like it would work for SID accounts located on a computer, but I am looking to resolve the SIDs of domain users / groups.

Cannot convert value "\\root\cimv2:Win32_SID.SID='S-1-5-21-1475062817-1407861736-3805098287-156531'" to type "System.Management.ManagementObject". Error: "Invalid parameter "
At line:2 char:12
+ ([wmi]"\\$($ENV:5CG1448R47)\root\cimv2:Win32_SID.SID='$sid'").Account ...
+        ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvalidCastToWMI

Hi Matt

No, the PC is not AD domain joined; it is an Intune PC (say in Azure AD), and the file servers are located in on-prem AD and don't have any connection with Azure/Intune. We are running in a hybrid environment (two different authentications): old devices are joined to the AD domain (using on-prem domain accounts), and new devices are enrolled in Intune Autopilot (using Azure AD to authenticate) and are not joined to the AD domain.
The same script works fine on on-prem AD joined devices and resolves the SID to a friendly name by default.

I am just thinking, as Windows File Explorer shows the friendly name on a non-domain PC, do we have anything to import the results from File Explorer into PowerShell?

$objSID = New-Object System.Security.Principal.SecurityIdentifier ($SID)
$objUser = ($objSID.Translate([System.Security.Principal.NTAccount])).value

The user object returned contains the AD account info, at least when run from a domain-joined computer. I don’t know how this will work from a non-domain computer, but this might point you toward a solution.
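As an added example (not code from any poster in this thread), the script below applies the Translate() approach above to a whole folder ACL, keeps the raw SID whenever the lookup fails on the non-domain machine, and exports the result to CSV. The UNC path and output file are placeholders.

```powershell
# Added example: export a folder's ACL and resolve SIDs to friendly names where possible.
# $FolderPath and $OutFile are placeholders; replace them with your own values.
param(
    [string]$FolderPath = '\\FILESERVER\Share\Folder',   # placeholder UNC path
    [string]$OutFile    = "$env:TEMP\folder-acl.csv"     # placeholder output file
)

function Resolve-SidName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $objSID = New-Object System.Security.Principal.SecurityIdentifier ($Sid)
        # Translate() asks the local LSA to look the SID up. On a workgroup PC that
        # typically succeeds only for well-known and local SIDs, so a miss is expected
        # for on-prem domain accounts and is handled below rather than aborting the run.
        return ($objSID.Translate([System.Security.Principal.NTAccount])).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        return $null   # caller keeps the raw SID so the permission is still recorded
    }
    catch {
        return $null   # malformed SID string or other lookup failure
    }
}

$acl  = Get-Acl -Path $FolderPath
$rows = foreach ($ace in $acl.Access) {
    $id    = $ace.IdentityReference.Value
    $isSid = $id -match '^S-1-\d+(-\d+)+$'          # SIDs that Get-Acl could not map
    $name  = if ($isSid) { Resolve-SidName -Sid $id } else { $id }
    [pscustomobject]@{
        Path       = $FolderPath
        Identity   = if ($name) { $name } else { $id }
        Resolved   = [bool]$name
        Rights     = $ace.FileSystemRights
        AccessType = $ace.AccessControlType
        Inherited  = $ace.IsInherited
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation
# Flag the entries that still show a bare SID so they can be resolved from a domain-joined host.
$rows | Where-Object { -not $_.Resolved } |
    ForEach-Object { Write-Warning "Unresolved SID on $($_.Path): $($_.Identity)" }
```

The Resolved column makes it easy to filter the export to the ACEs that still need a lookup from a domain-joined machine.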

You added $ENV:5CG1448R47, which attempts to reference an environment variable 5CG1448R47 that does not exist. You should NOT change $ENV:ComputerName, as this references the environment variable "ComputerName", which is the computer you are running the commands from.

Try again exactly as I posted with a valid SID.

This is part of the answer to your issues.