0
votes

I have a rather unusual question regarding the "Local Administrators" (LA) group on Windows PCs. When a system can contact the domain controller (DC) (on-prem), the Active Directory (AD) security groups (such as "Domain Admins") show as expected. Naturally, when off-prem, the DC cannot be reached, so viewing the LA group shows the SID of that group instead of the name. When viewing this data via Computer Management, I can of course read that SID. However, PowerShell scripts to read the LA group do not show anything about the AD security groups that cannot be resolved.

I would like to be able to utilize PowerShell or any other system process to grab these SIDs when a system is off-prem. We utilize this data for inventory and rights purposes, but off-prem machines are proving to be a headache.

Any thoughts?

Thanks!

1
Share the code you currently use so we can replicate it and see if any changes can be made to it. Otherwise you're asking people to write from scratch. - Eric Weintraub
Are you using [adsi] or WMI/CIM to query your local admin group? - TheMadTechnician
Eric, I was using the built-in "net localgroup administrators" to grab the data. @Bill_Stewart I am not looking to cache all possible SID values, or cache anything. I am looking to see what SIDs exist on any given machine if it is off-prem, as I cannot grab the actual group name. The group names can help pinpoint the group the machine belongs to for inventory purposes. - Tim P.
@TheMadTechnician ADSI - I never thought to try it! I got it working using ADSI! I will post the solution below. - Tim P.
@TheMadTechnician - I have a strange, slightly related question (stackoverflow.com/questions/56171544/…): can I actively AVOID querying the domain controller if it is contactable, but still get the SIDs somehow? I want to do this same enumeration, but on many servers at the same time, and so want to avoid hammering the domain controller. - Milney

1 Answer

0
votes

The solution came via Eric's mention of ADSI. I have used it a lot in my code, but didn't think to apply it here. The code below grabs all members of the local Administrators group. If the domain controller is available, AD security groups and users show as expected. If the DC is unavailable, it outputs the SIDs of any domain object. The SIDs can be converted back for what we need.

$Computer = $env:COMPUTERNAME
# Bind to the local machine through the WinNT ADSI provider; this reads the local SAM and needs no DC
$ADSIComputer = [ADSI]("WinNT://$Computer,computer")
# Locate the built-in Administrators group among the computer's child objects
$group = $ADSIComputer.psbase.children.find('Administrators', 'Group')

# Enumerate the members; a domain member whose name cannot be resolved comes back with its SID string as the Name
$group.psbase.invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
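The answer above returns only the Name of each member, which is a resolvable DOMAIN\name when the DC answers and a bare SID string when it does not. For inventory it is more useful to read each member's objectSid directly, since that value lives in the local SAM and is the same on-prem and off-prem, and to treat name resolution as best-effort. The following is an added example, not code from the original post or its author; the group name Administrators and the property names are assumptions that hold for English-language Windows, and the Local/BuiltIn/Domain classification is a heuristic based on the member's ADsPath and well-known SID prefix. One reason the built-in cmdlet route can fall down for this use case is that Get-LocalGroupMember in Windows PowerShell 5.1 is known to abort with "Failed to compare two elements in the array" when a member's SID cannot be resolved; the ADSI route does not share that failure mode.

```powershell
# Added example (not from the original post): enumerate the local Administrators group
# through the WinNT ADSI provider and return each member's SID from its objectSid property,
# so the inventory gets a stable identifier whether or not the domain controller answers.
# Assumptions: the group is named 'Administrators' (English Windows); the Source column is
# a heuristic based on ADsPath and the S-1-5-32- built-in SID prefix.

function Get-LocalAdminMembership {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName    = 'Administrators'
    )

    # WinNT provider binding reads the local SAM and does not require a DC
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"

    foreach ($member in $group.psbase.Invoke('Members')) {
        $type = $member.GetType()

        # Name is DOMAIN\name when resolvable, or a raw SID string (S-1-5-21-...) when not
        $name    = $type.InvokeMember('Name',      'GetProperty', $null, $member, $null)
        $class   = $type.InvokeMember('Class',     'GetProperty', $null, $member, $null)
        $adsPath = $type.InvokeMember('AdsPath',   'GetProperty', $null, $member, $null)
        $sidRaw  = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)

        # objectSid is a byte[]; wrapping it in a SecurityIdentifier gives the SDDL form
        # (S-1-5-...) without any network lookup
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidRaw, 0)

        # Best-effort name resolution through LSA; off-prem this throws and we keep $null
        $account = $null
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null
        }

        # Heuristic classification (assumption): built-in SIDs share the S-1-5-32- prefix,
        # local SAM objects carry the computer name in their ADsPath, anything else is domain
        $source = if ($sid.Value -like 'S-1-5-32-*') { 'BuiltIn' }
                  elseif ($adsPath -like "WinNT://$ComputerName/*" -or $adsPath -like "WinNT://*/$ComputerName/*") { 'Local' }
                  else { 'Domain' }

        [pscustomobject]@{
            Computer  = $ComputerName
            Name      = $name
            Class     = $class
            SID       = $sid.Value
            DomainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
            Account   = $account
            Resolved  = [bool]$account
            Source    = $source
        }
    }
}

# Usage: run locally and tabulate; pipe to Export-Csv to feed the inventory
Get-LocalAdminMembership | Format-Table -AutoSize
```

The DomainSid column is the S-1-5-21-... domain/machine identifier of each account SID (null for built-in well-known SIDs), which is what lets the inventory tell a domain group apart from a local account even when no name is available; the Resolved flag records whether the run happened with a reachable DC, so downstream tooling can fill in names later from a cached mapping rather than treating the unresolved rows as errors.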