How to map HKEY_USERS subkeys and Windows usernames? - windows

I thought the key names immediately below HKEY_USERS were supposed to be the usernames of whoever logged in at this machine at some time. But in my machine what appears is:
S-1-5-18
S-1-5-19
S-1-5-20
S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN
S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN_Classes
I'd like to be able to determine which subtree corresponds to which user. How can I do that?
Edit: What I need is to get the usernames from the SIDs. I want to inspect the configurations of each user that has ever logged on, and I need to know their names. For example, in the registry above, I need to be able to, based on the string "S-1-5-21-NNNNNNNNN-NNNNNNNNN-NNNNNNNNNN-NNNNN", find out that it corresponds to DOMAIN\somebody, or LOCALMACHINENAME\somebodyelse.

It is possible to query this information from WMI. The following command will output a table with a row for every user along with the SID for each user.
wmic useraccount get name,sid
You can also export this information to CSV:
wmic useraccount get name,sid /format:csv > output.csv
I have used this on Vista and 7 (according to the comments it works on 2008 R2 as well). For more information see WMIC - Take Command-line Control over WMI.

For PowerShell this is quick:
gwmi win32_userprofile | ft localpath, sid
Ashley McGlone
Microsoft PFE
http://aka.ms/GoateePFE

I believe those numbers are the user's security ID (SID). You can use SysInternals to get the SIDs of users:
http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

HKLM\System\CurrentControlSet\Control\hivelist will show you where the hives are mounted from. While not a direct mapping, usually the mount point has the user name in the path.
I'm sure there is a better answer than this though...

When doing it manually (without extra tools), the easiest way is to open permissions for that key. The only user who has full permissions is the owner of the key.
When from a program, you will need a way to convert SIDs to account names. In C# (or PowerShell), have a look at the SecurityIdentifier and NtAccount class for that.
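
The SecurityIdentifier-to-NTAccount translation mentioned above, as an added PowerShell example (PSv3+) that is not part of the original answers. It goes one step further and also reads the ProfileList registry key, because HKEY_USERS only contains hives that are loaded at the moment, while ProfileList has an entry for every profile stored on the machine; the function name Resolve-SidToAccount is hypothetical.

```powershell
# Added example: map SIDs under HKEY_USERS and ProfileList to account names.
$profileList = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$sidPattern  = '^S-1-\d+(-\d+)+$'   # excludes .DEFAULT and <SID>_Classes keys

function Resolve-SidToAccount {     # hypothetical helper name
    param([Parameter(Mandatory = $true)][string] $Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted account, unreachable domain controller, or malformed SID:
        # report "no name" instead of aborting the whole listing.
        $null
    }
}

# SIDs whose hive is loaded right now (logged-on users, service accounts).
$loaded = @(Get-ChildItem -Path 'Registry::HKEY_USERS' |
    ForEach-Object { $_.PSChildName } |
    Where-Object { $_ -match $sidPattern })

# SIDs of every profile stored on this machine, loaded or not.
$onDisk = @(Get-ChildItem -Path $profileList |
    ForEach-Object { $_.PSChildName } |
    Where-Object { $_ -match $sidPattern })

($loaded + $onDisk) | Sort-Object -Unique | ForEach-Object {
    $sid   = $_
    $entry = Get-ItemProperty -Path "$profileList\$sid" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SID         = $sid
        Account     = Resolve-SidToAccount -Sid $sid
        HiveLoaded  = $loaded -contains $sid
        ProfilePath = $entry.ProfileImagePath
    }
} | Format-Table -AutoSize
```

A row with an empty Account column but a ProfilePath is a profile whose account can no longer be resolved; the folder name in ProfilePath is then the remaining hint to the user name.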

In C# there appears to be an answer to translating username to SID here http://community.bartdesmet.net/blogs/bart/archive/2006/09/08/4394.aspx but it's only for local PCs.
For AD I converted it to:
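using System;
using System.DirectoryServices;
using System.Security.Principal;

class Program {
    static void Main(string[] args) {
        // Build the LDAP path from the first argument (the domain).
        string path = "LDAP://" + args[0];
        // Bind to that path, passing the second argument as the bind user name.
        DirectoryEntry root = new DirectoryEntry(path, args[1], null, AuthenticationTypes.Secure);
        // Read the binary objectSID attribute of the bound entry and convert it to string form.
        string sid = new SecurityIdentifier((byte[])root.Properties["objectSID"][0], 0).Value;
        Console.WriteLine(sid);
    }
}
The usage is: programname.exe DOMAIN username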
e.g. programname.exe somecompany.com preet_sangha

Please use PowerShell:
$mydocuments = [Environment]::GetFolderPath("mydocuments")
gwmi win32_userprofile | ft localpath, sid, status -AutoSize | Out-File $mydocuments\userprofiles.txt

Related

Is there a way to check an arbitrary security principal for Administrative rights on a local server with PowerShell?

Many examples on the web show the way to check current user for Administrative privileges using
[Security.Principal.WindowsPrincipal]
[Security.Principal.WindowsIdentity]::GetCurrent()
Is there a similar way to check not the 'current' identity, but any (local or domain, for example, retrieved from Get-ACL cmdlet) when running commands on a particular server?
I checked https://learn.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.-ctor?view=netframework-4.7.2#System_Security_Principal_WindowsIdentity__ctor_System_String_, but couldn't find a way to do it (only if you use constructor with UPN parameter, which is not suitable in my case). I would appreciate any hint.
You can try the following function, which, for a given user name:
tries to find the underlying identity (NT user account) in the same context as the calling user (domain vs. local); the user name may be specified in several formats, among them the NTLM format (<domain>\<username>).
then tests that identity for (static) membership in the built-in local Administrators group.
function Test-LocalAdminGroupMembership {
    param([string] $user)
    # Load the required assembly (a no-op if already loaded).
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # Obtain the specified user as a UserPrincipal instance.
    $up = try {
        if (-not $user) { # default to current user
            [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
        } else {
            [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                [System.DirectoryServices.AccountManagement.UserPrincipal]::Current.Context,
                $user
            )
        }
    } catch {
        Throw
    }
    # See if the well-known SID of the local Administrators group
    # is among the SIDs of the groups that the user is a member of (PSv3+ syntax).
    $up.GetGroups().SID.Value -contains 'S-1-5-32-544'
}

Net User $userName /domain

I am trying to create a module for our support team which will contain some tools we use on a daily basis but we used CMD until now.
One of the commands we use is net user $username /domain in order to check if the user's password has expired and all the other useful details the command outputs.
I tried to put that command in a function like this:
function Get-UserDetails {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string]$UserName
    )
    net user $UserName /domain
}
The function works fine but I want to filter the output for a few details only.
The problem is that net user is not a PowerShell cmdlet and it has no properties so I can't select any of it.
So my question is:
Do you know a better way to get all that data in one command? Because Get-ADUser outputs less data than net user.
You can use Get-ADUser and pick the msDS-UserPasswordExpiryTimeComputed property from it. Problem is - this property may not enumerate even when using -Properties *, so it might not be apparent when trying to inspect the returned object. To make matters even better, the timestamp is not in a human-readable format.
Nonetheless, you can get the password expiration date from the AD cmdlets and also make it human-readable as follows:
# Get ADUser
$user = Get-ADUser username -Properties msDS-UserPasswordExpiryTimeComputed
# Get expiry timestamp and convert it from file time format
$userCredExpiryDate = [DateTime]::FromFileTime( $user.'msDS-UserPasswordExpiryTimeComputed' )
Here is the MSDN documentation for that AD DS attribute.
For other field values that show up in net user /domain but not in Get-ADUser - there should be other AD DS attributes you can search on if they don't show up with -Properties *. For these you will need to look for the appropriate property in the AD DS documentation.
UPDATE: Someone linked me to this page on another question (related to this behavior) and this seems to list additional properties that are available for processing, but are not returned when trying to look at "all" AD DS properties on an object. I don't know how complete this list is but it is a good starting point for understanding what additional AD attributes you have to work with.
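
The file-time conversion shown above, as an added PowerShell example (PSv3+) that is not part of the original answer and that handles the two sentinel values the attribute can carry: 0x7FFFFFFFFFFFFFFF, on which FromFileTime throws, and 0, which would otherwise be displayed as a date in the year 1601. The function name ConvertFrom-PasswordExpiry and the sample values are constructed for illustration.

```powershell
# Added example: interpret msDS-UserPasswordExpiryTimeComputed safely.
function ConvertFrom-PasswordExpiry {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][long] $FileTime)

    if ($FileTime -eq [long]::MaxValue) {
        # Sentinel: password does not expire (account flag or no maximum age).
        $status = 'NeverExpires'; $expires = $null
    } elseif ($FileTime -eq 0) {
        # Sentinel: pwdLastSet is 0 (never set, or must change at next logon).
        $status = 'MustChangeAtNextLogon'; $expires = $null
    } else {
        $expires = [DateTime]::FromFileTime($FileTime)
        $status  = if ($expires -lt (Get-Date)) { 'Expired' } else { 'Valid' }
    }
    [pscustomobject]@{ Status = $status; Expires = $expires }
}

# Constructed sample values: both sentinels and one ordinary file time.
[long]::MaxValue, 0, 133500000000000000 |
    ForEach-Object { ConvertFrom-PasswordExpiry -FileTime $_ }

# With the AD module loaded, using the $user object from the answer above:
# ConvertFrom-PasswordExpiry -FileTime $user.'msDS-UserPasswordExpiryTimeComputed'
```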

Power shell | Extract user name out of computer name in Domain Controller

How can I extract the user name in my active directory when I only have the computer name?
Obviously, there is no relation whatsoever between the computer name and the user name in terms of naming.
ArcSet's answer is great (it's what I'd do) but for basic PowerShellers, I'd have pushed them towards the AD-cmdlets like (Mitchell did):
Get-ADUser -Filter * -Property samaccountname
or even:
Get-ADObject -ldapfilter '(objectcategory=user)' -Property samaccountname
This will get you all users from the domain the current computer is joined to:
(([adsisearcher]"objectcategory=user").FindAll()).Properties.samaccountname
I recommend utilizing this cmdlet: Get-ADComputer. After getting the AD information associated with this you can pipe the data out and utilize filters to get the information you require. The filter code is also specified within the documentation.
Documentation can be found here: https://technet.microsoft.com/en-us/library/ee617192.aspx
Hope this helps (I'm not 100% sure if this is what you are looking for... The more details in your question the better)!

netusergetinfo return 2221

netusergetinfo is returning 2221 error code for a valid user. What is the reason? It is because of some security setting on active directory but I am not aware of it.
Probably you have the same problem as described here Get current user's last logon.
One possible reason is that you don't use UNICODE format for the user name.
Another problem arises if you try to ask for the name of a domain user. In this case you should not use the form
nStatus = NetUserGetInfo (NULL, L"Domain\\TestUser", dwLevel, (LPBYTE *) & pBuf);
but use as the first parameter the name of a domain controller from a domain which has trust to domain "Domain". You can use DsGetDcName or NetGetAnyDCName or NetGetDCName to get this name.
To answer your question exactly you should post the corresponding source code and briefly describe your domain environment, the role of the computer and the current user under which the current process is running.
API: NetUserSetInfo / netusergetinfo
Error Code: 2221
Reason: The Username you are trying to update is not present in the system.
For reference: https://learn.microsoft.com/en-us/windows/win32/netmgmt/network-management-error-codes

Get short user name from full name

Anyone know how to get a user's short user name, eg. "johnsmith", given their full name, eg. "John Smith"?
Note I'm interested in any user, not the current user, so functions like NSUserName are irrelevant.
Why? I am authenticating a username and password using Authorization Services. This allows people to enter either their short name or their full name, which is nice, but I then need to know who they've actually logged in as (ie. short user name and/or user id).
Nasty hacks like [NSHomeDirectoryForUser(username) lastPathComponent] don't work consistently.
You need to use the Collaboration Framework :).
Link this framework to your project, and then you just need to do the following:
CBIdentity* identity = [CBIdentity identityWithName:@"John Smith" authority:[CBIdentityAuthority localIdentityAuthority]];
NSLog(@"Posix name: %@", [identity posixName]);
And voilà!
EDIT: If you need to find only users that are bound on the network, you need to use +managedIdentityAuthority instead of +localIdentityAuthority.
And if you need to find both local users AND network users, use +defaultIdentityAuthority.
