Get-adgroup -filter "SID-like" * -512 '"

Question

Get-adgroup -filter "SID-like" * -512 '"

I wanted to figure out how to use -filter

to get what I want. What I am trying to do is find the group by Domain Admins

operator -like

*-512

for the SID property using the following:

get-adgroup -filter "SID -like '*-512'"

It works if I put the actual SID

get-adgroup -filter "SID -eq 'S-1-5-21domain-512'"

I know it will work this way

get-adgroup -filter * | ? {$_.SID -like '*-512'}

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

+3

filter powershell sid

tony unger 21 jul. 17 at 18:22

source to share

1 answer

Mathias R. Jessen · Accepted Answer · 2017-07-21T22:59:21+0000

As BenH comments , you cannot partially filter SIDs in LDAP queries, due to the SID values being stored in the directory. The SID string you see is the SDDL representation of the underlying byte array.

My guess is that your motivation for trying to match wildcards to a well-known RID is that you don't know the domain SID in advance. You can easily get this with the cmdlet Get-ADDomain

:

$DomainSID = (Get-ADDomain).DomainSID
$DomainAdminsSid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,$DomainSID)

Get-ADGroup -Filter {SID -eq $DomainAdminsSid}

Get-adgroup -filter "SID-like" * -512 '"

More articles: