Need to find SID for old account

Posted on 2005-04-18
Last Modified: 2012-06-27
We had an administrator account on our Windows 2000 server which was deleted. I've been told that the SID for this account should still be on the computer somewhere, but I don't know where to look.

Is it still on the computer and if so, how do I find it.

Question by:nathankaa
    LVL 16

    Expert Comment

    Here is a script that will tell you the sid of the admin account
    Copy and paste the code below into a notepad file and save it with a .vbs extension
    From your profile it looks like you are familiar with vb but here is a brief description for you:
    This script is going to grab the SID of the guest account which always ends in 501.
    It will then change it to end in 500 which is always the administrator account

    Then ( just in case ) it is going to check to see if by some chance someone has renamed the administrator account.
    You will see 2 message boxes as output.
    It will also create a file called AdminSid.txt on the root of your C drive with the info

    Let us know how it goes and if it errors out on anything

    Is this in a domain ?
    If so is this a DC or just a member server ?

    LVL 16

    Expert Comment

    '!!Begin Copy
    Const ForAppending = 8
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select sid from Win32_UserAccount where name = 'guest'", , 48)

    For Each objItem In colItems
        SLen = Len(objItem.SID)
        SADmin = Left(objItem.SID, (SLen - 1)) & 0
        MsgBox SADmin

    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select name, fullname from Win32_UserAccount where sid ='" & SADmin & "' ", , 48)

    For Each objItem In colItems
       sName = objItem.Name
       MsgBox "Name of Admin account is: " & objItem.Name

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile _
        ("C:\AdminSid.txt", ForAppending, True)

    objTextFile.WriteLine "Sid of Admin Acct is " & SADmin
    objTextFile.WriteLine "Name of Admin account is: " & sName
    '!!End Copy

    Author Comment

    It is a Domain Controller.

    Author Comment

    Just to clarify, the account was not the actual administrator accout, it was an account the had administrative rights. Sorry about that.

    It was deleted and we are trying to see if we can find the SID for it.

    LVL 16

    Expert Comment

    OK How about this:

    Viewing deleted objects in Active Directory;EN-US;258310

    it uses the ldp.exe tool which if its not already installed I think it is part of the support tools in the support\tools folder of your Windows CD

    or here you can get it here:
    Windows XP Service Pack 2 Support Tools
    LVL 82

    Accepted Solution

    On a machine that this account has logged on at least once, open regedit and go to
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
    In there, you'll find a number of keys with SIDs as names; one of those SIDs is the one you're looking for. Those keys will have a value "ProfileImagePath", pointing to the user's profile. Look at this path to determine the key that belonged to the account you're looking for.
    LVL 30

    Expert Comment

    by:Wayne Barron
    No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
    I will leave the following recommendation for this question in the Cleanup topic area:
    [Accept: oBdA]

    Any objections should be posted here in the next 4 days. After that time, the question will be closed.

    EE Cleanup Volunteer

    Featured Post

    Enabling OSINT in Activity Based Intelligence

    Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

    Join & Write a Comment

    NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
    Synchronize a new Active Directory domain with an existing Office 365 tenant
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
    Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

    755 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now