[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 532
  • Last Modified:

How to retrieve default names of accounts/groups with well-known SIDs?

Hi everybody,

today I stumbled across an interesting question. I couldn't answer it myself or find the solution with google and the EE search, so I decided to post my question:

Is it possible to retrieve the localized default names for pre-created groups and accounts (which have well-known SIDs)?
For example, on a french machine, the administrator account is by default called "Administrateur". If I rename it to "Cantaloupe", I can still get that new name from the SID (as it is a well-known SID with the -500 at the end), but how could I get the original name that Windows assigned during the installation? The same question applies to user groups with well-known SIDs, as the administrators group for example.

Any ideas are greatly welcome :)
0
Andre_Tertling
Asked:
Andre_Tertling
  • 3
  • 3
  • 2
  • +1
1 Solution
 
mdiglioCommented:
Hello,
This has a list of sids and their corresponding names, it includes users and groups:

Well-known security identifiers in Windows operating systems
http://support.microsoft.com/kb/243330
0
 
McKnifeCommented:
This could be it: http://www.jsifaq.com/subB/tip0500/rh0519.htm
XP SP2 will restrict anonymous logins, sid2user will not work. On 2000, it works.
0
 
Andre_TertlingAuthor Commented:
Hi,

obviously, I wasn't clear enough. I can lookup the current account name without a problem, and I already have the list of well-known SIDs. What I want is to retrieve the ORIGINAL name for a given well-known SID, even AFTER it has been renamed.
For example, the original account name for the SID S-1-5-<domain>-500 is "Administrator" on an english system, and "Administrateur" on a french system. If someone renames the admin account to "Larry", my "function" should still be able to return "Administrator". Due to the localized names, it is no good idea to just have a array of names and languages. So is there a way to determine these original names programmatically? A pointer to a resource in some file in Windows will do fine.
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 
mdiglioCommented:
The closest I can come is a program where you input the name and you will get the sid ( what McKnife said )

e.g. "Larry" which use to be administrator,and this program will give you the sid...SID S-1-5-<domain>-500

The only way to make it give you the original name is to have a text file which contains a list and then programatically search the list.
This list will basically be the same as the link in my first post, except we would haev to find the French names to go along w/ the English ones
Which we can do if this is on the right track.

Other than that I do not know of a way to automatically get the original Name
0
 
McKnifeCommented:
Oh well, I got you right. With the help of sid2user, you can get any account name one by one using a batch.
0
 
Andre_TertlingAuthor Commented:
McKnife:
sid2user will return the *current* name of the account, right? I am looking for the *original* one, before it got changed.

mdiglio:
Creating a list of names is suitable as long as only a small number of different languages is affected. I am looking for an approach that works independent of the system language, maybe even on a japanese system :)
0
 
mdiglioCommented:
I don't know if there is a way to do what you want, this is the closest I can get

(This script will give you the sid and then you'll have to look up  the name
This is the part where I said we could have it look through a list of names)

Copy and paste the code below into notepad and save it with a .vbs extension
This can also go into a vb6 project if you have Visual Basic
We can hard code the strComputer and strName if you would like


'Begin Copy
'to only look at your local machine enter the name of your local machine when prompted
'to enumerate your domain enter the domain name here when prompted

strComputer = InputBox("Enter the Name of your Computer, or domain name", "Computer Name")

'strName is the name to search for, it can be a User or Group
strName = InputBox("Enter the Name of the account, User or Group to find their SID","User or Group Name")

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
("Select name, sid from Win32_Account where name = '" & strName & "' and  domain =  '" & strComputer & "'", , 48)
For Each objItem In colItems

msgbox objItem.SID

Next

'End Copy
0
 
Andre_TertlingAuthor Commented:
I eventually found out that samsrv.dll contains all the strings I'm looking for. Thanks though.
0
 
GranModCommented:
Closed, 500 points refunded.

GranMod
The Experts Exchange
Community Support Moderator of all Ages
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 3
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now