PowerShell Get-ADGroup SID

The Bulk-Replace Macro & Decoding the SID Matrix | LazyAdminBlog.com


Why manually edit 1,000 rows when a 10-line script can do it for you?

As an admin, you’re constantly dealing with data. Sometimes it’s a list of server names in Excel that need updating, and other times it’s a cryptic string of numbers in a security log. Today, we’re tackling both.


1. Excel Bulk-Replace: The “Set and Forget” Macro

We’ve all been there: You have a list of old server names and a list of new ones. Running Ctrl+H fifty times is not the “Lazy Admin” way. Instead, use this VBA macro to map an entire range of changes in one go.

How to use it:

  1. Open your Excel sheet and hit Alt + F11 to open the VBA Editor.
  2. Go to Insert > Module and paste the code below.
  3. Hit F5 to run.
  4. Select the Original Range: The data you want to change.
  5. Select the Replace Range: A two-column list where Column A is the “Find” and Column B is the “Replace.”
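VBA
Sub MultiFindNReplace()
    ' The Lazy Admin's Bulk Tool
    Dim Rng As Range
    Dim InputRng As Range, ReplaceRng As Range
    Dim xTitleId As String
    xTitleId = "LazyAdminReplace"
    Set InputRng = Application.Selection
    ' Type:=8 makes InputBox return a Range; pressing Cancel makes the Set fail, so exit quietly
    On Error Resume Next
    Set InputRng = Application.InputBox("Range to search in:", xTitleId, InputRng.Address, Type:=8)
    If Err.Number <> 0 Then Exit Sub
    Set ReplaceRng = Application.InputBox("Mapping Range (Col A: Old, Col B: New):", xTitleId, Type:=8)
    If Err.Number <> 0 Then Exit Sub
    On Error GoTo 0
    Application.ScreenUpdating = False
    ' Column A of the mapping holds the value to find, Column B the replacement
    For Each Rng In ReplaceRng.Columns(1).Cells
        ' Skip blank mapping rows so empty cells in the search range are left alone
        If Not IsEmpty(Rng.Value) Then
            InputRng.Replace what:=Rng.Value, replacement:=Rng.Offset(0, 1).Value, Lookat:=xlWhole
        End If
    Next
    Application.ScreenUpdating = True
End Sub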

2. Decoding the SID: Who is ‘S-1-5-21…’?

When you see a SID (Security Identifier) in a log, it’s not just a random string. It’s a structured ID that tells you exactly where that user came from.

The Anatomy of a SID:

  • S: Identifies this as a SID.
  • 1: The revision number (still at revision 1).
  • 5: The Identifier Authority. ‘5’ means NT Authority (Standard Windows accounts).
  • 21: Specifies that the following sub-authorities identify a Domain or Local Machine.
  • 1000+: The RID (Relative Identifier). Any user-created object starts at 1000. 500 is always the built-in Administrator.
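
The breakdown above as a small parser, so a SID copied out of a log can be split into its fields without querying anything. This is an added example, not code from the original post: the function name ConvertFrom-SidString and the sample domain values are made up, and it assumes the usual layout of three domain/machine sub-authorities between the 21 and the RID.

```powershell
function ConvertFrom-SidString {
    param([Parameter(Mandatory)][string]$Sid)

    # Layout: S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
    if ($Sid -notmatch '^S-(\d+)-(\d+)((?:-\d+)+)$') {
        throw "Not a well-formed SID string: $Sid"
    }
    $revision  = [int]$Matches[1]
    $authority = [long]$Matches[2]
    $subs      = @($Matches[3].TrimStart('-').Split('-') | ForEach-Object { [long]$_ })

    $domainSid = $null
    $rid       = $null
    $kind      = 'Not an S-1-5-21 SID (well-known or other authority)'
    if ($authority -eq 5 -and $subs[0] -eq 21) {
        if ($subs.Count -ge 5) {
            # Assumed layout: 21, three domain/machine values, then the RID
            $rid       = $subs[-1]
            $domainSid = 'S-{0}-{1}-{2}' -f $revision, $authority, ($subs[0..($subs.Count - 2)] -join '-')
            if     ($rid -eq 500)  { $kind = 'Built-in Administrator' }
            elseif ($rid -ge 1000) { $kind = 'User-created object' }
            else                   { $kind = 'Built-in or reserved RID (below 1000)' }
        } elseif ($subs.Count -eq 4) {
            # No trailing RID: this is the domain or machine identifier itself
            $domainSid = $Sid
            $kind      = 'Domain or local machine identifier (no RID)'
        } else {
            $kind = 'Truncated S-1-5-21 SID'
        }
    }
    [pscustomobject]@{
        Sid = $Sid; Revision = $revision; Authority = $authority
        DomainSid = $domainSid; Rid = $rid; Kind = $kind
    }
}

# Constructed sample SIDs (domain values are made up); S-1-5-32-544 is the one used in this post
$samples = 'S-1-5-21-1111111111-2222222222-3333333333-500',
           'S-1-5-21-1111111111-2222222222-3333333333-1104',
           'S-1-5-21-1111111111-2222222222-3333333333',
           'S-1-5-32-544'
$samples | ForEach-Object { ConvertFrom-SidString $_ } | Format-Table Rid, Kind, DomainSid -AutoSize
```

Two accounts that share the same DomainSid value were issued by the same domain or machine, which is a quick way to spot a local account among domain ones in a log.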

Quick Lookup Commands:

Need to find the name behind a SID right now? Use these:

Command Prompt (WMIC):

wmic useraccount where sid='S-1-5-21-xxxx' get name

PowerShell (AD Module):

Get-ADGroup -Identity S-1-5-32-544

(This specific one is the local Administrators group!)


🛡️ Lazy Admin Verdict:

Keep a “Mapping Table” in a separate Excel tab for all your bulk naming changes. Use the macro to apply them to your master inventory. For SIDs, memorize the “5-21” part—it’s the most common string you’ll see in enterprise environments.