@bill-long
Last active April 29, 2021 15:24
<#
.SYNOPSIS
    Searches the forest for a SID match in objectSid, sidHistory, or msExchMasterAccountSid.
.EXAMPLE
    PS C:\> .\Find-Sid.ps1 -Sid "S-1-5-21-408950988-2208783158-1246939005-2158"
    Shows all objects matching the specified SID.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
    [string]
    $Sid
)

process {
    # Convert the SID string to its binary form. The constructor throws on a
    # malformed SID, so invalid input never reaches the LDAP filter.
    $securityIdentifier = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $bytes = New-Object byte[] $securityIdentifier.BinaryLength
    $securityIdentifier.GetBinaryForm($bytes, 0)

    # Encode every byte as \XX, the escaped hex form an LDAP filter uses for binary values.
    $byteString = ""
    foreach ($byte in $bytes) {
        $byteString += "\" + $byte.ToString("X2")
    }

    # Query a global catalog so that objects from every domain in the forest are covered.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gc = $forest.FindGlobalCatalog()
    $searcher = $gc.GetDirectorySearcher()
    $searcher.Filter = "(|(objectSid=$byteString)(sidHistory=$byteString)(msExchMasterAccountSid=$byteString))"
    $results = $searcher.FindAll()

    try {
        foreach ($result in $results) {
            $dn = $result.Properties["distinguishedName"][0].ToString()

            # Re-query only the matched object (Base scope), one attribute at a time,
            # to report which attribute actually holds the SID.
            $searcher.SearchRoot = $result.GetDirectoryEntry()
            $searcher.SearchScope = "Base"

            $searcher.Filter = "(objectSid=$byteString)"
            $objectSidMatch = ($null -ne $searcher.FindOne())

            $searcher.Filter = "(sidHistory=$byteString)"
            $sidHistoryMatch = ($null -ne $searcher.FindOne())

            $searcher.Filter = "(msExchMasterAccountSid=$byteString)"
            $masterAccountSidMatch = ($null -ne $searcher.FindOne())

            [PSCustomObject]@{
                DistinguishedName     = $dn
                ObjectSidMatch        = $objectSidMatch
                SidHistoryMatch       = $sidHistoryMatch
                MasterAccountSidMatch = $masterAccountSidMatch
            }
        }
    }
    finally {
        # SearchResultCollection holds unmanaged resources that garbage collection does not release.
        $results.Dispose()
        $searcher.Dispose()
    }
}