How to extract security identifier from member attribute of a group?


Suppose we have an AD Group with some members as foreign security principals. The format of the values in the member attribute in that case is as follows:

CN=S-1-5-21-XXXX-XXXXXXXX-XXXXXXXXX-XXXX,CN=ForeignSecurityPrincipals,DC=dmc,DC=001,DC=net

We have a translate command to trace the member using the SID (S-1-5-21-XXXX-XXXXXXXX-XXXXXXXXX-XXXX):

([System.Security.Principal.SecurityIdentifier] $SID).Translate([System.Security.Principal.NTAccount]).value

Is there a way in PowerShell to extract the SID from the member attribute?


There are 2 best solutions below

0
boxdog On BEST ANSWER

You can use regular expressions. Something like this should work:

$targetString = 'CN=S-1-5-21-2440625168-151597401-477403795-1001,CN=ForeignSecurityPrincipals,DC=dmc,DC=001,DC=net'

$regEx = '(?<SID>S-\d-\d+-(\d+-){1,14}\d+)'

if($targetString -match $regEx) {
    ([System.Security.Principal.SecurityIdentifier] $Matches.SID).Translate([System.Security.Principal.NTAccount]).value
}
0
Vincent On

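Easiest will be to use the Substring function:

$CN = 'CN=S-1-5-21-2440625168-151597401-477403795-1001,CN=ForeignSecurityPrincipals,DC=dmc,DC=001,DC=net'

# Skip the leading 'CN=' and stop at the first comma; SIDs vary in length,
# so the count is computed instead of hard-coded (a fixed 45 would include the comma).
$SID = $CN.Substring(3, $CN.IndexOf(',') - 3)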

([System.Security.Principal.SecurityIdentifier] $SID).Translate([System.Security.Principal.NTAccount]).value
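
Both answers handle a single string. As an added example (not code from either answer), the function below runs over every value of a member attribute, skips entries that are not foreign security principals, and reports SIDs that no longer translate instead of throwing. The name Resolve-FspMember and the sample DNs are constructed for illustration.

```powershell
# Added example; Resolve-FspMember is a hypothetical helper name.
function Resolve-FspMember {
    param([Parameter(Mandatory, ValueFromPipeline)][string] $DistinguishedName)
    process {
        $result = [pscustomobject]@{
            DistinguishedName = $DistinguishedName
            Sid               = $null
            Account           = $null
            Status            = 'NotForeignSecurityPrincipal'
        }
        # Anchor on the leading RDN and the FSP container so ordinary
        # members (users, groups, contacts) are skipped, not mis-parsed.
        $pattern = '^CN=(?<SID>S-1-\d+(-\d+){1,15}),CN=ForeignSecurityPrincipals,'
        if ($DistinguishedName -match $pattern) {
            try {
                # The constructor validates the string form of the SID.
                $sid = [System.Security.Principal.SecurityIdentifier]::new($Matches.SID)
                $result.Sid = $sid.Value
                $result.Account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $result.Status = 'Resolved'
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                # SID is well-formed but no account maps to it, e.g. the
                # trust is gone or the source account was deleted.
                $result.Status = 'Unresolved'
            }
            catch {
                $result.Status = "Error: $($_.Exception.Message)"
            }
        }
        $result
    }
}

# Constructed sample values standing in for a group's member attribute.
$members = @(
    'CN=S-1-5-21-2440625168-151597401-477403795-1001,CN=ForeignSecurityPrincipals,DC=dmc,DC=001,DC=net'
    'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=dmc,DC=001,DC=net'
    'CN=Some User,OU=Staff,DC=dmc,DC=001,DC=net'
)
$members | Resolve-FspMember | Format-Table Sid, Account, Status -AutoSize
```

Entries that come back as Unresolved are worth reviewing during group audits, since they are memberships held by a SID that can no longer be tied to a named account.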