Get the members of a local security group

Extract the SIDs of Azure AD objects that are members of local Windows groups.


I recently had to restore the local Administrators group on our devices back to its default membership. It turns out that getting the SIDs and group names of members that come from Azure AD isn't as simple as it probably could (should?) be.

Getting the members of a local security group should be easy, right? Just run:

net localgroup Administrators

Unfortunately, on Windows devices that are Azure AD joined (not hybrid joined), this won't list the members that exist only as a SID, which is exactly how groups and roles coming from Azure AD show up.

Looking in the Local Users and Groups snap-in (lusrmgr.msc), the Azure AD members are present, but they are listed only as bare SIDs rather than as names:

How do we extract these SIDs? We don't want to type them into an Intune policy by hand; it would be much easier if we could simply copy and paste them.

Doing some searching, I came across the solution in Any (documented) ADSI changes in PowerShell 5.0? | >_ (wordpress.com):

@(
    # Bind to the local Administrators group through the WinNT ADSI provider and enumerate its members.
    ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') |
    ForEach-Object {
        # Each member is a raw COM object, so its AdsPath has to be read via reflection.
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    }
) -match '^WinNT'

Running this returns the ADSI path of every member (every path starts with WinNT://, so the -match filter keeps all of them). Local and domain accounts appear by name, while the Azure AD entries appear only as a SID, similar to the following:

WinNT://S-1-12-1-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx
WinNT://S-1-12-1-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx

These are the SIDs of the Azure AD groups and roles. S-1-12-1 is the SID authority Windows uses for Azure AD identities, and the four trailing sub-authorities encode the Azure AD object ID (a GUID), so a SID can be mapped back to the object it represents if you need to confirm which group or role it is.
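The same enumeration as a reusable PowerShell function, written as an added example for this post (it is not the original author's script, nor the wordpress.com one). It keeps the ADSI approach, tags the members whose path is an S-1-12-1 SID as Azure AD principals, and reassembles the Azure AD object ID from the SID's four sub-authorities using the usual little-endian UInt32 reconstruction. The function names, parameter names and the sample SID are mine; it assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows device and an elevated session. The built-in Get-LocalGroupMember cmdlet is also known to error out ("Failed to compare two elements in the array") on Azure AD joined devices because of these unresolvable members, which is what makes ADSI the practical route.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1+ on
# an Azure AD joined device, run elevated. Function and parameter names are my own.

function Convert-AzureAdSidToObjectId {
    # An Azure AD SID is the object's GUID split into four little-endian UInt32
    # sub-authorities: S-1-12-1-<d1>-<d2>-<d3>-<d4>. Put the 16 bytes back together.
    param([Parameter(Mandatory)][string]$Sid)

    if ($Sid -notmatch '^S-1-12-1-\d+-\d+-\d+-\d+$') {
        throw "Not an Azure AD SID: $Sid"
    }
    $parts = $Sid -split '-'
    $bytes = [byte[]]::new(16)
    for ($i = 0; $i -lt 4; $i++) {
        [BitConverter]::GetBytes([uint32]$parts[4 + $i]).CopyTo($bytes, $i * 4)
    }
    [guid]::new($bytes)
}

function Get-LocalGroupMemberAdsi {
    # Enumerate a local group via the WinNT ADSI provider, which (unlike net localgroup)
    # still returns members that are only known by SID.
    [CmdletBinding()]
    param(
        [string]$GroupName    = 'Administrators',
        [string]$ComputerName = '.'
    )

    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"

    foreach ($member in $group.psbase.Invoke('Members')) {
        # Members are raw COM objects; reflection is the only way to read their properties.
        $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $name    = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # Azure AD principals show up as a bare SID under the S-1-12-1 authority, e.g.
        # WinNT://S-1-12-1-1111111111-2222222222-3333333333-4444444444 (constructed sample).
        $isAzureAd = $adsPath -match '^WinNT://(S-1-12-1-\d+-\d+-\d+-\d+)$'
        $sid = if ($isAzureAd) { $Matches[1] } else { $null }

        [pscustomobject]@{
            Name      = $name
            Class     = $class      # 'User' or 'Group'
            AdsPath   = $adsPath
            IsAzureAD = $isAzureAd
            Sid       = $sid
            ObjectId  = if ($sid) { Convert-AzureAdSidToObjectId -Sid $sid } else { $null }
        }
    }
}

# Usage: list only the Azure AD members of the local Administrators group,
# with the object IDs you can look up in the Azure AD portal or Graph.
Get-LocalGroupMemberAdsi -GroupName 'Administrators' |
    Where-Object IsAzureAD |
    Select-Object Sid, ObjectId
```

Filtering on the S-1-12-1 prefix rather than on '^WinNT' is what actually separates the Azure AD entries from local and domain accounts; the ObjectId column is what lets you confirm in the portal which role or group each SID belongs to before you put it into a policy.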

By running this on a known-good machine, I was able to extract the SIDs and apply them to an Intune policy to redeploy them to all devices.