diff --git a/Resolve SID in Event Logs.ps1 b/Resolve SID in Event Logs.ps1
new file mode 100644
index 0000000..85c66ac
--- /dev/null
+++ b/Resolve SID in Event Logs.ps1
@@ -0,0 +1,5 @@
+# When you have a security principal
+((Get-WinEvent -FilterHashtable @{LogName = 'System'; ID=1501} -MaxEvents 1).UserId).Translate([System.Security.Principal.NTAccount]).Value
+
+# When you have a SID as a string
+[System.Security.Principal.SecurityIdentifier]::new($sid).Translate([System.Security.Principal.NTAccount]).value
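Review bot: Both one-liners call `.Translate()` with no handling for the failure cases that come up most in log triage: on the second added line `.UserId` is null for events recorded without a user, and in both snippets `Translate` throws `IdentityNotMappedException` when the SID belongs to a deleted account or to a domain the analysis host cannot reach. An unresolved SID is itself worth keeping in the output, so I would fall back to the raw value after a null check on `$id`, e.g. `try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch [System.Security.Principal.IdentityNotMappedException] { $id.Value }`. The second snippet also relies on `$sid` being set by the caller; a comment such as `# $sid: SID string, e.g. copied from an event's properties` would make that explicit. Resolution appears to run against the machine executing the script, so local-account SIDs from another host's exported log may not resolve there.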