Identifying Name of Local Administrator Account

by Dec 24, 2020

Occasionally, PowerShell scripts need to access or use the built-in Administrator account or the built-in Administrators group. Unfortunately, their names are localized, so their names can change based on the language of your Windows operating system.

They do use constant (well-known) SIDs (security identifiers), though. By using the SID, you can get the name. For the local Administrator group, this is trivial because here the SID is always known: S-1-5-32-544. With a one-liner, the SID can be translated. This is the result taken from a German system:

PS> ([Security.Principal.SecurityIdentifier]'S-1-5-32-544').Translate([System.Security.Principal.NTAccount]).Value

With accounts like the built-in Administrator, it’s not as simple as that. Here, only the RID (relative identifier) is known: -500.

With a simple WMI query, you get the account that matches your filter:

PS> Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE and SID like 'S-1-5-%-500'"

Name          Caption                AccountType SID                                           Domain  
----          -------                ----------- ---                                           ------  
Administrator DELL7390\Administrator 512         S-1-5-21-2770831484-2260150476-2133527644-500 DELL7390 

Twitter This Tip! ReTweet this Tip!