Unknown SID in the Administrators group

Recently I was working on an Azure AD joined devices project where a security audit flagged a “security issue” caused by “unknown” members of the Local Administrators group on all Azure AD joined devices.

The issue arises because the object's name is not shown anywhere: when you open the Administrators group properties or run whoami /all from the command line, you only get a SID that is not resolved to any known object.

In this post I will try explaining how you can discover who those users are in an easy way.

As those machines are Azure AD joined, the 1st step in the “investigation” is to convert the SID to an Object ID (which is what Azure AD uses). At first you may think this is a difficult task; however, it is trivial and can be achieved with just a couple of lines of PowerShell, as in my example below:

$SID = 'S-1-12-1-1934170543-1079698928-1100291729-732628452'

# Each of the four sub-authorities is a little-endian 32-bit value; concatenating their bytes gives the object ID ([uint32] avoids an overflow when a sub-authority exceeds 2^31-1)
([guid][byte[]]([uint32[]]$SID.Replace('S-1-12-1-', '').Split('-') | %{ [System.BitConverter]::GetBytes($_) })).Guid

After getting the Azure AD object ID, you need to discover which object in Azure AD corresponds to it. You may be eager to find out and will probably end up going to https://portal.azure.com and searching through all users and groups, but you will not find it. So the question remains: how do I know who the user is?

The answer is simple: use the Get-AzureADDirectoryRole PowerShell cmdlet from the AzureAD module.

Start by installing the module (if you do not have it installed). Just type Install-Module AzureAD and follow the instructions.

Once the module has been installed, connect to Azure AD using the Connect-AzureAD cmdlet and enter your credentials.

Finally, run Get-AzureADDirectoryRole and look for the role whose ObjectId matches the object ID you converted from the SID.

In my environment, these 2 SIDs resolve to the Company Administrator and Device Administrators roles. However, what are those? I cannot find them under Roles and administrators in Azure AD.

The answer to this question can be found in the documentation: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

“In the Microsoft Graph API and Azure AD PowerShell, this role is identified as “Company Administrator”. It is “Global Administrator” in the Azure portal.”

And what about Device Administrators? On the same page you get: “Users assigned to this role are added to the local administrators group on Azure AD-joined devices.”
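To put the two steps above (SID to object ID, then a lookup in Azure AD) into one reusable script, here is an added example that is not part of the original post. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; Resolve-AzureAdSid is a hypothetical helper name, and it also falls back to Get-AzureADObjectByObjectId so that SIDs belonging to users or groups, not only directory roles, are resolved.

```powershell
# Added example (not from the original post). Assumes the AzureAD module is
# installed and Connect-AzureAD has already been run in this session.
function ConvertFrom-AzureAdSid {
    param([Parameter(Mandatory)][string]$Sid)
    # Azure AD SIDs use the S-1-12-1 authority and carry the object ID as four
    # 32-bit sub-authorities, each stored little-endian; reverse that packing.
    if ($Sid -notmatch '^S-1-12-1-\d+-\d+-\d+-\d+$') {
        throw "'$Sid' is not an Azure AD (S-1-12-1) SID"
    }
    # [uint32] rather than [int]: a sub-authority above 2^31-1 fails an [int] cast.
    $parts = [uint32[]]($Sid.Substring('S-1-12-1-'.Length).Split('-'))
    $bytes = $parts | ForEach-Object { [System.BitConverter]::GetBytes($_) }
    ([guid][byte[]]$bytes).Guid
}

function Resolve-AzureAdSid {
    param([Parameter(Mandatory)][string[]]$Sid)
    # Directory roles (e.g. Company Administrator, Device Administrators) are not
    # found by the portal's user/group search, so check them first.
    $roles = Get-AzureADDirectoryRole
    foreach ($s in $Sid) {
        $objectId = ConvertFrom-AzureAdSid -Sid $s
        $role = $roles | Where-Object { $_.ObjectId -eq $objectId }
        if ($role) {
            [pscustomobject]@{ Sid = $s; ObjectId = $objectId; Type = 'DirectoryRole'; Name = $role.DisplayName }
            continue
        }
        # Otherwise the SID belongs to a user, group or service principal.
        $obj = Get-AzureADObjectByObjectId -ObjectIds $objectId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Sid      = $s
            ObjectId = $objectId
            Type     = if ($obj) { $obj.ObjectType } else { 'NotFound' }
            Name     = if ($obj) { $obj.DisplayName } else { $null }
        }
    }
}

# Resolve the SID quoted in the post; to audit a device, feed it the S-1-12-1-*
# members of the local Administrators group instead (e.g. from Get-LocalGroupMember).
Resolve-AzureAdSid -Sid 'S-1-12-1-1934170543-1079698928-1100291729-732628452' | Format-Table
```

A result of type DirectoryRole with no matching entry under Roles and administrators in the portal is exactly the Company Administrator / Device Administrators case the post describes; a NotFound result usually means the object was deleted from the tenant.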

Article originally published on LinkedIn.

One thought on “Unknown SID in the Administrators group”
  1. The big question is WHY does it list these accounts/groups as unknown SID.

    I have a situation where I know for sure my DNS/AD is not corrupt, since the majority of systems function 100% ok.
    The symptom is I have some computers where GROUPS do not get resolved properly; the USERS do, even though they also show a partially resolved name. But the users show the account name and a SID; the GROUPS only show a SID.
    The effect it has on the machine is that certain policies do not get applied.
    All RPC etc. communication is in order; all port checks, LDAP queries etc. all function fine, yet whoami /groups, or the user/group management console on the client, show unresolved/unknown SID type for domain users and mostly domain Groups.

    Anyone a clue on what’s going on here?
