Enumerating the logged on user when running as system with Azure AD/Entra joined devices

Sometimes when running scripts in the system context with Intune we need to query the local user, whether that is their registry hive or their area of the local drive. Requirement scripts and detection scripts, where you can't switch to running as the current user, are a good example.

Using the environment variables won't work at the system level, as they will just return the SYSTEM account. We also can't use the traditional Get-LocalUser command, because an Entra ID user is not a local account on the machine.

To make things easier, I’ve written a PowerShell function which will grab both the username and the SID of the logged in user for you to populate.

You can grab it from GitHub at the link below, or copy it from the listing that follows:

https://github.com/andrew-s-taylor/public/blob/main/Powershell%20Scripts/Intune/function-getloggedindetails.ps1

function getloggedindetails() {
    <#
    .SYNOPSIS
    This function is used to find the logged in user SID and username when running as System
    .DESCRIPTION
    This function is used to find the logged in user SID and username when running as System
    .EXAMPLE
    getloggedindetails
    Returns the SID and Username in an array
    .NOTES
    NAME: getloggedindetails
    Written by: Andrew Taylor (https://andrewstaylor.com)
    #>
    ##Find logged in username: the owner of explorer.exe is the interactively logged-on user
    $user = Get-WmiObject Win32_Process -Filter "Name='explorer.exe'" |
        ForEach-Object { $_.GetOwner() } |
        Select-Object -Unique -ExpandProperty User

    ##Find logged in user's SID
    ##Loop through the registry ProfileList until a ProfileImagePath ends with the username,
    ##then return that key's name, which is the user's SID
    $path = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*"
    $sid = (Get-ItemProperty -Path $path | Where-Object { $_.ProfileImagePath -like "*$user" }).PSChildName

    ##Return a two-element array: [0] is the SID, [1] is the username
    $return = $sid, $user
    return $return
}

Usage is like this:

$loggedinuser = getloggedindetails
$sid = $loggedinuser[0]
$user = $loggedinuser[1]

Remember, when accessing the user's hive, to go through the Registry:: provider path, because no HKU: drive exists by default in PowerShell:

$Path = "Registry::HKU\$sid\SOFTWARE\7-Zip"
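As an added example (not Andrew's code from the post), the same lookup written so that it only considers hives that are actually loaded under HKEY_USERS: a user whose hive is loaded is logged on right now, which avoids picking a stale or similarly named ProfileList entry. It assumes that user SIDs match the S-1-5-21 (local/AD) or S-1-12-1 (Entra ID) prefixes and that each loaded hive carries a Volatile Environment key with a USERNAME value; the Get-LoggedOnUserSid function name and the detection-style exit codes are mine.

```powershell
function Get-LoggedOnUserSid {
    # Interactive users own explorer.exe. Get-CimInstance + Invoke-CimMethod is the
    # supported replacement for the deprecated Get-WmiObject + GetOwner() pair.
    $owners = Get-CimInstance -ClassName Win32_Process -Filter "Name='explorer.exe'" |
        ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName GetOwner } |
        Where-Object { $_.ReturnValue -eq 0 -and $_.User } |
        Select-Object -Property Domain, User -Unique

    # Only hives of users who are logged on right now are loaded under HKEY_USERS, and each
    # carries a Volatile Environment key naming the user. A stale ProfileList entry (migrated
    # device, firstname.surname.001, ...) therefore cannot be chosen by mistake.
    # Assumption: user SIDs look like S-1-5-21-... (local/AD) or S-1-12-1-... (Entra ID);
    # the regex also drops the *_Classes keys and well-known SIDs such as S-1-5-18.
    $loadedHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object {
            $vol = Get-ItemProperty -Path "Registry::HKEY_USERS\$($_.PSChildName)\Volatile Environment" -ErrorAction SilentlyContinue
            if ($vol) { [pscustomobject]@{ Sid = $_.PSChildName; UserName = $vol.USERNAME; Domain = $vol.USERDOMAIN } }
        }

    # Pair each explorer.exe owner with its loaded hive; exact match on the username, not -like
    foreach ($owner in $owners) {
        $hive = $loadedHives | Where-Object { $_.UserName -eq $owner.User } | Select-Object -First 1
        if ($hive) {
            [pscustomobject]@{ Domain = $owner.Domain; User = $owner.User; Sid = $hive.Sid }
        }
    }
}

# Detection-script style usage: fail closed unless exactly one interactive user is present,
# so a shared device with two sessions never gets the wrong hive checked.
$sessions = @(Get-LoggedOnUserSid)
if ($sessions.Count -ne 1) {
    Write-Output "Expected exactly one logged-on user, found $($sessions.Count)"
    exit 1
}
$sid  = $sessions[0].Sid
$Path = "Registry::HKU\$sid\SOFTWARE\7-Zip"
if (Test-Path -Path $Path) {
    Write-Output "7-Zip key found for $($sessions[0].User) ($sid)"
    exit 0
}
exit 1
```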

Hopefully you find this useful!

8 thoughts on “Enumerating the logged on user when running as system with Azure AD/Entra joined devices”

  1. Hello there, just stumbled across this as I was trying to get the SID for a user on an intune device, and the previous AD specific code wasn’t working.

    Just to add that sometimes you'll find users with a slightly different profile path for various reasons. For example, if it would usually be "firstname.surname", you may find instead it's "firstname.surname.domain" if the user has changed domains, or it could be firstname.surname.001 or .002 etc. if there have been issues with the profile folder getting corrupted in the past or whatever, in which case your code wouldn't find the folder.

    Anyway, TLDR for these cases you could try:
    $sid = (Get-ItemProperty -Path $path | Where-Object { $_.ProfileImagePath -like "*$user*" }).PSChildName

    or:
    $sid = (Get-ItemProperty -Path $path | Where-Object { $_.ProfileImagePath -match "$user" }).PSChildName

  2. Hi, Andrew! I like the script. I was excited to replace some code that has been working inconsistently for me.
    But I tested this out on a device that had been migrated previously and found that it might grab the old user/sid in the registry.
    So, I tested it with another line of code I had found before:
    [System.Security.Principal.WindowsIdentity]::GetCurrent() | Select-Object User
    With this I could get the user (Name) and SID (User) from the returned object.
    That’s just my 2 cents! It works great if there aren’t other similarly named profiles.

  3. Hi Andrew, really great snippet, thanks.
    Just a quick hint so as not to confuse others 😉

    Usage is like this:
    $loggedinuser = getloggedindetails
    $sid = $loggedinuser[0]
    $user = $loggedinuser[1]

    Not as mistakenly malformatted in your post (without line breaks 😉 )
    ($loggedinuser = getloggedindetails$sid = $loggedinuser[0]$user = $loggedinuser[1])
