I also wrote a quick script to run through a list of hostnames. It can be found on my GitHub.
```
# From System (Needs to be on the network, or can use runas as domain user to spawn a CMD)
PS C:\> whoami
eric
PS C:\> hostname
VM-host1
PS C:\> reg query \\VM-host2\HKEY_USERS
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-<string>
HKEY_USERS\S-1-5-21-<string>
HKEY_USERS\S-1-5-18
# strSID is the SID found in the above
PS C:\> $strSID="S-1-5-21-<string>"
PS C:\> $uSid = [ADSI]"LDAP://<SID=$strSID>"
PS C:\> echo $uSid
distinguishedName : {CN=bob,OU=Technical User,OU=Managed,OU=Domain Users,DC=<domain>DC=<domainMore>}
Path              : LDAP://<SID=<SIDSTRING>>
# bob is logged into that machine
```
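From the defender's side, the remote `reg query` shown above reaches the target through the `winreg` named pipe on `IPC$`, which Security event 5145 records when Detailed File Share auditing is enabled. The following is an added example, not code from the original post or the author's script; the event records, addresses, allowlist and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed records shaped like Security event 5145 (Detailed File Share
# auditing). Hosts, users and addresses are invented for this example.
def _ev(computer, user, ip, target, share=r"\\*\IPC$"):
    return {"EventID": 5145, "Computer": computer, "SubjectUserName": user,
            "IpAddress": ip, "ShareName": share, "RelativeTargetName": target}

SAMPLE_EVENTS = [
    _ev("VM-host2", "eric", "10.0.0.11", "winreg"),
    _ev("VM-host3", "eric", "10.0.0.11", "winreg"),
    _ev("VM-host4", "eric", "10.0.0.11", "winreg"),
    _ev("VM-host2", "eric", "10.0.0.11", "winreg"),    # repeat query, same target
    _ev("VM-host2", "alice", "10.0.0.12", "winreg"),
    _ev("VM-host2", "alice", "10.0.0.12", "srvsvc"),   # other pipe, not registry
    _ev("VM-host3", "svc-inv", "10.0.0.5", "winreg"),  # allowlisted management host
]

ADMIN_SOURCES = {"10.0.0.5"}  # assumption: hosts expected to use remote registry
FANOUT_THRESHOLD = 3          # assumption: distinct targets that suggest a sweep

def is_remote_registry_access(ev):
    """True when the event is a network open of the winreg pipe on IPC$.
    The event shows the pipe only, not which hive or key was read."""
    return (ev.get("EventID") == 5145
            and ev.get("ShareName", "").upper().endswith("IPC$")
            and ev.get("RelativeTargetName", "").strip("\\").lower() == "winreg")

def detect(events, admin_sources=ADMIN_SOURCES, threshold=FANOUT_THRESHOLD):
    """Group winreg access by (source IP, account) and rate by target fan-out."""
    targets = defaultdict(set)
    for ev in events:
        ip = ev.get("IpAddress", "-")
        if is_remote_registry_access(ev) and ip not in admin_sources:
            targets[(ip, ev.get("SubjectUserName", "-"))].add(ev.get("Computer", "-"))
    return [{"source": ip, "user": user, "targets": sorted(hosts),
             "severity": "high" if len(hosts) >= threshold else "review"}
            for (ip, user), hosts in sorted(targets.items())]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Because the event names only the pipe, a finding has to be correlated with the account and source host to decide whether it was routine administration or a logged-on-user sweep.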