Security Identifier values, [a.k.a. SIDs] are used to identify users, groups, workstations, domains, generic groups, generic users, logon sessions and well-known users & groups. Consider a SID to be a unique key, and that any given process that is logged on to a WinNT/Win2K system holds one or more of these SIDs that can be used to determine which resources the process is allowed to access.
A SID is normally stored in a binary format when used internally by WinNT/Win2K. However, SIDs can be converted to/from a particular string format to make them easily readable. This string format for a SID value consists of a leading "S" character that indicates that the string represents a SID, followed by several numbers separated by dashes "-". The very first value after the "S" is the version number of the SID, which is "1" at this time. This means that all SID strings begin with "S-1-". The remaining components of the SID string are the authority value [first component after the version], followed by the sub-authority values and ending with the very last component, which is known as a RID [a.k.a. Relative Identifier]. There are many RID values that have special meaning, such as being used to identify a well-known group or built-in group or built-in user such as "Everyone", "Administrators" or "Guest", respectively. The sub-authority values that precede the RID value serve to uniquely identify the domain, workstation or standalone server to which the RID belongs. This allows for any given user or group account to have a unique SID value, regardless of whether it be a user, group or built-in group/user account and regardless of what domain/workstation it belongs to.
The following table defines the major authority values that are used as the prefixes of all the SID values that are likely to be encountered. The first 4 values are used with universal well-known SIDs, and the last one is used with WinNT/Win2K well-known SIDs.
Identifier authority name
|
Value
|
SID string prefix
|
SECURITY_NULL_SID_AUTHORITY
|
0
|
"S-1-0"
|
SECURITY_WORLD_SID_AUTHORITY
|
1
|
"S-1-1"
|
SECURITY_LOCAL_SID_AUTHORITY
|
2
|
"S-1-2"
|
SECURITY_CREATOR_SID_AUTHORITY
|
3
|
"S-1-3"
|
SECURITY_NT_AUTHORITY
|
5
|
"S-1-5"
|
Universal well-known SID values are SID values that are recognized by any system that uses this model for its security, including but not limited to WinNT/Win2K. For example, Samba is a software package that runs on Unix systems that allows LAN Manager clients to access file systems on Unix systems as if they were shares on a WinNT/Win2K system. In this example, Samba would also recognize the universal well-known SID values.
Here is a list of the universal well-known SIDs. Universal SID values do not have any domain names associated with their corresponding account names.
Universal well-known SID
|
Value
|
Identifies
|
Null SID
|
"S-1-0-0"
|
A group with no members. This is often used when a SID value is not known.
|
World
|
"S-1-1-0"
|
A group that includes all users. This is the universal group "Everyone"
|
Local
|
"S-1-2-0"
|
Users who log on to terminals locally [e.g. physically] connected to the system.
|
Creator Owner ID
|
"S-1-3-0"
|
Identifies a SID to be replaced by the SID of the user who created a new object. This SID is used in inheritable ACEs. This is the universal group "CREATOR OWNER".
|
Creator Group ID
|
"S-1-3-1"
|
Identifies a SID to be replaced by the primary group SID of the user who created a new object. This SID is used in inheritable ACEs. This is the universal group "CREATOR GROUP".
|
The following RID values are used with universal well-known SIDs. The Identifier Authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
Relative identifier
|
Value
|
Identifier Authority
|
SECURITY_NULL_RID
|
0
|
"S-1-0"
|
SECURITY_WORLD_RID
|
0
|
"S-1-1"
|
SECURITY_LOCAL_RID
|
0
|
"S-1-2"
|
SECURITY_CREATOR_OWNER_RID
|
0
|
"S-1-3"
|
SECURITY_CREATOR_GROUP_RID
|
1
|
"S-1-3"
|
The SECURITY_NT_AUTORITY ["S-1-5"] pre-defined identifier authority produces SIDs that are not universal and are meaningful only on WinNT/Win2K installations. You can use the following RID values with SECURITY_NT_AUTHORITY to create well-known SIDs. All accounts that have a SID value that begins with "S-1-5-" will be associated with the domain "NT AUTHORITY" unless noted otherwise.
Relative identifier name & SID value
|
Identifies
|
SECURITY_DIALUP_RID
"S-1-5-1"
|
Users who log on to terminals using a dial-up modem. This is a group identifier.
|
SECURITY_NETWORK_RID
"S-1-5-2"
|
Users who can log on across a network. This is a group identifier.
|
SECURITY_BATCH_RID
"S-1-5-3"
|
Users who can log on using a batch queue facility. This is the "BATCH" group identifier.
|
SECURITY_INTERACTIVE_RID
"S-1-5-4"
|
Users who can log on for interactive operation. This is the "INTERACTIVE" group identifier.
|
SECURITY_LOGON_IDS_RID
"S-1-5-5-x-y"
|
A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The "x" and "y" values for these SIDs are different for each logon session.
|
SECURITY_SERVICE_RID
"S-1-5-6"
|
Accounts authorized to log on as a service. This is the "SERVICE" group identifier.
|
SECURITY_ANONYMOUS_LOGON_RID
"S-1-5-7"
|
Anonymous logon, or null session logon. This is the "ANONYMOUS LOGON" group identifier.
|
SECURITY_PROXY_RID
"S-1-5-8"
|
n/a
|
SECURITY_ENTERPRISE_CONTROLLERS_RID
"S-1-5-9"
|
n/a
|
SECURITY_PRINCIPAL_SELF_RID
"S-1-5-10"
|
The PRINCIPLE_SELF security identifier can be used in the ACL of a user or group object. During an access check, the system replaced this SID with the SID of the object. The PRINCIPLE_SELF_RID is useful for specifying an inheritable ACE that applies to the user or group object that inherits the ACE. It is the only way of representing the SID of a created object in the default security descriptor in the schema.
|
SECURITY_AUTHENTICATED_USER_RID
"S-1-5-11"
|
All authenticated users. This is the "Authenticated Users" identifier.
|
SECURITY_RESTRICTED_CODE_RID
"S-1-5-12"
|
Restricted code. This is the "RESTRICTED" identifier.
|
SECURITY_TERMINAL_SERVER_RID
"S-1-5-13"
|
Terminal Services: Automatically added to the security token of a user who logs on to a terminal server system. This is the "TERMINAL SERVER USER" identifier.
|
SECURITY_LOCAL_SYSTEM_RID
"S-1-5-18"
|
A special account used by the operating system. This is the "SYSTEM" identifier.
|
SECURITY_NT_NON_UNIQUE
"S-1-5-21"
|
This serves as the base portion of the SID for all domain accounts and for all non-alias local accounts. Typically, the domain or workstation is uniquely identified by 3 additional sub-authority values which get appended on to the end of this value, followed then by a RID value that identifies a specific account within that domain or on that particular workstation. For example, the domain global group "Domain Users" has the SID value "S-1-5-21-a-b-c-513", where "S-1-5-21-a-b-c" is the domain SID and "513" is the RID portion of the SID.
|
SECURITY_BUILTIN_DOMAIN_RID
"S-1-5-32"
|
The built-in system domain. Local groups [e.g. aliases] have this as the base portion of their SIDs. For example, the "Administrators" group has the SID value "S-1-5-32-544". All accounts that have a SID value that begins with "S-1-5-32-" will be associated with the domain "BUILTIN" unless noted otherwise.
|
Other SID values that are commonly encountered contain RIDs that are relative to either a domain SID or a local workstation SID. Certain RID values are used to build well-known SID values that identify built-in domain users, built-in global groups, built-in local users and built-in local groups.
The following RIDs are relative to each domain. To obtain a domain SID value for use with the following RIDs, use the wntLsaPolGet() function with class "AccountDomain" and element #2. Be sure to specify the 'server-name' parameter's value as the name of a domain controller in the domain for which a domain SID is to be obtained. A workstation or server that is not part of a domain is considered to be in its own private security domain. In this case, the workstation's or server's name is also the domain name.
RID
|
Value
|
Identifies
|
DOMAIN_USER_RID_ADMIN
|
500
|
The administrative user account in a domain. This is the "Administrator" account in both a domain and on a local workstation.
|
DOMAIN_USER_RID_GUEST
|
501
|
The guest-user account in a domain. Users who do not have an account can automatically log on with this account [if it has not been disabled]. This is the "Guest" account in both a domain and on a local workstation.
|
DOMAIN_USER_RID_KRBTGT
|
502
|
n/a
|
DOMAIN_GROUP_RID_ADMINS
|
512
|
The domain administrator's group. This account exists only on systems running server versions of WinNT/Win2K. This is the "Domain Admins" group.
|
DOMAIN_GROUP_RID_USERS
|
513
|
A group containing all user accounts in a domain. All users are automatically added to this group when they are created, but they may be manually removed from this group later on. This is the "Domain Users" group.
|
DOMAIN_GROUP_RID_GUESTS
|
514
|
The guest-group account in the domain. This is the "Domain Guests" group.
|
DOMAIN_GROUP_RID_COMPUTERS
|
515
|
The domain computers' group. All computer accounts in the domain are members of this group.
|
DOMAIN_GROUP_RID_CONTROLLERS
|
516
|
The domain controllers' group. All domain controller computer accounts are members of this group.
|
DOMAIN_GROUP_RID_CERT_ADMINS
|
517
|
The certificate publishers' group. The computer accounts of computers running Certificate Services are members of this group.
|
DOMAIN_GROUP_RID_SCHEMA_ADMINS
|
518
|
The schema administrators' group. Members of this group can modify the Active Directory schema.
|
DOMAIN_GROUP_RID_ENTERPRISE_ADMINS
|
519
|
The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing domains.
|
DOMAIN_GROUP_RID_POLICY_ADMINS
|
520
|
The policy administrators' group.
|
The following RIDs are relative to the built-in domain [e.g. SID "S-1-5-32"]. These RIDs are used to build the SID values for the built-in local groups [e.g. aliases] such as "Administrators", "Users", "Power Users", "Backup Operators", etc& Not all of these local groups will exist on all variants of WinNT/Win2K. For example, "Server Operators" does not exist on WinNT Workstation or on Win2K Professional, while "Power Users" does not exist WinNT Server or on Win2K Server & Advanced Server.
Global domain groups and domain users may be given membership in these local groups [e.g. aliases] on each workstation or server that is a member of a domain. Typically this is done to give the "Domain Admins" group membership in the local "Administrators" group so that domain administrative accounts can manage the local workstation.
Relative identifier
|
Value
|
Identifies
|
DOMAIN_ALIAS_RID_ADMINS
|
544
|
A local group used for administration of the domain [or workstation]. This is the local "Administrators" group.
|
DOMAIN_ALIAS_RID_USERS
|
545
|
A local group representing all users in the domain [or on the workstation]. This is the local "Users" group.
|
DOMAIN_ALIAS_RID_GUESTS
|
546
|
A local group representing guests of the domain. This is the local "Guests" group.
|
DOMAIN_ALIAS_RID_POWER_USERS
|
547
|
A local group used to represent a user or set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users. This is the local "Power Users" group.
|
DOMAIN_ALIAS_RID_ACCOUNT_OPS
|
548
|
A local group existing only on systems running WinNT Server or Win2K Server & Adv. Server. This local group permits control over non-administrator accounts. This is the local "Account Operators" group.
|
DOMAIN_ALIAS_RID_SYSTEM_OPS
|
549
|
A local group existing only on systems running WinNT Server or Win2K Server & Adv. Server. This local group performs system administrative functions, not including security functions. It establishes network shares, controls printers, unlocks workstations and performs other operations. This is the local "Server Operators" group.
|
DOMAIN_ALIAS_RID_PRINT_OPS
|
550
|
A local group existing only on systems running WinNT Server or Win2K Server & Adv. Server. This local group controls printers and print queues. This is the local "Print Operators" group.
|
DOMAIN_ALIAS_RID_BACKUP_OPS
|
551
|
A local group used for controlling assignment of file backup-and-restore privileges. This is the local "Backup Operators" group.
|
DOMAIN_ALIAS_RID_REPLICATOR
|
552
|
A local group responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system. This is the local "Replicator" group.
|
DOMAIN_ALIAS_RID_RAS_SERVERS
|
553
|
A local group representing RAS and IAS servers. This group permits access to various attributes of user objects.
|
DOMAIN_ALIAS_RID_PREW2KCOMPACCESS
|
554
|
A local group existing only on systems running Win2K Server or Adv. Server. It provides access rights and privileges equal to anonymous access under WinNT, which is "Everyone" access. This is the local "Pre-Windows 2000 Compatible Access" group.
|
|