Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs into a computer, an access token is generated that contains user and group SIDs and user privilege level. When a user requests access to a resource, the access token is checked against the ACL to permit or deny particular action on a particular object.
SIDs are useful for troubleshooting issues with security audits, Windows server and domain migrations.
The format of an SID can be illustrated using the following example: “S-1-5-21-3623811015-3361044348-30300820-1013″;
| S | 1 | 5 | 21-3623811015-3361044348-30300820 | 1013 |
|---|---|---|---|---|
| The string is a SID. | The revision level (the version of the SID specification). | The identifier authority value. | domain or local computer identifier | a Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater. |
Possible identifier authority values are:
- 0 – Null Authority
- 1 – World Authority
- 2 – Local Authority
- 3 – Creator Authority
- 4 – Non-unique Authority
- 5 – NT Authority
- 9 – Resource Manager Authority
Well-known security identifiers
A number of “well-known” security identifiers are defined by the operating system so as to ensure that specific system accounts can always be found. Microsoft maintains a complete list of these identifiers in a knowledge base article.
| SID | Description |
|---|---|
| S-1-1-0 | Everyone. |
| S-1-5-14 | Remote Interactive Logon. |
| S-1-5-18 | Local System, a service account that is used by the operating system. |
| S-1-5-19 | NT Authority, Local Service |
| S-1-5-20 | NT Authority, Network Service |
| S-1-5-29 | Network Service |
| S-1-5-domain-500 | A user account for the system administrator. By default, it is the only user account that is given full control over the system. |
| S-1-5-domain-501 | Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. |
| S-1-5-domain-512 | Domain Admins – a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group. |
| S-1-5-domain-513 | Domain Users. |
| S-1-5-domain-514 | Domain Guests – A global group that, by default, has only one member, the domain’s built-in Guest account. |
| S-1-6 | Site Server Authority. |
| S-1-7 | Internet Site Authority. |
| S-1-8 | Exchange Authority. |
| S-1-9 | Resource Manager Authority. |
References:
Filed under: new Tagged: access control, active directory, sysadmin, windows
