Security Identifiers (SIDs)

A security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has a unique SID issued by an authority, such as a Windows NT server domain, and stored in a security database. Each time a user logs on, the system retrieves the user's SID from the database and places it in the user's access token. The system uses the SID in the user's access token to identify the user in all subsequent interactions with Windows NT security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.

Windows NT security uses SIDs in the following security elements:

In addition to the uniquely created, domain-specific SIDs assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, there is a well-known SID used to identify Everyone or World, which is a group that includes all users.

Most applications never need to work with SIDs. For example, in Windows NT versions 4.0 and later, the security functions for getting and setting the ACEs in an ACL allow you to use names rather than SIDs to identify users and groups. However, when you are working with well-known SIDs, you should use the Win32 functions to build the SID from predefined constants rather than using the name of the well-known SID. This is because the names of well-known SIDs can vary. For example, the U.S. English version of Windows NT has a well-known SID named "BUILTIN\Administrators" that might have a different name on international versions of Windows NT. For sample code that builds a well-known SID, see Searching for a SID in an Access Token.

If you do need to work with SIDs, do not manipulate them directly. Instead, use the following Win32 functions.

Function Description
AllocateAndInitializeSid Allocates and initializes a SID with the specified number of subauthorities.
CopySid Copies a source SID to a buffer.
EqualPrefixSid Tests two SID prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.
EqualSid Tests two SIDs for equality. They must match exactly to be considered equal.
FreeSid Frees a SID previously allocated by using the AllocateAndInitializeSid function.
GetLengthSid Retrieves the length of a SID.
GetSidIdentifierAuthority Retrieves a pointer to a SID's identifier authority.
GetSidLengthRequired Retrieves the size of the buffer required to store a SID with a specified number of subauthorities.
GetSidSubAuthority Retrieves a pointer to a specified subauthority in a SID.
GetSidSubAuthorityCount Retrieves the number of subauthorities in a SID.
InitializeSid Initializes a SID structure.
IsValidSid Tests the validity of a SID by verifying that the revision number is within a known range and that the number of subauthorities is less than the maximum.
LookupAccountName Retrieves the SID corresponding to a specified account name.
LookupAccountSid Retrieves the account name corresponding to a specified SID.
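The following is an added example, not code from the Win32 documentation above, showing what the functions in the table operate on. It models the binary SID layout in pure Python (revision byte, subauthority count byte, a 6-byte big-endian identifier authority, then 4-byte little-endian subauthorities) and mirrors GetSidLengthRequired, IsValidSid, AllocateAndInitializeSid, EqualSid and EqualPrefixSid under Python names. It also builds the well-known BUILTIN\Administrators and Everyone SIDs from the header constants (SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, SECURITY_WORLD_SID_AUTHORITY, SECURITY_WORLD_RID) rather than from their localizable names, as the text recommends. The binary sample is constructed for the example; the string renderer always prints the authority in decimal, which is a simplification of the Windows textual form.

```python
# Added example: pure-Python model of the Win32 binary SID layout.
# This is not the Win32 implementation; it mirrors the documented behaviour
# of the SID helper functions so the structure can be studied offline.
import struct
from dataclasses import dataclass
from typing import Tuple

SID_REVISION = 1                 # the only revision defined by Win32
SID_MAX_SUB_AUTHORITIES = 15     # upper bound on subauthorities per SID

# Well-known constants, values as defined in the Win32 headers.
SECURITY_WORLD_SID_AUTHORITY = 1
SECURITY_NT_AUTHORITY = 5
SECURITY_WORLD_RID = 0           # Everyone / World is S-1-1-0
SECURITY_BUILTIN_DOMAIN_RID = 32
DOMAIN_ALIAS_RID_ADMINS = 544    # BUILTIN\Administrators is S-1-5-32-544
DOMAIN_ALIAS_RID_USERS = 545     # BUILTIN\Users is S-1-5-32-545


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]


def sid_length_required(sub_authority_count: int) -> int:
    """Like GetSidLengthRequired: 8 header bytes plus 4 per subauthority."""
    return 8 + 4 * sub_authority_count


def is_valid_sid(sid: Sid) -> bool:
    """Like IsValidSid: known revision, subauthority count within the limit,
    and every field representable in its on-the-wire width."""
    return (sid.revision == SID_REVISION
            and len(sid.sub_authorities) <= SID_MAX_SUB_AUTHORITIES
            and 0 <= sid.identifier_authority < (1 << 48)
            and all(0 <= rid < (1 << 32) for rid in sid.sub_authorities))


def allocate_and_initialize_sid(authority: int, *rids: int) -> Sid:
    """Like AllocateAndInitializeSid: build a SID from constants, never from a name."""
    sid = Sid(SID_REVISION, authority, tuple(rids))
    if not is_valid_sid(sid):
        raise ValueError("too many subauthorities or out-of-range value")
    return sid


def sid_to_bytes(sid: Sid) -> bytes:
    """Serialize into the binary layout stored in tokens and security descriptors."""
    count = len(sid.sub_authorities)
    header = bytes((sid.revision, count))
    authority = sid.identifier_authority.to_bytes(6, "big")
    rids = struct.pack("<%dI" % count, *sid.sub_authorities)
    return header + authority + rids


def sid_from_bytes(data: bytes) -> Sid:
    """Parse a binary SID, rejecting truncated or malformed buffers before
    reading any subauthority (the checks IsValidSid/GetLengthSid rely on)."""
    if len(data) < 8:
        raise ValueError("buffer shorter than the SID header")
    revision, count = data[0], data[1]
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("subauthority count exceeds SID_MAX_SUB_AUTHORITIES")
    if len(data) < sid_length_required(count):
        raise ValueError("buffer shorter than GetSidLengthRequired(count)")
    authority = int.from_bytes(data[2:8], "big")
    rids = struct.unpack_from("<%dI" % count, data, 8)
    sid = Sid(revision, authority, tuple(rids))
    if not is_valid_sid(sid):
        raise ValueError("unknown SID revision")
    return sid


def sid_to_string(sid: Sid) -> str:
    """Render as S-R-I-S..., e.g. S-1-5-32-544 (authority always decimal here)."""
    parts = (sid.revision, sid.identifier_authority, *sid.sub_authorities)
    return "S-" + "-".join(str(v) for v in parts)


def equal_sid(a: Sid, b: Sid) -> bool:
    """Like EqualSid: both valid and an exact match."""
    return is_valid_sid(a) and is_valid_sid(b) and a == b


def equal_prefix_sid(a: Sid, b: Sid) -> bool:
    """Like EqualPrefixSid: everything except the last subauthority must match,
    which also means the two SIDs must carry the same number of subauthorities."""
    return (is_valid_sid(a) and is_valid_sid(b)
            and a.revision == b.revision
            and a.identifier_authority == b.identifier_authority
            and len(a.sub_authorities) == len(b.sub_authorities)
            and a.sub_authorities[:-1] == b.sub_authorities[:-1])


# Constructed sample: the 16-byte binary form of S-1-5-32-544.
SAMPLE_ADMINS_SID_BYTES = bytes.fromhex("0102000000000005" "20000000" "20020000")

if __name__ == "__main__":
    admins = allocate_and_initialize_sid(SECURITY_NT_AUTHORITY,
                                         SECURITY_BUILTIN_DOMAIN_RID,
                                         DOMAIN_ALIAS_RID_ADMINS)
    users = allocate_and_initialize_sid(SECURITY_NT_AUTHORITY,
                                        SECURITY_BUILTIN_DOMAIN_RID,
                                        DOMAIN_ALIAS_RID_USERS)
    print(sid_to_string(admins), sid_to_string(sid_from_bytes(SAMPLE_ADMINS_SID_BYTES)))
    print("same prefix:", equal_prefix_sid(admins, users), "equal:", equal_sid(admins, users))
```

The parser checks the subauthority count against the buffer length before unpacking any subauthority, which is the same ordering a caller of IsValidSid and GetLengthSid needs when reading SIDs out of untrusted binary data such as a security descriptor pulled from disk.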