Security Identifiers (SIDs)

A security identifier (SID) is a unique value of variable length used to identify a user or group. The SID assigned to a user when he or she logs on becomes part of the access token that accompanies any process begun by that user. Except for the logon SID, an SID is always unique. When it has been used to identify a user or group, it cannot be used again, at any time, to identify another user or group.

SIDs identify several separate elements. These include the owner and group in security descriptors, the recipient of the access being granted by access-control entries (ACEs), and the user, as well as groups of which the user is a member in access tokens.

An SID also contains the following information.

·A 48-bit identifier authority value

·A revision level

·A variable number of subauthority values (relative identifiers)

The identifier authority value actually contains two values and is the most important piece of information in an SID. It contains a value identifying the agency that issued the SID, usually representing a Microsoft® Server™ domain, and a 32-bit relative identifier (RID) value, to uniquely identify the user or group in that agency. Joining these values ensures that no two SIDs will be the same, even if two different SID-issuing authorities issue the same RID. Each SID-issuing authority issues a given RID only once.

A standardized shorthand notation for SIDs makes it simpler to visualize their components:

S-R-I-S-S...

In the notation shown above, S identifies the series of digits as an SID, R is the revision level, I is the identifier-authority value, and S is the subauthority value. An SID could be written in this notation as follows:

S-1-4138-86

In this example, the SID has a revision level of 1, an identifier-authority value of 4138, and one subauthority value of 86.

An application is never required to manipulate an SID directly. The following Win32 functions provide all the functionality required to work with SIDs.

Function Description
AllocateAndInitializeSid Allocates and initializes an SID with the specified number of subauthorities.
CopySid Copies a source SID to a buffer.
EqualPrefixSid Tests two SID prefix values for equality. An SID prefix is the entire SID except for the last subauthority value.
EqualSid Tests two SIDs for equality. They must match exactly to be considered equal.
FreeSid Frees an SID previously allocated by using the AllocateAndInitializeSid function.
GetLengthSid Retrieves the length of an SID.
GetSidIdentifierAuthority Retrieves a pointer to an SID's identifier authority.
GetSidLengthRequired Retrieves the size of the buffer required to store an SID with a specified number of subauthorities.
GetSidSubAuthority Retrieves a pointer to a specified subauthority in an SID.
GetSidSubAuthorityCount Retrieves the number of subauthorities in an SID.
InitializeSid Initializes an SID structure.
IsValidSid Tests the validity of an SID by verifying that the revision number is within a known range and that the number of subauthorities is less than the maximum.
LookupAccountName Retrieves the SID corresponding to a specified account name. Use the GetUserName function to retrieve the user name for the current thread.
LookupAccountSid Retrieves the account name corresponding to a specified SID.
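As an added illustration of the S-R-I-S... notation above and of the IsValidSid and EqualPrefixSid rows in the table, the following portable C code parses the shorthand into the binary SID layout (revision, subauthority count, 48-bit big-endian identifier authority, 32-bit subauthorities) and back. It is example code, not code from the original page or from the Win32 SDK; the Sid struct, the function names and the 15-subauthority limit are assumptions of this example, so it builds without windows.h.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SID_MAX_SUB_AUTHORITIES 15  /* Win32 limit; assumed here, not taken from the page */
/* Same field order as the Win32 SID: revision, count, 48-bit big-endian authority, RIDs. */
typedef struct {
    uint8_t  Revision, SubAuthorityCount, IdentifierAuthority[6];
    uint32_t SubAuthority[SID_MAX_SUB_AUTHORITIES];
} Sid;

/* Parse "S-R-I-S-S..." into the binary layout; returns false on malformed text. */
bool sid_parse(const char *text, Sid *sid) {
    unsigned rev; unsigned long long auth; int n = 0; char *end;
    memset(sid, 0, sizeof *sid);
    if (sscanf(text, "S-%u-%llu%n", &rev, &auth, &n) != 2 || rev > 255 || auth >> 48)
        return false;                               /* authority must fit in 48 bits */
    sid->Revision = (uint8_t)rev;
    for (int i = 0; i < 6; i++)                     /* store authority big-endian */
        sid->IdentifierAuthority[i] = (uint8_t)(auth >> (8 * (5 - i)));
    for (const char *p = text + n; *p; p = end) {   /* one subauthority per "-digits" */
        if (*p != '-' || !isdigit((unsigned char)p[1]) ||
            sid->SubAuthorityCount == SID_MAX_SUB_AUTHORITIES) return false;
        unsigned long v = strtoul(p + 1, &end, 10);
        if (v > 0xFFFFFFFFul) return false;         /* a RID is 32 bits */
        sid->SubAuthority[sid->SubAuthorityCount++] = (uint32_t)v;
    }
    return true;
}
/* Format the binary layout back into the S-R-I-S... shorthand. */
void sid_to_string(const Sid *sid, char *out, size_t cap) {
    unsigned long long auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid->IdentifierAuthority[i];
    size_t len = (size_t)snprintf(out, cap, "S-%u-%llu", sid->Revision, auth);
    for (int i = 0; i < sid->SubAuthorityCount && len < cap; i++)
        len += (size_t)snprintf(out + len, cap - len, "-%u", (unsigned)sid->SubAuthority[i]);
}
/* Mirrors IsValidSid: a known revision and a subauthority count within the limit. */
bool sid_is_valid(const Sid *sid) {
    return sid->Revision == 1 && sid->SubAuthorityCount <= SID_MAX_SUB_AUTHORITIES;
}
/* Mirrors EqualPrefixSid: equal in everything except possibly the last subauthority (the RID). */
bool sid_equal_prefix(const Sid *a, const Sid *b) {
    if (a->Revision != b->Revision || a->SubAuthorityCount != b->SubAuthorityCount ||
        memcmp(a->IdentifierAuthority, b->IdentifierAuthority, 6) != 0) return false;
    return a->SubAuthorityCount == 0 ||
           memcmp(a->SubAuthority, b->SubAuthority, 4u * (a->SubAuthorityCount - 1u)) == 0;
}
```

Two accounts issued by the same authority (same prefix, different RID) compare equal under sid_equal_prefix but would not under an exact EqualSid-style comparison.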

Some identifier authorities are predefined, as shown in the following table.

Identifier authority SID Value
SECURITY_NULL_SID_AUTHORITY 0
SECURITY_WORLD_SID_AUTHORITY 1
SECURITY_LOCAL_SID_AUTHORITY 2
SECURITY_CREATOR_SID_AUTHORITY 3
SECURITY_NT_AUTHORITY 5

The following RID values are also defined.

Relative identifier authority Value Superior authority
SECURITY_NULL_RID 0 S-1-0
SECURITY_WORLD_RID 0 S-1-1
SECURITY_LOCAL_RID 0 S-1-2
SECURITY_CREATOR_OWNER_RID 0 S-1-3
SECURITY_CREATOR_GROUP_RID 1 S-1-3

An application can combine an identifier authority and one of these RID values to create an SID that is meaningful on all installations. For example, S-1-1-0 (SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID) always identifies the special group representing all users. These security identifiers are universal well-known SIDs. A universal well-known SID is meaningful on all secure systems using this security model, including systems not running Windows NT. The AllocateAndInitializeSid function provides a simple method of combining an identifier authority and an RID.

The following are some universal well-known SIDs.

Universal well-known SID Value Identifies
Null SID (S-1-0-0) A group with no members. This is often used when an SID value is not known.
World (S-1-1-0) A group that includes all users.
Local (S-1-2-0) Users who log on to terminals locally (physically) connected to the system.
Creator Owner ID (S-1-3-0) A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACLs.
Creator Group ID (S-1-3-1) Identifies a security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACLs.

Another predefined identifier authority is SECURITY_NT_AUTHORITY (S-1-5). This identifier authority produces SIDs that are not universal but are meaningful only on Windows NT installations. An application can use the following RID values with SECURITY_NT_AUTHORITY to create well-known SIDs.

Constant Identifies
SECURITY_DIALUP_RID (S-1-5-1) Users who log on to terminals using a dialup modem. This is a group identifier.
SECURITY_NETWORK_RID (S-1-5-2) Users who log on across a network. This is a group identifier.
SECURITY_BATCH_RID (S-1-5-3) Users who log on using a batch queue facility. This is a group identifier.
SECURITY_INTERACTIVE_RID (S-1-5-4) Users who log on for interactive operation. This is a group identifier.
SECURITY_LOGON_IDS_RID (S-1-5-5-X-Y) A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The X and Y values for these SIDs are different for each logon session. The value SECURITY_LOGON_IDS_RID_COUNT is the number of RIDs in this identifier (5-X-Y).
SECURITY_SERVICE_RID (S-1-5-6) An account authorized to perform security services.
SECURITY_LOCAL_SYSTEM_RID (S-1-5-0x12) The user account used by the operating system.
SECURITY_BUILTIN_DOMAIN_RID (S-1-5-0x20) The built-in system domain.

The following RIDs are relative to each domain.

RID Identifies
DOMAIN_USER_RID_ADMIN The administrative user account in a domain.
DOMAIN_USER_RID_GUEST The guest-user account in a domain. This account can be logged onto automatically by users who do not have an account.
DOMAIN_GROUP_RID_ADMINS The domain administrator's group. This account exists only on systems running Microsoft® LAN Manager for Windows NT®, not Windows NT systems.
DOMAIN_GROUP_RID_USERS A group containing all user accounts in a domain. All users are automatically added to this group.

An alias is a local group and is similar to a global group, but it can contain members from other domains. Its members can be users or other groups. Some domain-relative RIDs, such as the following, can be used to form well-known SIDs used as local groups.

RID Identifies
DOMAIN_ALIAS_RID_ADMINS A local group used for administration of the domain.
DOMAIN_ALIAS_RID_USERS A local group representing all users in the domain.
DOMAIN_ALIAS_RID_GUESTS A local group representing guests of the domain.
DOMAIN_ALIAS_RID_POWER_USERS A local group used to represent a user or set of users that expect to treat a system as if it were their personal computer rather than a multiuser workstation.
DOMAIN_ALIAS_RID_ACCOUNT_OPS A local group existing only on systems running Microsoft LAN Manager for Windows NT. This local group permits control over non-administrator accounts.
DOMAIN_ALIAS_RID_SYSTEM_OPS A local group existing only on systems running Microsoft LAN Manager for Windows NT. This local group performs system administrative functions, not including security functions. It establishes network shares, controls printers, unlocks workstations, and performs other operations.
DOMAIN_ALIAS_RID_PRINT_OPS A local group existing only on systems running Microsoft LAN Manager for Windows NT. This local group controls printers and print queues.
DOMAIN_ALIAS_RID_BACKUP_OPS A local group used for controlling assignment of file backup-and-restore privileges.
DOMAIN_ALIAS_RID_REPLICATOR A local group responsible for copying security databases from the primary domain controller to the backup domain controllers.