Security Identifiers (SIDs)
A security identifier (SID) is a unique value of variable length used to
identify a user or group. The SID assigned to a user when he or she logs on becomes
part of the access token that accompanies any process begun by that user.
Except for the logon SID, an SID is always unique. When it has been used to identify
a user or group, it cannot be used again, at any time, to identify another
user or group.
SIDs identify several separate elements: the owner and primary group in a security descriptor, the recipient of the access granted by an access-control entry (ACE), and, in an access token, the user together with the groups of which the user is a member.
An SID contains the following information.
- A revision level
- A 48-bit identifier authority value
- A variable number of 32-bit subauthority values, the last of which is the relative identifier (RID)
The identifier authority value identifies the agency that issued the SID; for Windows NT accounts this is the NT authority, and further subauthority values then identify the issuing domain. The final subauthority, the 32-bit relative identifier (RID), uniquely identifies the user or group within that agency. Joining these values ensures that no two SIDs will be the same, even if two different SID-issuing authorities issue the same RID. Each SID-issuing authority issues a given RID only once.
A standardized shorthand notation for SIDs makes it simpler to visualize their components:
S-R-I-S-S...
In the notation shown above, S identifies the series of digits as an SID, R is the revision level, I is the identifier-authority value, and each following S is a subauthority value. An SID could be written in this notation as follows:
S-1-4138-86
In this example, the SID has a revision level of 1, an identifier-authority value of 4138, and one subauthority value of 86.
An application is never required to manipulate an SID directly. The following Win32 functions provide all the functionality required to work with SIDs.
Function | Description
AllocateAndInitializeSid | Allocates and initializes an SID with the specified number of subauthorities.
CopySid | Copies a source SID to a buffer.
EqualPrefixSid | Tests two SID prefix values for equality. An SID prefix is the entire SID except for the last subauthority value.
EqualSid | Tests two SIDs for equality. They must match exactly to be considered equal.
FreeSid | Frees an SID previously allocated by using the AllocateAndInitializeSid function.
GetLengthSid | Retrieves the length of an SID.
GetSidIdentifierAuthority | Retrieves a pointer to an SID's identifier authority.
GetSidLengthRequired | Retrieves the size of the buffer required to store an SID with a specified number of subauthorities.
GetSidSubAuthority | Retrieves a pointer to a specified subauthority in an SID.
GetSidSubAuthorityCount | Retrieves the number of subauthorities in an SID.
InitializeSid | Initializes an SID structure.
IsValidSid | Tests the validity of an SID by verifying that the revision number is within a known range and that the number of subauthorities is less than the maximum.
LookupAccountName | Retrieves the SID corresponding to a specified account name. Use the GetUserName function to retrieve the user name for the current thread.
LookupAccountSid | Retrieves the account name corresponding to a specified SID.
Some identifier authorities are predefined, as shown in the following table.
Identifier authority | SID value
SECURITY_NULL_SID_AUTHORITY | 0
SECURITY_WORLD_SID_AUTHORITY | 1
SECURITY_LOCAL_SID_AUTHORITY | 2
SECURITY_CREATOR_SID_AUTHORITY | 3
SECURITY_NT_AUTHORITY | 5
The following RID values are also defined.
Relative identifier | Value | Superior authority
SECURITY_NULL_RID | 0 | S-1-0
SECURITY_WORLD_RID | 0 | S-1-1
SECURITY_LOCAL_RID | 0 | S-1-2
SECURITY_CREATOR_OWNER_RID | 0 | S-1-3
SECURITY_CREATOR_GROUP_RID | 1 | S-1-3
An application can combine an identifier authority and one of these RID values to create an SID that is meaningful on all installations. For example, S-1-1-0 (SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID) always identifies the special group representing all users. These security identifiers are universal well-known SIDs. A universal well-known SID is meaningful on all secure systems using this security model, including systems not running Windows NT. The AllocateAndInitializeSid function provides a simple method of combining an identifier authority and an RID.
The following are some universal well-known SIDs.
Universal well-known SID | Value | Identifies
Null SID | S-1-0-0 | A group with no members. This is often used when an SID value is not known.
World | S-1-1-0 | A group that includes all users.
Local | S-1-2-0 | Users who log on to terminals locally (physically) connected to the system.
Creator Owner ID | S-1-3-0 | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACLs.
Creator Group ID | S-1-3-1 | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACLs.
Another predefined identifier authority is SECURITY_NT_AUTHORITY (S-1-5). This identifier authority produces SIDs that are not universal but are meaningful only on Windows NT installations. An application can use the following RID values with SECURITY_NT_AUTHORITY to create well-known SIDs.
RID (SID) | Identifies
SECURITY_DIALUP_RID (S-1-5-1) | Users who log on to terminals using a dialup modem. This is a group identifier.
SECURITY_NETWORK_RID (S-1-5-2) | Users who log on across a network. This is a group identifier.
SECURITY_BATCH_RID (S-1-5-3) | Users who log on using a batch queue facility. This is a group identifier.
SECURITY_INTERACTIVE_RID (S-1-5-4) | Users who log on for interactive operation. This is a group identifier.
SECURITY_LOGON_IDS_RID (S-1-5-5-X-Y) | A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The X and Y values for these SIDs are different for each logon session. The value SECURITY_LOGON_IDS_RID_COUNT is the number of subauthorities in this identifier (5-X-Y), that is, 3.
SECURITY_SERVICE_RID (S-1-5-6) | An account authorized to perform security services.
SECURITY_LOCAL_SYSTEM_RID (S-1-5-18, RID 0x12) | The user account used by the operating system.
SECURITY_BUILTIN_DOMAIN_RID (S-1-5-32, RID 0x20) | The built-in system domain.
The following RIDs are relative to each domain.
RID | Identifies
DOMAIN_USER_RID_ADMIN | The administrative user account in a domain.
DOMAIN_USER_RID_GUEST | The guest-user account in a domain. This account can be logged onto automatically by users who do not have an account.
DOMAIN_GROUP_RID_ADMINS | The domain administrators' group. This group exists only on systems running Microsoft LAN Manager for Windows NT, not on Windows NT systems.
DOMAIN_GROUP_RID_USERS | A group containing all user accounts in a domain. All users are automatically added to this group.
An alias is a local group. It is similar to a global group, but it can contain members from other domains, and its members can be users or other groups. Some domain-relative RIDs, such as the following, can be used to form well-known SIDs used as local groups.
RID | Identifies
DOMAIN_ALIAS_RID_ADMINS | A local group used for administration of the domain.
DOMAIN_ALIAS_RID_USERS | A local group representing all users in the domain.
DOMAIN_ALIAS_RID_GUESTS | A local group representing guests of the domain.
DOMAIN_ALIAS_RID_POWER_USERS | A local group used to represent a user or set of users that expect to treat a system as if it were their personal computer rather than a multiuser workstation.
DOMAIN_ALIAS_RID_ACCOUNT_OPS | A local group existing only on systems running Microsoft LAN Manager for Windows NT. This local group permits control over non-administrator accounts.
DOMAIN_ALIAS_RID_SYSTEM_OPS | A local group existing only on systems running Microsoft LAN Manager for Windows NT. This local group performs system administrative functions, not including security functions. It establishes network shares, controls printers, unlocks workstations, and performs other operations.
DOMAIN_ALIAS_RID_PRINT_OPS | A local group existing only on systems running Microsoft LAN Manager for Windows NT. This local group controls printers and print queues.
DOMAIN_ALIAS_RID_BACKUP_OPS | A local group used for controlling assignment of file backup-and-restore privileges.
DOMAIN_ALIAS_RID_REPLICATOR | A local group responsible for copying security databases from the primary domain controller to the backup domain controllers.