Security Identifier
From Wikipedia, the free encyclopedia
In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique name (an alphanumeric character string) that is assigned by a Windows domain controller during the logon process and is used to identify an object, such as a user or a group of users, in a network of NT/2000 systems. SIDs are not portable.
Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs on to a computer, an access token is generated that contains the user's SID, the SIDs of the user's groups, and the user's privilege level. When the user requests access to a resource, the access token is checked against the resource's ACL to permit or deny a particular action on a particular object.
SIDs are useful when troubleshooting security audits and Windows server and domain migrations.
A SID has the following format: S-1-5-12-7623811015-3361044348-030300820-1013
- S - The string is a SID.
- 1 - The revision level.
- 5 - The identifier authority value.
- 12-7623811015-3361044348-030300820 - The domain or local computer identifier.
- 1013 - A Relative ID (RID).
Any group or user that is not created by default will have a Relative ID of 1000 or greater.
Well-known SIDs
- S-1-5-18: Local System. A service account that is used by the operating system.
- S-1-5-19: NT Authority, Local Service.
- S-1-5-20: NT Authority, Network Service.
- S-1-5-21-domain-500: A user account for the system administrator. By default, it is the only user account that is given full control over the system.
- S-1-5-21-domain-501: Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
- S-1-5-21-domain-512: Domain Admins, a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
- S-1-5-21-domain-514: Domain Guests, a global group that, by default, has only one member, the domain's built-in Guest account.
See also
- Access control
- Access Control Matrix
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Capability-based security
- Token (Windows NT architecture)
- Disk cloning (especially post-cloning operations)