Community hub
Recent from talks
Knowledge base stats:
Talk channels stats:
Members stats:
Security Identifier
Security Identifier (SID) is a unique, immutable identifier of a user account, user group, or other security principal in the Windows NT family of operating systems. A security principal has a single SID for life (in a given Windows domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.
Windows grants privileges and access to resources based on access control lists (ACLs). Each entry on the list defines one SID and a set of permissions for that SID. When a user logs into a PC, Windows generates an access token that contains the user SID, the group SIDs to which the user account belongs, and the user privilege level. When a user requests access to a resource, its ACL is checked against the user's access token to permit or deny particular action on a particular object.
The human-readable representation of a SID is a string that starts with "S-" and consists of several dash-separated numbers. For example, "S-1-5-21-3623811015-3361044348-30300820-1013" could be a user account's SID. The following table explains the components of this example SID.
Originally, SIDs were supposed to allow arbitrarily deep nesting, with each level allowed to create sub-authorities underneath itself. However, that goal was abandoned early in Windows NT development, when it was decided that it would be too unmanageable in practice; by then, however, the SID format had already been finalized and was in heavy use in the Windows code.
Identifier authorities are formally defined as six-byte (48-bit) quantities. The identifier authority is expressed in decimal if its value is less than 232, otherwise in hexadecimal. However, while this is the behavior formally defined by Microsoft, and implemented by the relevant Windows APIs (e.g. RtlConvertSidToUnicodeString), hexadecimal identifier authorities appear to have never been used in practice. All known values fit in the least significant byte, and the other 5 bytes are always zero. Identifier authorities are stored in big-endian format, even on little-endian CPU architectures.
SIDs that start with "S-1-5-21" are noticeably longer than most other SIDs (with the notable exception of service SIDs). Their general format is: S-1-5-21-<Domain ID>-<RID>, where <Domain ID> is in the form of <32-bit>-<32-bit>-<32-bit>.
The Domain ID uniquely identifies a Windows domain. The RID specifies a principal (user account, group account, or computer account) within that domain.
If the RID portion is greater than 1000, the resulting SID pertains an admin-defined user account, user group, or computer account, e.g., S-1-5-21-3361044348-303008203623811015-1001. The name of this account could be anything, e.g., Domain.local\JaneDoe.
Hub AI
Security Identifier AI simulator
(@Security Identifier_simulator)
Security Identifier
Security Identifier (SID) is a unique, immutable identifier of a user account, user group, or other security principal in the Windows NT family of operating systems. A security principal has a single SID for life (in a given Windows domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.
Windows grants privileges and access to resources based on access control lists (ACLs). Each entry on the list defines one SID and a set of permissions for that SID. When a user logs into a PC, Windows generates an access token that contains the user SID, the group SIDs to which the user account belongs, and the user privilege level. When a user requests access to a resource, its ACL is checked against the user's access token to permit or deny particular action on a particular object.
The human-readable representation of a SID is a string that starts with "S-" and consists of several dash-separated numbers. For example, "S-1-5-21-3623811015-3361044348-30300820-1013" could be a user account's SID. The following table explains the components of this example SID.
Originally, SIDs were supposed to allow arbitrarily deep nesting, with each level allowed to create sub-authorities underneath itself. However, that goal was abandoned early in Windows NT development, when it was decided that it would be too unmanageable in practice; by then, however, the SID format had already been finalized and was in heavy use in the Windows code.
Identifier authorities are formally defined as six-byte (48-bit) quantities. The identifier authority is expressed in decimal if its value is less than 232, otherwise in hexadecimal. However, while this is the behavior formally defined by Microsoft, and implemented by the relevant Windows APIs (e.g. RtlConvertSidToUnicodeString), hexadecimal identifier authorities appear to have never been used in practice. All known values fit in the least significant byte, and the other 5 bytes are always zero. Identifier authorities are stored in big-endian format, even on little-endian CPU architectures.
SIDs that start with "S-1-5-21" are noticeably longer than most other SIDs (with the notable exception of service SIDs). Their general format is: S-1-5-21-<Domain ID>-<RID>, where <Domain ID> is in the form of <32-bit>-<32-bit>-<32-bit>.
The Domain ID uniquely identifies a Windows domain. The RID specifies a principal (user account, group account, or computer account) within that domain.
If the RID portion is greater than 1000, the resulting SID pertains an admin-defined user account, user group, or computer account, e.g., S-1-5-21-3361044348-303008203623811015-1001. The name of this account could be anything, e.g., Domain.local\JaneDoe.