What is a SID (Security ID)?

A. SID stands for Security Identifier and is used within NT/2000 as a value to uniquely identify an object such as a user or a group. The SID assigned to a user becomes part of the access token, which is then attached to any action attempted or process executed by that user or group. If a duplicate SID did exist then all users with this SID would authenticate as what would be seen as the same user. It is possible for cloned machines to have the same SID, which would be seen by the authentication mechanism as the same machine. The SID under normal operation will be unique and will identify an individual object such as a user, group or a machine.

A SID contains:

• User and group security descriptors
• 48-bit ID authority
• Revision level
• Variable sub-authority values

For example: S-1-5-21-917267712-1342860078-1792151419-500

Below is a list of the values for SIDs on a default NT 4 installation;

Notice the unique value 500 for Administrator and 501 for Guest.

- Built-In Users

DOMAINNAME\ADMINISTRATOR

S-1-5-21-917267712-1342860078-1792151419-500 (=0x1F4)

DOMAINNAME\GUEST

S-1-5-21-917267712-1342860078-1792151419-501 (=0x1F5)

- Built-In Global Groups

DOMAINNAME\DOMAIN ADMINS

S-1-5-21-917267712-1342860078-1792151419-512 (=0x200)

DOMAINNAME\DOMAIN USERS

S-1-5-21-917267712-1342860078-1792151419-513 (=0x201)

DOMAINNAME\DOMAIN GUESTS

S-1-5-21-917267712-1342860078-1792151419-514 (=0x202)

- Built-In Local Groups

BUILTIN\ADMINISTRATORS S-1-5-32-544 (=0x220)

BUILTIN\USERS S-1-5-32-545 (=0x221)

BUILTIN\GUESTS S-1-5-32-546 (=0x222)

BUILTIN\ACCOUNT OPERATORS S-1-5-32-548 (=0x224)

BUILTIN\SERVER OPERATORS S-1-5-32-549 (=0x225)

BUILTIN\PRINT OPERATORS S-1-5-32-550 (=0x226)

BUILTIN\BACKUP OPERATORS S-1-5-32-551 (=0x227)

BUILTIN\REPLICATOR S-1-5-32-552 (=0x228)

- Special Groups

\CREATOR OWNER S-1-3-0

\EVERYONE S-1-1-0

NT AUTHORITY\NETWORK S-1-5-2

NT AUTHORITY\INTERACTIVE S-1-5-4

NT AUTHORITY\SYSTEM S-1-5-18

NT AUTHORITY\authenticated users S-1-5-11 *

* For Windows NT 4.0 Service Pack 3 and later only

These values can be displayed by using the utility Getsid.exe from the Windows NT Resource Kit.

C:\>getsid \\MACHINE ACCOUNT \\MACHINE ACCOUNT

The SID for account MACHINE\ ACCOUNT matches account MACHINE\ ACCOUNT

The SID for account MACHINE\ ACCOUNT is

S-1-5-21-1271857391-537538043-240200450-4294967295

The SID for account MACHINE\ ACCOUNT is

S-1-5-21-1271857391-537538043-240200450-4294967295

For more information, see Q. How can I tell which User has which SID? and Q. What are the problems with workstations having the same SID?

For more other information, see

http://support.microsoft.com/support/kb/articles/Q163/8/46.asp

For information on extracting the SID from an ACE see

http://support.microsoft.com/support/kb/articles/q102/1/01.asp

For information on how to associate a Username with a Security Identifier (SID) see

http://support.microsoft.com/support/kb/articles/Q154/5/99.asp

Contributed by Nathan House