Hello Me, and others that might stumble over this some day. This is a short description of Security Principals and their SIDs.
In Windows we work with Security Principals. A Security Principal is a user, group, computer or a service that is stored as objects in Active Directory for central management or in the computers local Security Account Manager (SAM) database.
One way to identify a Security Principal is that is has a Security Identifier (SID).
When a Security Principal is created in Active Directory it is assigned a Security Identifier (SID). The SID is used to uniquely identify the Security Principal in its forest and domain. It enables us to allow or deny users and systems access to resources in our forest/domain.
The SID is built in a hierarchy structure of four parts:
- Revision – the version of a SID structure. Windows NT and later starts with 1.
- Identifier Authority – Identifies the Authority that can issue SID for this type of Security Principal. The value for Windows NT and later is 5 (NT Authority).
- Subauthorities – Identifies the domain in the forest. Usually called the Domain Identifier.
- Relative Identifier (RID) – The last part that identifies the particular account or group in the domain.
If we take a look at a user object in the attribute editor we can see the users SID stored in the objectSid attribute (the same goes for computers and groups).
S-1-5-21-1004336348-1177238915-682003330-1001
S – Indicates it is a SID string.
1 – The version of the SID structure. Windows NT and later starts with 1.
5 – Identifier Authority. 5 = NT Authority.
21-1004336348-1177238915-682003330 – Domain identifier.
1001 – RID. Identifies the particular account or group.
In Active Directory user and computer objects are accounts that can be authenticated. If authentication is a success the user will get an access token containing its SID. The token will be used in an access control subsystem of the operating system (AccessCheck) to evaluate against Access Control Lists (ACLs) if the Security Principal (the user) is allowed access to e.g. a folder.
Security groups is a collection of user accounts, computer accounts and even other nested groups. With groups we can set permissions for multiple users, when a user gets his access token the SID list contain the users SID (Primary SID) and all the SIDs of the security groups the user is member of.
(Side note. With groups we get the benefits to create Role Based Access Control (RBAC), minimize ACL lists and speed up security checking, the administration gets simplified.)
Windows and Active Directory comes with a set of predefined Builtin groups and accounts which differentiates in its SID structure.
If we look at the builtin Administrators group:
S-1-5-32-544
S – Indicates it is a SID string.
1 – The version of the SID structure. Windows NT and later starts with 1.
5 – Identifier Authority. 5 = NT Authority.
32 – Domain identifier. Builtin.
544 – RID. Administrators.
This SID is local and exist in every Windows computer and on domain controllers. Since they are local they don’t need to be unique in the domain.
Domain admins group however is global and also exists in all domains. When the domain admins group is created when the domain is created it uses the same subauthority (domain identifier) as its corresponding domain, which makes it unique in the forest.
S-1-5-21-1004336348-1177238915-682003330-512
The part that reveals to us that it is the domain admins group is the RID: 512. That is a reserved RID that all domain admins group gets. It’s the domain that makes it unique in a forest. That goes for the administrator account as well, so we don’t need to rename it to some random name for security reasons, it will always be possible to resolve it by its SID (hint, the RID is 500).
The RIDs is given out by the Domain Controller that has the FSMO role RID Master. It gives all domain controllers a pool of RIDs that is used when a Security Principal is created on a domain controller. For new Security Principals it starts at 1000.
The RIDs below 1000 is reserved for special accounts.
Here is a list of well-known Security Identifiers:
http://support.microsoft.com/kb/243330/sv
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx