In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique name (an alphanumeric character string) assigned by a Windows domain controller during the logon process. It is used to identify an object, such as a user or a group of users, in a network of NT/2000 systems.
Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs on to a computer, an access token is generated that contains the user and group SIDs and the user's privilege level. When the user requests access to a resource, the access token is checked against the object's ACL to permit or deny the particular action on that object.
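The token-versus-ACL check described above, as an added example that is not part of the original article: a small Python model of the Windows DACL walk, in which access control entries (ACEs) are evaluated in order, a matching deny ACE stops the check, and matching allow ACEs accumulate rights. The SIDs, the access-mask bits and the `AccessToken`/`Ace` classes are constructed for the example, not Windows' real structures; the ACE ordering behaviour (deny ACEs placed before allow ACEs in canonical order) is what the example demonstrates.

```python
from dataclasses import dataclass

# Access rights used in this model (constructed bit masks, not the real Windows ACCESS_MASK values)
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class AccessToken:
    """The SIDs a logged-on user carries: the user's own SID plus group SIDs."""
    user_sid: str
    group_sids: frozenset

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


@dataclass(frozen=True)
class Ace:
    """One access control entry: 'allow' or 'deny' a mask of rights to a SID."""
    kind: str
    sid: str
    mask: int


def access_check(token: AccessToken, dacl, requested: int) -> bool:
    """Simplified model of the Windows DACL walk.

    ACEs are evaluated in list order. A deny ACE whose SID is in the token and
    whose mask covers any right not yet granted denies the request; allow ACEs
    whose SID is in the token accumulate rights until everything requested is
    granted. dacl=None models a NULL DACL (no protection, everything allowed);
    dacl=[] models an empty DACL (nothing allowed).
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if remaining == 0:
            break
        if not token.holds(ace.sid):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


def demo() -> dict:
    """Constructed scenario: a user who is in both Domain Admins (RID 512) and
    Domain Guests (RID 514) asks for WRITE on an object whose DACL denies
    WRITE to guests and allows FULL to admins."""
    domain = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain SID
    token = AccessToken(user_sid=domain + "-1013",
                        group_sids=frozenset({domain + "-512", domain + "-514"}))
    deny_guests_write = Ace("deny", domain + "-514", WRITE)
    allow_admins_full = Ace("allow", domain + "-512", FULL)
    canonical = [deny_guests_write, allow_admins_full]      # deny ACEs first, as Windows orders them
    non_canonical = [allow_admins_full, deny_guests_write]  # allow first: the deny is never reached
    return {
        "canonical_write": access_check(token, canonical, WRITE),          # False: deny ACE matched
        "canonical_read": access_check(token, canonical, READ),            # True: deny mask does not cover READ
        "non_canonical_write": access_check(token, non_canonical, WRITE),  # True: granted before the deny
        "empty_dacl": access_check(token, [], READ),                       # False: empty DACL grants nothing
        "null_dacl": access_check(token, None, FULL),                      # True: NULL DACL protects nothing
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The `non_canonical_write` result is the point of the example: the same ACEs in a different order give a different answer, which is why Windows writes deny ACEs ahead of allow ACEs and why a tool that edits a DACL by hand must preserve that order.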
SIDs are useful for troubleshooting issues with security audits and with Windows server and domain migrations.
A SID has the following format, illustrated component by component:
- S - The string is a SID.
- 1 - The revision level.
- 5 - The identifier authority value.
- 12-7623811015-3361044348-030300820 - The domain or local computer identifier.
- 1013 - A Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.
Possible identifier authority values are:
- 0 - Null Authority
- 1 - World Authority
- 2 - Local Authority
- 3 - Creator Authority
- 4 - Non-unique Authority
- 5 - NT Authority
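The SID format and identifier authority values above, as an added example that is not part of the original article: a Python parser that splits a textual SID into revision, identifier authority, sub-authorities and RID, applies the article's rule that RIDs of 1000 or greater belong to non-default accounts, and rejects sub-authorities that do not fit in 32 bits. The example SIDs are constructed; the well-known SID values in `WELL_KNOWN_SIDS` and `WELL_KNOWN_DOMAIN_RIDS` are taken from Microsoft's published list of well-known SIDs, not from this page, which only gives the descriptions.

```python
import re

# Identifier authority values as listed in the article
IDENTIFIER_AUTHORITIES = {
    0: "Null Authority",
    1: "World Authority",
    2: "Local Authority",
    3: "Creator Authority",
    4: "Non-unique Authority",
    5: "NT Authority",
}

# Well-known SIDs (from Microsoft's published list; the article describes them without the values)
WELL_KNOWN_SIDS = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "NT Authority, Local Service",
    "S-1-5-20": "NT Authority, Network Service",
}
# Well-known RIDs under a domain or machine SID (S-1-5-21-...)
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> dict:
    """Split a textual SID into its components and validate the field widths."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subauthorities = [int(x) for x in m.group(3).lstrip("-").split("-")]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority > 0xFFFFFFFFFFFF:  # identifier authority is a 48-bit value
        raise ValueError("identifier authority exceeds 48 bits")
    if any(s > 0xFFFFFFFF for s in subauthorities):  # each sub-authority is a 32-bit value
        raise ValueError("sub-authority exceeds 32 bits")
    if len(subauthorities) > 15:
        raise ValueError("too many sub-authorities")
    rid = subauthorities[-1]
    domain_part = subauthorities[:-1]
    return {
        "revision": revision,
        "authority": authority,
        "authority_name": IDENTIFIER_AUTHORITIES.get(authority, "unknown"),
        "subauthorities": subauthorities,
        "rid": rid,
        # Everything before the RID identifies the issuing domain or computer
        "domain_sid": ("S-%d-%d-%s" % (revision, authority, "-".join(map(str, domain_part)))
                       if domain_part else None),
        # Article rule: accounts not created by default have a RID of 1000 or greater
        "default_account": rid < 1000,
    }


def describe(sid: str) -> str:
    """Name a well-known SID, or a well-known RID under a domain/machine SID."""
    parts = parse_sid(sid)
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if (parts["authority"] == 5 and parts["subauthorities"][0] == 21
            and parts["rid"] in WELL_KNOWN_DOMAIN_RIDS):
        return WELL_KNOWN_DOMAIN_RIDS[parts["rid"]]
    return "not a well-known SID"


if __name__ == "__main__":
    for s in ("S-1-5-18", "S-1-5-21-1004336348-1177238915-682003330-512",
              "S-1-5-21-1004336348-1177238915-682003330-1013"):
        print(s, "->", describe(s), parse_sid(s))
```

Parsing by RID alone is how audit tooling spots, for example, a renamed built-in Administrator account: the name can change, but RID 500 under the domain SID cannot.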
Well-known security identifiers
A number of "well-known" security identifiers are defined by the operating system so as to ensure that specific system accounts can always be found. Microsoft maintains a complete list of these identifiers in a knowledge base article.
| SID | Description |
|---|---|
| | Local System, a service account that is used by the operating system. |
| | NT Authority, Local Service |
| | NT Authority, Network Service |
| | A user account for the system administrator. By default, it is the only user account that is given full control over the system. |
| | Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. |
| | Domain Admins - a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group. |
| | Domain Users. |
| | Domain Guests - A global group that, by default, has only one member, the domain's built-in Guest account. |
The problem with duplicated SIDs in a workgroup of computers running Windows NT/2K/XP arises only when different user accounts end up with the same SID. This can lead to unexpected access to shared files or to files stored on removable storage: if ACLs are set on a file, the permissions are associated with a user SID. If that user SID is duplicated on another computer (because the computer SID is duplicated, and user SIDs are built from the computer SID plus a sequential number), a user on the second computer with the same SID could gain access to the files that the user on the first computer has protected.
When the computers are joined to a domain (an Active Directory or NT domain, for instance), each computer has a unique domain SID which is recomputed each time a computer enters the domain. There are therefore usually no real problems with duplicated SIDs when the computers are members of a domain, especially if local user accounts are not used. If local user accounts are used, the potential security issue is the same as the one described above for a workgroup, but it affects only the files and resources protected by local users, not those protected by domain users.
In other words, duplicated SIDs are usually not a problem on Microsoft Windows systems. Microsoft does, however, provide a utility to change a machine SID: NewSID - Microsoft TechNet
Other programs that rely on the machine SID may nevertheless have problems with their security.
The machine SID is stored in the SECURITY registry hive, under the key SECURITY\SAM\Domains\Account. This key has two values, F and V. The V value is a binary value that has the computer SID embedded at the end of its data (the last 96 bits).
- "NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID."
Decoding Machine SID
1. Divide the bytes into 3 sections.
2. Reverse the bytes of each section.
3. Convert each section into decimal.
4. Add the machine SID prefix.
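The four decoding steps above carried out in code, as an added example that is not part of the original article: the last 12 bytes of the V value are split into three 4-byte sections, each section is byte-reversed (the data is stored little-endian), converted to decimal and prefixed with S-1-5-21-, the prefix that machine and domain SIDs carry. `SAMPLE_V_VALUE` is a constructed byte string standing in for the registry value (its leading bytes are padding, not a faithful copy of the real V structure); `decode_machine_sid`, `encode_machine_sid_tail` and `v_value_matches` are names chosen for this example.

```python
import struct

MACHINE_SID_PREFIX = "S-1-5-21-"

# Constructed sample V value: 32 bytes of padding followed by the three little-endian
# sub-authorities 1004336348, 1177238915 and 682003330 (the last 96 bits)
SAMPLE_V_VALUE = bytes(0x20) + bytes.fromhex("dcf4dc3b833d2b46828ba628")


def decode_machine_sid(v_value: bytes) -> str:
    """Reconstruct the textual machine SID from the binary V value of
    SECURITY\\SAM\\Domains\\Account, following the article's four steps."""
    if len(v_value) < 12:
        raise ValueError("V value too short to contain a machine SID")
    tail = v_value[-12:]                                          # the last 96 bits hold the SID
    sections = [tail[i:i + 4] for i in range(0, 12, 4)]           # step 1: three 4-byte sections
    reversed_sections = [bytes(reversed(s)) for s in sections]    # step 2: reverse each section
    subauthorities = [int.from_bytes(s, "big") for s in reversed_sections]  # step 3: to decimal
    return MACHINE_SID_PREFIX + "-".join(str(x) for x in subauthorities)    # step 4: add prefix


def encode_machine_sid_tail(sid: str) -> bytes:
    """Inverse of decode_machine_sid: the 12 trailing bytes a V value holds for this SID."""
    if not sid.startswith(MACHINE_SID_PREFIX):
        raise ValueError("not a machine SID")
    subs = [int(x) for x in sid[len(MACHINE_SID_PREFIX):].split("-")]
    if len(subs) != 3 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("a machine SID has exactly three 32-bit sub-authorities")
    return struct.pack("<III", *subs)  # little-endian, i.e. the byte-reversed form of step 2


def v_value_matches(v_value: bytes, expected_sid: str) -> bool:
    """Check that the SID embedded in a V value is the expected one, e.g. when auditing
    a workgroup for duplicated machine SIDs or confirming that a SID change took effect."""
    return decode_machine_sid(v_value) == expected_sid


if __name__ == "__main__":
    sid = decode_machine_sid(SAMPLE_V_VALUE)
    print("machine SID:", sid)
    print("round trip ok:", encode_machine_sid_tail(sid) == SAMPLE_V_VALUE[-12:])
```

Reversing each 4-byte section and then reading it big-endian is the same as reading it little-endian directly; the example keeps the two steps separate so they line up with the procedure in the text.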