Security Identifier

Security Identifier

In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique name (an alphanumeric character string) which is assigned by a Windows Domain controller during the log on process that is used to identify an object, such as a user or a group of users in a network of NT/2000 systems.


Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs into a computer, an access token is generated that contains user and group SIDs and user privilege level. When a user requests access to a resource, the access token is checked by the ACL to permit or deny particular action on a particular object.

SIDs are useful for troubleshooting issues with security audits, Windows server and domain migrations.

SID has format as follows: S-1-5-12-7623811015-3361044348-030300820-1013

S - The string is a SID.
1 - The revision level.
5 - The identifier authority value.
12-7623811015-3361044348-030300820 - domain or local computer identifier
1013 – a Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.

Possible identifier authority values are:

  • 0 - Null Authority
  • 1 - World Authority
  • 2 - Local Authority
  • 3 - Creator Authority
  • 4 - Non-unique Authority
  • 5 - NT Authority

Well-known security identifiers

A number of "well-known" security identifiers are defined by the operating system so as to ensure that specific system accounts can always be found. Microsoft maintains a complete list of these identifiers in a knowledge base article.

SID Description
Local System, a service account that is used by the operating system.
NT Authority, Local Service
NT Authority, Network Service
A user account for the system administrator. By default, it is the only user account that is given full control over the system.
Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
Domain Admins - a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
Domain Users.
Domain Guests - A global group that, by default, has only one member, the domain's built-in Guest account.

Duplicated SIDs

The problem with duplicated SIDs in a Workgroup of computers running Windows NT/2K/XP is only related to different user accounts having the same SID. This could lead to unexpected access to shared files or files stored on a removable storage: If some ACLs (Access control lists) are set on a file, the actual permissions can be associated with a user SID. If this user SID is duplicated on another computer (because the computer SID is duplicated and because the user SIDs are built based on the computer SID + a sequential number), a user of a second computer having the same SID could have access to the files that the user of a first computer has protected.

Now the truth is that when the computers are joined into a domain (Active Directory or NT domain for instance), each computer has a unique Domain SID which is recomputed each time a computer enters a domain. Thus there are usually no real problems with Duplicated SIDs when the computers are members of a domain, especially if local user accounts are not used. If local user accounts are used, there is a potential security issue that is the same as the one described above when the computers are members of a Workgroup but that affects only the files and resources protected by local users, not by domain users.

In other words, duplicated SIDs are usually not a problem with Microsoft Windows systems. However Microsoft does provide a utility to change a machine SID: NewSID - Microsoft TechNet

But other programs that detect SID might have problems with their security.

Machine SIDs

The machine SID is stored in the SECURITY registry hive located at SECURITYSAMDomainsAccount, this key has two values F and V. The V value is a binary value that has the computer SID embedded within it at the end of its data (Last 96 bits).

  • "NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID."
    • From NewSID readme.

Decoding Machine SID

1) Divide the bytes into 3 sections:
2) Reverse the bytes of each section:
3) Convert each section into decimal:
4) Add the machine SID prefix:

See also


External links

Search another word or see Security Identifieron Dictionary | Thesaurus |Spanish
Copyright © 2015, LLC. All rights reserved.
  • Please Login or Sign Up to use the Recent Searches feature