The Windows 2000/NT SID explained

SID stands for Security Identifier and is used within NT/2000 as a value to uniquely identify an object such as a user or a group. The SID assigned to a user becomes part of the access token, which is then attached to any action attempted or process executed by that user or group. If a duplicate SID did exist then all users with this SID would authenticate as what would be seen as the same user. It is possible for cloned machines to have the same SID, which would be seen by the authentication mechanism as the same machine. The SID under normal operation will be unique and will identify an individual object such as a user, group or a machine.

A SID contains:

User and group security descriptors
48-bit ID authority
Revision level
Variable sub-authority values
For example: S-1-5-21-917267712-1342860078-1792151419-500

Below is a list of the values for SIDs on a default NT 4 installation;

Notice the unique value 500 for Administrator and 501 for Guest.

- Built-In Users

DOMAINNAME\ADMINISTRATOR

S-1-5-21-917267712-1342860078-1792151419-500 (=0x1F4)

DOMAINNAME\GUEST

S-1-5-21-917267712-1342860078-1792151419-501 (=0x1F5)

- Built-In Global Groups

DOMAINNAME\DOMAIN ADMINS

S-1-5-21-917267712-1342860078-1792151419-512 (=0x200)

DOMAINNAME\DOMAIN USERS

S-1-5-21-917267712-1342860078-1792151419-513 (=0x201)

DOMAINNAME\DOMAIN GUESTS

S-1-5-21-917267712-1342860078-1792151419-514 (=0x202)

- Built-In Local Groups

BUILTIN\ADMINISTRATORS S-1-5-32-544 (=0x220)

BUILTIN\USERS S-1-5-32-545 (=0x221)

BUILTIN\GUESTS S-1-5-32-546 (=0x222)

BUILTIN\ACCOUNT OPERATORS S-1-5-32-548 (=0x224)

BUILTIN\SERVER OPERATORS S-1-5-32-549 (=0x225)

BUILTIN\PRINT OPERATORS S-1-5-32-550 (=0x226)

BUILTIN\BACKUP OPERATORS S-1-5-32-551 (=0x227)

BUILTIN\REPLICATOR S-1-5-32-552 (=0x228)

- Special Groups

\CREATOR OWNER S-1-3-0

\EVERYONE S-1-1-0

NT AUTHORITY\NETWORK S-1-5-2

NT AUTHORITY\INTERACTIVE S-1-5-4

NT AUTHORITY\SYSTEM S-1-5-18

NT AUTHORITY\authenticated users S-1-5-11 *

* For Windows NT 4.0 Service Pack 3 and later only

These values can be displayed by using the utility Getsid.exe from the Windows NT Resource Kit.

C:\>getsid \\MACHINE ACCOUNT \\MACHINE ACCOUNT

The SID for account MACHINE\ ACCOUNT matches account MACHINE\ ACCOUNT

The SID for account MACHINE\ ACCOUNT is

S-1-5-21-1271857391-537538043-240200450-4294967295

The SID for account MACHINE\ ACCOUNT is

S-1-5-21-1271857391-537538043-240200450-4294967295

For more information, see Q. How can I tell which User has which SID? and Q. What are the problems with
workstations having the same SID? - www.ntfaq.com

For more other information, see

http://support.microsoft.com/support/kb/articles/Q163/8/46.asp

For information on extracting the SID from an ACE see

http://support.microsoft.com/support/kb/articles/q102/1/01.asp

For information on how to associate a Username with a Security Identifier (SID) see

http://support.microsoft.com/support/kb/articles/Q154/5/99.asp

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

>

StationX Accelerator Pro

Enter your name and email below, and we’ll swiftly get you all the exciting details about our exclusive StationX Accelerator Pro Program. Stay tuned for more!

StationX Accelerator Premium

Enter your name and email below, and we’ll swiftly get you all the exciting details about our exclusive StationX Accelerator Premium Program. Stay tuned for more!

StationX Master's Program

Enter your name and email below, and we’ll swiftly get you all the exciting details about our exclusive StationX Master’s Program. Stay tuned for more!