search
GitHubFacebookLinkedin
Page cover

🏢SID's Authority

What is authority that create SID in windows systems ?

  • The authority the issued the SID in windows systems is rely on the network setup the windows device located on.

  • hashtag
    Who Creates SIDs in Work-group vs Domain ?

Feature
Work-group (Local Accounts)
Domain (Active Directory Accounts)

Authority

Local Security Authority (LSA) on each computer

Active Directory (AD) Domain Controller (DC)

Scope of SID

Valid only on that computer

Valid across the entire domain

Where It’s Stored

Security Account Manager (SAM) database (C:\Windows\System32\Config\SAM)

Active Directory Database (NTDS.dit) on Domain Controller

Account Portability

Cannot be moved to another machine

Can be accessed from any domain-joined machine

How it's created ?

LSA generates a machine-based SID + RID

Domain Controller generates a domain-wide SID + RID

Who controls Account?

Local administrator

Domain Administrator

chevron-rightHow SID Are Created in a Work-group ?hashtag

  • In a Work-group, each computer functions independently. There is no central authentication server like a domain controller.

  • Step-by-Step Process of SID Creation in a Work-group

    1. A user account is created (e.g., saber) using:

      • Control Panel → User Accounts

      • Computer Management (lusrmgr.msc)

      • Command Line (net user)

    2. The Local Security Authority (LSA) generates a new SID, which includes:

      • The computer’s unique machine SID

      • A Relative Identifier (RID) assigned by Windows

    3. The SID is stored in the Security Account Manager (SAM) database locally.

    4. Example of a Work-group SID:

      S-1-5-21-987654321-123456789-543216789-1001

    5. Limitations of Work-group SIDs :

      • Each computer generates its own SIDs independently.

      • If the same username is created on another machine, it will get a different SID.

      • Work-group accounts cannot be used on another machine.

chevron-rightHow SID Are Created in a Domain (Active Directory) ?hashtag

  • In a Domain, accounts are managed centrally by a Domain Controller (DC) using Active Directory (AD).

  • Step-by-Step Process of SID Creation in a Domain

    1. A user account is created in Active Directory Users and Computers (ADUC) or using PowerShell (New-ADUser).

    2. The Domain Controller (DC) assigns a unique SID, which includes:

      • The domain’s unique identifier (instead of a machine SID)

      • A Relative Identifier (RID) assigned by the RID Master role in AD

    3. The SID is stored in the Active Directory Database (NTDS.dit).

    4. Example of a Domain User SID:

    S-1-5-21-321654987-741852963-147258369-1103

    hashtag

  • hashtag
    Advantages of Domain SIDs

  • hashtag
    Consistent across all domain-joined machines

  • hashtag
    Users can log into any machine within the domain

  • hashtag
    Centralized control over permissions and security

PreviousWhat is Security Descriptors in WindowsNextLocal Security Authority (LSA)

Last updated