Mohamed Saber
Active Directory Domain Controller

Windows SID


Last updated 1 month ago

What is a Security Identifier (SID) ?

  • A security identifier (SID) is a unique value of variable length used to identify a security principal or security group. Security principals can represent any entity that the operating system can authenticate. Examples include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.

  • Each account has a unique SID issued by an authority (which authority issues it depends on whether the machine is in a workgroup or a domain; see the SID's Authority page), ensuring that each SID is unique and never reused.

  • The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID is used as the unique identifier for a user or group, it can never be used again to identify another user or group.

Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer.

  • This uniqueness of the SID allows the operating system to manage permissions and access control for each user and group in Windows.


How do Windows SIDs work?

  • Users refer to accounts by the account name. An account name is a human-readable identifier for a user account or computer account in Windows. It is the primary way to distinguish one account from another from a human perspective, not from the computer's perspective.

  • Account names are part of the security principal in Windows, which includes:

    1. User accounts : Accounts representing individuals (e.g., employees, admins).

    2. Computer accounts : Accounts representing machines (e.g., workstations, servers).

    3. Service accounts : Dedicated accounts used by applications or services.

Examples of Account Names:

  1. For a user: john.doe, admin_user

  2. For a computer: WORKSTATION01, SERVER2023

  3. For a service: SQLServiceAccount

Types of account names

This section describes the different formats or conventions used to write or represent account names in Windows and Active Directory (AD). These formats define how account names are structured and written, depending on the context or environment.

There are two main types of account names in Windows:

a) SAM Account Name (Pre-Windows 2000)

  • The SAM Account Name is the older naming convention used in standalone systems or domains prior to Windows 2000.

  • It is limited to 20 characters and must be unique within the domain or local machine.

  • Example: jdoe (for John Doe).

  • Usage:

    • Used in standalone systems or older Windows environments.

    • Often seen in local accounts or when referencing accounts in non-UPN contexts.

b) User Principal Name (UPN)

  • The User Principal Name (UPN) is the modern naming convention used in Active Directory environments.

  • It follows the format: username@domain.com.

  • UPNs are designed to resemble email addresses and are easier to remember.

  • Example: john.doe@company.local.

  • Usage:

    • Primarily used in Active Directory environments.

    • Preferred for logging in because it is intuitive and resembles an email address.

    • Commonly used in cloud-based or hybrid environments (e.g., Azure AD).


  • Internally, the operating system refers to accounts and processes that run in the security context of the account by using their SIDs.

  • The operating system generates a SID that identifies a particular account or group at the time the account or group is created.

  • For a local account or group, the Local Security Authority (LSA) on the computer generates the SID. The SID is stored with other account information in a secure area of the registry.

  • For a domain account or group, the domain security authority generates the SID. This type of SID is stored as an attribute of the User or Group object in Active Directory Domain Services.

  • SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts.

For example:

  • If a user with a user account in a Windows domain leaves their job, an administrator deletes their Active Directory account, including the SID that identifies the account. If they later return to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID doesn't match the old one, so none of the user's access from their old account is transferred to the new account. Both their accounts represent two different security principals.


SID architecture

  • Structure of a SID

    A SID is structured as follows in string format: S-R-X-Y1-Y2-...-Yn, where:

    • S: Prefix indicating a SID.

    • R: Revision level (e.g., 1 for current versions).

    • X: Identifier Authority (IA), a 48-bit value represented as a decimal number.

    • Y1-Yn: Sub-authorities (32-bit integers) that define the hierarchy under the IA.

    In memory, the SID is stored as: [Revision][SubAuthorityCount][IA (6 bytes)][SubAuthorities...].

  • A SID consists of multiple numeric components separated by hyphens (-) and follows this current SID format in Windows:

    S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-RID

Prefix ("S")

  • Description: The string always begins with "S", which stands for "Security Identifier."

  • Purpose: This prefix is a marker that identifies the string as a SID, distinguishing it from other types of identifiers or data, such as GUIDs or hashes, within the system.

  • Details:

    • It is a constant and does not carry any variable information, serving purely as a readability and parsing aid.

    • It ensures that tools, APIs, and administrators can easily recognize the string as a SID, facilitating proper handling in security contexts.

Revision Level

  • Description: The first numeric component after the "S", typically set to "1".

  • Purpose: Indicates the version or revision level of the SID structure, ensuring compatibility across different Windows versions.

  • Details:

    • In modern Windows systems, from Windows NT 3.1 (released in 1993) to the latest versions like Windows 11 (as of April 11, 2025), the revision level is always 1, reflecting the current SID format.

    • This component is stored as an 8-bit field (1 byte) in the binary SID structure, ensuring it is a compact and fixed part of the identifier.

    • It provides future-proofing; if Microsoft were to introduce a new SID structure (e.g., with additional fields), this number could increment, but it has remained "1" for decades, indicating stability.

Identifier Authority(IA)

  • Description: The second numeric component, represented as a single number in the string format but stored as a 6-byte (48-bit) value in binary.

  • Purpose: Specifies the top-level authority that issued the SID, setting the context for the SID's scope and usage, and determining how subsequent sub-authorities are interpreted.

  • Details:

    • Common values include:

      • 0: Null Authority (rarely used, theoretical).

      • 1: World Authority ("Everyone," S-1-1-0, representing all users).

      • 2: Local Authority (local logon sessions, S-1-2-0).

      • 3: Creator Authority ("Creator Owner," S-1-3-0, used for ownership-related security).

      • 5: NT Authority (the most common in Windows, used for system-generated SIDs such as users, groups, and computers; e.g., S-1-5-18 for Local System).

    • Stored as six bytes in the binary SID structure, but only the last byte typically varies (e.g., 00-00-00-00-00-05 for 5), making it efficient.

    • Defined in the Windows API as a SID_IDENTIFIER_AUTHORITY struct, ensuring consistent handling across security subsystems.

Sub-Authorities

  • Description: A variable number of numeric components following the identifier authority, each represented as a 32-bit integer.

  • Purpose: Provide additional specificity and uniqueness to the SID, ensuring it can uniquely identify a security principal within the context of the identifier authority.

  • Details:

    • The number of sub-authorities varies depending on the type of SID, ranging from 1 (e.g., S-1-1-0 for "Everyone") to up to 8 (as defined by the Windows API).

    • For SIDs issued by the NT Authority (S-1-5-...), the sub-authorities are typically split into two logical parts:

      • Domain or Machine Identifier: A unique value tied to the system or domain that issued the SID.

      • Relative Identifier (RID): A number that identifies a specific user, group, or computer within that domain or machine.

    • Each sub-authority is stored as a 32-bit integer in the binary SID structure, with the count specified in the SubAuthorityCount field (byte 1 of the SID).

  • The Identifier Authority in a Security Identifier (SID) determines who created the SID and what kind of security principal (user, group, or service) it belongs to. It defines the origin of the security identity.

Domain or Machine Identifier

  • Description: A set of sub-authorities (typically 4 in total for S-1-5-21-... SIDs) that uniquely identifies the domain or local machine issuing the SID.

  • Purpose: Ties the SID to a specific security context, ensuring no two SIDs are identical across different systems or domains, preventing collisions.

  • Details:

    • For NT Authority SIDs (S-1-5-...), this includes:

      • First Sub-Authority: A predefined value indicating the type of SID:

        • 21: Used for user and group SIDs on domain-joined or standalone systems (S-1-5-21-...).

        • 32: Used for built-in groups (e.g., "Administrators," S-1-5-32-544).

        • 18, 19, 20: Used for system accounts (e.g., "Local System," S-1-5-18).

      • Next Three Sub-Authorities: A 48-bit unique identifier (split into three 32-bit numbers for readability, e.g., 1234567890-0987654321-555555555).

        • Generated during OS installation for standalone machines or domain creation for Active Directory, ensuring uniqueness.

        • Stored as three DWORDs but treated as one 48-bit value internally for comparison.

Relative Identifier (RID)

  • Description: The final sub-authority, a 32-bit integer that uniquely identifies a specific security principal within the domain or machine.

  • Purpose: Distinguishes individual users, groups, or computers within the same domain or machine context, ensuring granular identification.

  • Details:

    • Assigned by the Security Account Manager (SAM) for local accounts or Active Directory for domain accounts:

      • Reserved RIDs: Predefined for built-in accounts and groups:

        • 500: Default Administrator account.

        • 501: Default Guest account.

        • 544: Administrators group (under S-1-5-32).

      • Dynamic RIDs: Start at 1000 and increment (e.g., 1001, 1002) for new accounts, managed by the RID pool in AD (default size 500, expandable).

    • The RID is critical for scalability, as it allows for up to 4 billion unique identifiers within a domain (2^32).
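As an added example (not code from the original page), the following Python encodes a SID string into the in-memory layout described in the SID architecture section, decodes it back, and splits an NT Authority SID into its identifier authority, domain or machine identifier and RID as described in the component sections above. The sample SID values in the comments and tests are constructed, and the 15 sub-authority limit is the Windows SDK's SID_MAX_SUB_AUTHORITIES constant.

```python
import struct

# Identifier-authority values and reserved RIDs as named on this page
IDENTIFIER_AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT Authority"}
RESERVED_DOMAIN_RIDS = {500: "Administrator", 501: "Guest"}
RESERVED_BUILTIN_RIDS = {544: "Administrators"}
SID_MAX_SUB_AUTHORITIES = 15  # the Windows SDK constant of the same name

def sid_to_bytes(sid: str) -> bytes:
    """Encode S-R-X-Y1-...-Yn into the in-memory layout
    [Revision][SubAuthorityCount][IA, 6 bytes big-endian][SubAuthorities, 32-bit little-endian]."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 1 << 48 or len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"bad revision, authority or sub-authority count in {sid!r}")
    if any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError(f"sub-authority outside 32-bit range in {sid!r}")
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary layout back to string form; the buffer must match SubAuthorityCount."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID buffer length does not match SubAuthorityCount")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big")), *map(str, subs)])

def describe(sid: str) -> dict:
    """Name the identifier authority, the issuing domain/machine identifier and the RID."""
    fields = [int(p) for p in sid.split("-")[1:]]
    authority, subs = fields[1], fields[2:]
    info = {"authority": IDENTIFIER_AUTHORITIES.get(authority, str(authority)), "kind": "well-known"}
    if authority == 5 and len(subs) in (4, 5) and subs[0] == 21:  # S-1-5-21-X-Y-Z[-RID]
        info.update(kind="domain or machine", issuer="-".join(map(str, subs[1:4])))
        if len(subs) == 5:  # the trailing sub-authority is the account's RID
            rid = subs[4]
            rid_name = RESERVED_DOMAIN_RIDS.get(rid, "dynamic" if rid >= 1000 else "reserved")
            info.update(kind="domain or machine account", rid=rid, rid_name=rid_name)
    elif authority == 5 and len(subs) == 2 and subs[0] == 32:  # S-1-5-32-RID
        info.update(kind="built-in", rid=subs[1], rid_name=RESERVED_BUILTIN_RIDS.get(subs[1], "reserved"))
    return info

def same_issuer(sid_a: str, sid_b: str) -> bool:
    """True only when both SIDs carry the same domain/machine identifier; an equal RID alone is not enough."""
    a, b = describe(sid_a), describe(sid_b)
    return "issuer" in a and a["issuer"] == b.get("issuer")
```

`same_issuer` shows why the deleted-and-recreated account in the example above is a different principal: two SIDs are only comparable when their domain or machine identifier matches, and the RID alone says nothing.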

Well-known SIDs

  • The values of certain SIDs are constant across all systems. They're created when the operating system or domain is installed.

  • They're called well-known SIDs because they identify generic users or generic groups.

  • There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows.

Universal well-known SID | Name | Identifies
S-1-0-0 | Null SID | A group with no members. This value is often used when a SID value isn't known.
S-1-1-0 | World | A group that includes all users.
S-1-2-0 | Local | Users who sign in to terminals that are locally (physically) connected to the system.
S-1-2-1 | Console Logon | A group that includes users who are signed in to the physical console.
S-1-3-0 | Creator Owner ID | A SID to be replaced by the SID of the user who creates a new object. This SID is used in inheritable access control entries (ACEs).
S-1-3-1 | Creator Group ID | A SID to be replaced by the primary-group SID of the user who creates a new object. Use this SID in inheritable ACEs.
S-1-3-2 | Owner Server | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object's owner server and stores information about who created a given object or file.
S-1-3-3 | Group Server | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object's group server. The system also stores information about the groups that are allowed to work with the object.
S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC standard access rights for the object owner.
S-1-4 | Non-unique Authority | A SID that represents an identifier authority.
S-1-5 | NT Authority | A SID that represents an identifier authority.
S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. The operating system controls the membership of this group.

Get your local account SID with PowerShell

Windows PowerShell command (lists the current user's account name and SID):

Get-WmiObject Win32_UserAccount | Where-Object { $_.Name -eq $env:USERNAME } | Select-Object Name, SID

Windows CMD command (prints the current user's name and SID; also works from PowerShell):

whoami /user

Reference:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers