SID's Authority

What is authority that create SID in windows systems ?

The authority the issued the SID in windows systems is rely on the network setup the windows device located on.
Who Creates SIDs in Work-group vs Domain ?

Feature

Work-group (Local Accounts)

Domain (Active Directory Accounts)

Authority

Local Security Authority (LSA) on each computer

Active Directory (AD) Domain Controller (DC)

Scope of SID

Valid only on that computer

Valid across the entire domain

Where It’s Stored

Security Account Manager (SAM) database (C:\Windows\System32\Config\SAM)

Active Directory Database (NTDS.dit) on Domain Controller

Account Portability

Cannot be moved to another machine

Can be accessed from any domain-joined machine

How it's created ?

LSA generates a machine-based SID + RID

Domain Controller generates a domain-wide SID + RID

Who controls Account?

Local administrator

Domain Administrator

How SID Are Created in a Work-group ?

In a Work-group, each computer functions independently. There is no central authentication server like a domain controller.
Step-by-Step Process of SID Creation in a Work-group
1. A user account is created (e.g., saber) using:
  - Control Panel → User Accounts
  - Computer Management (lusrmgr.msc)
  - Command Line (net user)
2. The Local Security Authority (LSA) generates a new SID, which includes:
  - The computer’s unique machine SID
  - A Relative Identifier (RID) assigned by Windows
3. The SID is stored in the Security Account Manager (SAM) database locally.
4. Example of a Work-group SID:
  S-1-5-21-987654321-123456789-543216789-1001
5. Limitations of Work-group SIDs :
  - Each computer generates its own SIDs independently.
  - If the same username is created on another machine, it will get a different SID.
  - Work-group accounts cannot be used on another machine.

How SID Are Created in a Domain (Active Directory) ?

In a Domain, accounts are managed centrally by a Domain Controller (DC) using Active Directory (AD).
Step-by-Step Process of SID Creation in a Domain
1. A user account is created in Active Directory Users and Computers (ADUC) or using PowerShell (New-ADUser).
2. The Domain Controller (DC) assigns a unique SID, which includes:
  - The domain’s unique identifier (instead of a machine SID)
  - A Relative Identifier (RID) assigned by the RID Master role in AD
3. The SID is stored in the Active Directory Database (NTDS.dit).
4. Example of a Domain User SID:
```
S-1-5-21-321654987-741852963-147258369-1103
```
Advantages of Domain SIDs

✅ Consistent across all domain-joined machines
✅ Users can log into any machine within the domain
✅ Centralized control over permissions and security

PreviousWhat is Security Descriptors in Windows NextLocal Security Authority (LSA)

Last updated 1 month ago

SID's Authority

What is authority that create SID in windows systems ?

The authority the issued the SID in windows systems is rely on the network setup the windows device located on.
Who Creates SIDs in Work-group vs Domain ?

Feature

Work-group (Local Accounts)

Domain (Active Directory Accounts)

Authority

Local Security Authority (LSA) on each computer

Active Directory (AD) Domain Controller (DC)

Scope of SID

Valid only on that computer

Valid across the entire domain

Where It’s Stored

Security Account Manager (SAM) database (C:\Windows\System32\Config\SAM)

Active Directory Database (NTDS.dit) on Domain Controller

Account Portability

Cannot be moved to another machine

Can be accessed from any domain-joined machine

How it's created ?

LSA generates a machine-based SID + RID

Domain Controller generates a domain-wide SID + RID

Who controls Account?

Local administrator

Domain Administrator

How SID Are Created in a Work-group ?

In a Work-group, each computer functions independently. There is no central authentication server like a domain controller.
Step-by-Step Process of SID Creation in a Work-group
1. A user account is created (e.g., saber) using:
  - Control Panel → User Accounts
  - Computer Management (lusrmgr.msc)
  - Command Line (net user)
2. The Local Security Authority (LSA) generates a new SID, which includes:
  - The computer’s unique machine SID
  - A Relative Identifier (RID) assigned by Windows
3. The SID is stored in the Security Account Manager (SAM) database locally.
4. Example of a Work-group SID:
  S-1-5-21-987654321-123456789-543216789-1001
5. Limitations of Work-group SIDs :
  - Each computer generates its own SIDs independently.
  - If the same username is created on another machine, it will get a different SID.
  - Work-group accounts cannot be used on another machine.

How SID Are Created in a Domain (Active Directory) ?

In a Domain, accounts are managed centrally by a Domain Controller (DC) using Active Directory (AD).
Step-by-Step Process of SID Creation in a Domain
1. A user account is created in Active Directory Users and Computers (ADUC) or using PowerShell (New-ADUser).
2. The Domain Controller (DC) assigns a unique SID, which includes:
  - The domain’s unique identifier (instead of a machine SID)
  - A Relative Identifier (RID) assigned by the RID Master role in AD
3. The SID is stored in the Active Directory Database (NTDS.dit).
4. Example of a Domain User SID:
```
S-1-5-21-321654987-741852963-147258369-1103
```
Advantages of Domain SIDs

✅ Consistent across all domain-joined machines
✅ Users can log into any machine within the domain
✅ Centralized control over permissions and security

PreviousWhat is Security Descriptors in Windows NextLocal Security Authority (LSA)

Last updated 1 month ago

SID's Authority

Who Creates SIDs in Work-group vs Domain ?

Advantages of Domain SIDs

✅ Consistent across all domain-joined machines

✅ Users can log into any machine within the domain

✅ Centralized control over permissions and security

SID's Authority

Who Creates SIDs in Work-group vs Domain ?

Advantages of Domain SIDs

✅ Consistent across all domain-joined machines

✅ Users can log into any machine within the domain

✅ Centralized control over permissions and security