Appendix A -- Windows 2000 Well-Known SIDs


Table A-1 lists some well-known security identifiers (SIDs) on a Microsoft Windows 2000 system. Refer to Chapter 3, "Windows 2000 Security Overview," for more information about SIDs.

Table A-1. Well-known Windows 2000 SIDs.

| SID | Name | Description |
|---|---|---|
| S-1-0-0 | Null | A group with no members. This is often used when a SID value is not known. |
| S-1-1-0 | Everyone | A group that includes all users, even anonymous users and guests. |
| S-1-2-0 | Local | Users who log on to terminals locally (physically) connected to the system. |
| S-1-3-0 | Creator Owner | A SID to be replaced by the SID of the user who created the object. |
| S-1-5-1 | Dialup | Users who log on by using a dial-up connection such as a modem. |
| S-1-5-2 | Network | Users who log on across a network. |
| S-1-5-3 | Batch | Users who log on by using a batch logon. |
| S-1-5-4 | Interactive | Users who log on interactively. |
| S-1-5-5-X-Y | Logon Session | A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The X and Y values for these SIDs are different for each logon session. |
| S-1-5-6 | Service | Accounts authorized to log on as a service. |
| S-1-5-7 | Anonymous | A user who has logged on anonymously. |
| S-1-5-9 | Enterprise Controllers | A group that includes all Active Directory domain controller computers. |
| S-1-5-10 | Principal Self (or Self) | Granting permissions to Principal Self means granting permissions to the principal represented by the object. |
| S-1-5-11 | Authenticated Users | A group that includes all users whose identities were authenticated when they logged on. This group does not include the Anonymous or NULL account. |
| S-1-5-13 | Terminal Server Users | A group that includes all users who have logged on to a Terminal Services server. |
| S-1-5-18 | Local System (System Account) | A service account that is used by the operating system. |
| S-1-5-<domain>-500 | Administrator | A user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group. |
| S-1-5-<domain>-501 | Guest | The guest user account in a domain. Users who do not have an account can automatically log on to this account if the account is enabled. |
| S-1-5-<domain>-502 | KRBTGT | A service account that is used by the Kerberos Key Distribution Center (KDC) service. |
| S-1-5-<domain>-512 | Domain Admins | The domain administrators group. |
| S-1-5-<domain>-513 | Domain Users | A group containing all users in the domain. |
| S-1-5-<domain>-514 | Domain Guests | The guest group account in a domain. |
| S-1-5-<domain>-515 | Domain Computers | All computers in the domain are members of this group. |
| S-1-5-<domain>-516 | Domain Controllers | All domain controllers in the domain are added to this group automatically. |
| S-1-5-<domain>-517 | Cert Publishers | Computers running Microsoft Certificate Services are members of this group. |
| S-1-5-<domain>-518 | Schema Admins | Members of this group can modify the Active Directory schema. |
| S-1-5-<domain>-519 | Enterprise Admins | The enterprise administrators group. Members of this group have full access to all domains in Active Directory. |
| S-1-5-<domain>-520 | Group Policy Creators Owners | The policy administrators group. |
| S-1-5-<domain>-553 | RAS and IAS Servers | A local group representing RAS and Internet Authentication Service servers. |
| S-1-5-32-544 | Administrators | A built-in group containing local administrators on a server. By default, this contains the Administrator account. |
| S-1-5-32-545 | Users | A built-in group containing local users on a computer. |
| S-1-5-32-546 | Guests | A built-in group. By default, the only member is the Guest account. |
| S-1-5-32-547 | Power Users | A built-in group containing power users on the computer. By default, the group has no members. Power users have more capability than users in that they can create local users and groups, modify and delete accounts that they have created, and remove users from the Power Users, Users, and Guests groups. Power users also can install many applications and manage printers and file shares. |
| S-1-5-32-548 | Account Operators | A built-in group that exists only on domain controllers containing accounts that can manipulate user accounts. |
| S-1-5-32-549 | Server Operators | A built-in group that exists only on domain controllers containing accounts that can manipulate the server but not accounts. |
| S-1-5-32-550 | Print Operators | A built-in group containing accounts that can manipulate printers and printer queues. |
| S-1-5-32-551 | Backup Operators | A built-in group containing accounts that can back up and restore all files on a computer, regardless of the permissions that protect those files. |


Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
