Table A-1 lists some well-known security identifiers (SIDs) on a Microsoft Windows 2000 system. Refer to Chapter 3, "Windows 2000 Security Overview," for more information about SIDs.

Table A-1. Well-known Windows 2000 SIDs.

SID | Name | Description |
---|---|---|
S-1-0-0 | Null | A group with no members. This is often used when a SID value is not known. |
S-1-1-0 | Everyone | A group that includes all users, even anonymous users and guests. |
S-1-2-0 | Local | Users who log on to terminals locally (physically) connected to the system. |
S-1-3-0 | Creator Owner | A SID to be replaced by the SID of the user who created the object. |
S-1-5-1 | Dialup | Users who log on by using a dial-up connection such as a modem. |
S-1-5-2 | Network | Users who log on across a network. |
S-1-5-3 | Batch | Users who log on by using a batch logon. |
S-1-5-4 | Interactive | Users who log on interactively. |
S-1-5-5-X-Y | Logon Session | A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The X and Y values for these SIDs are different for each logon session. |
S-1-5-6 | Service | Accounts authorized to log on as a service. |
S-1-5-7 | Anonymous | A user who has logged on anonymously. |
S-1-5-9 | Enterprise Controllers | A group that includes all Active Directory domain controller computers. |
S-1-5-10 | Principal Self (or Self) | Granting permissions to Principal Self means granting permissions to the principal represented by the object. |
S-1-5-11 | Authenticated Users | A group that includes all users whose identities were authenticated when they logged on. This group does not include the Anonymous or NULL account. |
S-1-5-13 | Terminal Server Users | A group that includes all users who have logged on to a Terminal Services server. |
S-1-5-18 | Local System (System Account) | A service account that is used by the operating system. |
S-1-5-<domain>-500 | Administrator | A user account for the system administrator. This account is the first account created during operating system installation. The account cannot be deleted or locked out. It is a member of the Administrators group and cannot be removed from that group. |
S-1-5-<domain>-501 | Guest | The guest user account in a domain. Users who do not have an account can automatically log on to this account if the account is enabled. |
S-1-5-<domain>-502 | KRBTGT | A service account that is used by the Kerberos Key Distribution Center (KDC) service. |
S-1-5-<domain>-512 | Domain Admins | The domain administrators group. |
S-1-5-<domain>-513 | Domain Users | A group containing all users in the domain. |
S-1-5-<domain>-514 | Domain Guests | The guest group account in a domain. |
S-1-5-<domain>-515 | Domain Computers | All computers in the domain are members of this group. |
S-1-5-<domain>-516 | Domain Controllers | All domain controllers in the domain are added to this group automatically. |
S-1-5-<domain>-517 | Cert Publishers | Computers running Microsoft Certificate Services are members of this group. |
S-1-5-<domain>-518 | Schema Admins | Members of this group can modify the Active Directory schema. |
S-1-5-<domain>-519 | Enterprise Admins | The enterprise administrators group. Members of this group have full access to all domains in Active Directory. |
S-1-5-<domain>-520 | Group Policy Creator Owners | The policy administrators group. |
S-1-5-<domain>-553 | RAS and IAS Servers | A local group representing RAS and Internet Authentication Service servers. |
S-1-5-32-544 | Administrators | A built-in group containing local administrators on a server. By default, this contains the Administrator account. |
S-1-5-32-545 | Users | A built-in group containing local users on a computer. |
S-1-5-32-546 | Guests | A built-in group. By default, the only member is the Guest account. |
S-1-5-32-547 | Power Users | A built-in group containing power users on the computer. By default, the group has no members. Power users have more capability than users in that they can create local users and groups, modify and delete accounts that they have created, and remove users from the Power Users, Users, and Guests groups. Power users also can install many applications and manage printers and file shares. |
S-1-5-32-548 | Account Operators | A built-in group that exists only on domain controllers. It contains accounts that can manipulate user accounts. |
S-1-5-32-549 | Server Operators | A built-in group that exists only on domain controllers. It contains accounts that can manipulate the server but not accounts. |
S-1-5-32-550 | Print Operators | A built-in group containing accounts that can manipulate printers and printer queues. |
S-1-5-32-551 | Backup Operators | A built-in group containing accounts that can back up and restore all files on a computer, regardless of the permissions that protect those files. |