Administrators, of course, refer to user names and group names by their easy-to-remember verbal names. Internally, the operating system refers to each account by a number that uniquely identifies that account. Every account on the network is issued a unique SID when the account is first created. If you create an account, delete it, and then create another account with the same name, the new account will not have the rights or permissions previously granted to the old account because the accounts' SIDs will be different.
A SID has the following format:
S-R-A-S-S-S-S
Table 3-2 explains this format.
Table 3-2. SID structure.
Section | Name | Comments |
---|---|---|
S | SID | This means we are referring to a SID. |
R | Revision | Think of this as the SID format version number. Windows 2000 creates version 1 SIDs. |
A | Authority | This is a 48-bit identifier authority value that identifies the authority, such as a Windows NT/Windows 2000 domain, that issued the SID. Example authorities include Everyone/World (1) and Windows NT/2000 (5). |
S | Subauthority | This is a series of numbers that uniquely identify the principal. |
Two types of SIDs exist in Windows 2000: created SIDs and well-known SIDs. Created SIDs are created by Windows 2000 itself or by Windows 2000 administrators. The format of these SIDs is the same as that defined in Table 3-2, but the subauthority numbers have a special meaning. Take, for example, the following SID, which Table 3-3 translates:
S-1-5-21-397661181-626881882-18441761-1009
Table 3-3. The makeup of a created SID.
Section | Comments |
---|---|
S | This is a SID. |
1 | Version level 1. |
5 | Identifier authority value of 5 (NT authority). |
21 | First subauthority—this is a domain or workgroup. |
397661181-626881882-18441761 | Second, third, and fourth subauthorities—these uniquely identify the domain or workgroup. |
1009 | The last subauthority, a counter starting from 1000, which identifies the account in the domain. This number is incremented whenever a new account is created. |
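The following added example (not code from the original text) parses the textual SID form from Table 3-2, splits a created SID into the parts listed in Table 3-3, and shows why a deleted and recreated account loses its permissions. It assumes decimal fields only; the account name "alice", the second SID, and the set-based ACL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int                   # 48-bit identifier authority
    subauthorities: Tuple[int, ...]  # 32-bit values

    @property
    def is_created_account(self) -> bool:
        # Layout from Table 3-3: authority 5, first subauthority 21, three
        # domain/workgroup subauthorities, then the per-account counter.
        s = self.subauthorities
        return self.authority == 5 and len(s) == 5 and s[0] == 21

    @property
    def domain(self) -> Optional[Tuple[int, ...]]:
        return self.subauthorities[1:4] if self.is_created_account else None

    @property
    def account_number(self) -> Optional[int]:
        # The last subauthority (commonly called the relative identifier, RID).
        return self.subauthorities[4] if self.is_created_account else None

def parse_sid(text: str) -> Sid:
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts[1:]):
        raise ValueError(f"non-decimal field in {text!r}")
    revision, authority, *subs = map(int, parts[1:])
    if revision != 1:
        raise ValueError("only revision 1 SIDs are handled")
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("field out of range")
    return Sid(revision, authority, tuple(subs))

def is_granted(acl: set, account_sid: str) -> bool:
    # Permissions are matched on the SID, never on the account name.
    return parse_sid(account_sid) in acl

# Constructed scenario: "alice" is deleted and recreated with the same name.
OLD_ALICE = "S-1-5-21-397661181-626881882-18441761-1009"  # SID from the text
NEW_ALICE = "S-1-5-21-397661181-626881882-18441761-1010"  # constructed value
ACL = {parse_sid(OLD_ALICE)}  # hypothetical ACL granting access to the old account

if __name__ == "__main__":
    for name, sid in (("old alice", OLD_ALICE), ("new alice", NEW_ALICE)):
        p = parse_sid(sid)
        print(name, p.domain, p.account_number, "granted:", is_granted(ACL, sid))
```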
Well-known SIDs identify generic groups and generic users. For example, well-known SIDs exist to identify the following groups and users:
Refer to Appendix A, "Windows 2000 Well-Known SIDs," for a list of well-known SIDs.