Security Identifiers (SIDs)


Administrators, of course, refer to user names and group names by their easy-to-remember verbal names. Internally, the operating system refers to each account by a number that uniquely identifies that account. Every account on the network is issued a unique SID when the account is first created. If you create an account, delete it, and then create another account with the same name, the new account will not have the rights or permissions previously granted to the old account because the accounts' SIDs will be different.

A SID has the following format:

S-R-A-S-S-S-S

Table 3-2 explains this format.

Table 3-2. SID structure.

Section | Name | Comments
S | SID | This means we are referring to a SID.
R | Revision | Think of this as the SID format version number. Windows 2000 creates version 1 SIDs.
A | Authority | This is a 48-bit identifier authority value that identifies the authority, such as a Windows NT/Windows 2000 domain, that issued the SID. Example authorities include Everyone/World (1) and Windows NT/2000 (5).
S | Subauthority | This is a series of numbers that uniquely identify the principal.

Two types of SIDs exist in Windows 2000: created SIDs and well-known SIDs. Created SIDs are created by Windows 2000 itself or by Windows 2000 administrators. The format of these SIDs is the same as that defined in Table 3-2, but the subauthority numbers have a special meaning. Take, for example, the following SID, which Table 3-3 translates:

S-1-5-21-397661181-626881882-18441761-1009

Table 3-3. The makeup of a created SID.

Section | Comments
S | This is a SID.
1 | Version level 1.
5 | Identifier authority value of 5 (NT authority).
21 | First subauthority—this is a domain or workgroup.
397661181-626881882-18441761 | Second, third, and fourth subauthorities—these uniquely identify the domain or workgroup.
1009 | The last subauthority, a counter starting from 1000, which identifies the account in the domain. This number is incremented whenever a new account is created.

Well-known SIDs identify generic groups and generic users. For example, well-known SIDs exist to identify the following groups and users:

  • The Everyone group, which is a group that includes all users. You do not need to add users to this group—everyone is a member of the group by default.
  • The Administrators group for the built-in domain on the local computer.
  • The Interactive group, which includes all users that have logged on to the system interactively. Like the Everyone group, there's no need to add users to this group; all authenticated users are automatically members of this group.

Refer to Appendix A, "Windows 2000 Well-Known SIDs," for a list of well-known SIDs.
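To make the S-R-A-S-S-S-S layout of Table 3-2 and the created-SID breakdown of Table 3-3 concrete, here is an added Python example (not code from the book) that parses a string SID into its components, separates the domain identifier from the account's final subauthority (the RID) for a created SID, labels a few well-known SIDs, and compares two SIDs the way an access check does rather than by account name. The three well-known SID values in the table are standard Windows values that this page does not list (it defers them to Appendix A), and the sample SIDs other than the page's own are constructed.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Three well-known SIDs (standard Windows values; the page defers the full list to Appendix A).
WELL_KNOWN: Dict[str, str] = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "Interactive",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


class Sid(NamedTuple):
    revision: int                    # R in S-R-A-S-S-S-S
    authority: int                   # A, the 48-bit identifier authority
    subauthorities: Tuple[int, ...]  # the S values that follow


def parse_sid(text: str) -> Sid:
    """Parse a string-form SID, rejecting anything that does not fit the format."""
    m = _SID_RE.match(text)
    if not m:
        raise ValueError("not a string-form SID: %r" % text)
    revision, authority = int(m.group(1)), int(m.group(2))
    if revision != 1 or authority >= 1 << 48:  # Windows 2000 issues revision 1; A is 48 bits
        raise ValueError("unsupported revision or authority in %r" % text)
    return Sid(revision, authority, tuple(int(s) for s in m.group(3).split("-")[1:]))


def split_domain_rid(sid: Sid) -> Optional[Tuple[str, int]]:
    """Table 3-3 layout: authority 5, subauthority 21, three domain values, then the
    account's RID. Returns (domain SID string, RID), or None for any other shape."""
    subs = sid.subauthorities
    if sid.authority != 5 or len(subs) != 5 or subs[0] != 21:
        return None
    domain = "S-%d-%d-%s" % (sid.revision, sid.authority, "-".join(map(str, subs[:4])))
    return domain, subs[4]


def describe(text: str) -> str:
    """Classify a SID string as well-known, a created account, or something else."""
    sid = parse_sid(text)
    if text in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[text]
    parts = split_domain_rid(sid)
    if parts is None:
        return "other SID under authority %d" % sid.authority
    return "account RID %d in domain %s" % (parts[1], parts[0])


def same_principal(a: str, b: str) -> bool:
    """Access checks compare SIDs, not names: a recreated account is a new principal."""
    return parse_sid(a) == parse_sid(b)
```

Running describe on the page's example SID yields the domain prefix S-1-5-21-397661181-626881882-18441761 with RID 1009, and same_principal returns False for that SID against a constructed successor ending in 1010, which is exactly why a deleted and recreated account of the same name inherits none of the old permissions.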



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
