Overview#Security Identifier (SID) is a unique value of variable length used to identify a trustee within Microsoft Windows.
Every Security Principal Object has a unique Security Identifier issued by an authority, such as a Microsoft Active Directory Domain Controller, or the Microsoft Windows Operating Systems when it is created. and stored in a security database.
Each time a user logs on, the system retrieves the Security Identifier for that user from the database and places it in the access token for that user.
The system uses the Security Identifier in the access token to identify the user in all subsequent interactions with Windows security.
When a Security Identifier has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.
Windows security uses Security Identifiers in the following security elements:
- In security descriptors to identify the owner of an object and primary group
- In Access Control Entries, to identify the trustee for whom access is allowed, denied, or audited
- In access tokens, to identify the user and the groups to which the user belongs
- In addition to the uniquely created, domain-specific SIDs assigned to specific users and groups, there are well-known Security Identifiers that identify generic groups and generic users.
Because the names of well-known Security Identifiers can vary, you SHOULD use the functions to build the Security Identifier from predefined constants rather than using the name of the well-known SID.
For example, the U.S. English version of the Microsoft Windows has a well-known Security Identifier named "BUILTIN\Administrators" that might have a different name on international versions of the system.example SID that I retrieved from my test Active Directory (AD) system:
All SID fields have a specific meaning; so, for the above sample SID:
- S - The initial S identifies the following string as a SID.
- 1 - The revision level, or version, of the SID specification. To date, this has never changed and has always been 1.
- 5 - The identifier authority value. This is a predefined identifier for the top-level authority that issued the SID. This is typically 5, which represents the SECURITY_NT_AUTHORITY.
- 21-4064627337-2434140041-2375368561 - This section is the AD DOMAIN or local computer identifier (in this example, a AD DOMAIN identifier). This is a 48-bit string that identifies the authority (the computer or domain) that created the SID.
- 1036 - The Relative IDentifier (RID) is the last part of a SID. The RID uniquely identifies a security principal relative to the local or AD DOMAIN security authority that issued the SID.
The SID of an AD DOMAIN account is created by a domain's security authority that runs on every Windows Domain Controller (DC). The SID of a local account is created by the Local Security Authority (LSA) service that runs on every Windows box.
An important property of a SID is its uniqueness in time and place. A Security Identifier is unique in the environment where it was created (in a domain or on a local computer). It's also unique in time: If you create a user object, delete it, then recreate it with the same name, the new object won't have the same SID as the original object.
More Information#There might be more information for this subject on one of the following:
- Access Control Entry
- Access Token
- Common Active Directory Bind Errors
- Local Security Authority
- Relative IDentifier
- Security Principal Objects
- Well-known Security Identifiers
- Windows Logon
- [#1] - Security Identifiers - based on information obtained 2014-11-25
- [#1] - What are the exact roles of a Windows account's SID, and more specifically its RID, for Windows security? - based on information obtained 2017-08-17-