Overview#Security Identifier (SID) is a unique value of variable length used to identify a trustee within Microsoft Windows.
Each time a user logs on, the system retrieves the Security Identifier for that user from the database and places it in the access token for that user.
The system uses the Security Identifier in the access token to identify the user in all subsequent interactions with Windows security.
When a Security Identifier has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.
Windows security uses Security Identifiers in the following security elements:
- In security descriptors to identify the owner of an object and primary group
- In Access Control Entries, to identify the trustee for whom access is allowed, denied, or audited
- In access tokens, to identify the user and the groups to which the user belongs
- In addition to the uniquely created, domain-specific SIDs assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users.
For example, the well-known SIDs, Everyone and World, identify a group that includes all users.
Most applications never need to work with SIDs.
For example, the U.S. English version of the Microsoft Windows has a well-known Security Identifier named "BUILTIN\Administrators" that might have a different name on international versions of the system.example SID that I retrieved from my test Active Directory (AD) system:
All SID fields have a specific meaning; so, for the above sample SID:
- S - The initial S identifies the following string as a SID.
- 1 - The revision level, or version, of the SID specification. To date, this has never changed and has always been 1.
- 5 - The identifier authority value. This is a predefined identifier for the top-level authority that issued the SID. This is typically 5, which represents the SECURITY_NT_AUTHORITY.
- 21-4064627337-2434140041-2375368561 - This section is the AD DOMAIN or local computer identifier (in this example, a AD DOMAIN identifier). This is a 48-bit string that identifies the authority (the computer or domain) that created the SID.
- 1036 - The Relative ID (RID) is the last part of a SID. The RID uniquely identifies a security principal relative to the local or AD DOMAIN security authority that issued the SID.
The SID of an AD DOMAIN account is created by a domain's security authority that runs on every Windows Domain Controller (DC). The SID of a local account is created by the Local Security Authority (LSA) service that runs on every Windows box.
An important property of a SID is its uniqueness in time and place. A SID is unique in the environment where it was created (in a domain or on a local computer). It's also unique in time: If you create a user object, delete it, then recreate it with the same name, the new object won't have the same SID as the original object.
More Information#There might be more information for this subject on one of the following:
- Access Control Entry
- Common Active Directory Bind Errors
- Local Security Authority
- Relative ID
- [#1] - Security Identifiers - based on information obtained 2014-11-25
- [#1] - What are the exact roles of a Windows account's SID, and more specifically its RID, for Windows security? - based on information obtained 2017-08-17-