This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] ([SID], [ObjectSID]) is a unique value of variable length used to identify a [trustee] within [Microsoft Windows]. Every [Security Principal Object] has a unique [{$pagename}], issued by an authority such as a [Microsoft Active Directory] [Domain Controller] or the [Microsoft Windows] [Operating Systems] when the object is created, and stored in a security database.
In [LDAP] ([Microsoft Active Directory]) the [ObjectSID] attribute holds the [{$pagename}] of the [LDAP Entry]; it is displayed as a [SID string] value.
Each time a user logs on, the system retrieves the [{$pagename}] for that user from the database and places it in the access token for that user.
The system uses the [{$pagename}] in the access token to identify the user in all subsequent interactions with Windows security.
Once a [{$pagename}] has been used as the [Unique Identifier] for a [Security Principal Object] (user or group), it can never be used again to identify another [Security Principal Object].
Windows security uses [{$pagename}]s in the following security elements:
* In security descriptors to identify the owner of an object and primary group
* In [Access Control Entries|Access Control Entry], to identify the trustee for whom access is allowed, denied, or audited
* In access tokens, to identify the user and the groups to which the user belongs
In addition to the uniquely created, domain-specific SIDs assigned to specific users and groups, there are [well-known Security Identifiers] that identify generic groups and generic users.
For [example], the [Well-known Security Identifiers] Everyone and World identify a group that includes all users.
Most [applications] never need to work with [SIDs].
Because the names of [well-known Security Identifiers] can vary, you [SHOULD] use the functions to build the [{$pagename}] from predefined constants rather than using the name of the well-known [SID].
For [example], the U.S. English version of the [Microsoft Windows] has a well-known [{$pagename}] named "BUILTIN\Administrators" that might have a different name on international versions of the system.
!! [{$pagename}] [Example] [2]
To illustrate, let us analyze an [example] [SID] that I retrieved from my test [Microsoft Active Directory]:
%%prettify
{{{
S-1-5-21-4064627337-2434140041-2375368561-1036
}}}
/%
All SID fields have a specific meaning; so, for the above sample SID:
* S - The initial S identifies the following string as a SID.
* 1 - The revision level, or version, of the SID specification. To date, this has never changed and has always been 1.
* 5 - The [SID identifier authority] value. This is a predefined identifier for the top-level authority that issued the [SID]. This is typically 5, which represents the [SECURITY_NT_AUTHORITY].
* 21-4064627337-2434140041-2375368561 - This section is the [AD DOMAIN] or local computer identifier (in this example, an [AD DOMAIN] identifier). This is a 48-[bit] [string] that identifies the authority (the computer or domain) that created the [SID].
* 1036 - The [Relative IDentifier] ([RID]) is the last part of a [SID]. The [RID] uniquely identifies a security principal relative to the local or [AD DOMAIN] security authority that issued the [SID].
The SID of an [AD DOMAIN] account is created by a domain's security authority that runs on every Windows [Domain Controller] (DC). The [SID] of a local account is created by the [Local Security Authority] ([LSA]) service that runs on every Windows box.
An important property of a SID is its uniqueness in time and place. A [{$pagename}] is unique in the environment where it was created (in a domain or on a local computer). It's also unique in [time]: If you create a user object, delete it, then recreate it with the same name, the new object won't have the same SID as the original object.
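The field breakdown above, and the [ObjectSID] attribute mentioned in the overview, can be checked mechanically. The following is an added example (not code from the wiki page or from Microsoft) that parses a SID string into its fields, validates the field widths (revision, 48-bit identifier authority, 32-bit sub-authorities, at most 15 of them), and converts between the string form and the binary layout that the LDAP [ObjectSID] attribute carries (revision byte, sub-authority count byte, big-endian 48-bit authority, little-endian 32-bit sub-authorities). The sample input is the page's own SID; treating a first sub-authority of 21 under authority 5 as the marker of a domain or local-machine SID is an assumption made by this example.

```python
"""Parse, validate and convert Windows SIDs between string and objectSid bytes.

Added example, not part of the wiki page. The sample SID below is the one
from the page; its binary form is constructed here from the string.
"""
import struct

# Sample SID taken from the page: domain identifier S-1-5-21-... plus RID 1036.
SAMPLE_SID = "S-1-5-21-4064627337-2434140041-2375368561-1036"

SECURITY_NT_AUTHORITY = 5   # identifier authority used by Windows and AD
MAX_SUB_AUTHORITIES = 15    # upper bound imposed by the binary SID layout


def parse_sid_string(sid: str) -> dict:
    """Split an S-R-I-S... string into its fields, rejecting malformed input."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    if revision != 1:                        # only revision 1 has ever been defined
        raise ValueError(f"unsupported SID revision {revision}")
    authority = int(parts[2])
    if authority >= 1 << 48:                 # identifier authority is a 48-bit field
        raise ValueError("identifier authority does not fit in 48 bits")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    if any(s >= 1 << 32 for s in subs):      # each sub-authority is a 32-bit field
        raise ValueError("sub-authority does not fit in 32 bits")

    # Assumption of this example: under the NT authority, a leading 21 marks a
    # domain/local-machine identifier S-1-5-21-a-b-c; an account SID appends
    # one more sub-authority, the RID. A bare domain SID carries no RID.
    if authority == SECURITY_NT_AUTHORITY and len(subs) >= 4 and subs[0] == 21:
        domain_sid = "S-1-5-" + "-".join(str(s) for s in subs[:4])
        rid = subs[-1] if len(subs) > 4 else None
    else:
        domain_sid = None
        rid = subs[-1] if subs else None
    return {
        "revision": revision,
        "identifier_authority": authority,
        "sub_authorities": subs,
        "domain_sid": domain_sid,
        "rid": rid,
    }


def sid_to_bytes(sid: str) -> bytes:
    """Encode as the objectSid binary layout: revision, count, 48-bit big-endian
    authority, then each sub-authority as a 32-bit little-endian integer."""
    f = parse_sid_string(sid)
    subs = f["sub_authorities"]
    header = struct.pack("<BB", f["revision"], len(subs))
    authority = f["identifier_authority"].to_bytes(6, "big")
    return header + authority + struct.pack(f"<{len(subs)}I", *subs)


def bytes_to_sid(blob: bytes) -> str:
    """Decode the objectSid binary form back into an S-1-... string."""
    if len(blob) < 8:
        raise ValueError("objectSid too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > MAX_SUB_AUTHORITIES:
        raise ValueError("bad revision or sub-authority count")
    if len(blob) != 8 + 4 * count:           # length must match the declared count
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


if __name__ == "__main__":
    fields = parse_sid_string(SAMPLE_SID)
    print(fields)                            # shows domain_sid and rid 1036
    blob = sid_to_bytes(SAMPLE_SID)
    print(blob.hex(), "->", bytes_to_sid(blob))
```

The length check in bytes_to_sid matters when the bytes come from an untrusted directory or token: a count byte that disagrees with the buffer length is the classic malformed-SID case, and rejecting it is cheaper than reasoning about a partially decoded value later.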
!! [Well-known Security Identifiers]
[Well-known Security Identifiers] are predefined [SID]s. The [SID identifier authority] that issues them produces SIDs that are not universal but are meaningful only on [Microsoft Windows] installations.
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Security Identifiers|http://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx|target='_blank'] - based on information obtained 2014-11-25
* [#2] - [What are the exact roles of a Windows account's SID, and more specifically its RID, for Windows security?|http://windowsitpro.com/security/q-what-are-exact-roles-windows-accounts-sid-and-more-specifically-its-rid-windows-security|target='_blank'] - based on information obtained 2017-08-17