!!! Overview
[{$pagename}] ([SID], [ObjectSID]) is a unique value of variable length used to identify a [trustee] within [Microsoft Windows].

Every [Security Principal Object] has a unique [{$pagename}] that is issued by an authority, such as a [Microsoft Active Directory] [Domain Controller] or the [Microsoft Windows] [Operating Systems], when it is created, and that is stored in a security database.

In [LDAP] ([Microsoft Active Directory]), the [ObjectSID] contains the [{$pagename}] of the [LDAP Entry], which is displayed as a [SID string] value.

Each time a user logs on, the system retrieves the [{$pagename}] for that user from the database and places it in the access token for that user. The system uses the [{$pagename}] in the access token to identify the user in all subsequent interactions with Windows security. When a [{$pagename}] has been used as the [Unique Identifier] for a [Security Principal Object] (user or group), it cannot ever be used again to identify another [Security Principal Object].

Windows security uses [{$pagename}]s in the following security elements:
* In security descriptors, to identify the owner of an object and primary group
* In [Access Control Entries|Access Control Entry], to identify the trustee for whom access is allowed, denied, or audited
* In access tokens, to identify the user and the groups to which the user belongs

In addition to the uniquely created, domain-specific SIDs assigned to specific users and groups, there are [well-known Security Identifiers] that identify generic groups and generic users. For [example], the [Well-known Security Identifiers], Everyone and World, identify a group that includes all users.

Most [applications] never need to work with [SIDs]. Because the names of [well-known Security Identifiers] can vary, you [SHOULD] use the functions to build the [{$pagename}] from predefined constants rather than using the name of the well-known [SID]. For [example], the U.S. English version of [Microsoft Windows] has a well-known [{$pagename}] named "BUILTIN\Administrators" that might have a different name on international versions of the system.

!! [{$pagename}] [Example] [2]
To illustrate, let us analyze an [example] [SID] that I retrieved from my test [Microsoft Active Directory]:
%%prettify
{{{
S-1-5-21-4064627337-2434140041-2375368561-1036
}}}
/%

All SID fields have a specific meaning; so, for the above sample SID:
* S - The initial S identifies the following string as a SID.
* 1 - The revision level, or version, of the SID specification. To date, this has never changed and has always been 1.
* 5 - The [SID identifier authority] value. This is a predefined identifier for the top-level authority that issued the [SID]. This is typically 5, which represents the [SECURITY_NT_AUTHORITY].
* 21-4064627337-2434140041-2375368561 - This section is the [AD DOMAIN] or local computer identifier (in this example, an [AD DOMAIN] identifier). This is a 48-[bit] [string] that identifies the authority (the computer or domain) that created the [SID].
* 1036 - The [Relative IDentifier] ([RID]) is the last part of a [SID]. The [RID] uniquely identifies a security principal relative to the local or [AD DOMAIN] security authority that issued the [SID].

The SID of an [AD DOMAIN] account is created by a domain's security authority that runs on every Windows [Domain Controller] (DC). The [SID] of a local account is created by the [Local Security Authority] ([LSA]) service that runs on every Windows box.

An important property of a SID is its uniqueness in time and place. A [{$pagename}] is unique in the environment where it was created (in a domain or on a local computer). It is also unique in [time]: if you create a user object, delete it, then recreate it with the same name, the new object won't have the same SID as the original object.

!! [Well-known Security Identifiers]
[Well-known Security Identifiers] are predefined; the [SID identifier authority] produces SIDs that are not universal but are meaningful only on [Microsoft Windows] installations.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Security Identifiers|http://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx|target='_blank'] - based on information obtained 2014-11-25
* [#2] - [What are the exact roles of a Windows account's SID, and more specifically its RID, for Windows security?|http://windowsitpro.com/security/q-what-are-exact-roles-windows-accounts-sid-and-more-specifically-its-rid-windows-security|target='_blank'] - based on information obtained 2017-08-17
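
Added example (not from the original page or its sources): a Python sketch that decodes the binary value held in [ObjectSID] into the [SID string] fields analyzed in the example section, and encodes a string back to bytes. It assumes the standard binary SID layout (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities); the names Sid, from_string, to_bytes and from_bytes are hypothetical, and the sample bytes are constructed from the page's example SID.

```python
import struct
from typing import NamedTuple


class Sid(NamedTuple):  # hypothetical helper type for this example
    revision: int           # 1 in the page's example
    authority: int          # identifier authority, e.g. 5
    sub_authorities: tuple  # issuer identifier, with the RID last

    def __str__(self) -> str:
        parts = (self.revision, self.authority, *self.sub_authorities)
        return "S-" + "-".join(map(str, parts))

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]

    @property
    def issuer(self) -> str:  # all but the RID: domain or computer identifier
        return str(self._replace(sub_authorities=self.sub_authorities[:-1]))


def from_string(text: str) -> Sid:
    fields = text.strip().split("-")
    if len(fields) < 3 or fields[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority, *subs = (int(f) for f in fields[1:])
    return Sid(revision, authority, tuple(subs))


def to_bytes(sid: Sid) -> bytes:
    count = len(sid.sub_authorities)
    return (bytes([sid.revision, count]) + sid.authority.to_bytes(6, "big")
            + struct.pack(f"<{count}I", *sid.sub_authorities))


def from_bytes(raw: bytes) -> Sid:
    # Check header and length first so malformed directory data is rejected.
    if len(raw) < 8 or raw[0] != 1 or raw[1] > 15:
        raise ValueError("bad SID header")
    if len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return Sid(raw[0], int.from_bytes(raw[2:8], "big"), subs)


# Constructed sample: the page's example SID encoded to the binary layout.
PAGE_SID = "S-1-5-21-4064627337-2434140041-2375368561-1036"
SAMPLE_OBJECTSID = to_bytes(from_string(PAGE_SID))
```

Comparing the issuer value of two accounts shows whether they were issued by the same domain or local computer, while the RID distinguishes the accounts within it.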