Overview#

In LDAP (Microsoft Active Directory) the ObjectSID contains the Security Identifier is displayed as a SID string value for the Security Identifier of the LDAP Entry.

Each time a user logs on, the system retrieves the Security Identifier for that user from the database and places it in the access token for that user.

The system uses the Security Identifier in the access token to identify the user in all subsequent interactions with Windows security.

When a Security Identifier has been used as the Unique Identifier for a Security Principal Objects (user or group), it cannot ever be used again to identify another Security Principal Object.

Windows security uses Security Identifiers in the following security elements:

• In security descriptors to identify the owner of an object and primary group
• In Access Control Entries, to identify the trustee for whom access is allowed, denied, or audited
• In access tokens, to identify the user and the groups to which the user belongs
• In addition to the uniquely created, domain-specific SIDs assigned to specific users and groups, there are well-known Security Identifiers that identify generic groups and generic users.

For example, the Well-known Security Identifiers, Everyone and World, identify a group that includes all users.

Most applications never need to work with SIDs.

Because the names of well-known Security Identifiers can vary, you SHOULD use the functions to build the Security Identifier from predefined constants rather than using the name of the well-known SID.

For example, the U.S. English version of the Microsoft Windows has a well-known Security Identifier named "BUILTIN\Administrators" that might have a different name on international versions of the system.

Security Identifier Example [2]#

S-1-5-21-4064627337-2434140041-2375368561-1036

All SID fields have a specific meaning; so, for the above sample SID:

• S - The initial S identifies the following string as a SID.
• 1 - The revision level, or version, of the SID specification. To date, this has never changed and has always been 1.
• 5 - The SID identifier authority value. This is a predefined identifier for the top-level authority that issued the SID. This is typically 5, which represents the SECURITY_NT_AUTHORITY.
• 21-4064627337-2434140041-2375368561 - This section is the AD DOMAIN or local computer identifier (in this example, a AD DOMAIN identifier). This is a 48-bit string that identifies the authority (the computer or domain) that created the SID.
• 1036 - The Relative IDentifier (RID) is the last part of a SID. The RID uniquely identifies a security principal relative to the local or AD DOMAIN security authority that issued the SID.

The SID of an AD DOMAIN account is created by a domain's security authority that runs on every Windows Domain Controller (DC). The SID of a local account is created by the Local Security Authority (LSA) service that runs on every Windows box.

An important property of a SID is its uniqueness in time and place. A Security Identifier is unique in the environment where it was created (in a domain or on a local computer). It's also unique in time: If you create a user object, delete it, then recreate it with the same name, the new object won't have the same SID as the original object.

Well-known Security Identifiers#

• Access Control Entry
• Common Active Directory Bind Errors
• Infrastructure Master FSMO Role
• Integrity Level
• Local Security Authority
• MSFT Access Token
• NT-Sec-Desc
• ObjectSID
• Primary Access Token
• RID Master FSMO Role
• Relative IDentifier
• SID
• SID identifier authority
• SIDHistory
• Security Descriptor
• Security Principal Objects
• Security Reference Monitor
• TrustedDomain
• Well-known Security Identifiers
• Windows Logon

• [#1] - Security Identifiers - based on information obtained 2014-11-25
• [#1] - What are the exact roles of a Windows account's SID, and more specifically its RID, for Windows security? - based on information obtained 2017-08-17-