!!! Overview

[{$pagename}] ([ObjectSID], Well-known [SIDs]) are a set of [SIDs] that provide [Identification] of generic users or generic groups; their [Security Identifier] values remain constant across all [Microsoft Windows] [Operating Systems]. We refer you to the source: [Well-known security identifiers in Windows operating systems|https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems|target='_blank']

%%zebra-table
%%sortable
%%table-filter
||SID||NAME||Description||FSMO Role
|S-1-0-0|Nobody|No security principal.|
|S-1-0|Null Authority|An identifier authority.|
|S-1-1-0|Everyone|A [group|Group-AD] that includes all users, even [anonymous] users and guests. Membership is controlled by the [Operating System]. \\Note By default, the Everyone [group|Group-AD] no longer includes anonymous users on a computer that is running Windows XP Service Pack 2 (SP2).|
|S-1-1|World Authority|An identifier authority.|
|S-1-2-0|Local|A [group|Group-AD] that includes all users who have logged on locally.|
|S-1-2-1|Console Logon|A [group|Group-AD] that includes users who are logged on to the physical console. \\Note Added in [Windows 7] and [Windows Server 2008 R2].|
|S-1-2|Local Authority|An identifier authority.|
|S-1-3-0|Creator Owner|A placeholder in an inheritable access control entry ([ACE]). When the [ACE] is inherited, the system replaces this [SID] with the [SID] for the object's creator.|
|S-1-3-1|Creator Group|A placeholder in an inheritable [ACE]. When the [ACE] is inherited, the system replaces this [SID] with the [SID] for the primary [group|Group-AD] of the object's creator. The primary [group|Group-AD] is used only by the [POSIX] subsystem.|
|S-1-3-2|Creator Owner Server|This [SID] is not used in [Windows Server 2000].|
|S-1-3-3|Creator Group Server|This [SID] is not used in [Windows Server 2000].|
|S-1-3-4|Owner Rights|A [group|Group-AD] that represents the current owner of the object. When an [ACE] that carries this [SID] is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.|
|S-1-3|Creator Authority|An identifier authority.|
|S-1-4|Non-unique Authority|An identifier authority.|
|S-1-5-21-domain-572|Denied RODC Password Replication Group|A [Domain Local Group]. Members in this [group|Group-AD] cannot have their [passwords] replicated to any read-only domain controllers in the domain.|[PDC Emulator FSMO Role]
|S-1-5-21-domain-498|Enterprise Read-only Domain Controllers|A [Universal Group]. Members of this [group|Group-AD] are Read-Only Domain Controllers in the enterprise.|[PDC Emulator FSMO Role]
|S-1-5-21-domain-521|[Read-only Domain Controllers]|A [Global Group]. Members of this [group|Group-AD] are [Read-Only Domain Controllers] in the domain.|[PDC Emulator FSMO Role]
|S-1-5-1|Dialup|A [group|Group-AD] that includes all users who have logged on through a dial-up connection. Membership is controlled by the [Operating System].|
|S-1-5-10|Principal Self|A placeholder in an inheritable [ACE] on an account object or [group|Group-AD] object in Active Directory. When the [ACE] is inherited, the system replaces this [SID] with the [SID] for the security principal who holds the account.|
|S-1-5-11|Authenticated Users|A [group|Group-AD] that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.|
|S-1-5-12|Restricted Code|This [SID] is reserved for future use.|
|S-1-5-13|Terminal Server Users|A [group|Group-AD] that includes all users that have logged on to a Terminal Services server. Membership is controlled by the [Operating System].|
|S-1-5-14|Remote Interactive Logon|A [group|Group-AD] that includes all users who have logged on through a Terminal Services logon.|
|S-1-5-15|This Organization|A [group|Group-AD] that includes all users from the same organization. Only included with AD accounts and only added by a Windows Server 2003 or later domain controller.|
|S-1-5-17|This Organization|An account that is used by the default Internet Information Services (IIS) user.|
|S-1-5-18|Local System|A service account that is used by the operating system.|
|S-1-5-19|NT Authority|Local Service|
|S-1-5-2|Network|A [group|Group-AD] that includes all users that have logged on through a network connection. Membership is controlled by the operating system.|
|S-1-5-20|NT Authority|Network Service|
|S-1-5-21-domain-571|Allowed [RODC] Password Replication Group|A [Domain Local Group]. Members in this [group|Group-AD] can have their passwords replicated to all read-only domain controllers in the domain.|[PDC Emulator FSMO Role]
|S-1-5-21-domain-522|Cloneable [Domain Controllers]|A [Global Group]. Members of this [group|Group-AD] that are domain controllers may be cloned.|[PDC Emulator FSMO Role]
|S-1-5-21-domain-500|Administrator|A user account for the system administrator. By default, it is the only user account that is given full control over the system.|
|S-1-5-21-domain-501|Guest|A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.|
|S-1-5-21-domain-502|KRBTGT|A service account that is used by the [Key Distribution Center] ([KDC]) service.|
|S-1-5-21-domain-512|Domain Admins|A [Global Group] whose members are authorized to administer the domain. By default, the Domain Admins [group|Group-AD] is a member of the Administrators [group|Group-AD] on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the [group|Group-AD].|
|S-1-5-21-domain-513|Domain Users|A [Global Group] that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this [group|Group-AD] by default.|
|S-1-5-21-domain-514|Domain Guests|A [Global Group] that, by default, has only one member, the domain's built-in Guest account.|
|S-1-5-21-domain-515|Domain Computers|A [Global Group] that includes all clients and servers that have joined the domain.|
|S-1-5-21-domain-516|Domain Controllers|A [Global Group] that includes all domain controllers in the domain. New domain controllers are added to this [group|Group-AD] by default.|
|S-1-5-21-domain-517|Cert Publishers|A [Global Group] that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.|
|S-1-5-21-domain-520|Group Policy Creator Owners|A [Global Group] that is authorized to create new Group Policy objects in [Microsoft Active Directory]. By default, the only member of the [group|Group-AD] is Administrator.|
|S-1-5-21-domain-526|Key Admins|A security [group|Group-AD]. The intention for this [group|Group-AD] is to have delegated write access on the msDS-KeyCredentialLink attribute only. The [group|Group-AD] is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this [group|Group-AD].|
|S-1-5-21-domain-527|Enterprise Key Admins|A security [group|Group-AD]. The intention for this [group|Group-AD] is to have delegated write access on the msDS-KeyCredentialLink attribute only. The [group|Group-AD] is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this [group|Group-AD].|
|S-1-5-21-domain-553|RAS and IAS Servers|A [Domain Local Group]. By default, this [group|Group-AD] has no members. Servers in this [group|Group-AD] have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local [group|Group-AD].|
|S-1-5-21-root domain-518|Schema Admins|A [Universal Group] in a native-mode domain; a [Global Group] in a mixed-mode domain. The [group|Group-AD] is authorized to make schema changes in Active Directory. By default, the only member of the [group|Group-AD] is the Administrator account for the forest root domain.|
|S-1-5-21-root domain-519|Enterprise Admins|A [Universal Group] in a native-mode domain; a [Global Group] in a mixed-mode domain. The [group|Group-AD] is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the [group|Group-AD] is the Administrator account for the forest root domain.|
|S-1-5-3|Batch|A [group|Group-AD] that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.|
|S-1-5-32-544|Administrators|A built-in [group|Group-AD]. After the initial installation of the operating system, the only member of the [group|Group-AD] is the Administrator account. When a computer joins a domain, the Domain Admins [group|Group-AD] is added to the Administrators [group|Group-AD]. When a server becomes a domain controller, the Enterprise Admins [group|Group-AD] is also added to the Administrators [group|Group-AD].|
|S-1-5-32-545|Users|A built-in [group|Group-AD]. After the initial installation of the operating system, the only member is the Authenticated Users [group|Group-AD]. When a computer joins a domain, the Domain Users [group|Group-AD] is added to the Users [group|Group-AD] on the computer.|
|S-1-5-32-546|Guests|A built-in [group|Group-AD]. By default, the only member is the Guest account. The Guests [group|Group-AD] allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.|
|S-1-5-32-547|Power Users|A built-in [group|Group-AD]. By default, the [group|Group-AD] has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.|
|S-1-5-32-548|Account Operators|A built-in [group|Group-AD] that exists only on domain controllers. By default, the [group|Group-AD] has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Built-in container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.|
|S-1-5-32-549|Server Operators|A built-in [group|Group-AD] that exists only on domain controllers. By default, the [group|Group-AD] has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.|
|S-1-5-32-550|Print Operators|A built-in [group|Group-AD] that exists only on domain controllers. By default, the only member is the Domain Users [group|Group-AD]. Print Operators can manage printers and document queues.|
|S-1-5-32-551|Backup Operators|A built-in [group|Group-AD]. By default, the [group|Group-AD] has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.|
|S-1-5-32-552|Replicators|A built-in [group|Group-AD] that is used by the File Replication service on domain controllers. By default, the [group|Group-AD] has no members. Do not add users to this [group|Group-AD].|
|S-1-5-32-554|BUILTIN\Pre-Windows 2000 Compatible Access|An alias added by Windows 2000. A backward compatibility [group|Group-AD] which allows read access on all users and groups in the domain.|[PDC Emulator FSMO Role]
|S-1-5-32-555|BUILTIN\Remote Desktop Users|An alias. Members in this [group|Group-AD] are granted the right to log on remotely.|[PDC Emulator FSMO Role]
|S-1-5-32-556|BUILTIN\Network Configuration Operators|An alias. Members in this [group|Group-AD] can have some administrative privileges to manage configuration of networking features.|[PDC Emulator FSMO Role]
|S-1-5-32-557|BUILTIN\Incoming Forest Trust Builders|An alias. Members of this [group|Group-AD] can create incoming, one-way trusts to this forest.|[PDC Emulator FSMO Role]
|S-1-5-32-558|BUILTIN\Performance Monitor Users|An alias. Members of this [group|Group-AD] have remote access to monitor this computer.|[PDC Emulator FSMO Role]
|S-1-5-32-559|BUILTIN\Performance Log Users|An alias. Members of this [group|Group-AD] have remote access to schedule logging of performance counters on this computer.|[PDC Emulator FSMO Role]
|S-1-5-32-560|BUILTIN\Windows Authorization Access Group|An alias. Members of this [group|Group-AD] have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.|[PDC Emulator FSMO Role]
|S-1-5-32-561|BUILTIN\Terminal Server License Servers|An alias. A [group|Group-AD] for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local [group|Group-AD] is created.|[PDC Emulator FSMO Role]
|S-1-5-32-562|BUILTIN\Distributed COM Users|An alias. A [group|Group-AD] for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.|[PDC Emulator FSMO Role]
|S-1-5-32-569|BUILTIN\Cryptographic Operators|A Builtin Local [group|Group-AD]. Members are authorized to perform cryptographic operations.|[PDC Emulator FSMO Role]
|S-1-5-32-573|BUILTIN\Event Log Readers|A Builtin Local [group|Group-AD]. Members of this [group|Group-AD] can read event logs from the local machine.|[PDC Emulator FSMO Role]
|S-1-5-32-574|BUILTIN\Certificate Service DCOM Access|A Builtin Local [group|Group-AD]. Members of this [group|Group-AD] are allowed to connect to Certification Authorities in the enterprise.|[PDC Emulator FSMO Role]
|S-1-5-32-575|BUILTIN\RDS Remote Access Servers|A Builtin Local [group|Group-AD]. Servers in this [group|Group-AD] enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This [group|Group-AD] needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this [group|Group-AD].|[PDC Emulator FSMO Role]
|S-1-5-32-576|BUILTIN\RDS Endpoint Servers|A Builtin Local [group|Group-AD]. Servers in this [group|Group-AD] run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This [group|Group-AD] needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this [group|Group-AD].|[PDC Emulator FSMO Role]
|S-1-5-32-577|BUILTIN\RDS Management Servers|A Builtin Local [group|Group-AD]. Servers in this [group|Group-AD] can perform routine administrative actions on servers running Remote Desktop Services. This [group|Group-AD] needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this [group|Group-AD].|[PDC Emulator FSMO Role]
|S-1-5-32-578|BUILTIN\Hyper-V Administrators|A Builtin Local [group|Group-AD]. Members of this [group|Group-AD] have complete and unrestricted access to all features of Hyper-V.|[PDC Emulator FSMO Role]
|S-1-5-32-579|BUILTIN\Access Control Assistance Operators|A Builtin Local [group|Group-AD]. Members of this [group|Group-AD] can remotely query authorization attributes and permissions for resources on this computer.|[PDC Emulator FSMO Role]
|S-1-5-32-580|BUILTIN\Remote Management Users|A Builtin Local [group|Group-AD]. Members of this [group|Group-AD] can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.|[PDC Emulator FSMO Role]
|S-1-5-4|Interactive|A [group|Group-AD] that includes all users that have logged on interactively. Membership is controlled by the operating system.|
|S-1-5-5-X-Y|Logon Session|A logon session. The X and Y values for these [SIDs] are different for each session.|
|S-1-5-6|Service|A [group|Group-AD] that includes all security principals that have logged on as a service. Membership is controlled by the operating system.|
|S-1-5-64-10|NTLM Authentication|A [SID] that is used when the NTLM authentication package authenticated the client.|
|S-1-5-64-14|SChannel Authentication|A [SID] that is used when the SChannel authentication package authenticated the client.|
|S-1-5-64-21|Digest Authentication|A [SID] that is used when the Digest authentication package authenticated the client.|
|S-1-5-7|Anonymous|A [group|Group-AD] that includes all users that have logged on anonymously. Membership is controlled by the operating system.|
|S-1-5-8|Proxy|This [SID] is not used in Windows 2000.|
|S-1-5-80-0|All Services|A [group|Group-AD] that includes all service processes configured on the system. Membership is controlled by the operating system. \\Note Added in Windows Vista and Windows Server 2008.|
|S-1-5-80-0|NT SERVICES\ALL SERVICES|A [group|Group-AD] that includes all service processes that are configured on the system. Membership is controlled by the operating system. \\Note Added in Windows Server 2008 R2.|
|S-1-5-80|NT Service|An NT Service account prefix.|
|S-1-5-83-0|NT VIRTUAL MACHINE\Virtual Machines|A built-in [group|Group-AD]. The [group|Group-AD] is created when the Hyper-V role is installed. Membership in the [group|Group-AD] is maintained by the Hyper-V Management Service (VMMS). This [group|Group-AD] requires the "Create Symbolic Links" right (SeCreateSymbolicLinkPrivilege), and also the "Log on as a Service" right (SeServiceLogonRight). \\Note Added in Windows 8 and Windows Server 2012.|
|S-1-5-9|Enterprise Domain Controllers|A [group|Group-AD] that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.|
|S-1-5|NT Authority|An identifier authority.|
|S-1-16-0|Untrusted Mandatory Level|An untrusted integrity level. \\Note Added in Windows Vista and Windows Server 2008.|
|S-1-16-12288|High Mandatory Level|A high integrity level. \\Note Added in Windows Vista and [Windows Server 2008].|
|S-1-16-16384|System Mandatory Level|A system integrity level. \\Note Added in Windows Vista and [Windows Server 2008].|
|S-1-16-20480|Protected Process Mandatory Level|A protected-process integrity level. \\Note Added in Windows Vista and [Windows Server 2008].|
|S-1-16-28672|Secure Process Mandatory Level|A secure-process integrity level. \\Note Added in [Windows Vista] and [Windows Server 2008].|
|S-1-16-4096|Low Mandatory Level|A low integrity level. \\Note Added in [Windows Vista] and [Windows Server 2008].|
|S-1-16-8192|Medium Mandatory Level|A medium integrity level. \\Note Added in [Windows Vista] and [Windows Server 2008].|
|S-1-16-8448|Medium Plus Mandatory Level|A medium-plus integrity level. \\Note Added in [Windows Vista] and [Windows Server 2008].|
/%
/%
/%

!! More Information

There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Well-known security identifiers in Windows operating systems|https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems|target='_blank'] - based on information obtained 2018-03-28
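As an added example (not from this page or from Microsoft's documentation), the Python below parses SIDs and resolves a subset of the well-known values from the table above, handling the domain-relative S-1-5-21-domain-RID form (where only the trailing RID is constant), the per-session S-1-5-5-X-Y form and the S-1-5-80 service prefix, then flags privileged groups in a constructed token group list; the dictionaries are partial and the sample SIDs are constructed, not taken from any real domain.

```python
import re

# Exact-match well-known SIDs (a subset of the table on this page).
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-7": "Anonymous", "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System", "S-1-5-19": "Local Service", "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users",
    "S-1-5-32-548": "Account Operators", "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators", "S-1-16-8192": "Medium Mandatory Level",
    "S-1-16-12288": "High Mandatory Level",
}

# Domain-relative RIDs: S-1-5-21-<d1>-<d2>-<d3>-<RID>. The three <d> values differ per
# domain and only the trailing RID is constant, so these cannot be matched exactly.
DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "KRBTGT", 512: "Domain Admins",
    513: "Domain Users", 515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins", 520: "Group Policy Creator Owners",
    526: "Key Admins", 527: "Enterprise Key Admins",
}

# Groups whose presence in a logon token an analyst would normally want flagged.
PRIVILEGED = {"Administrators", "Account Operators", "Server Operators", "Backup Operators",
              "Domain Admins", "Schema Admins", "Enterprise Admins", "Key Admins",
              "Enterprise Key Admins"}

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")

def parse_sid(sid):
    """Split 'S-1-<authority>[-<sub>...]' into (authority, [sub-authorities])."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(x) for x in m.group(2).split("-")[1:]]  # "" -> [] when no sub-authorities
    return int(m.group(1)), subs

def resolve_sid(sid):
    """Return the well-known name for sid, or None if it is not a well-known SID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    authority, subs = parse_sid(sid)
    if authority != 5 or not subs:
        return None
    if subs[0] == 21 and len(subs) == 5:   # S-1-5-21-d1-d2-d3-RID: match on the RID only
        return DOMAIN_RIDS.get(subs[4])
    if subs[0] == 5 and len(subs) == 3:    # S-1-5-5-X-Y: X and Y vary per logon session
        return "Logon Session"
    if subs[0] == 80:                       # S-1-5-80-0 vs. the S-1-5-80-... service prefix
        return "All Services" if subs == [80, 0] else "NT Service"
    return None

def privileged_groups(token_sids):
    """Sorted names of privileged well-known groups found in a token's SID list."""
    names = {resolve_sid(s) for s in token_sids}
    return sorted(n for n in names if n in PRIVILEGED)

# Constructed sample: token group SIDs as they might be exported from a logon event.
SAMPLE_TOKEN = ["S-1-1-0", "S-1-5-11", "S-1-5-21-1004336348-1177238915-682003330-513",
                "S-1-5-21-1004336348-1177238915-682003330-512", "S-1-5-32-544",
                "S-1-5-5-0-123456", "S-1-16-12288"]
```

Running `privileged_groups(SAMPLE_TOKEN)` on the constructed token yields `['Administrators', 'Domain Admins']`; unknown RIDs and non-NT-authority SIDs resolve to `None` rather than being mislabelled.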