The functions in the Security category handle the security identifiers (SIDs) of the user accounts.
| Function | Description |
|---|---|
| NetLookupAccountName | Accepts the name of a system and an account as input. Retrieves a security identifier (SID) for the account and the name of the domain on which the account was found. |
| NetLookupAccountSid | Accepts a security identifier (SID) as input. Retrieves the name of the account for this SID and the name of the domain on which the SID was found. |
A security identifier (SID) is a unique value of variable length used to identify a user or group. The SID assigned to a user when he or she logs on becomes part of the access token that accompanies any process begun by that user. Except for the logon SID, a SID is always unique.
Once a SID has been used to identify a user or group, it is never used again, at any time, to identify another user or group.
SIDs identify several separate elements: the owner and group in security descriptors, the recipient of the access granted by access-control entries (ACEs), and, in access tokens, the user and the groups of which the user is a member.
A SID also contains the following information:
A 48-bit identifier authority value
A revision level
A variable number of subauthority values (relative identifiers)
The identifier authority value actually contains two values and is the most important piece of information in a SID. It contains a value identifying the agency that issued the SID, usually representing an Advanced Server domain, and a 32-bit relative identifier (RID) value that uniquely identifies the user or group within that agency.
Joining these values ensures that no two SIDs will be the same, even if two different SID-issuing authorities issue the same RID. Each SID-issuing authority issues a given RID only once.
The standardized shorthand notation for SIDs makes it simpler to visualize their components: S-R-I-S-S...
In this notation, S identifies the series of digits as a SID, R is the revision level, I is the identifier-authority value, and S is the subauthority value. A SID could be written in this notation as follows: S-1-4138-86
In this example, the SID has a revision level of 1, an identifier-authority value of 4138, and one subauthority value of 86.
An application is never required to manipulate a SID directly. The following Win32 functions provide all the functionality required to work with SIDs. Some identifier authorities are predefined, as shown in the following table.
| Identifier Authority | SID Value |
|---|---|
| SECURITY_NULL_SID_AUTHORITY | 0 |
| SECURITY_WORLD_SID_AUTHORITY | 1 |
| SECURITY_LOCAL_SID_AUTHORITY | 2 |
| SECURITY_CREATOR_SID_AUTHORITY | 3 |
| SECURITY_NT_AUTHORITY | 5 |
The following RID values also are defined:
| Relative Identifier | Value | Superior Authority |
|---|---|---|
| SECURITY_NULL_RID | 0 | S-1-0 |
| SECURITY_WORLD_RID | 0 | S-1-1 |
| SECURITY_LOCAL_RID | 0 | S-1-2 |
| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 |
| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 |
An application can combine an identifier authority and one of these RID values to create a SID that is meaningful on all installations. For example, S-1-1-0 (SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID) always identifies the special group representing all users.
These security identifiers are universal, well-known SIDs. A universal, well-known SID is meaningful on all secure systems using this security model, including systems not running Windows NT.
The following are some universal, well-known SIDs:
| Universal Well-Known SID | Value | Identifies |
|---|---|---|
| Null SID | S-1-0-0 | A group with no members. This is often used when a SID value is not known. |
| World | S-1-1-0 | A group that includes all users. |
| Local | S-1-2-0 | Users who log on to terminals locally (physically) connected to the system. |
| Creator Owner ID | S-1-3-0 | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACLs. |
| Creator Group ID | S-1-3-1 | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACLs. |
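The S-R-I-S-S notation described earlier and the universal well-known SIDs in the table above, worked through in C as an added example that is not part of this document: the parser enforces the 48-bit identifier-authority and 32-bit subauthority limits and rejects malformed strings, and the lookup maps the five universal well-known SIDs back to their names. The function names, the sid_t type and the cap of 15 subauthorities are this example's own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    unsigned revision;   /* R */
    uint64_t authority;  /* I: the 48-bit identifier authority */
    unsigned count;      /* number of S values present */
    uint32_t sub[15];    /* S...: subauthorities (cap of 15 assumed here); the last one is the RID */
} sid_t;

static int read_field(const char **p, unsigned long long max, unsigned long long *v)
{
    char *end;
    if (!isdigit((unsigned char)**p)) return 0;   /* rejects signs, blanks and empty fields */
    *v = strtoull(*p, &end, 10);                   /* on overflow this yields ULLONG_MAX > max */
    if (*v > max) return 0;
    *p = end;
    return 1;
}

/* Parse "S-R-I-S-S..." into its components; returns 1 on success, 0 on malformed input. */
int sid_parse(const char *s, sid_t *out)
{
    unsigned long long v;
    memset(out, 0, sizeof *out);
    if (toupper((unsigned char)s[0]) != 'S' || s[1] != '-') return 0;
    s += 2;
    if (!read_field(&s, 255, &v) || *s++ != '-') return 0;
    out->revision = (unsigned)v;
    if (!read_field(&s, 0xFFFFFFFFFFFFULL, &v)) return 0;   /* I must fit in 48 bits */
    out->authority = v;
    while (*s == '-') {                                      /* zero or more subauthorities */
        s++;
        if (out->count == 15 || !read_field(&s, 0xFFFFFFFFULL, &v)) return 0;
        out->sub[out->count++] = (uint32_t)v;
    }
    return *s == '\0';                                       /* anything left over is an error */
}

/* Map the universal well-known SIDs from the table above to their names; NULL otherwise. */
const char *sid_well_known(const sid_t *sid)
{
    static const struct { uint64_t auth; uint32_t rid; const char *name; } known[] = {
        {0, 0, "Null SID"}, {1, 0, "World"}, {2, 0, "Local"},
        {3, 0, "Creator Owner ID"}, {3, 1, "Creator Group ID"},
    };
    if (sid->revision != 1 || sid->count != 1) return NULL;
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].auth == sid->authority && known[i].rid == sid->sub[0]) return known[i].name;
    return NULL;
}
```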
The NetLookupAccountName function retrieves the SID for the given account name and the name of the domain where this account was found.
NetLookupAccountSid retrieves the name of the account for the given SID and the name of the domain where this SID was found.
Both functions also return the NameUse parameter, which specifies the type of the security identifier (SID).
The values for the NameUse parameter are defined as follows:
typedef enum _SID_NAME_USE {
SidTypeUser = 1,
SidTypeGroup,
SidTypeDomain,
SidTypeAlias,
SidTypeWellKnownGroup,
SidTypeDeletedAccount,
SidTypeInvalid,
SidTypeUnknown
} SID_NAME_USE;
| Parameter | Meaning |
|---|---|
| SidTypeUser | Indicates a user SID. |
| SidTypeGroup | Indicates a group SID. |
| SidTypeDomain | Indicates a domain SID. |
| SidTypeAlias | Indicates an alias SID. |
| SidTypeWellKnownGroup | Indicates a SID for a well-known group. |
| SidTypeDeletedAccount | Indicates a SID for a deleted account. |
| SidTypeInvalid | Indicates an invalid SID. |
| SidTypeUnknown | Indicates an unknown SID type. |