Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control."
Just as in NT 4.0, Windows 2000 uses a construct known as a security identifier (SID) to uniquely identify every security principal and security group. SIDs matter because they are Windows 2000's internal representation of those principals and groups: although you think of a domain user account as the human-readable name somedomain\someuser, Windows 2000 thinks of it as a SID, and it is the SID, not the name, that appears in access tokens and in the access control entries of every ACL. Because Windows 2000 relies so heavily on SIDs, you should know three things about them: they're generated by the system, not by you or me; they're unique; and they're never reused.
Whenever a new account or security group is created, Windows 2000 generates a unique SID to associate with the new object. When the new account or security group is local to a particular computer, the Local Security Authority (LSA) on that computer generates the SID and stores it with the newly created object in the Security Accounts Manager (SAM) database, which lives in a protected portion of the system's Registry. When the new account or security group belongs to a domain, the LSA on the domain controller that handles the request generates the SID and stores it in an attribute (objectSid) of the new object in Active Directory (AD).
When the LSA creates a SID, it's guaranteed to be unique within its own scope. The SID for each local account or group is unique to the computer on which it was created, so on that computer no two accounts, no two security groups, and no account and group will ever share a SID. In the same way, the SID for each domain account or security group is unique to the domain in which it was created. The uniqueness carries through your enterprise because every SID issued by a domain or computer begins with the identifier of that domain or computer and ends with a relative identifier (RID) that the issuer hands out only once; an account or security group created in one domain therefore has a SID different from every SID in every other domain. One practical caveat: this holds only if each computer's own SID was generated independently. Computers deployed from a disk image that was not prepared with Sysprep share the source machine's SID, and their local accounts can then collide.
Not only are SIDs unique across your enterprise, they're also kept unique for all time, because the LSA never issues the same SID twice and never recycles a SID. For example, let's say that you have an account on a standalone Windows 2000 computer somewhere in your enterprise. For whatever reason, you no longer need access to this computer, so you delete your account. A couple of months go by, something else happens that requires you to regain access to this standalone Windows 2000 computer, and you create a new account. You then receive a new SID, guaranteed. Your old SID isn't reassigned to you, or to anyone else, for that matter. As far as Windows 2000 is concerned, you're two different security principals, even if your logon name is the same as it used to be. The practical consequence is that any permissions granted to the old account stay attached to the old SID: the ACL editor shows them as unresolved SIDs, and the new account inherits none of them until you grant them again.
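The three properties above (system-generated, unique within scope, never reused) can be seen in the SID itself once you know its layout. The following Python is an added illustration, not code from the book: it parses and encodes the documented Windows SID structure (a revision byte, a sub-authority count byte, a 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities), splits an account SID into the domain or computer that issued it and its relative identifier (RID), and models the never-recycle-a-RID behaviour with a toy account database. All SID values in it are constructed samples, and ToySam is a simplified stand-in for the LSA/SAM, not a reimplementation of it.

```python
"""Parse, encode and compare Windows security identifiers (SIDs).

Added illustration for the excerpt; not code from the book. The binary layout
is the documented Windows SID structure. Sample SID values are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in the Windows SDK


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def from_string(cls, text: str) -> "Sid":
        """Parse the S-R-I-S-S... text form, e.g. S-1-5-21-a-b-c-RID."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        authority = int(parts[2], 0)  # base 0 also accepts the 0x... form used above 2**32
        return cls(int(parts[1]), authority, tuple(int(p) for p in parts[3:]))._checked()

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Parse the binary form the LSA stores and places in access tokens."""
        if len(data) < 8:
            raise ValueError("SID shorter than its 8-byte header")
        revision, count = data[0], data[1]
        expected = 8 + 4 * count
        if len(data) != expected:
            raise ValueError(f"{count} sub-authorities need {expected} bytes, got {len(data)}")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack("<%dI" % count, data[8:])
        return cls(revision, authority, subs)._checked()

    def _checked(self) -> "Sid":
        if self.revision != 1:
            raise ValueError(f"unsupported SID revision {self.revision}")
        if not 0 <= self.identifier_authority < 2 ** 48:
            raise ValueError("identifier authority must fit in 48 bits")
        if len(self.sub_authorities) > MAX_SUB_AUTHORITIES:
            raise ValueError("too many sub-authorities")
        if any(not 0 <= s < 2 ** 32 for s in self.sub_authorities):
            raise ValueError("sub-authority must fit in 32 bits")
        return self

    def to_bytes(self) -> bytes:
        count = len(self.sub_authorities)
        return (bytes([self.revision, count])
                + self.identifier_authority.to_bytes(6, "big")
                + struct.pack("<%dI" % count, *self.sub_authorities))

    def __str__(self) -> str:
        auth = self.identifier_authority
        auth_text = str(auth) if auth < 2 ** 32 else "0x%012X" % auth
        return "-".join(["S", str(self.revision), auth_text] + [str(s) for s in self.sub_authorities])

    @property
    def rid(self) -> Optional[int]:
        """Relative identifier: the last sub-authority, unique within the issuing scope."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain(self) -> Optional["Sid"]:
        """Issuing domain (or standalone computer) of an S-1-5-21-a-b-c[-RID] SID."""
        subs = self.sub_authorities
        if self.identifier_authority == 5 and len(subs) in (4, 5) and subs[0] == 21:
            return Sid(self.revision, self.identifier_authority, subs[:4])
        return None  # well-known SIDs such as S-1-5-18 have no issuing domain


def same_scope(a: Sid, b: Sid) -> bool:
    """True when both SIDs were issued by the same domain or computer."""
    return a.domain is not None and a.domain == b.domain


class ToySam:
    """Toy account database: hands out RIDs from a counter that never moves backwards.
    A simplified stand-in for the LSA/SAM behaviour the text describes, not the real thing."""

    def __init__(self, domain: Sid, first_rid: int = 1000):
        self.domain, self._next_rid, self.accounts = domain, first_rid, {}

    def create(self, name: str) -> Sid:
        sid = Sid(1, 5, self.domain.sub_authorities + (self._next_rid,))
        self._next_rid += 1  # the counter only ever moves forward
        self.accounts[name] = sid
        return sid

    def delete(self, name: str) -> None:
        del self.accounts[name]  # the RID is not returned to any pool


def recreate_account() -> Tuple[Sid, Sid]:
    """Delete an account and create another with the same name: two different SIDs."""
    sam = ToySam(Sid.from_string("S-1-5-21-3623811015-3361044348-30300820"))  # constructed
    first = sam.create("pcooke")
    sam.delete("pcooke")
    second = sam.create("pcooke")
    return first, second
```

Two accounts in the same domain compare equal on `domain` and differ only in `rid`; an account in another domain with the same RID still yields a different SID because the domain part differs, which is the enterprise-wide uniqueness the text describes. `recreate_account()` returns two SIDs sharing a domain but with different RIDs, the two-different-principals outcome of the delete-and-recreate story.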
This was first published in November 2004