Well-known SIDs

This excerpt from Chapter 5 of "The definitive guide to Windows 2000 security" offers examples of constant SIDs.

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control."




Well-known SIDs

As you're probably already aware, a number of SIDs identify generic users and generic groups that don't change. These constant SIDs are typically referred to as well-known SIDs, and they're recognized on every Windows 2000 system. There are over 40 types of well-known SIDs; some examples are shown in Table 5.1.

| Well-known SID value | Well-known SID name | Description |
|---|---|---|
| S-1-1-0 | Everyone | A security group that includes all users, even anonymous users and guests. |
| S-1-3-0 | Creator Owner | A placeholder for an inheritable ACE. When the ACE is inherited, this SID is replaced on the fly with the SID for the object's current owner. |
| S-1-5-2 | Network | A security group that includes all users who are logged on using a network connection. Windows 2000 controls the membership of this group. |
| S-1-5-11 | Authenticated Users | A security group that includes all users who were authenticated when they logged on. Windows 2000 controls the membership of this group. |
| S-1-5-<domain>-502 | Domain Admins | A global security group whose members are authorized to administer the entire domain. The Domain Admins group is a default member of the Administrators group on all computers that have joined a domain, including the domain controllers. |
| S-1-5-<domain>-515 | Domain Computers | A global security group that includes all computers that have joined the domain but not domain controllers, which get their own security group. |
| S-1-5-32-544 | Administrators | A built-in security group that gives its members full control over the system. After the OS is installed, the only member of this group is the Administrator account; when a computer joins a domain, the Domain Admins group is added to this group on the local computer. |
| S-1-5-32-545 | Users | A built-in security group that lets typical users perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. After the OS is installed, the only member of this group is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to this group on the local computer. |
| S-1-5-32-546 | Guests | A built-in security group that lets occasional or one-time users log on with limited privileges. By default, the only member of this security group is the Guest account. |

Note that some of these well-known SIDs aren't fully qualified: they contain a variable component. Two examples are the Domain Admins and Domain Computers security groups. Although these security groups are well known and universally recognized by Windows 2000 systems, the same group in different domains won't have the same effective SID.
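
The difference between constant and domain-relative well-known SIDs matters when auditing ACLs: the former can be matched as whole strings, the latter only by their final component. The following is an added example, not code from the book; it uses the constant rows and the Domain Computers row of Table 5.1. The two domain identifiers are constructed sample values, and the `S-1-5-21-` prefix with three domain values is the standard layout of domain-issued SIDs, which the excerpt itself does not spell out.

```python
# Added example: classify a SID string as a constant or a domain-relative well-known SID.
CONSTANT_SIDS = {  # fully qualified rows from Table 5.1
    "S-1-1-0": "Everyone",
    "S-1-3-0": "Creator Owner",
    "S-1-5-2": "Network",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
}
DOMAIN_RELATIVE_RIDS = {515: "Domain Computers"}  # final component (RID) from Table 5.1

# Constructed sample SIDs: the same group in two different (made-up) domains.
SAMPLE_A = "S-1-5-21-1111111111-2222222222-3333333333-515"
SAMPLE_B = "S-1-5-21-4444444444-5555555555-6666666666-515"


def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]); raise ValueError if malformed."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {sid!r}")
    try:
        numbers = [int(p) for p in parts[2:]]
    except ValueError:
        raise ValueError(f"non-numeric component in {sid!r}") from None
    return numbers[0], numbers[1:]


def classify(sid):
    """Return (well_known_name, domain_identifier); either may be None."""
    authority, subs = parse_sid(sid)
    canonical = "-".join(["S", "1", str(authority)] + [str(s) for s in subs])
    if canonical in CONSTANT_SIDS:
        return CONSTANT_SIDS[canonical], None  # identical on every system
    # Assumed layout of a domain-issued SID: S-1-5-21-<three domain values>-<RID>
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = "-".join(["S-1-5-21"] + [str(s) for s in subs[1:4]])
        return DOMAIN_RELATIVE_RIDS.get(subs[4]), domain
    return None, None


if __name__ == "__main__":
    for s in ("S-1-5-32-544", SAMPLE_A, SAMPLE_B):
        print(s, "->", classify(s))
```

Both sample SIDs resolve to Domain Computers, but a string comparison between them fails, which is why an ACL review across domains has to compare the trailing RID and the domain identifier separately.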

This was first published in November 2004