Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.
As you're probably already aware, a number of SIDs identify generic users and generic groups that don't change. These constant SIDs are typically referred to as well-known SIDs, and they're recognized on every Windows 2000 system. There are over 40 types of well-known SIDs; some examples are shown in Table 5.1.
| Well-known SID value | Well-known SID name | Description |
|---|---|---|
| S-1-1-0 | Everyone | A security group that includes all users, even anonymous users and guests. |
| S-1-3-0 | Creator Owner | A placeholder for an inheritable ACE. When the ACE is inherited, this SID is replaced on the fly with the SID for the object's current owner. |
| S-1-5-2 | Network | A security group that includes all users who are logged on using a network connection. Windows 2000 controls the membership of this group. |
| S-1-5-11 | Authenticated Users | A security group that includes all users who were authenticated when they logged on. Windows 2000 controls the membership of this group. |
| | Domain Admins | A global security group whose members are authorized to administer the entire domain. The Domain Admins group is a default member of the Administrators group on all computers that have joined a domain, including the domain controllers. |
| | Domain Computers | A global security group that includes all computers that have joined the domain but not domain controllers, which get their own security group. |
| S-1-5-32-544 | Administrators | A built-in security group that gives its members full control over the system. After the OS is installed, the only member of this group is the Administrator account; when a computer joins a domain, the Domain Admins group is added to this group on the local computer. |
| S-1-5-32-545 | Users | A built-in security group that lets typical users perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. After the OS is installed, the only member of this group is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to this group on the local computer. |
| S-1-5-32-546 | Guests | A built-in security group that lets occasional or one-time users log on with limited privileges. By default, the only member of this security group is the Guest account. |
One of the interesting things to note about these well-known SIDs is that some of them aren't fully qualified and have a variable component. Two examples are the Domain Admins and Domain Computers security groups. Although these security groups are well-known and universally recognized by Windows 2000 systems, groups in different domains won't have the same effective SIDs.
This was first published in November 2004