{
	"id": "c981fb9b-b151-469c-a7c3-389c4477cc51",
	"created_at": "2026-04-06T00:22:25.422016Z",
	"updated_at": "2026-04-10T03:21:55.757196Z",
	"deleted_at": null,
	"sha1_hash": "226ec4a92eaa2191d1292d730e000e00402fc673",
	"title": "Security Identifiers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109247,
	"plain_text": "Security Identifiers\r\nBy robinharwood\r\nArchived: 2026-04-05 16:46:19 UTC\r\nThis article describes how security identifiers (SIDs) work with accounts and groups in the Windows Server operating\r\nsystem.\r\nWhat are SIDs?\r\nA SID is used to uniquely identify a security principal or security group. Security principals can represent any entity that the\r\noperating system can authenticate. Examples include a user account, a computer account, or a thread or process that runs in\r\nthe security context of a user or computer account.\r\nEach account or group, or each process that runs in the security context of the account, has a unique SID that's issued by an\r\nauthority, such as a Windows domain controller. The SID is stored in a security database. The system generates the SID that\r\nidentifies a particular account or group at the time the account or group is created. When a SID is used as the unique\r\nidentifier for a user or group, it can never be used again to identify another user or group.\r\nEach time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user\r\nrights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the\r\nuser performs on that computer.\r\nIn addition to the uniquely created domain-specific SIDs that are assigned to specific users and groups, there are well-known\r\nSIDs that identify generic groups and generic users. For example, the Everyone and World SIDs each identify a group that\r\nincludes all users. Well-known SIDs have values that remain constant across all operating systems.\r\nSIDs are a fundamental building block of the Windows security model. They work with specific components of the\r\nauthorization and access control technologies in the security infrastructure of the Windows Server operating systems. 
This\r\ndesign helps protect access to network resources and provides a more secure computing environment.\r\nNote\r\nThis content pertains only to the Windows versions in the \"Applies to\" list at the beginning of the article.\r\nHow SIDs work\r\nUsers refer to accounts by the account name. Internally, the operating system refers to accounts and processes that run in the\r\nsecurity context of the account by using their SIDs. For domain accounts, the SID of a security principal is created by\r\nconcatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope\r\n(domain or local), and they're never reused.\r\nThe operating system generates a SID that identifies a particular account or group at the time the account or group is created.\r\nFor a local account or group, the Local Security Authority (LSA) on the computer generates the SID. The SID is stored with\r\nother account information in a secure area of the registry. For a domain account or group, the domain security authority\r\ngenerates the SID. This type of SID is stored as an attribute of the User or Group object in Active Directory Domain\r\nServices.\r\nFor every local account and group, the SID is unique for the computer where it's created. No two accounts or groups on the\r\ncomputer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise.\r\nAs a result, the SID of an account or group in one domain never matches the SID of an account or group in any other\r\ndomain in the enterprise.\r\nSIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted\r\naccounts. For example, if a user with a user account in a Windows domain leaves their job, an administrator deletes their\r\nActive Directory account, including the SID that identifies the account. 
If they later return to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID doesn't match the old one, so none of the user's access from their old account is transferred to the new account. Both their accounts represent two different security principals.\r\nhttps://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems\r\nPage 1 of 14\r\nSID architecture\r\nA SID is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure itself (its revision and the number of subauthority values it carries). The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, NT Authority), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.\r\nDiagram (image not reproduced here): the architecture of a security identifier, showing the domain identifier and relative identifier components.\r\nThe individual values of a SID are described in the following table (component, then description):\r\nRevision: Indicates the version of the SID structure that's used in a particular SID.\r\nIdentifier authority: Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority).\r\nSubauthorities: Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, the RID, identifies a particular account or group relative to a domain.\r\nThe components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation:\r\nS-R-X-Y1-Y2-...-Yn-1-Yn\r\nIn this notation, the components of a SID are described in the following table (component, then description):\r\nS: Indicates that the string is a SID\r\nR: Indicates the revision level\r\nX: Indicates the identifier authority value\r\nY1 through Yn: Represents a series of subauthority values, where n is the number of values\r\nThe SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-...-Yn-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains. Specifically, the domain identifier differentiates SIDs that one domain issues from SIDs that all other domains in the enterprise issue. No two domains in an enterprise share the same domain identifier.\r\nThe last item in the series of subauthority values (-Yn) is the RID. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same RID.\r\nFor example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:\r\nS-1-5-32-544\r\nThis SID has four components:\r\nA revision level (1)\r\nAn identifier authority value (5, NT Authority)\r\nA domain identifier (32, Builtin)\r\nAn RID (544, Administrators)\r\nSIDs for built-in accounts and groups always have the same domain identifier value, 32. This value identifies the domain, Builtin, which exists on every computer that's running a version of the Windows Server operating system.\r\n
It's never\r\nnecessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups,\r\nbecause they're local in scope. They're local to a single computer or, with domain controllers for a network domain, they're\r\nlocal to several computers that are acting as one.\r\nBuilt-in accounts and groups need to be distinguished from one another within the scope of the Builtin domain. Therefore,\r\nthe SID for each account and group has a unique RID. An RID value of 544 is unique to the built-in Administrators group.\r\nNo other account or group in the Builtin domain has a SID with a final value of 544.\r\nIn another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain\r\nAdmins group, and the SID for each group is different. The following example represents the SID for the Domain Admins\r\ngroup in the Contoso, Ltd. domain (Contoso\\Domain Admins):\r\nS-1-5-21-1004336348-1177238915-682003330-512\r\nThe SID for Contoso\\Domain Admins has the following components:\r\nA revision level (1)\r\nAn identifier authority (5, NT Authority)\r\nA domain identifier (21-1004336348-1177238915-682003330, Contoso)\r\nAn RID (512, Domain Admins)\r\nThe SID for Contoso\\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same\r\nenterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this\r\nvalue as its domain identifier. The SID for Contoso\\Domain Admins is distinguished from the SIDs for other accounts and\r\ngroups that are created in the Contoso domain by its RID, 512. 
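As an added worked example (this is not code from the article; the binary layout it decodes is the standard one from the MS-DTYP specification, and the well-known value tables are a subset of those given later in this article), the following Python converts SIDs between the binary form stored in ObjectSID and the S-R-X-Y string notation, splits a SID into its domain identifier and RID exactly as was just done for the Domain Admins SID above, and names the well-known prefixes and RIDs an analyst meets in ACLs and event logs:

```python
import struct

# Added example, not code from the article. Binary layout per MS-DTYP 2.4.2.2:
#   byte 0      Revision (always 1)
#   byte 1      SubAuthorityCount (0..15)
#   bytes 2-7   IdentifierAuthority, 48-bit big-endian
#   then        SubAuthorityCount 32-bit little-endian subauthority values
MAX_SUBAUTHORITIES = 15

def parse_sid(blob):
    # Decode a binary SID (e.g. the ObjectSID attribute) into (revision, authority, [subauthorities]).
    if len(blob) < 8:
        raise ValueError('SID blob shorter than the 8-byte header')
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError('unsupported SID revision %d' % revision)
    if count > MAX_SUBAUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError('subauthority count %d does not match blob length %d' % (count, len(blob)))
    authority = int.from_bytes(blob[2:8], 'big')
    subs = list(struct.unpack('<%dI' % count, blob[8:]))
    return revision, authority, subs

def sid_to_string(blob):
    revision, authority, subs = parse_sid(blob)
    return '-'.join(['S', str(revision), str(authority)] + [str(s) for s in subs])

def string_to_sid(text):
    # Inverse of sid_to_string; rejects anything that could not have come from a real SID.
    parts = text.split('-')
    if len(parts) < 3 or parts[0] != 'S' or not all(p.isdigit() for p in parts[1:]):
        raise ValueError('not a SID string: %r' % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > MAX_SUBAUTHORITIES or any(s >= 1 << 32 for s in subs):
        raise ValueError('SID component out of range: %r' % text)
    return bytes([revision, len(subs)]) + authority.to_bytes(6, 'big') + struct.pack('<%dI' % len(subs), *subs)

def split_sid(text):
    # Domain identifier = everything but the last subauthority; RID = the last one.
    parts = text.split('-')
    if len(parts) < 4:
        raise ValueError('SID has no subauthorities, so no RID: %r' % text)
    return '-'.join(parts[:-1]), int(parts[-1])

def make_sid(domain_sid, rid):
    return '%s-%d' % (domain_sid, rid)

# Subset of the well-known values tabulated in the article, so describe() can name what it sees.
UNIVERSAL = {'S-1-0-0': 'Null SID', 'S-1-1-0': 'World', 'S-1-2-0': 'Local', 'S-1-2-1': 'Console Logon',
             'S-1-3-0': 'Creator Owner ID', 'S-1-3-1': 'Creator Group ID', 'S-1-3-4': 'Owner Rights'}
NT_WELL_KNOWN = {'S-1-5-2': 'Network', 'S-1-5-4': 'Interactive', 'S-1-5-7': 'Anonymous Logon',
                 'S-1-5-9': 'Enterprise Domain Controllers', 'S-1-5-11': 'Authenticated Users',
                 'S-1-5-18': 'System', 'S-1-5-19': 'LocalService', 'S-1-5-20': 'NetworkService'}
BUILTIN_RIDS = {544: 'Administrators', 545: 'Users', 546: 'Guests', 548: 'Account Operators',
                549: 'Server Operators', 551: 'Backup Operators', 555: 'Remote Desktop Users'}
DOMAIN_RIDS = {500: 'Administrator', 501: 'Guest', 502: 'KRBTGT', 512: 'Domain Admins',
               513: 'Domain Users', 515: 'Domain Computers', 516: 'Domain Controllers',
               518: 'Schema Admins', 519: 'Enterprise Admins', 525: 'Protected Users'}

def describe(text):
    # Classify a SID string the way an analyst reading an ACL or an event log would.
    if text in UNIVERSAL:
        return 'universal well-known: ' + UNIVERSAL[text]
    if text in NT_WELL_KNOWN:
        return 'NT well-known: ' + NT_WELL_KNOWN[text]
    parts = text.split('-')
    if parts[:4] == ['S', '1', '5', '32'] and len(parts) == 5:
        return 'Builtin: ' + BUILTIN_RIDS.get(int(parts[4]), 'alias RID ' + parts[4])
    if parts[:4] == ['S', '1', '5', '21'] and len(parts) == 8:
        domain, rid = split_sid(text)
        if rid in DOMAIN_RIDS:
            return '%s in domain %s' % (DOMAIN_RIDS[rid], domain)
        if rid < 1000:
            # RIDs below 1000 are reserved for well-known principals (general Windows fact, not from the article).
            return 'reserved RID %d in domain %s' % (rid, domain)
        return 'ordinary account or group RID %d in domain %s' % (rid, domain)
    if parts[:4] == ['S', '1', '5', '5'] and len(parts) == 6:
        return 'Logon Session'
    if parts[:4] == ['S', '1', '5', '80']:
        return 'service SID'
    return 'unrecognized'

if __name__ == '__main__':
    contoso = 'S-1-5-21-1004336348-1177238915-682003330'   # domain identifier from the article
    for sid in [make_sid(contoso, 512), 'S-1-5-32-544', make_sid(contoso, 1105), 'S-1-5-5-0-123456']:
        blob = string_to_sid(sid)
        assert sid_to_string(blob) == sid
        print(sid, blob.hex(), describe(sid))
```

Run directly, it round-trips four sample SIDs through the binary form and prints their classification. parse_sid rejects revision values other than 1, more than 15 subauthorities, and blobs whose length disagrees with the count, which is the check you want before handing untrusted directory or security-descriptor data to anything else. The reserved-RID rule (RIDs below 1000 belong to well-known principals; ordinary accounts are allocated from 1000 upward) is a general Windows fact rather than something the article states.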
No other account or group in the domain has a SID with a\r\nfinal value of 512.\r\nRID allocation\r\nWhen accounts and groups are stored in an account database that a local Security Accounts Manager (SAM) manages, it's\r\nfairly easy for the system to generate a unique RID for each account and group that it creates on a standalone computer. The\r\nSAM on a standalone computer can track the RID values that it has used and make sure that it never uses them again.\r\nIn a network domain, however, generating unique RIDs is a more complex process. Windows Server network domains can\r\nhave several domain controllers. Each domain controller stores Active Directory account information. As a result, in a\r\nnetwork domain, there are as many copies of the account database as there are domain controllers. In addition, every copy of\r\nthe account database is a master copy.\r\nNew accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one\r\ndomain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one\r\nmaster copy of the account database to all other master copies is called a multimaster operation.\r\nThe process of generating unique RIDs is a single-master operation. One domain controller is assigned the role of RID\r\nmaster, and it allocates a sequence of RIDs to each domain controller in the domain. When a new domain account or group\r\nis created in one domain controller's replica of Active Directory, it's assigned a SID. The RID for the new SID is taken from\r\nthe domain controller's allocation of RIDs. When its supply of RIDs begins to run low, the domain controller requests\r\nanother block from the RID master.\r\nEach domain controller uses each value in a block of RIDs only once. The RID master allocates each block of RID values\r\nonly once. 
This process ensures that every account and group created in the domain has a unique RID.\r\nSIDs and globally unique identifiers\r\nWhen a new domain user or group account is created, Active Directory stores the account's SID in the ObjectSID property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that's unique not only in the enterprise, but also across the world. A GUID is assigned to every object that Active Directory creates, not only User and Group objects. Each object's GUID is stored in its ObjectGUID property.\r\nActive Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that's published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by ObjectGUID might be the most reliable way of finding the object you want to locate. The values of other object properties can change, but the ObjectGUID property never changes. When an object is assigned a GUID, it keeps that value for life.\r\nIf a user moves from one domain to another, the user gets a new SID. The SID for a Group object doesn't change, because groups stay in the domain where they're created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, Contoso\\NoAm to Contoso\\Europe. In this case, the User object for the account needs a new SID. The domain identifier portion of a SID that's issued in NoAm is unique to NoAm, so the SID for the user's account in Europe has a different domain identifier.\r\n
The RID portion of a SID is unique only within its domain, so when the account moves to another domain, its new SID also gets a RID allocated from the new domain's pool.\r\nWhen a User object moves from one domain to another, a new SID must be generated for the user account and stored in the ObjectSID property. Before the new value is written to the property, the previous value is copied to another property of a User object, SIDHistory. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the ObjectSID property, and another value is added to the list of old SIDs in the SIDHistory value. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user. The query includes the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they're included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in the SIDHistory property) can allow or deny the user access.\r\nYou can allow or deny users access to a resource based on their jobs. But you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others.\r\nHowever, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The SIDHistory property makes it possible for the access to remain the same. When a user changes domains, there's no need to change the access control list (ACL) on any resource. An ACL might have the user's old SID but not the new one. But the old SID is still in the user's access token.\r\n
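The following is an added Python example, not the article's own code and not the full Windows access-check implementation; it models just enough of the token and DACL evaluation described in this section to show why an ACE that names the user's old SID still takes effect after the account moves. The NoAm and Europe domain identifiers, the RIDs, and the DACLs are constructed for the example:

```python
# Added example, not the article's code: a simplified model of the token that a domain
# controller builds after sign-in and of the DACL walk that decides access. It keeps the
# rules that matter for SIDHistory: every SID in the token is a candidate match, ACEs are
# evaluated in order, and a matching deny ACE short-circuits before later allow ACEs.
READ, WRITE = 0x1, 0x2

# Constructed domain identifiers for the NoAm and Europe domains in the article's scenario.
NOAM = 'S-1-5-21-1004336348-1177238915-682003330'
EUROPE = 'S-1-5-21-3623811015-3361044348-30300820'
AUTHENTICATED_USERS = 'S-1-5-11'
WORLD = 'S-1-1-0'

def build_token(user_sid, group_sids, sid_history=()):
    # What the authentication client receives: current SID, old SIDs from SIDHistory,
    # group SIDs, plus the generic well-known groups every authenticated user gets.
    return {'user': user_sid,
            'sids': frozenset([user_sid, WORLD, AUTHENTICATED_USERS, *group_sids, *sid_history])}

def access_check(token, dacl, requested):
    # dacl: ordered list of (kind, sid, mask) with kind 'allow' or 'deny'.
    # Returns True only when every requested bit is granted before a matching deny is reached;
    # an empty DACL therefore grants nothing.
    remaining = requested
    for kind, sid, mask in dacl:
        if sid not in token['sids']:
            continue                     # ACE does not apply to this token
        if kind == 'deny' and mask & remaining:
            return False                 # deny on a not-yet-granted bit wins immediately
        if kind == 'allow':
            remaining &= ~mask
            if remaining == 0:
                return True              # everything requested is granted; stop walking
    return remaining == 0

def move_user(old_sid, new_domain, new_rid, history=()):
    # Model of the inter-domain move: new ObjectSID, old value appended to SIDHistory.
    return '%s-%d' % (new_domain, new_rid), (*history, old_sid)

def demo():
    old_sid = NOAM + '-1105'
    # A share DACL written while the user was still in NoAm. It grants the user directly,
    # which the article advises against; this is exactly the case SIDHistory rescues.
    share_dacl = [('allow', old_sid, READ | WRITE), ('allow', AUTHENTICATED_USERS, READ)]
    # A second resource that explicitly denies the old SID; the deny travels with SIDHistory too.
    denied_dacl = [('deny', old_sid, READ), ('allow', AUTHENTICATED_USERS, READ)]
    new_sid, history = move_user(old_sid, EUROPE, 2077)
    with_history = build_token(new_sid, [EUROPE + '-513'], history)
    without_history = build_token(new_sid, [EUROPE + '-513'])   # e.g. after SIDHistory cleanup
    return {
        'write_with_history': access_check(with_history, share_dacl, WRITE),
        'write_without_history': access_check(without_history, share_dacl, WRITE),
        'read_without_history': access_check(without_history, share_dacl, READ),
        'denied_with_history': access_check(with_history, denied_dacl, READ),
        'denied_without_history': access_check(without_history, denied_dacl, READ),
    }

if __name__ == '__main__':
    for name, allowed in demo().items():
        print(name, 'ALLOWED' if allowed else 'DENIED')
```

The model keeps the two rules that decide the outcome: ACEs are evaluated in order, and a deny that matches any SID in the token stops the walk, so a deny ACE written against the old SID follows the user as faithfully as an allow does. That same property is what makes SIDHistory an attractive target for anyone who can write the attribute, and it is why SID filtering on trusts strips SIDs whose domain identifier does not belong to the trusted domain.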
It's\r\nlisted among the SIDs for the user's groups, and the user is granted or denied access based on the old SID.\r\nWell-known SIDs\r\nThe values of certain SIDs are constant across all systems. They're created when the operating system or domain is installed.\r\nThey're called well-known SIDs because they identify generic users or generic groups.\r\nThere are universal well-known SIDs that are meaningful on all secure systems that use this security model, including\r\noperating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows\r\noperating systems.\r\nThe following table lists the universal well-known SIDs:\r\nUniversal\r\nwell-known\r\nSID\r\nName Identifies\r\nS-1-0-0 Null SID A group with no members. This value is often used when a SID value isn't known.\r\nS-1-1-0 World A group that includes all users.\r\nS-1-2-0 Local Users who sign in to terminals that are locally (physically) connected to the system.\r\nS-1-2-1\r\nConsole\r\nLogon\r\nA group that includes users who are signed in to the physical console.\r\nhttps://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems\r\nPage 4 of 14\n\nUniversal\r\nwell-known\r\nSID\r\nName Identifies\r\nS-1-3-0\r\nCreator\r\nOwner ID\r\nA SID to be replaced by the SID of the user who creates a new object. This SID is\r\nused in inheritable access control entries (ACEs).\r\nS-1-3-1\r\nCreator\r\nGroup ID\r\nA SID to be replaced by the primary-group SID of the user who creates a new\r\nobject. Use this SID in inheritable ACEs.\r\nS-1-3-2\r\nOwner\r\nServer\r\nA placeholder in an inheritable ACE. When the ACE is inherited, the system\r\nreplaces this SID with the SID for the object's owner server and stores information\r\nabout who created a given object or file.\r\nS-1-3-3\r\nGroup\r\nServer\r\nA placeholder in an inheritable ACE. 
When the ACE is inherited, the system\r\nreplaces this SID with the SID for the object's group server. The system also stores\r\ninformation about the groups that are allowed to work with the object.\r\nS-1-3-4\r\nOwner\r\nRights\r\nA group that represents the current owner of the object. When an ACE that carries\r\nthis SID is applied to an object, the system ignores the implicit READ_CONTROL\r\nand WRITE_DAC standard access rights for the object owner.\r\nS-1-4\r\nNon-unique\r\nAuthority\r\nA SID that represents an identifier authority.\r\nS-1-5 NT Authority A SID that represents an identifier authority.\r\nS-1-5-80-0 All Services\r\nA group that includes all service processes configured on the system. The operating\r\nsystem controls the membership of this group.\r\nThe following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in the Windows operating systems in the \"Applies to\"\r\nlist at the beginning of the article.\r\nIdentifier authority Value SID string prefix\r\nSECURITY_NULL_SID_AUTHORITY 0 S-1-0\r\nSECURITY_WORLD_SID_AUTHORITY 1 S-1-1\r\nSECURITY_LOCAL_SID_AUTHORITY 2 S-1-2\r\nSECURITY_CREATOR_SID_AUTHORITY 3 S-1-3\r\nSECURITY_NT_AUTHORITY 5 S-1-5\r\nSECURITY_AUTHENTICATION_AUTHORITY 18 S-1-18\r\nThe following RID values are used with universal well-known SIDs. 
The Identifier authority column shows the prefix of\r\nthe identifier authority with which you can combine the RID to create a universal well-known SID.\r\nRID authority Value Identifier authority\r\nSECURITY_NULL_RID 0 S-1-0\r\nSECURITY_WORLD_RID 0 S-1-1\r\nSECURITY_LOCAL_RID 0 S-1-2\r\nSECURITY_CREATOR_OWNER_RID 0 S-1-3\r\nSECURITY_CREATOR_GROUP_RID 1 S-1-3\r\nhttps://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems\r\nPage 5 of 14\n\nThe SECURITY_NT_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that aren't universal. These SIDs\r\nare meaningful only in installations of the Windows operating systems in the \"Applies to\" list at the beginning of this article.\r\nThe following table lists the well-known SIDs:\r\nSID Display name Description\r\nS-1-5-1 Dialup\r\nA group that includes all users who are signed in to the system via dial-up\r\nconnection.\r\nS-1-5-113 Local account\r\nA SID that you can use when you restrict network sign-in to local accounts\r\ninstead of administrator or equivalent accounts. This SID can be effective in\r\nblocking network sign-in for local users and groups by account type\r\nregardless of their name.\r\nS-1-5-114\r\nLocal account and\r\nmember of\r\nAdministrators group\r\nA SID that you can use when you restrict network sign-in to local accounts\r\ninstead of administrator or equivalent accounts. This SID can be effective in\r\nblocking network sign-in for local users and groups by account type\r\nregardless of their name.\r\nS-1-5-2 Network\r\nA group that includes all users who are signed in via a network connection.\r\nAccess tokens for interactive users don't contain the Network SID.\r\nS-1-5-3 Batch\r\nA group that includes all users who are signed in via batch queue facility,\r\nsuch as task scheduler jobs.\r\nS-1-5-4 Interactive\r\nA group that includes all users who sign in interactively. 
A user can start an\r\ninteractive sign-in session by opening a Remote Desktop Services\r\nconnection from a remote computer, or by using a remote shell such as\r\nTelnet. In each case, the user's access token contains the Interactive SID. If\r\nthe user signs in by using a Remote Desktop Services connection, the user's\r\naccess token also contains the Remote Interactive Logon SID.\r\nS-1-5-5- X-Y Logon Session\r\nA particular sign-in session. The X and Y values for SIDs in this format are\r\nunique for each sign-in session.\r\nS-1-5-6 Service A group that includes all security principals that are signed in as a service.\r\nS-1-5-7 Anonymous Logon\r\nA user who connects to the computer without supplying a user name and\r\npassword.\r\nThe Anonymous Logon identity is different from the identity that's used by\r\nInternet Information Services (IIS) for anonymous web access. IIS uses an\r\nactual account—by default, IUSR_computer-name, for anonymous access\r\nto resources on a website. Strictly speaking, such access isn't anonymous,\r\nbecause the security principal is known even though unidentified people are\r\nusing the account. IUSR_computer-name (or whatever you name the\r\naccount) has a password, and IIS signs in to the account when the service\r\nstarts. As a result, the IIS anonymous user is a member of Authenticated\r\nUsers, but Anonymous Logon isn't.\r\nS-1-5-8 Proxy A SID that's not currently used.\r\nS-1-5-9\r\nEnterprise Domain\r\nControllers\r\nA group that includes all domain controllers in a forest of domains.\r\nS-1-5-10 Self\r\nA placeholder in an ACE for a user, group, or computer object in Active\r\nDirectory. When you grant permissions to Self, you grant them to the\r\nsecurity principal that the object represents. 
During an access check, the\r\noperating system replaces the SID for Self with the SID for the security\r\nprincipal that the object represents.\r\nhttps://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems\r\nPage 6 of 14\n\nSID Display name Description\r\nS-1-5-11 Authenticated Users\r\nA group that includes all users and computers with identities that have been\r\nauthenticated. Authenticated Users doesn't include the Guest account even if\r\nthat account has a password.\r\nThis group includes authenticated security principals from any trusted\r\ndomain, not only the current domain.\r\nS-1-5-12 Restricted Code\r\nAn identity that's used by a process that's running in a restricted security\r\ncontext. In Windows and Windows Server operating systems, a software\r\nrestriction policy can assign one of three security levels to code:\r\nUnrestricted\r\nRestricted\r\nDisallowed\r\nWhen code runs at the restricted security level, the Restricted SID is added\r\nto the user's access token.\r\nS-1-5-13 Terminal Server User\r\nA group that includes all users who sign in to a server with Remote Desktop\r\nServices enabled.\r\nS-1-5-14\r\nRemote Interactive\r\nLogon\r\nA group that includes all users who sign in to the computer by using a\r\nremote desktop connection. This group is a subset of the Interactive group.\r\nAccess tokens that contain the Remote Interactive Logon SID also contain\r\nthe Interactive SID.\r\nS-1-5-15 This Organization\r\nA group that includes all users from the same organization. This group is\r\nincluded only with Active Directory accounts and added only by a domain\r\ncontroller.\r\nS-1-5-17 IUSR An account that's used by the default IIS user.\r\nS-1-5-18\r\nSystem (or\r\nLocalSystem)\r\nAn identity that's used locally by the operating system and by services that\r\nare configured to sign in as LocalSystem.\r\nSystem is a hidden member of Administrators. 
That is, any process that's\r\nrunning as System has the SID for the built-in Administrators group in its\r\naccess token.\r\nWhen a process that's running locally as System accesses network\r\nresources, it does so by using the computer's domain identity. Its access\r\ntoken on the remote computer includes the SID for the local computer's\r\ndomain account plus SIDs for security groups that the computer is a\r\nmember of, such as Domain Computers and Authenticated Users.\r\nS-1-5-19\r\nNT Authority\r\n(LocalService)\r\nAn identity that's used by services that are local to the computer, have no\r\nneed for extensive local access, and don't need authenticated network\r\naccess. Services that run as LocalService can access local resources as\r\nordinary users, and they access network resources as anonymous users. As a\r\nresult, a service that runs as LocalService has significantly less authority\r\nthan a service that runs as LocalSystem locally and on the network.\r\nS-1-5-20 NetworkService\r\nAn identity that's used by services that have no need for extensive local\r\naccess but do need authenticated network access. Services that are running\r\nas NetworkService can access local resources as ordinary users and access\r\nnetwork resources by using the computer's identity. As a result, a service\r\nthat runs as NetworkService has the same network access as a service that\r\nruns as LocalSystem, but its local access is significantly reduced.\r\nS-1-5-\r\ndomain-500\r\nAdministrator A user account for the system administrator. Every computer has a local\r\nAdministrator account, and every domain has a domain Administrator\r\naccount.\r\nThe Administrator account is the first account created during operating\r\nhttps://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems\r\nPage 7 of 14\n\nSID Display name Description\r\nsystem installation. 
The account can't be deleted, disabled, or locked out,\r\nbut it can be renamed.\r\nBy default, the Administrator account is a member of the Administrators\r\ngroup, and it can't be removed from that group.\r\nS-1-5-\r\ndomain-501\r\nGuest\r\nA user account for people who don't have individual accounts. Every\r\ncomputer has a local Guest account, and every domain has a domain Guest\r\naccount.\r\nBy default, Guest is a member of the Everyone and the Guests groups. The\r\ndomain Guest account is also a member of the Domain Guests and Domain\r\nUsers groups.\r\nUnlike Anonymous Logon, Guest is a real account, and it can be used to\r\nsign in interactively. The Guest account doesn't require a password, but it\r\ncan have one.\r\nS-1-5-\r\ndomain-502\r\nKRBTGT\r\nA user account that's used by the Key Distribution Center (KDC) service.\r\nThe account exists only on domain controllers.\r\nS-1-5-\r\ndomain-512\r\nDomain Admins\r\nA global group with members that are authorized to administer the domain.\r\nBy default, the Domain Admins group is a member of the Administrators\r\ngroup on all computers that are joined to the domain, including domain\r\ncontrollers.\r\nDomain Admins is the default owner of any object that's created in the\r\ndomain's Active Directory by any member of the group. If members of the\r\ngroup create other objects, such as files, the default owner is the\r\nAdministrators group.\r\nS-1-5-\r\ndomain-513\r\nDomain Users\r\nA global group that includes all users in a domain. 
When you create a new\r\nUser object in Active Directory, the user is automatically added to this\r\ngroup.\r\nS-1-5-\r\ndomain-514\r\nDomain Guests\r\nA global group that, by default, has only one member: the domain's built-in\r\nGuest account.\r\nS-1-5-\r\ndomain-515\r\nDomain Computers\r\nA global group that includes all computers that are joined to the domain,\r\nexcluding domain controllers.\r\nS-1-5-\r\ndomain-516\r\nDomain Controllers\r\nA global group that includes all domain controllers in the domain. New\r\ndomain controllers are added to this group automatically.\r\nS-1-5-\r\ndomain-517\r\nCert Publishers\r\nA global group that includes all computers that host an enterprise\r\ncertification authority.\r\nCert Publishers are authorized to publish certificates for User objects in\r\nActive Directory.\r\nS-1-5-root\r\ndomain-518\r\nSchema Admins\r\nA group that exists only in the forest root domain. It's a universal group if\r\nthe domain is in native mode, and it's a global group if the domain is in\r\nmixed mode. The Schema Admins group is authorized to make schema\r\nchanges in Active Directory. By default, the only member of the group is\r\nthe Administrator account for the forest root domain.\r\nS-1-5-root\r\ndomain-519\r\nEnterprise Admins A group that exists only in the forest root domain. It's a universal group if\r\nthe domain is in native mode, and it's a global group if the domain is in\r\nmixed mode.\r\nThe Enterprise Admins group is authorized to make changes to the forest\r\ninfrastructure. Examples include adding child domains, configuring sites,\r\nauthorizing Dynamic Host Configuration Protocol (DHCP) servers, and\r\ninstalling enterprise certification authorities.\r\nBy default, the only member of Enterprise Admins is the Administrator\r\nhttps://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems\r\nPage 8 of 14\n\nSID Display name Description\r\naccount for the forest root domain. 
The group is a default member of every\r\nDomain Admins group in the forest.\r\nS-1-5-\r\ndomain-520\r\nGroup Policy Creator\r\nOwners\r\nA global group that's authorized to create new Group Policy Objects in\r\nActive Directory. By default, the only member of the group is\r\nAdministrator.\r\nWhen a member of Group Policy Creator Owners creates an object, that\r\nmember owns the object. In this way, the Group Policy Creator Owners\r\ngroup is unlike other administrative groups (such as Administrators and\r\nDomain Admins). When a member of these groups creates an object, the\r\ngroup owns the object, not the individual.\r\nS-1-5-\r\ndomain-521\r\nRead-only Domain\r\nControllers\r\nA global group that includes all read-only domain controllers.\r\nS-1-5-\r\ndomain-522\r\nClonable Controllers\r\nA global group that includes all domain controllers in the domain that can\r\nbe cloned.\r\nS-1-5-\r\ndomain-525\r\nProtected Users\r\nA global group that's afforded extra protections against authentication\r\nsecurity threats.\r\nS-1-5-root\r\ndomain-526\r\nKey Admins\r\nA group that's intended for use in scenarios where trusted external\r\nauthorities are responsible for modifying this attribute. Only trusted\r\nadministrators should be made a member of this group.\r\nS-1-5-\r\ndomain-527\r\nEnterprise Key Admins\r\nA group that's intended for use in scenarios where trusted external\r\nauthorities are responsible for modifying this attribute. Only trusted\r\nenterprise administrators should be made a member of this group.\r\nS-1-5-32-\r\n544\r\nAdministrators\r\nA built-in group. After the initial installation of the operating system, the\r\nonly member of the group is the Administrator account. When a computer\r\njoins a domain, the Domain Admins group is added to the Administrators\r\ngroup. When a server becomes a domain controller, the Enterprise Admins\r\ngroup also is added to the Administrators group.\r\nS-1-5-32-\r\n545\r\nUsers\r\nA built-in group. 
After the initial installation of the operating system, the only member is the Authenticated Users group.\r\nS-1-5-32-546 | Guests | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer's built-in Guest account.\r\nS-1-5-32-547 | Power Users | A built-in group. By default, the group has no members. Power users can: create local users and groups; modify and delete accounts that they create; remove users from the Power Users, Users, and Guests groups; install programs; create, manage, and delete local printers; and create and delete file shares.\r\nS-1-5-32-548 | Account Operators | A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators don't have permission to modify the Administrators and Domain Admins groups. They also don't have permission to modify the accounts for members of those groups.\r\nS-1-5-32-549 | Server Operators | A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can: sign in to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.\r\nS-1-5-32-550 | Print Operators | A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. 
Print Operators can manage printers and document queues.\r\nS-1-5-32-551 | Backup Operators | A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can sign in to the computer and shut it down.\r\nS-1-5-32-552 | Replicators | A built-in group that supports file replication in a domain. By default, the group has no members. Don't add users to this group.\r\nS-1-5-domain-553 | RAS and IAS Servers | A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access Service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.\r\nS-1-5-32-554 | Builtin\\Pre-Windows 2000 Compatible Access | A backward compatibility group that allows read access on all users and groups in the domain.\r\nS-1-5-32-555 | Builtin\\Remote Desktop Users | An alias. Members of this group are granted the right to sign in remotely.\r\nS-1-5-32-556 | Builtin\\Network Configuration Operators | An alias. Members of this group can have some administrative privileges to manage configuration of networking features.\r\nS-1-5-32-557 | Builtin\\Incoming Forest Trust Builders | An alias. Members of this group can create incoming, one-way trusts to the forest.\r\nS-1-5-32-558 | Builtin\\Performance Monitor Users | An alias. Members of this group have remote access to monitor the computer.\r\nS-1-5-32-559 | Builtin\\Performance Log Users | An alias. Members of this group have remote access to schedule logging of performance counters on the computer.\r\nS-1-5-32-560 | Builtin\\Windows Authorization Access Group | An alias. 
Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.\r\nS-1-5-32-561 | Builtin\\Terminal Server License Servers | An alias. A group for Terminal Server license servers.\r\nS-1-5-32-562 | Builtin\\Distributed COM Users | An alias. A group for Component Object Model (COM) users to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.\r\nS-1-5-32-568 | Builtin\\IIS_IUSRS | An alias. A built-in group account for IIS users.\r\nS-1-5-32-569 | Builtin\\Cryptographic Operators | A built-in local group. Members are authorized to perform cryptographic operations.\r\nS-1-5-domain-571 | Allowed RODC Password Replication Group | A group with members who can have their passwords replicated to all read-only domain controllers in the domain.\r\nS-1-5-domain-572 | Denied RODC Password Replication Group | A group with members who can't have their passwords replicated to all read-only domain controllers in the domain.\r\nS-1-5-32-573 | Builtin\\Event Log Readers | A built-in local group. Members of this group can read event logs from a local computer.\r\nS-1-5-32-574 | Builtin\\Certificate Service DCOM Access | A built-in local group. Members of this group are allowed to connect to certification authorities in the enterprise.\r\nS-1-5-32-575 | Builtin\\RDS Remote Access Servers | A built-in local group. Servers in this group give users of RemoteApp programs and personal virtual desktops access to these resources. In internet-facing deployments, these servers are typically deployed in an edge network. 
This group needs to be populated on servers that are running Remote Desktop Connection Broker (RD Connection Broker). Remote Desktop Gateway (RD Gateway) servers and Remote Desktop Web Access (RD Web Access) servers used in the deployment need to be in this group.\r\nS-1-5-32-576 | Builtin\\RDS Endpoint Servers | A built-in local group. Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers that are running RD Connection Broker. Remote Desktop Session Host (RD Session Host) servers and Remote Desktop Virtualization Host (RD Virtualization Host) servers used in the deployment need to be in this group.\r\nS-1-5-32-577 | Builtin\\RDS Management Servers | A built-in local group. Servers in this group can perform routine administrative actions on servers that are running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers that are running the Remote Desktop Services central management service must be included in this group.\r\nS-1-5-32-578 | Builtin\\Hyper-V Administrators | A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.\r\nS-1-5-32-579 | Builtin\\Access Control Assistance Operators | A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on the computer.\r\nS-1-5-32-580 | Builtin\\Remote Management Users | A built-in local group. Members of this group can access Windows Management Instrumentation (WMI) resources over management protocols such as Web Services for Management (WS-Management) via the Windows Remote Management service. 
This access applies only to WMI namespaces that grant access to the user.\r\nS-1-5-64-10 | NTLM Authentication | A SID that's used when the New Technology LAN Manager (NTLM) authentication package authenticates the client.\r\nS-1-5-64-14 | SChannel Authentication | A SID that's used when the Secure Channel (Schannel) authentication package authenticates the client.\r\nS-1-5-64-21 | Digest Authentication | A SID that's used when the Digest authentication package authenticates the client.\r\nS-1-5-80 | NT Service | A SID that's used as a New Technology Service (NT Service) account prefix.\r\nS-1-5-80-0 | All Services | A group that includes all service processes that are configured on the system. The operating system controls the membership of this group. The S-1-5-80-0 SID represents NT SERVICES\\ALL SERVICES.\r\nS-1-5-83-0 | NT VIRTUAL MACHINE\\Virtual Machines | A built-in group. The group is created when the Hyper-V role is installed. The Hyper-V Management Service (VMMS) maintains the membership of this group. This group requires the Create Symbolic Links right (SeCreateSymbolicLinkPrivilege) and the Log on as a Service right (SeServiceLogonRight).\r\nThe following RIDs are relative to each domain:\r\nRID | Decimal value | Identifies\r\nDOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain.\r\nDOMAIN_USER_RID_GUEST | 501 | The guest-user account in a domain. Users who don't have an account can automatically sign in to this account.\r\nDOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.\r\nDOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.\r\nDOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. 
All computers in the domain are members of this group.\r\nDOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.\r\nDOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers group. Computers that are running Active Directory Certificate Services are members of this group.\r\nDOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators group. Members of this group can modify the Active Directory schema.\r\nDOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.\r\nDOMAIN_GROUP_RID_POLICY_ADMINS | 520 | The policy administrators group.\r\nThe following table lists examples of domain-relative RIDs that are used to form well-known SIDs for local groups:\r\nRID | Decimal value | Identifies\r\nDOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.\r\nDOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.\r\nDOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.\r\nDOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.\r\nDOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that's used to control the assignment of file backup-and-restore user rights.\r\nDOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that's responsible for copying security databases from the primary domain controller to the backup domain controllers. 
These accounts are used only by the system.\r\nDOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers that are running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.\r\nChanges in SID functionality\r\nThe following table describes changes in SID implementation in the Windows operating systems:\r\nChange | Operating system version | Description and resources\r\nThe TrustedInstaller SID owns most of the operating system files | Windows Server 2008, Windows Vista | The purpose of this change is to prevent a process that's running as an administrator or under the LocalSystem account from automatically replacing the operating system files.\r\nRestricted SID checks are implemented | Windows Server 2008, Windows Vista | When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object.\r\nCapability SIDs\r\nCapability SIDs serve as unique and immutable identifiers for capabilities. A capability represents an unforgeable token of authority that grants Universal Windows Applications access to resources (for example, documents, cameras, and locations). An app that has a capability is granted access to the resource that the capability is associated with. An app that doesn't have a capability is denied access to the resource.\r\nAll capability SIDs that the operating system is aware of are stored in the Windows registry in the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities path. 
Any capability SID that's added to Windows by Microsoft or partner applications is added to this location.\r\nExamples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition\r\nYou might see the following registry keys under AllCachedCapabilities:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_DevU\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_DevU\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_Enterp\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_Gener\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_Restri\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_Wind\r\nThe prefix of all capability SIDs is S-1-15-3.\r\nExamples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition\r\nYou might see the following registry keys under 
AllCachedCapabilities:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_DevU\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_DevU\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_Enterp\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_Gener\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_Restri\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SecurityManager\\CapabilityClasses\\AllCachedCapabilities\\capabilityClass_Wind\r\nThe prefix of all capability SIDs is S-1-15-3.\r\nRelated content\r\nAccess control overview\r\nSource: https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems"
	],
	"report_names": [
		"well-known-security-identifiers-in-windows-operating-systems"
	],
	"threat_actors": [],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/226ec4a92eaa2191d1292d730e000e00402fc673.pdf",
		"text": "https://archive.orkl.eu/226ec4a92eaa2191d1292d730e000e00402fc673.txt",
		"img": "https://archive.orkl.eu/226ec4a92eaa2191d1292d730e000e00402fc673.jpg"
	}
}