{"id":1001,"date":"2014-12-26T15:17:42","date_gmt":"2014-12-26T20:17:42","guid":{"rendered":"http:\/\/adsecurity.org\/?p=1001"},"modified":"2015-01-11T11:14:02","modified_gmt":"2015-01-11T16:14:02","slug":"interesting-windows-computer-active-directory-well-known-security-identifiers-sids","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=1001","title":{"rendered":"Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs)"},"content":{"rendered":"
The Microsoft Knowledge Base article KB243330 lists the well-known security identifiers in Windows operating systems\u00a0<\/a><\/h5>\n

Listed here are the more interesting ones from the article as well as some additional ones.<\/p>\n

Local Computer SIDs
\n<\/strong><\/span><\/h4>\n

SID: S-1-5-2
\nName: Network
\nDescription: A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.<\/p>\n

SID: S-1-5-6
\nName: Service
\nDescription: A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.<\/p>\n

SID: S-1-5-9
\nName: Enterprise Domain Controllers
\nDescription: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.<\/p>\n

SID: S-1-5-11
\nName: Authenticated Users
\nDescription: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.<\/p>\n

SID: S-1-5-18
\nName: Local System
\nDescription: A service account that is used by the operating system.<\/p>\n

SID: S-1-5-19
\nName: NT Authority
\nDescription: Local Service<\/p>\n

SID: S-1-5-20
\nName: NT Authority
\nDescription: Network Service<\/p><\/blockquote>\n

New Local Computer SIDs in Windows 8.1, Windows 2012 R2, and earlier operating systems (with KB2871997<\/a>):<\/span><\/strong><\/h4>\n

LOCAL_ACCOUNT (S-1-5-113) \u2013 any local account
\nLOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP (S-1-5-114)<\/p><\/blockquote>\n

 <\/p>\n

Active Directory Domain SIDs’<\/p>\n

<\/strong><\/span><\/h4>\n

<\/p>\n

SID: S-1-5-21<DOMAIN>-500
\nName: Administrator
\nDescription: A user account for the system administrator. By default, it is the only user account that is given full control over the system.<\/p>\n

SID: S-1-5-21<DOMAIN>-501
\nName: Guest
\nDescription: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.<\/p>\n

SID: S-1-5-21<DOMAIN>-502
\nName: KRBTGT
\nDescription: A service account that is used by the Key Distribution Center (KDC) service.<\/p>\n

SID: S-1-5-21<DOMAIN>-512
\nName: Domain Admins
\nDescription: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.<\/p>\n

SID: S-1-5-21<DOMAIN>-513
\nName: Domain Users
\nDescription: A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.<\/p>\n

SID: S-1-5-21<DOMAIN>-514
\nName: Domain Guests
\nDescription: A global group that, by default, has only one member, the domain’s built-in Guest account.<\/p>\n

SID: S-1-5-21<DOMAIN>-515
\nName: Domain Computers
\nDescription: A global group that includes all clients and servers that have joined the domain.<\/p>\n

SID: S-1-5-21<DOMAIN>-516
\nName: Domain Controllers
\nDescription: A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.<\/p>\n

SID: S-1-5- 21<DOMAIN>-498
\nName: Enterprise Read-only Domain Controllers
\nDescription: A Universal group. Members of this group are Read-Only Domain Controllers in the enterprise
\nNew with Windows Server 2008 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5- 21<DOMAIN>-521
\nName: Read-only Domain Controllers
\nDescription: A Global group. Members of this group are Read-Only Domain Controllers in the domain
\nNew with Windows Server 2008 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-21<DOMAIN>-517
\nName: Cert Publishers
\nDescription: A global group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.<\/p>\n

SID: S-1-5-21<ROOTDOMAIN>-518
\nName: Schema Admins
\nDescription: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.<\/p>\n

SID: S-1-5-21<ROOTDOMAIN>-519
\nName: Enterprise Admins
\nDescription: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.<\/p>\n

SID: S-1-5-21<DOMAIN>-520
\nName: Group Policy Creator Owners
\nDescription: A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.<\/p>\n

SID: S-1-5-32-544
\nName: Administrators
\nDescription: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.<\/p>\n

SID: S-1-5-32-545
\nName: Users
\nDescription: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.<\/p>\n

SID: S-1-5-32-546
\nName: Guests
\nDescription: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer’s built-in Guest account.<\/p>\n

SID: S-1-5-32-548
\nName: Account Operators
\nDescription: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.<\/p>\n

SID: S-1-5-32-549
\nName: Server Operators
\nDescription: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.<\/p>\n

SID: S-1-5-32-550
\nName: Print Operators
\nDescription: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.<\/p>\n

SID: S-1-5-32-551
\nName: Backup Operators
\nDescription: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.<\/p>\n

SID: S-1-5-32-552
\nName: Replicators
\nDescription: A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group<\/p>\n

SID: S-1-5-32-557
\nName: BUILTIN\\Incoming Forest Trust Builders
\nDescription: An alias. Members of this group can create incoming, one-way trusts to this forest.<\/p>\n

SID: S-1-5-32-569
\nName: BUILTIN\\Cryptographic Operators
\nDescription: A Builtin Local group. Members are authorized to perform cryptographic operations.
\nNew with Windows Server 2008 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-21<DOMAIN>-571
\nName: Allowed RODC Password Replication Group
\nDescription: A Domain Local group. Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
\nNew with Windows Server 2008 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-21<DOMAIN>-572
\nName: Denied RODC Password Replication Group
\nDescription: A Domain Local group. Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
\nNew with Windows Server 2008 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-32-573
\nName: BUILTIN\\Event Log Readers
\nDescription: A Builtin Local group. Members of this group can read event logs from local machine.
\nNew with Windows Server 2008 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-32-574
\nName: BUILTIN\\Certificate Service DCOM Access
\nDescription: A Builtin Local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.
\nNew with Windows Server 2008 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-21-<DOMAIN>–522
\nName: Cloneable Domain Controllers
\nDescription: A Global group. Members of this group that are domain controllers may be cloned.
\nNew with Windows Server 2012 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-32-578
\nName: BUILTIN\\Hyper-V Administrators
\nDescription: A Builtin Local group. Members of this group have complete and unrestricted access to all features of Hyper-V.
\nNew with Windows Server 2012 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-32-579
\nName: BUILTIN\\Access Control Assistance Operators
\nDescription: A Builtin Local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.
\nNew with Windows Server 2012 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-32-580
\nName: BUILTIN\\Remote Management Users
\nDescription: A Builtin Local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
\nNew with Windows Server 2012 Active Directory schema (or newer)<\/em><\/p>\n

SID: S-1-5-64-10
\nName: NTLM Authentication
\nDescription: A SID that is used when the NTLM authentication package authenticated the client<\/p>\n

SID: S-1-5-64-14
\nName: SChannel Authentication
\nDescription: A SID that is used when the SChannel authentication package authenticated the client.<\/p>\n

SID: S-1-5-64-21
\nName: Digest Authentication
\nDescription: A SID that is used when the Digest authentication package authenticated the client.<\/p>\n

SID: S-1-5-80
\nName: NT Service
\nDescription: An NT Service account prefix<\/p>\n

SID: S-1-5-80-0
\nNT SERVICES\\ALL SERVICES
\nName: All Services
\nDescription: A group that includes all service processes that are configured on the system. Membership is controlled by the operating system.<\/p><\/blockquote>\n

<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

The Microsoft Knowledge Base article KB243330 lists the well-known security identifiers in Windows operating systems\u00a0 Listed here are the more interesting ones from the article as well as some additional ones. Local Computer SIDs SID: S-1-5-2 Name: Network Description: A group that includes all users that have logged on through a network connection. Membership is … <\/p>\n

Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[383,386,384,385,382,381],"class_list":["post-1001","post","type-post","status-publish","format-standard","hentry","category-microsoft-security","category-technical-reference","tag-activedirectorysids","tag-administrators","tag-domainadmins","tag-enterpriseadmins","tag-groupsid","tag-windowssids","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/1001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1001"}],"version-history":[{"count":11,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/1001\/revisions"}],"predecessor-version":[{"id":1239,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/1001\/revisions\/1239"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}