The structure of a SID

This excerpt from Chapter 5 of "The definitive guide to Windows 2000 security" describes the fields that make up a SID.

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts. This excerpt is from Chapter 5, "Configuring access control."

As far as Windows 2000 is concerned, a SID is a simple binary data structure that contains a variable number of fields, as shown in Figure 5.4. The first field of the SID defines how large the structure is, while the remaining fields contain the values that make up the SID.

Figure 5.4: The structure of a SID.

Let's take a quick look at each of these fields.

Subauthority Count
Indicates how many subauthority values are contained in the SID.

Revision
Indicates the version of the SID structure. Because the SID structure doesn't change after it's created, the value is always 1.

Identifier authority
Indicates the highest level of authority that can generate SIDs for the type of security principal. You should see only the values 0 through 5, where the valid authorities in ascending order are: null authority, world authority, local authority, creator authority, non-unique authority and NT authority. For example, the SID for any account or security group in Windows 2000 has an identifier authority value of 5 (NT authority), and the SID for the Everyone group has a value of 1 (world authority).

Subauthority fields
Contain the really important pieces of the SID. Each subauthority value, up to but not including the last value, identifies the domain from which the SID was issued or, if it's not part of a domain, the local computer. Regardless of whether it identifies a domain or a standalone computer, these subauthority values are known collectively as the domain identifier. The last subauthority value identifies a unique account or security group relative to the domain (or local computer) and is known as the relative identifier (RID).

While Windows 2000 is most comfortable using SIDs in the form of a simple binary data structure, we humans like to see things in a simple string format so that we can more easily recognize them. As a result, you and I never see SIDs in their native format but instead see things like S-1-5-11. This example is the well-known SID for the Authenticated Users security group, and it's presented in a standard string notation, as follows:

    S-R-X-Y1-Y2-...-Y(n-1)-Yn

The format of this "string-ized" SID breaks down as follows:

  • S -- The string is a SID.
  • R -- The revision level.
  • X -- The identifier authority value.
  • Y1 through Y(n-1) -- The series of subauthority values that make up the domain identifier. For all SIDs issued by the same security authority, all the values in this field are the same. On the flip side, the domain identifier differentiates SIDs issued by different domains in your enterprise because no two domains share the same domain identifier. An example of a well-known domain identifier is the value 32, which Windows 2000 uses for all the built-in groups such as Administrators, Power Users, and Users.
  • Yn -- The RID. Remember that this value is what distinguishes one account or security group from all the others issued by the same security authority. For example, the static RID for the Administrators group is always 544, and the RID for the Everyone group is actually NULL.

To better understand how a SID is typically represented in its string format, take a look at the following two SIDs:

  • S-1-5-32-549 -- This is the well-known SID for the built-in Server Operators security group. The string identifies this value as a SID because the string starts with an S and has a revision level of 1, an identifier authority value of 5, a domain identifier of 32, and a RID of 549.
  • S-1-5-12-7723811915-3361004348-033306820-515 -- The first three values of this SID are the same as the one above. The domain identifier is a four-part value, and the RID has a value of 515. This RID is fixed: it is hard-coded rather than generated, and it won't be repeated. This is the well-known SID for the Domain Computers security group.
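As an added example (not code from the book), the following Python converts between the binary structure described above and the S-R-X-Y1-...-Yn string notation, and splits a string SID into its domain identifier and RID exactly as the excerpt defines them. The byte layout it assumes (1-byte revision, 1-byte subauthority count, 6-byte big-endian identifier authority, then 32-bit little-endian subauthorities) is the standard Windows layout, which the excerpt does not spell out; the domain SID used as sample input is constructed.

```python
import struct

# Assumed byte layout of a Windows SID (standard Windows format; the excerpt
# describes the fields but not their encoding):
#   Revision            1 byte          (always 1)
#   SubAuthorityCount   1 byte          (at most 15 in Windows)
#   IdentifierAuthority 6 bytes, big-endian
#   SubAuthority[n]     n x 4 bytes, little-endian (domain identifier + RID)
MAX_SUB_AUTHORITIES = 15

def sid_to_string(blob: bytes) -> str:
    """Render a binary SID in S-R-X-Y1-...-Yn notation, validating the header."""
    if len(blob) < 8:
        raise ValueError("SID too short for its fixed header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError("subauthority count does not match SID length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def string_to_sid(text: str) -> bytes:
    """Encode an S-R-X-Y... string back into the binary structure."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Each subauthority is a 32-bit field; the authority is a 48-bit field.
    if len(subs) > MAX_SUB_AUTHORITIES or authority >= 1 << 48:
        raise ValueError("field out of range")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("subauthority value exceeds 32 bits")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def split_domain_and_rid(text: str):
    """Return (domain identifier, RID): all subauthorities but the last, and the last."""
    subs = text.split("-")[3:]
    if not subs:
        raise ValueError("SID carries no subauthorities, so it has no RID")
    return "-".join(subs[:-1]), int(subs[-1])

if __name__ == "__main__":
    # Constructed sample: the well-known Server Operators SID and a made-up domain SID.
    for s in ("S-1-5-32-549", "S-1-1-0", "S-1-5-21-1004336348-1177238915-682003330-515"):
        blob = string_to_sid(s)
        print(sid_to_string(blob), blob.hex(), split_domain_and_rid(s))
```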
