What are Security Principals and SIDs
Introduction to Security Principals and Security Identifiers (SIDs)
Let us learn about Security Principals and Security Identifiers (SIDs) in this lesson. These are two terms from Windows Operating System terminology: one is Security Principals and the other is Security Identifiers (SIDs). A Security Principal in the Windows Server Operating System is anything that can be authenticated by the Operating System. Examples of Security Principals are User Accounts, Groups, Computer Accounts, etc. Windows Server uses SIDs to identify Security Principals internally. In other words, if there is a local user account with login id Jajish, there is an SID associated with that local user account that uniquely identifies it. Windows Server uses SIDs to authenticate Security Principals internally, because every Security Principal has a unique SID within its scope.
SIDs are so important that they are never reused. For example, when you create a local user account with login id Jajish, the Windows Local Security Authority assigns that local user account a unique SID. If you delete the local user account you just created and then create another local user account with the login name Jajish, the new user account is assigned a new unique SID, not the previous one. This is true even if all the parameters of both accounts are the same, including the login id. You may compare an SID to the unique identification number your government assigns to identify you.
Please note that SID values are stored internally in binary format. In documentation, SIDs are represented as string values so that humans can read and handle them easily.
Types of Security Identifiers (SIDs)
There are mainly two types of Security Identifiers (SIDs) in Windows Servers.
- Local Security Identifiers (SIDs) – Local SIDs are generated and assigned to Security Principals locally on a Windows Server by the Windows Local Security Authority (LSA), whenever local Security Principals are created. Local SIDs are stored locally in the Security Account Manager (SAM) database on the Windows Server where they were created. A local SID is unique on the Windows Server where it was created and is never reused. An example of a local SID is S-1-5-21-3145586660-3425903922-524180734-500.
- Active Directory Security Identifiers (SIDs) – Active Directory SIDs are generated by the Windows Active Directory Domain Security Authority and stored in the Active Directory database, the ntds.dit file on an Active Directory Domain Controller. Active Directory SIDs are unique within an Active Directory Enterprise, which can span thousands of computers all over the world. We will discuss Active Directory SIDs later, when we learn about Active Directory.
Parts of an SID
The general format of an SID is S-R-X-Y1-Y2-(Yn-1)-Yn.
Here S is the common prefix of all SIDs, from the early Windows NT-based Operating Systems up to Windows Server 2025; R denotes the revision number; X denotes the authority value; and Y1 to Yn denote a series of subauthority values, Yn being the last subauthority value.
An example of an SID is S-1-5-21-3145586660-3425903922-524180734-500. Let us compare the general SID format above with this real SID string value and tabulate the parts.
| Part of SID | Meaning | Explanation |
|---|---|---|
| S | The starting letter of a SID | All SIDs begin with the letter S. |
| R | SID revision number | Up to and including Windows Server 2025 there is only one revision number for all SIDs, which is 1. |
| X | Authority identifier value | Identifies the highest level of authority that can generate SIDs for a particular Security Principal. The value 5 (SECURITY_NT_AUTHORITY) in our SID example marks the authority as the NT authority, which denotes SIDs generated by Windows NT-based Operating Systems. |
| Y1 | First subauthority value | In our SID example the first subauthority value is 21 (SECURITY_NT_NON_UNIQUE). The value 21 in the prefix S-1-5-21 indicates that a domain identifier follows, running up to the second-to-last part of the SID (Yn-1). |
| Y2 | Second subauthority value | Part of the domain identifier, used to identify the domain. In our SID example, Y2 is 3145586660. |
| Y3 | Third subauthority value | Part of the domain identifier, used to identify the domain. In our SID example, Y3 is 3425903922. |
| Yn-1 | Fourth subauthority value | Part of the domain identifier, used to identify the domain. In our SID example, Yn-1 is 524180734. |
| Yn | Fifth subauthority value (RID) | The last subauthority value is the RID (Relative Identifier). In our SID example, the RID value 500 identifies the local user account Administrator. |

Just a note: NT stands for New Technology. Windows NT was an early Network Operating System released in the late 1990s. Newer Windows Network Operating Systems, from Windows Server 2000 till Windows Server 2025, inherit some components from the Windows NT architecture, mainly for backward compatibility.

Just a note: the Administrator local user account is the first user account created when you install a Windows Server Operating System; it is created automatically by Windows Server setup. You cannot delete or disable the Administrator local user account, but you may rename it.

Please note that the subauthority values 3145586660-3425903922-524180734 (Y2, Y3 and Yn-1) in our SID example together identify the domain that generated this SID.
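As an added example (not part of the original lesson), the following Python class splits a SID string into the parts tabulated above, extracts the domain identifier and RID, rebuilds the binary form that Windows stores internally, and flags the well-known RID 500 regardless of what the account has been renamed to. The binary layout (revision byte, subauthority count byte, 6-byte big-endian authority, then little-endian 32-bit subauthorities) and the limit of 15 subauthorities are the documented Windows conventions; the sample SID is the one from the lesson.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

SECURITY_NT_AUTHORITY = 5      # X: SID issued by a Windows NT-based system
SECURITY_NT_NON_UNIQUE = 21    # Y1: a domain identifier follows
DOMAIN_USER_RID_ADMIN = 500    # Yn: RID of the built-in Administrator account


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Split the string form S-R-X-Y1-...-Yn into its parts, validating each."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
            raise ValueError("at most 15 subauthorities, each a 32-bit value")
        return cls(int(parts[1]), int(parts[2]), subs)

    @property
    def domain_identifier(self) -> Optional[Tuple[int, ...]]:
        """Y2..Yn-1 for SIDs in the S-1-5-21 family (the issuing domain or machine)."""
        if self.authority == SECURITY_NT_AUTHORITY and self.subauthorities[:1] == (SECURITY_NT_NON_UNIQUE,):
            return self.subauthorities[1:-1]
        return None

    def to_bytes(self) -> bytes:
        """Internal binary layout: revision, count, 6-byte big-endian authority, little-endian 32-bit subauthorities."""
        head = struct.pack("<BB", self.revision, len(self.subauthorities)) + self.authority.to_bytes(6, "big")
        return head + b"".join(struct.pack("<I", s) for s in self.subauthorities)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        revision, count = struct.unpack_from("<BB", data, 0)
        subs = struct.unpack_from(f"<{count}I", data, 8)
        return cls(revision, int.from_bytes(data[2:8], "big"), tuple(subs))


def is_builtin_administrator(sid: Sid) -> bool:
    """True for the RID 500 account of whichever domain or machine issued the SID, whatever its current name."""
    return sid.domain_identifier is not None and sid.subauthorities[-1] == DOMAIN_USER_RID_ADMIN
```

Comparing `domain_identifier` of two SIDs tells you whether they were issued by the same domain or machine, which is the check behind the note above about the Y2, Y3 and Yn-1 values.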
Written by Jajish Thomas.
Last updated on 20th August, 2024.