Tuesday, 15 October 2013

Difference between a RID and a SID in Active Directory

SID (Security Identifier)

- A SID (Security Identifier) is the value the operating system uses to identify a security principal: a user, group or computer account, plus the built-in and well-known identities such as Everyone or Local System. In Active Directory a security principal's SID is stored in its objectSid attribute. Objects that are not security principals (printer queues, contacts, organizational units) have no SID; the identifier that every directory object carries is objectGUID, so the "primary key" of the directory is the GUID, and the SID is the key that is used for security decisions.
- Users refer to accounts by their account name, but the operating system refers to them internally by SID. Access control lists, access tokens and group memberships store SIDs rather than names, so renaming an account changes nothing about what it can do.
- For domain accounts, the SID of a security principal is the SID of the domain with a relative identifier (RID) for the account appended. SIDs are unique within their scope (domain or local) and are never reused: delete an account and recreate it with the same name and it gets a new SID, and any ACE that named the old SID stays behind as an orphaned entry that grants nothing to the new account.
- For every local account and group, the SID is unique to the computer where it was created; no two accounts or groups on that computer ever share a SID. Likewise, every domain account and group has a SID that is unique within the forest, because each domain has its own domain SID: an account or group created in one domain can never have the same SID as an account or group created in any other domain of the enterprise.
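The SID as stored in objectSid is a small binary structure, and the string form above is just a rendering of it. The following Python is an added example, not code from the original post, that decodes that structure, encodes it back, and splits an account SID into its domain SID and RID; the sample objectSid bytes and the domain S-1-5-21-1004336348-1177238915-682003330 are constructed for the example, not captured from a real directory.

```python
"""Binary <-> string SID conversion and domain/RID splitting (added example)."""
import struct

SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15  # hard limit in the Windows SID structure


def sid_bytes_to_str(raw: bytes) -> str:
    """Decode a binary SID (the layout of the AD objectSid attribute).

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 32-bit
    little-endian sub-authorities. The last sub-authority is the RID.
    """
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_str_to_bytes(sid: str) -> bytes:
    """Encode the string form back into the binary layout (inverse of above)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID string {sid!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > SID_MAX_SUB_AUTHORITIES or authority >= 1 << 48:
        raise ValueError(f"SID out of range {sid!r}")
    return (bytes([SID_REVISION, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_domain_rid(sid: str):
    """Split an account SID S-1-5-21-a-b-c-RID into (domain SID, RID).

    Returns None for SIDs that are not domain or local account SIDs
    (well-known SIDs such as S-1-1-0, BUILTIN SIDs such as S-1-5-32-544).
    """
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    return "-".join(parts[:7]), int(parts[7])


# Constructed sample objectSid (not captured from a real directory): the
# domain S-1-5-21-1004336348-1177238915-682003330 with RID 1104.
SAMPLE_OBJECTSID = bytes.fromhex(
    "01 05 "                # revision 1, five sub-authorities
    "00 00 00 00 00 05 "    # identifier authority 5 (NT Authority), big-endian
    "15 00 00 00 "          # 21: marks a domain or machine SID
    "DC F4 DC 3B "          # 1004336348  \
    "83 3D 2B 46 "          # 1177238915   | three words identifying the domain
    "82 8B A6 28 "          # 682003330   /
    "50 04 00 00 "          # 1104: the RID, little-endian like every sub-authority
)

if __name__ == "__main__":
    text = sid_bytes_to_str(SAMPLE_OBJECTSID)
    print(text)                    # S-1-5-21-1004336348-1177238915-682003330-1104
    print(split_domain_rid(text))  # ('S-1-5-21-1004336348-1177238915-682003330', 1104)
    assert sid_str_to_bytes(text) == SAMPLE_OBJECTSID
```

The identifier authority is big-endian while the sub-authorities are little-endian; getting one of the two backwards is the usual bug in hand-written SID parsers, and the round trip in the example catches it.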

User SID structure:

S-R-IA-SA1-SA2-SA3-SA4-RID, for example S-1-5-21-1004336348-1177238915-682003330-1104 (a constructed example)

S        literal prefix of the string form
R        revision, always 1
IA       identifier authority (5 = NT Authority)
SA1      first sub-authority; 21 marks a domain or machine SID
SA2-SA4  three 32-bit values that identify the domain (or the computer, for local accounts); together with the 21 they form the domain SID
RID      the last sub-authority, the relative identifier of the account within that domain

RID (Relative Identifier)

- The relative identifier (RID) is a 32-bit number that is assigned to a security principal when it is created and forms the last sub-authority of its SID. It is unique within the domain (or the computer, for local accounts) and is never reused. RIDs below 1000 are reserved for built-in accounts and groups; the first RID handed to an administrator-created account is 1000.
- Generating unique relative identifiers is a more complex process in a domain than on a standalone computer. A domain can have several domain controllers, each of them a host for Active Directory, where account information is stored. This means that there are as many copies of the account database as there are domain controllers.
- Every copy of the account database is a master copy. New accounts and groups can be created on any domain controller, and changes made to Active Directory on one domain controller are replicated to all other domain controllers in the domain.
- Replicating changes in one master copy of the account database to all other master copies is called a multi-master operation.
- Generating unique relative identifiers, by contrast, is a single-master operation. One domain controller holds the RID master role (one of the FSMO roles) and allocates a block of relative identifiers, the RID pool (500 RIDs by default), to each domain controller in the domain.
- When a new domain account or group is created on a domain controller, it is assigned a SID whose relative identifier is taken from that domain controller's own pool. When the pool runs low, the domain controller asks the RID master for another block. If the RID master is unavailable for long enough that a domain controller exhausts its pool, that domain controller can no longer create users, groups or computers; "netdom query fsmo" shows which domain controller holds the role, and "dcdiag /test:RidManager" checks that it is reachable and that the pool is healthy.

Well Known SIDs

Name | SID | Identifies
---- | --- | ----------
Null SID (Nobody) | S-1-0-0 | A group with no members. Often used where a SID value is not known.
Everyone | S-1-1-0 | The generic group Everyone includes everyone who uses the computer. Since Windows XP and Windows Server 2003, anonymous logons are no longer members of Everyone unless the policy "Network access: Let Everyone permissions apply to anonymous users" is enabled. The identifier authority value for this SID is 1 (World Authority); it has one sub-authority value, 0 (Null RID).
Local Authority | S-1-2 | An identifier authority.
Local | S-1-2-0 | A group that includes all users who have logged on locally.
Console Logon | S-1-2-1 | A group that includes users who are logged on to the physical console.
Creator Authority | S-1-3 | An identifier authority.
Creator Owner | S-1-3-0 | The generic user Creator Owner is a placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces the SID for Creator Owner with the SID for the object's current owner. The identifier authority value for this SID is 3 (Creator Authority); it has one sub-authority value, 0 (Null RID).
Creator Group | S-1-3-1 | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem.
Creator Owner Server | S-1-3-2 | Not used in Windows 2000.
Creator Group Server | S-1-3-3 | Not used in Windows 2000.
Owner Rights | S-1-3-4 | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions that the object owner would otherwise have.
Non-unique Authority | S-1-4 | An identifier authority.
NT Authority | S-1-5 | An identifier authority.
Dialup | S-1-5-1 | A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system.
Network | S-1-5-2 | A group that includes all users who have logged on through a network connection. Membership is controlled by the operating system.
Batch | S-1-5-3 | A group that includes all users who have logged on through a batch queue facility (scheduled tasks). Membership is controlled by the operating system.
Interactive | S-1-5-4 | A group that includes all users who have logged on interactively. Membership is controlled by the operating system.
Logon Session | S-1-5-5-X-Y | A logon session. The X and Y values differ for each session.
Service | S-1-5-6 | A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
Anonymous | S-1-5-7 | A group that includes all users who have logged on anonymously. Membership is controlled by the operating system.
Proxy | S-1-5-8 | Not used in Windows 2000.
Enterprise Domain Controllers | S-1-5-9 | A group that includes all domain controllers in a forest that uses Active Directory. Membership is controlled by the operating system.
Principal Self | S-1-5-10 | The generic user Principal Self is a placeholder in an ACE on a User, Group or Computer object in Active Directory. When you grant permission to Principal Self, you grant it to the security principal represented by the object: during an access check the operating system replaces the SID for Principal Self with the SID of that principal. The identifier authority for this SID is 5 (NT Authority); it has one sub-authority value, 10 (Self RID).
Authenticated Users | S-1-5-11 | A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
Restricted Code | S-1-5-12 | Reserved for future use.
Terminal Server Users | S-1-5-13 | A group that includes all users who have logged on to a Terminal Services server. Membership is controlled by the operating system.
Remote Interactive Logon | S-1-5-14 | A group that includes all users who have logged on through a Terminal Services (Remote Desktop) logon.
This Organization | S-1-5-15 | A group that includes all users from the same organization. Only included for AD accounts and only added by a Windows Server 2003 or later domain controller.
IUSR | S-1-5-17 | The account used by the default Internet Information Services (IIS) user.
Local System | S-1-5-18 | The service account used by the operating system itself. It holds every privilege on the local computer.
Local Service | S-1-5-19 | A built-in service account with minimal privileges on the local computer. On the network it presents anonymous credentials.
Network Service | S-1-5-20 | A built-in service account with minimal privileges on the local computer. On the network it authenticates as the computer account.
Enterprise Read-only Domain Controllers | S-1-5-21-<root domain>-498 | A universal group. Members are the read-only domain controllers in the forest.
Administrator | S-1-5-21-<domain>-500 | A user account for the system administrator. By default, it is the only user account that is given full control over the system. Renaming or disabling the account does not change its RID, so RID 500 always identifies the built-in administrator.
Guest | S-1-5-21-<domain>-501 | A user account for people who do not have individual accounts. This account does not require a password. By default, the Guest account is disabled.
krbtgt | S-1-5-21-<domain>-502 | The service account used by the Key Distribution Center (KDC). Its password hash is the key that encrypts and signs every ticket-granting ticket in the domain, which makes it one of the most sensitive secrets in the domain.
Domain Admins | S-1-5-21-<domain>-512 | A global group whose members are authorized to administer the domain. By default, Domain Admins is a member of the Administrators group on every computer that has joined the domain, including the domain controllers. Domain Admins is the default owner of any object that is created by a member of the group.
Domain Users | S-1-5-21-<domain>-513 | A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
Domain Guests | S-1-5-21-<domain>-514 | A global group that, by default, has only one member, the domain's built-in Guest account.
Domain Computers | S-1-5-21-<domain>-515 | A global group that includes all clients and servers that have joined the domain.
Domain Controllers | S-1-5-21-<domain>-516 | A global group that includes all domain controllers in the domain.
Cert Publishers | S-1-5-21-<domain>-517 | A domain local group whose members are allowed to publish certificates for users and computers to Active Directory.
Schema Admins | S-1-5-21-<root domain>-518 | A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member is the Administrator account of the forest root domain.
Enterprise Admins | S-1-5-21-<root domain>-519 | A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member is the Administrator account of the forest root domain.
Group Policy Creator Owners | S-1-5-21-<domain>-520 | A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member is Administrator.
Read-only Domain Controllers | S-1-5-21-<domain>-521 | A global group. Members are the read-only domain controllers in the domain.
RAS and IAS Servers | S-1-5-21-<domain>-553 | A domain local group. By default, it has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the domain.
Allowed RODC Password Replication Group | S-1-5-21-<domain>-571 | A domain local group. Members can have their passwords replicated to all read-only domain controllers in the domain.
Denied RODC Password Replication Group | S-1-5-21-<domain>-572 | A domain local group. Members cannot have their passwords replicated to any read-only domain controller in the domain.
Administrators | S-1-5-32-544 | A built-in group. After the initial installation of the operating system, the only member is the Administrator account. When a computer joins a domain, the Domain Admins group is added to Administrators. When a server becomes a domain controller, the Enterprise Admins group is added as well.
Users | S-1-5-32-545 | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on that computer.
Guests | S-1-5-32-546 | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
Power Users | S-1-5-32-547 | A built-in group. By default, it has no members. On Windows 2000 and XP, power users can create local users and groups; modify and delete accounts they have created; remove users from the Power Users, Users and Guests groups; install programs; create, manage and delete local printers; and create and delete file shares. From Windows Vista and Windows Server 2008 on, the group is kept for compatibility only and has no privileges beyond those of Users.
Account Operators | S-1-5-32-548 | A built-in group that exists only on domain controllers. By default, it has no members. Account Operators can create, modify and delete accounts for users, groups and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. They cannot modify the Administrators and Domain Admins groups, nor the accounts of members of those groups.
Server Operators | S-1-5-32-549 | A built-in group that exists only on domain controllers. By default, it has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
Print Operators | S-1-5-32-550 | A built-in group that exists only on domain controllers. By default, it has no members. Print Operators can manage printers and document queues, which on a domain controller includes loading printer drivers.
Backup Operators | S-1-5-32-551 | A built-in group. By default, it has no members. Backup Operators can back up and restore all files on a computer regardless of the permissions that protect those files, and can log on to the computer and shut it down. Because it bypasses file permissions, the group can read any file on a domain controller, including the directory database, and should be treated as equivalent to Administrators.
Replicators | S-1-5-32-552 | A built-in group that is used by the File Replication service on domain controllers. By default, it has no members. Do not add users to this group.
Pre-Windows 2000 Compatible Access | S-1-5-32-554 | An alias added by Windows 2000. A backward-compatibility group that allows read access to all users and groups in the domain.
Remote Desktop Users | S-1-5-32-555 | An alias. Members are granted the right to log on remotely.
Network Configuration Operators | S-1-5-32-556 | An alias. Members have some administrative privileges to manage the configuration of networking features.
Incoming Forest Trust Builders | S-1-5-32-557 | An alias. Members can create incoming, one-way trusts to this forest.
Cryptographic Operators | S-1-5-32-569 | A built-in local group. Members are authorized to perform cryptographic operations.
Event Log Readers | S-1-5-32-573 | A built-in local group. Members can read event logs from the local machine.
Certificate Service DCOM Access | S-1-5-32-574 | A built-in local group. Members are allowed to connect to Certification Authorities in the enterprise.

S-1-5-32 is the BUILTIN domain: the SID of each built-in group is identical on every Windows computer, which is why BUILTIN\Administrators is S-1-5-32-544 everywhere, whereas the domain groups above carry the domain's own SID and differ from one domain to the next.
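Because the RID is fixed and the name is not, a security check on a list of SIDs (group membership from a token, the ACEs of an object, the output of "whoami /groups") should key on the RID rather than on the display name. The Python below is an added example, not code from the original post: it classifies SIDs using the table above and flags the privileged ones, so that a renamed built-in Administrator in a trusted domain is still recognised by its RID of 500. The token group list is constructed for the example, and the two domain SIDs in it are made up.

```python
"""Classify SIDs from a token or group dump by RID (added example)."""
from typing import NamedTuple, Optional


class SidInfo(NamedTuple):
    sid: str
    scope: str            # "well-known", "BUILTIN", or the domain SID
    rid: Optional[int]
    name: str
    privileged: bool


# Built from the table above. Names are the defaults; the RIDs are what the
# system actually checks, so a renamed Administrator still matches RID 500.
WELL_KNOWN = {
    "S-1-1-0": ("Everyone", False),
    "S-1-5-7": ("Anonymous", False),
    "S-1-5-9": ("Enterprise Domain Controllers", True),
    "S-1-5-11": ("Authenticated Users", False),
    "S-1-5-18": ("Local System", True),
    "S-1-5-19": ("Local Service", False),
    "S-1-5-20": ("Network Service", False),
}
BUILTIN = {  # S-1-5-32-* is identical on every Windows computer
    544: ("Administrators", True), 545: ("Users", False), 546: ("Guests", False),
    547: ("Power Users", False), 548: ("Account Operators", True),
    549: ("Server Operators", True), 550: ("Print Operators", True),
    551: ("Backup Operators", True), 552: ("Replicators", False),
    554: ("Pre-Windows 2000 Compatible Access", False),
    555: ("Remote Desktop Users", False), 573: ("Event Log Readers", False),
}
DOMAIN_RELATIVE = {  # appended to any S-1-5-21-a-b-c domain SID
    500: ("Administrator", True), 501: ("Guest", False), 502: ("krbtgt", True),
    512: ("Domain Admins", True), 513: ("Domain Users", False),
    514: ("Domain Guests", False), 515: ("Domain Computers", False),
    518: ("Schema Admins", True), 519: ("Enterprise Admins", True),
    520: ("Group Policy Creator Owners", True),
    521: ("Read-only Domain Controllers", False),
    553: ("RAS and IAS Servers", False),
}
FIRST_ALLOCATED_RID = 1000   # RIDs below this are reserved for built-in principals


def classify_sid(sid: str) -> SidInfo:
    """Map a SID string to its scope, RID, default name and privilege flag."""
    if sid in WELL_KNOWN:
        name, priv = WELL_KNOWN[sid]
        return SidInfo(sid, "well-known", None, name, priv)
    parts = sid.split("-")
    if len(parts) == 5 and parts[:4] == ["S", "1", "5", "32"]:
        rid = int(parts[4])
        name, priv = BUILTIN.get(rid, (f"BUILTIN RID {rid}", False))
        return SidInfo(sid, "BUILTIN", rid, name, priv)
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        domain, rid = "-".join(parts[:7]), int(parts[7])
        if rid in DOMAIN_RELATIVE:
            name, priv = DOMAIN_RELATIVE[rid]
        elif rid < FIRST_ALLOCATED_RID:
            name, priv = f"reserved RID {rid}", False
        else:
            name, priv = f"allocated RID {rid}", False   # ordinary created account
        return SidInfo(sid, domain, rid, name, priv)
    return SidInfo(sid, "unknown", None, "unrecognized SID", False)


def privileged_sids(sids):
    """Return the entries of a SID list that map to privileged principals."""
    return [info for info in map(classify_sid, sids) if info.privileged]


# Constructed token group list in the style of "whoami /groups" output, not
# captured from a real system. The RID 500 entry belongs to a second (trusted)
# domain where the account has been renamed; the RID still identifies it.
SAMPLE_TOKEN_GROUPS = [
    "S-1-1-0",
    "S-1-5-11",
    "S-1-5-21-1004336348-1177238915-682003330-513",
    "S-1-5-21-1004336348-1177238915-682003330-1104",
    "S-1-5-21-3623811015-3361044348-30300820-500",
    "S-1-5-32-551",
]

if __name__ == "__main__":
    for info in map(classify_sid, SAMPLE_TOKEN_GROUPS):
        flag = "PRIVILEGED" if info.privileged else ""
        print(f"{info.sid:<48} {info.name:<28} {flag}")
```

The privileged flag reflects what the groups can do rather than their names: Backup Operators and Print Operators are not "admin" groups by title, but on a domain controller both give a path to the directory database, so a review of group membership should treat them the same way it treats Domain Admins.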


Thanks,
Morgan
Software Developer
