Tuesday, 15 October 2013

Well-known SIDs and Built-in Group SIDs

  Well-known SIDs are a group of SIDs that identify generic users or generic groups. Their values are constant across all Windows installations. The built-in groups come in two forms: the BUILTIN aliases (S-1-5-32-RID) are the same on every machine, while the domain accounts and groups (S-1-5-21-<domain>-RID) have a constant RID but a domain-specific prefix, so across domains only the RID can be matched. Because the SID, not the name, is what access checks and the KDC use, a renamed account (for example the RID 500 Administrator) keeps its well-known SID. The following table lists the well-known SID values and the Active Directory built-in group SIDs.

Built-in Group SIDs and Well-known SIDs

| Name | SID Value | Identifies |
|---|---|---|
| Null Authority | S-1-0 | An identifier authority. |
| Nobody (Null SID) | S-1-0-0 | A group with no members. This is often used when a SID value is not known. |
| World Authority | S-1-1 | An identifier authority. |
| Everyone | S-1-1-0 | The generic group Everyone includes every user of the computer. The identifier authority value for this SID is 1 (World Authority). It has only one subauthority value, 0 (Null RID). On Windows 2000 it also included anonymous logons; from Windows XP SP2 and Windows Server 2003 onward, anonymous users are excluded unless the "Network access: Let Everyone permissions apply to anonymous users" policy is enabled. |
| Local Authority | S-1-2 | An identifier authority. |
| Local | S-1-2-0 | A group that includes all users who have logged on locally. |
| Console Logon | S-1-2-1 | A group that includes users who are logged on to the physical console. |
| Creator Authority | S-1-3 | An identifier authority. |
| Creator Owner | S-1-3-0 | The generic user Creator Owner is a placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces the SID for Creator Owner with the SID for the object's current owner. The identifier authority value for this SID is 3 (Creator Authority). It has only one subauthority value, 0 (Null RID). |
| Creator Group | S-1-3-1 | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem. |
| Creator Owner Server | S-1-3-2 | Reserved; not used. |
| Creator Group Server | S-1-3-3 | Reserved; not used. |
| Owner Rights | S-1-3-4 | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. |
| Non-unique Authority | S-1-4 | An identifier authority. |
| NT Authority | S-1-5 | An identifier authority. |
| Dialup | S-1-5-1 | A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system. |
| Network | S-1-5-2 | A group that includes all users who have logged on through a network connection. Membership is controlled by the operating system. |
| Batch | S-1-5-3 | A group that includes all users who have logged on through a batch queue facility. Membership is controlled by the operating system. |
| Interactive | S-1-5-4 | A group that includes all users who have logged on interactively. Membership is controlled by the operating system. |
| Logon Session | S-1-5-5-X-Y | A logon session. The X and Y values for these SIDs are different for each session. |
| Service | S-1-5-6 | A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system. |
| Anonymous | S-1-5-7 | A group that includes all users who have logged on anonymously. Membership is controlled by the operating system. |
| Proxy | S-1-5-8 | Reserved; not used. |
| Enterprise Domain Controllers | S-1-5-9 | A group that includes all domain controllers in a forest that uses Active Directory. Membership is controlled by the operating system. |
| Principal Self | S-1-5-10 | The generic user Principal Self is a placeholder in an ACE on a User, Group, or Computer object in Active Directory. When you grant permission to Principal Self, you grant it to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object. The identifier authority for this SID is 5 (NT Authority). It has only one subauthority value, 10 (Self RID). |
| Authenticated Users | S-1-5-11 | A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. Anonymous logons and the Guest account are not members. |
| Restricted Code | S-1-5-12 | Identifies a restricted token (one created with CreateRestrictedToken) and is used to control access by untrusted code. An access check against such a token is performed twice, once against the token's normal SID list and once against its restricting SID list, and access is granted only if both checks pass. |
| Terminal Server Users | S-1-5-13 | A group that includes all users who have logged on to a Terminal Services server. Membership is controlled by the operating system. |
| Remote Interactive Logon | S-1-5-14 | A group that includes all users who have logged on through a Terminal Services logon. |
| This Organization | S-1-5-15 | A group that includes all users from the same organization. Only included with AD accounts and only added by a Windows Server 2003 or later domain controller. |
| IUSR | S-1-5-17 | The built-in account used by Internet Information Services (IIS) for anonymous requests. |
| Local System | S-1-5-18 | A service account that is used by the operating system. It is the most privileged local identity; on a domain-joined machine it authenticates to the network as the computer account. |
| Local Service | S-1-5-19 | A service account with minimal privileges on the local computer. It presents anonymous credentials on the network. |
| Network Service | S-1-5-20 | A service account with minimal privileges on the local computer. It presents the computer account's credentials on the network. |
| Administrator | S-1-5-21-<domain>-500 | A user account for the system administrator. By default, it is the only user account that is given full control over the system. The account can be renamed, but its RID stays 500, so it can always be identified by SID. |
| Guest | S-1-5-21-<domain>-501 | A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. |
| krbtgt | S-1-5-21-<domain>-502 | A service account that is used by the Key Distribution Center (KDC) service. Its key encrypts and signs every ticket-granting ticket the domain issues. |
| Domain Admins | S-1-5-21-<domain>-512 | A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group. |
| Domain Users | S-1-5-21-<domain>-513 | A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default. |
| Domain Guests | S-1-5-21-<domain>-514 | A global group that, by default, has only one member, the domain's built-in Guest account. |
| Domain Computers | S-1-5-21-<domain>-515 | A global group that includes all clients and servers that have joined the domain. |
| Schema Admins | S-1-5-21-<root domain>-518 | A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. |
| Enterprise Admins | S-1-5-21-<root domain>-519 | A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. |
| Group Policy Creator Owners | S-1-5-21-<domain>-520 | A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. |
| Read-only Domain Controllers | S-1-5-21-<domain>-521 | A global group. Members of this group are read-only domain controllers in the domain. |
| Enterprise Read-only Domain Controllers | S-1-5-21-<root domain>-498 | A universal group. Members of this group are read-only domain controllers in the enterprise. |
| RAS and IAS Servers | S-1-5-21-<domain>-553 | A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the domain. |
| Allowed RODC Password Replication Group | S-1-5-21-<domain>-571 | A domain local group. Members of this group can have their passwords replicated to all read-only domain controllers in the domain. |
| Denied RODC Password Replication Group | S-1-5-21-<domain>-572 | A domain local group. Members of this group cannot have their passwords replicated to any read-only domain controller in the domain. |
| BUILTIN\Administrators | S-1-5-32-544 | A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. |
| BUILTIN\Users | S-1-5-32-545 | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. |
| BUILTIN\Guests | S-1-5-32-546 | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account. |
| BUILTIN\Power Users | S-1-5-32-547 | A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
| BUILTIN\Account Operators | S-1-5-32-548 | A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. |
| BUILTIN\Server Operators | S-1-5-32-549 | A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. |
| BUILTIN\Print Operators | S-1-5-32-550 | A built-in group that exists only on domain controllers. By default, the group has no members. Print Operators can manage printers and document queues, and can log on locally to domain controllers. |
| BUILTIN\Backup Operators | S-1-5-32-551 | A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. |
| BUILTIN\Replicators | S-1-5-32-552 | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group. |
| BUILTIN\Pre-Windows 2000 Compatible Access | S-1-5-32-554 | An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain. |
| BUILTIN\Remote Desktop Users | S-1-5-32-555 | An alias. Members of this group are granted the right to log on remotely. |
| BUILTIN\Network Configuration Operators | S-1-5-32-556 | An alias. Members of this group have some administrative privileges to manage the configuration of networking features. |
| BUILTIN\Incoming Forest Trust Builders | S-1-5-32-557 | An alias. Members of this group can create incoming, one-way trusts to this forest. |
| BUILTIN\Cryptographic Operators | S-1-5-32-569 | A builtin local group. Members are authorized to perform cryptographic operations. |
| BUILTIN\Event Log Readers | S-1-5-32-573 | A builtin local group. Members of this group can read event logs from the local machine. |
| BUILTIN\Certificate Service DCOM Access | S-1-5-32-574 | A builtin local group. Members of this group are allowed to connect to Certification Authorities in the enterprise. |
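A worked example, added here and not part of the original post: a Python script that encodes and decodes the binary SID layout behind the strings in the table (revision, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities, the form found in objectSid, security descriptors and event log fields), and then classifies a SID against the constant values and well-known RIDs listed above. The domain identifier in the sample SIDs is constructed, the lookup dictionaries are a subset of the table, and the function names are the author's choices for illustration.

```python
import struct

# Constant-valued SIDs from the table above (a representative subset).
WELL_KNOWN = {
    "S-1-0-0": "Nobody",
    "S-1-1-0": "Everyone",
    "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner",
    "S-1-3-1": "Creator Group",
    "S-1-3-4": "Owner Rights",
    "S-1-5-7": "Anonymous",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-10": "Principal Self",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}

# RIDs that are the same in every domain; the S-1-5-21-<domain> prefix varies.
DOMAIN_RIDS = {
    498: "Enterprise Read-only Domain Controllers", 500: "Administrator",
    501: "Guest", 502: "krbtgt", 512: "Domain Admins", 513: "Domain Users",
    514: "Domain Guests", 515: "Domain Computers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
    521: "Read-only Domain Controllers", 553: "RAS and IAS Servers",
    571: "Allowed RODC Password Replication Group",
    572: "Denied RODC Password Replication Group",
}


def sid_to_bytes(sid):
    """Encode S-R-A-s1-...-sn into the binary SID layout: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority,
    then each sub-authority as a 32-bit little-endian integer."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("SID out of range: %r" % sid)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(data):
    """Decode the binary layout back to the S-... string, refusing input
    that is truncated or padded relative to its sub-authority count."""
    if len(data) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("bad revision or length for sub-authority count %d" % count)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def classify(sid):
    """Name a SID using the tables above; for S-1-5-21 SIDs split off the
    domain identifier and RID, and flag RIDs below 1000 as built-in."""
    sid = sid.strip().upper()
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    info = {"sid": sid, "name": WELL_KNOWN.get(sid), "kind": "well-known",
            "domain": None, "rid": None, "builtin": None}
    if info["name"] is not None:
        return info
    if parts[1:3] == ["1", "5"] and subs[:1] == [21] and len(subs) in (4, 5):
        info["domain"] = "-".join(parts[:7])        # S-1-5-21-a-b-c
        if len(subs) == 4:
            info.update(kind="domain", name="(domain identifier)")
        else:
            rid = subs[4]
            info.update(kind="domain-relative", rid=rid, builtin=rid < 1000,
                        name=DOMAIN_RIDS.get(rid))
        return info
    if parts[1:3] == ["1", "5"] and subs[:1] == [5] and len(subs) == 3:
        info.update(kind="logon-session", name="Logon Session")
        return info
    info["kind"] = "unknown"
    return info


if __name__ == "__main__":
    # Constructed sample: the objectSid bytes of BUILTIN\Administrators.
    raw = bytes.fromhex("01020000000000052000000020020000")
    print(sid_from_bytes(raw), "->", classify(sid_from_bytes(raw))["name"])
    # Constructed domain identifier; only the trailing RID is well known.
    for s in ("S-1-5-21-3623811015-3361044348-30300820-500",
              "S-1-5-21-3623811015-3361044348-30300820-1105"):
        print(s, "->", classify(s))
```

The length check in `sid_from_bytes` matters when SIDs are pulled out of larger structures such as a security descriptor or SID history: a count byte that does not match the available bytes is the usual symptom of a mis-parsed offset, and reading past it silently would produce a plausible-looking but wrong SID.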


Thanks,
Morgan
Software Developer
