Well-Known SIDs and Built-in Group SIDs

Well-known SIDs are a group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems. The following table lists the well-known SID values and the Active Directory built-in group SIDs. Entries whose value contains the placeholder "domain" are relative to a specific domain: the three sub-authorities that make up the domain part differ per domain, and only the trailing relative identifier (RID) is fixed.

Built-in Group SIDs and Well-Known SIDs

| Name | SID Value | Identifies |
|------|-----------|------------|
| Everyone | S-1-1-0 | The generic group Everyone automatically includes everyone who uses the computer, even anonymous guests. The identifier authority value for this SID is 1 (World Authority). It has only one subauthority value, 0 (Null RID). |
| Creator Authority | S-1-3 | An identifier authority. |
| Creator Owner | S-1-3-0 | The generic user Creator Owner is a placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces the SID for Creator Owner with the SID for the object's current owner. The identifier authority value for this SID is 3 (Creator Authority). It has only one subauthority value, 0 (Null RID). |
| Creator Group | S-1-3-1 | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem. |
| Creator Owner Server | S-1-3-2 | This SID is not used in Windows 2000. |
| Creator Group Server | S-1-3-3 | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. |
| Principal Self | S-1-5-10 | The generic user Principal Self is a placeholder in an ACE on a User, Group, or Computer object in Active Directory. When you grant permission to Principal Self, you grant it to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object. The identifier authority for this SID is 5 (NT Authority). It has only one subauthority value, 10 (Self RID). |
| Null SID (Nobody) | S-1-0-0 | A group with no members. This is often used when a SID value is not known. |
| Local Authority | S-1-2 | An identifier authority. |
| Local | S-1-2-0 | A group that includes all users who have logged on locally. |
| Console Logon | S-1-2-1 | A group that includes users who are logged on to the physical console. |
| Non-unique Authority | S-1-4 | An identifier authority. |
| NT Authority | S-1-5 | An identifier authority. |
| Dialup | S-1-5-1 | A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system. |
| Network | S-1-5-2 | A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system. |
| Batch | S-1-5-3 | A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system. |
| Interactive | S-1-5-4 | A group that includes all users that have logged on interactively. Membership is controlled by the operating system. |
| Logon Session | S-1-5-5-X-Y | A logon session. The X and Y values for these SIDs are different for each session. |
| Service | S-1-5-6 | A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system. |
| Anonymous | S-1-5-7 | A group that includes all users that have logged on anonymously. Membership is controlled by the operating system. |
| Proxy | S-1-5-8 | This SID is not used in Windows 2000. |
| Enterprise Domain Controllers | S-1-5-9 | A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system. |
| Authenticated Users | S-1-5-11 | A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. |
| Restricted Code | S-1-5-12 | This SID is reserved for future use. |
| Terminal Server Users | S-1-5-13 | A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system. |
| Remote Interactive Logon | S-1-5-14 | A group that includes all users who have logged on through a Terminal Services logon. |
| This Organization | S-1-5-15 | A group that includes all users from the same organization. Only included with AD accounts and only added by a Windows Server 2003 or later domain controller. |
| This Organization | S-1-5-17 | An account that is used by the default Internet Information Services (IIS) user. |
| Local System | S-1-5-18 | A service account that is used by the operating system. |
| NT Authority | S-1-5-19 | Local Service |
| NT Authority | S-1-5-20 | Network Service |
| Administrator | S-1-5-21-domain-500 | A user account for the system administrator. By default, it is the only user account that is given full control over the system. |
| Guest | S-1-5-21-domain-501 | A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. |
| krbtgt | S-1-5-21-domain-502 | A service account that is used by the Key Distribution Center (KDC) service. |
| Domain Admins | S-1-5-21-domain-512 | A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group. |
| Domain Users | S-1-5-21-domain-513 | A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default. |
| Domain Guests | S-1-5-21-domain-514 | A global group that, by default, has only one member, the domain's built-in Guest account. |
| Domain Computers | S-1-5-21-domain-515 | A global group that includes all clients and servers that have joined the domain. |
| Schema Admins | S-1-5-21-root domain-518 | A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. |
| Enterprise Admins | S-1-5-21-root domain-519 | A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. |
| Group Policy Creator Owners | S-1-5-21-domain-520 | A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. |
| RAS and IAS Servers | S-1-5-21-domain-553 | A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group. |
| Administrators | S-1-5-32-544 | A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. |
| Users | S-1-5-32-545 | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. |
| Guests | S-1-5-32-546 | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account. |
| Power Users | S-1-5-32-547 | A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
| Account Operators | S-1-5-32-548 | A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. |
| Server Operators | S-1-5-32-549 | A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. |
| Print Operators | S-1-5-32-550 | A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. |
| Backup Operators | S-1-5-32-551 | A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. |
| Replicators | S-1-5-32-552 | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group. |
| BUILTIN\Pre-Windows 2000 Compatible Access | S-1-5-32-554 | An alias added by Windows 2000. A backward-compatibility group that allows read access on all users and groups in the domain. |
| BUILTIN\Remote Desktop Users | S-1-5-32-555 | An alias. Members of this group are granted the right to log on remotely. |
| BUILTIN\Network Configuration Operators | S-1-5-32-556 | An alias. Members of this group can have some administrative privileges to manage the configuration of networking features. |
| BUILTIN\Incoming Forest Trust Builders | S-1-5-32-557 | An alias. Members of this group can create incoming, one-way trusts to this forest. |
| Enterprise Read-only Domain Controllers | S-1-5-21-domain-498 | A universal group. Members of this group are read-only domain controllers in the enterprise. |
| Read-only Domain Controllers | S-1-5-21-domain-521 | A global group. Members of this group are read-only domain controllers in the domain. |
| BUILTIN\Cryptographic Operators | S-1-5-32-569 | A built-in local group. Members are authorized to perform cryptographic operations. |
| Allowed RODC Password Replication Group | S-1-5-21-domain-571 | A domain local group. Members of this group can have their passwords replicated to all read-only domain controllers in the domain. |
| Denied RODC Password Replication Group | S-1-5-21-domain-572 | A domain local group. Members of this group cannot have their passwords replicated to any read-only domain controllers in the domain. |
| BUILTIN\Event Log Readers | S-1-5-32-573 | A built-in local group. Members of this group can read event logs from the local machine. |
| BUILTIN\Certificate Service DCOM Access | S-1-5-32-574 | A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise. |
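As an added example (not part of the original post), here is a small Python classifier that applies the table above to SID strings as they appear in security event logs or in a token's group list. It splits a SID into its identifier authority and sub-authorities, then distinguishes constant well-known SIDs from BUILTIN aliases (S-1-5-32-RID) and domain-relative RIDs (S-1-5-21-domain-RID), and lists which of the high-privilege groups in the table are present. The function names and the PRIVILEGED set are this example's own choices.

```python
# Constant well-known SIDs from the table above (same value on every Windows system).
WELL_KNOWN = {
    "S-1-0-0": "Null SID (Nobody)", "S-1-1-0": "Everyone", "S-1-2-0": "Local",
    "S-1-2-1": "Console Logon", "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group",
    "S-1-5-2": "Network", "S-1-5-4": "Interactive", "S-1-5-7": "Anonymous",
    "S-1-5-9": "Enterprise Domain Controllers", "S-1-5-10": "Principal Self",
    "S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service", "S-1-5-20": "Network Service",
}
# BUILTIN aliases are S-1-5-32-<RID>; the RID alone identifies the group.
BUILTIN_RIDS = {
    544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
    548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
    551: "Backup Operators", 552: "Replicators", 555: "Remote Desktop Users",
    569: "Cryptographic Operators", 573: "Event Log Readers",
}
# Domain principals are S-1-5-21-<domain>-<RID>; <domain> is three sub-authorities that differ per domain.
DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins",
    513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers",
    518: "Schema Admins", 519: "Enterprise Admins", 520: "Group Policy Creator Owners",
    521: "Read-only Domain Controllers", 572: "Denied RODC Password Replication Group",
}
# Table entries whose membership amounts to control of the machine or domain (this example's selection).
PRIVILEGED = {"Administrators", "Account Operators", "Server Operators", "Backup Operators",
              "Domain Admins", "Schema Admins", "Enterprise Admins", "Administrator"}

def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities]); ValueError if malformed."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1" or not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"not a valid SID string: {sid!r}")
    return int(parts[2]), [int(p) for p in parts[3:]]

def identify_sid(sid):
    """Return (category, name) for a SID string; name is None when the RID is not in the table."""
    authority, subs = parse_sid(sid)
    if sid in WELL_KNOWN:                                   # fixed value, e.g. S-1-5-18
        return "well-known", WELL_KNOWN[sid]
    if authority == 5 and subs[:1] == [32] and len(subs) == 2:   # BUILTIN alias
        return "builtin", BUILTIN_RIDS.get(subs[1])
    if authority == 5 and subs[:1] == [21] and len(subs) == 5:   # domain SID + RID
        return "domain", DOMAIN_RIDS.get(subs[4])
    return "unknown", None

def privileged_groups(sids):
    """Names of the PRIVILEGED table entries present in a list of SIDs (e.g. a token's group list)."""
    return sorted(name for _, name in map(identify_sid, sids) if name in PRIVILEGED)
```

Feeding the SID list from a logon or group-membership event into privileged_groups gives a quick check for whether a principal carries any of the table's administrative groups, without needing the domain part of the SID to be known in advance.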

Thanks,
Morgan
Software Developer
