Difference between a RID and a SID in Active Directory

SID (Security Identifier)

– An SID is a Security Identifier. It’s the “primary key” for any object in an Active Directory.
For example, users have SIDs, as do Printer objects, Group objects, etc. SID‘s are unique to a Domain.
– In Active Directory users refer to accounts by using the account name, but the operating system internally refers to accounts by their security identifiers (SIDs).
– For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local) and are never reused.

– For every local account and group, the SID is unique for the computer where it was created; no two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group created in one domain will never match the SID for an account or group created in any domain in the enterprise.

User SID structure

SID vs RID

RID (Relative Identifier)

– The relative identifier (RID) Is a variable length number that is assigned to objects at creation and becomes part of the object’s security identifier.
– Generating unique relative identifiers is a more complex process in a network domain Windows 2000 network domains can have several domain controllers, each of them a host for Active Directory, where account information is stored. This means that in a network domain there are as many copies of the account database as there are domain controllers.
– Every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes made to Active Directory on one domain controller are replicated to all other domain controllers in the domain.
– The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation .
– The process of generating unique relative identifiers is a single-master operation . One domain controller is assigned the role of relative identifier (RID) master , and it allocates a sequence of relative identifiers to each domain controller in the domain.
– When a new domain account or group is created in one domain controller’s replica of Active Directory, it is assigned a SID, and the relative identifier for the new SID is taken from the domain controller’s allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller asks the RID master for another block.

Well Known SIDs

Name SID Value Identifies
Everyone S-1-1-0 The generic group Everyone automatically includes everyone who uses the computer, even anonymous guests. The identifier authority value for this SID is 1 (World Authority). It has only one subauthority value, 0 (Null RID).
Creator Authority S-1-3 An identifier authority.
Creator Owner S-1-3-0 The generic user Creator Owner is a placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces the SID for Creator Owner with the SID for the object’s current owner. The identifier authority value for this SID is 3 (Creator Authority). It has only one subauthority value, 0 (Null RID).
Creator Group S-1-3-1 A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s creator. The primary group is used only by the POSIX subsystem.
Creator Owner Server S-1-3-2 This SID is not used in Windows 2000.
Creator Group Server S-1-3-3 A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
Principal Self S-1-5-10 The generic user Principal Self is a placeholder in an ACE on a User, Group, or Computer object in Active Directory. When you grant permission to Principal Self, you grant it to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object. The identifier authority for this SID is 5 (NT Authority). It has only one subauthority value, 10 (Self RID).
Null SID(Nobody) S-1–0–0 A group with no members. This is often used when a SID value is not known.
Local Authority S-1-2 An identifier authority.
Local S-1-2-0 A group that includes all users who have logged on locally.
Console Logon S-1-2-1 A group that includes users who are logged on to the physical console.
Creator Authority S-1-3 An identifier authority.
Non-unique Authority S-1-4 An identifier authority.
NT Authority S-1-5 An identifier authority.
Dialup S-1-5-1 A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system.
Network S-1-5-2 A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.
Batch S-1-5-3 A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.
Interactive S-1-5-4 A group that includes all users that have logged on interactively. Membership is controlled by the operating system.
Logon Session S-1-5-5-X-Y A logon session. The X and Y values for these SIDs are different for each session.
Service S-1-5-6 A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
Anonymous S-1-5-7 A group that includes all users that have logged on anonymously. Membership is controlled by the operating system.
Proxy S-1-5-8 This SID is not used in Windows 2000.
Enterprise Domain Controllers S-1-5-9 A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.
Authenticated Users S-1-5-11 A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
Restricted Code S-1-5-12 This SID is reserved for future use.
Terminal Server Users S-1-5-13 A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.
Remote Interactive Logon S-1-5-14 A group that includes all users who have logged on through a terminal services logon.
This Organization S-1-5-15 A group that includes all users from the same organization. Only included with AD accounts and only added by a Windows Server 2003 or later domain controller.
This Organization S-1-5-17 An account that is used by the default Internet Information Services (IIS) user.
Local System S-1-5-18 A service account that is used by the operating system.
NT Authority S-1-5-19 Local Service
NT Authority S-1-5-20 Network Service
Administrator S-1-5-21domain-500 A user account for the system administrator. By default, it is the only user account that is given full control over the system.
Guest S-1-5-21domain-501 A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
krbtgt S-1-5-21domain-502 A service account that is used by the Key Distribution Center (KDC) service.
Domain Admins S-1-5-21domain-512 A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
Domain Users S-1-5-21domain-513 A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
Domain Guests S-1-5-21domain-514 A global group that, by default, has only one member, the domain’s built-in Guest account.
Domain Computers S-1-5-21domain-515 A global group that includes all clients and servers that have joined the domain.
Schema Admins S-1-5-21root domain-518 A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
Enterprise Admins S-1-5-21root domain-519 A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
Group Policy Creator Owners S-1-5-21domain-520 A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
RAS and IAS Servers S-1-5-21domain-553 A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
Administrators S-1-5-32-544 A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
Users S-1-5-32-545 A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
Guests S-1-5-32-546 A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer’s built-in Guest account.
Power Users S-1-5-32-547 A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.
Account Operators S-1-5-32-548 A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
Server Operators S-1-5-32-549 A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
Print Operators S-1-5-32-550 A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
Backup Operators S-1-5-32-551 A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
Replicators S-1-5-32-552 A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.
BUILTINPre-Windows 2000 Compatible Access S-1-5-32-554 An alias added by Windows 2000. A backward compatibility group which allows read access on all users and groups in the domain.
BUILTINRemote Desktop Users S-1-5-32-555 An alias. Members in this group are granted the right to logon remotely.
BUILTINNetwork Configuration Operators S-1-5-32-556 An alias. Members in this group can have some administrative privileges to manage configuration of networking features.
BUILTINIncoming Forest Trust Builders S-1-5-32-557 An alias. Members of this group can create incoming, one-way trusts to this forest.
Enterprise Read-only Domain Controllers S-1-5- 21domain -498 A Universal group. Members of this group are Read-Only Domain Controllers in the enterprise
Read-only Domain Controllers S-1-5- 21domain -521 A Global group. Members of this group are Read-Only Domain Controllers in the domain
BUILTINCryptographic Operators S-1-5-32-569 A Builtin Local group. Members are authorized to perform cryptographic operations.
Allowed RODC Password Replication Group S-1-5-21 domain -571 A Domain Local group. Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
Denied RODC Password Replication Group S-1-5- 21 domain -572 A Domain Local group. Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
BUILTINEvent Log Readers S-1-5-32-573 A Builtin Local group. Members of this group can read event logs from local machine.
BUILTINCertificate Service DCOM Access S-1-5-32-574 A Builtin Local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.

Thanks,
Morgan
Software Developer

Advertisement

2 thoughts on “Difference between a RID and a SID in Active Directory”

    • Nope, sorry, can’t do it without breaking the rules. RIDs are not “assignable”. They are handed out by the “RID Master” to DCs in pools and then used in semi-sequential order. Active Directory keeps control of RIDs so they are never re-used, and it does not allow you to decide which RID is assigned to an account. Part of the reason for this is some RIDs are pre-defined. Look at the last 3 digits of the built in accounts in Morgan’s post. e.g: the built-in Administrator account is RID 500 in every domain. Domain Admins is RID 512. Would you want the ability to assign that RID to any domain user? No, I didn’t think so… 😉

      I say “semi-sequential” because of the pools; Every read/writable Domain Controller gets a pool of 500 RIDs from the RID Master, then uses them sequentially when accounts are created on that DC (Read Only DCs, or RODCs, don’t get a RID pool). When a DC’s pool gets down to 250, it requests another pool so it isn’t likely to run out even in a large account creation operation.

      So, If I have 3 domain controllers, DC1 may get pool; 1001-1500, DC2; 1501-2000, DC3; 2001-2500. If I create accounts on DC3 first, then they will use RID#s 2001, 2002, 2003… If I then create accounts on DC1, they will use 1001, 1002, 1003… which are lower RID numbers, even though they were created _after_ those on DC3… If I wait 10 years (and presumptively millions of accounts) before I ever create any accounts on DC2, then those RID numbers will be way lower than the RIDs in use on DC1 & 2.

      Fortunately, there are over 2 billion available RIDs in any domain, but if you were to ever deplete that, you can no longer create accounts, and you’re in a WORLD of hurt (it used to be a little over 1 billion RIDs and yes, it had, very rarely, been depleted!).

      Reply

Leave a Comment