Well-known SIDs identify generic groups and generic users. For example, there are well-known SIDs to identify the following groups and users:
There are universal well-known SIDs, which are meaningful on all secure systems using this security model, including operating systems other than Windows NT. In addition, there are well-known SIDs that are meaningful only on Windows NT systems.
The Win32 API defines a set of constants for well-known identifier authority and RID values. You can use these constants to create well-known SIDs. The following example combines the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants to show the universal well-known SID for the special group representing all users (Everyone or World):
S-1–1–0
This example uses the string notation for SIDs in which S identifies the string as a SID, the first 1 is the revision level of the SID, and the remaining two digits are the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants.
You can use the AllocateAndInitializeSid function to build a SID by combining an identifier authority value with up to eight subauthority values. For example, to determine whether the logged-on user is a member of a particular well-known group, call AllocateAndInitializeSid to build a SID for the well-known group and use the EqualSid function to compare that SID to the group SIDs in the user's access token. For sample code, see Searching for a SID in an Access Token. You must call the FreeSid function to free a SID allocated by AllocateAndInitializeSid.
The remainder of this section contains tables of well-known SIDs and tables of identifier authority and subauthority constants that you can use to build well-known SIDs.
The following are some universal well-known SIDs.
| Universal well-known SID | Value | Identifies |
|---|---|---|
| Null SID | (S-1–0–0) | A group with no members. This is often used when a SID value is not known. |
| World | (S-1–1–0) | A group that includes all users. |
| Local | (S-1–2–0) | Users who log on to terminals locally (physically) connected to the system. |
| Creator Owner ID | (S-1–3–0) | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. |
| Creator Group ID | (S-1–3–1) | Identifies a security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. |
The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs; the last value is used with Windows NT well-known SIDs.
| Identifier authority | Value | SID string prefix |
|---|---|---|
| SECURITY_NULL_SID_AUTHORITY | 0 | S-1–0 |
| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1–1 |
| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1–2 |
| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1–3 |
| SECURITY_NT_AUTHORITY | 5 | S-1–5 |
The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
| Relative identifier authority | Value | Identifier authority |
|---|---|---|
| SECURITY_NULL_RID | 0 | S-1–0 |
| SECURITY_WORLD_RID | 0 | S-1–1 |
| SECURITY_LOCAL_RID | 0 | S-1–2 |
| SECURITY_CREATOR_OWNER_RID | 0 | S-1–3 |
| SECURITY_CREATOR_GROUP_RID | 1 | S-1–3 |
The SECURITY_NT_AUTHORITY (S-1–5) predefined identifier authority produces SIDs that are not universal but are meaningful only on Windows NT installations. You can use the following RID values with SECURITY_NT_AUTHORITY to create well-known SIDs.
| Constant | Identifies | |
|---|---|---|
| SECURITY_DIALUP_RID (S-1–5–1) | ||
| Users who log on to terminals using a dial-up modem. This is a group identifier. | ||
| SECURITY_NETWORK_RID (S-1–5–2) | ||
| Users who can log on across a network. This is a group identifier. | ||
| SECURITY_BATCH_RID (S-1–5–3) | ||
| Users who can log on using a batch queue facility. This is a group identifier. | ||
| SECURITY_INTERACTIVE_RID (S-1–5–4) | ||
| Users who can log on for interactive operation. This is a group identifier. | ||
| SECURITY_LOGON_IDS_RID (S-1–5–5-X-Y) | ||
| A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The X and Y values for these SIDs are different for each logon session. The value SECURITY_LOGON_IDS_RID_COUNT is the number of RIDs in this identifier (5-X-Y). | ||
| SECURITY_SERVICE_RID (S-1–5–6) | ||
| Accounts authorized to log on as a service. | ||
| SECURITY_LOCAL_SYSTEM_RID (S-1–5–0x12) | ||
| A special account used by the operating system. | ||
| SECURITY_BUILTIN_DOMAIN_RID (S-1–5–0x20) | ||
| The built-in system domain. | ||
The following RIDs are relative to each domain.
| RID | Identifies |
|---|---|
| DOMAIN_USER_RID_ADMIN | The administrative user account in a domain. |
| DOMAIN_USER_RID_GUEST | The guest-user account in a domain. Users who do not have an account can automatically log onto this account. |
| DOMAIN_GROUP_RID_ADMINS | The domain administrator's group. This account exists only on systems running Windows NT Server, not Windows NT Workstation. |
| DOMAIN_GROUP_RID_USERS | A group containing all user accounts in a domain. All users are automatically added to this group. |
The following table has examples of domain-relative RIDs you can use to form well-known SIDs for local groups (aliases). For more information about local and global groups, see Local Group Functions and Group Functions.
| RID | Identifies |
|---|---|
| DOMAIN_ALIAS_RID_ADMINS | A local group used for administration of the domain. |
| DOMAIN_ALIAS_RID_USERS | A local group representing all users in the domain. |
| DOMAIN_ALIAS_RID_GUESTS | A local group representing guests of the domain. |
| DOMAIN_ALIAS_RID_POWER_USERS | A local group used to represent a user or set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users. |
| DOMAIN_ALIAS_RID_ACCOUNT_OPS | A local group existing only on systems running Windows NT Server. This local group permits control over non-administrator accounts. |
| DOMAIN_ALIAS_RID_SYSTEM_OPS | A local group existing only on systems running Windows NT Server. This local group performs system administrative functions, not including security functions. It establishes network shares, controls printers, unlocks workstations, and performs other operations. |
| DOMAIN_ALIAS_RID_PRINT_OPS | A local group existing only on systems running Windows NT Server. This local group controls printers and print queues. |
| DOMAIN_ALIAS_RID_BACKUP_OPS | A local group used for controlling assignment of file backup-and-restore privileges. |
| DOMAIN_ALIAS_RID_REPLICATOR | A local group responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system. |