Platform SDK: Access Control
Well-known SIDs identify generic groups and generic users. For example, there are well-known SIDs to identify the following groups and users:
There are universal well-known SIDs, which are meaningful on all secure systems using this security model, including operating systems other than Windows NT/Windows 2000. In addition, there are well-known SIDs that are meaningful only on Windows NT/Windows 2000 systems.
The Win32 API defines a set of constants for well-known identifier authority and RID values. You can use these constants to create well-known SIDs. The following example combines the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants to show the universal well-known SID for the special group representing all users (Everyone or World):
S-1-1-0
This example uses the string notation for SIDs, in which S identifies the string as a SID, the first 1 is the revision level of the SID, and the remaining two digits are the values of the SECURITY_WORLD_SID_AUTHORITY (1) and SECURITY_WORLD_RID (0) constants.
You can use the AllocateAndInitializeSid function to build a SID by combining an identifier authority value with up to eight subauthority values. For example, to determine whether the logged-on user is a member of a particular well-known group, call AllocateAndInitializeSid to build a SID for the well-known group and use the EqualSid function to compare that SID to the group SIDs in the user's access token. For sample code, see Searching for a SID in an Access Token. You must call the FreeSid function to free a SID allocated by AllocateAndInitializeSid.
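The following is an added example, not code from the Platform SDK page: it models in portable C what AllocateAndInitializeSid produces (the binary SID layout: a revision byte, a subauthority count, a 6-byte big-endian identifier authority, then 32-bit subauthorities), provides an EqualSid-style comparison and the S-R-I-S... string notation shown above, and performs the token membership check the paragraph describes. No Win32 headers are used, so it compiles anywhere; the constant names and values are those in the page's tables, and the token group list is a constructed sample rather than one read from a real token.

```c
/* Added example, not code from the Platform SDK page: a portable model of the
 * binary SID that AllocateAndInitializeSid fills in, an EqualSid-style compare,
 * the S-R-I-S... string form, and the token membership check the text
 * describes. No Win32 headers are used, so it compiles on any platform. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_REVISION            1
#define SID_MAX_SUB_AUTHORITIES 8   /* AllocateAndInitializeSid accepts at most 8 */

/* In the binary layout the identifier authority is a 6-byte big-endian integer. */
typedef struct { uint8_t value[6]; } sid_identifier_authority;

typedef struct {
    uint8_t revision;
    uint8_t sub_authority_count;
    sid_identifier_authority identifier_authority;
    uint32_t sub_authority[SID_MAX_SUB_AUTHORITIES];
} sid;

/* Identifier authority and RID constants, with the values from the page's tables. */
static const sid_identifier_authority SECURITY_WORLD_SID_AUTHORITY = {{0, 0, 0, 0, 0, 1}};
static const sid_identifier_authority SECURITY_NT_AUTHORITY        = {{0, 0, 0, 0, 0, 5}};
enum { SECURITY_WORLD_RID = 0, SECURITY_INTERACTIVE_RID = 4,
       SECURITY_AUTHENTICATED_USER_RID = 11, SECURITY_LOCAL_SYSTEM_RID = 18 };

/* Counterpart of AllocateAndInitializeSid. Returns NULL when count is out of
 * range or memory is exhausted; release the result with sid_free (FreeSid). */
sid *sid_alloc_init(const sid_identifier_authority *auth, int count, const uint32_t *subs)
{
    if (count < 0 || count > SID_MAX_SUB_AUTHORITIES) return NULL;
    sid *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->revision = SID_REVISION;
    s->sub_authority_count = (uint8_t)count;
    s->identifier_authority = *auth;
    if (count > 0) memcpy(s->sub_authority, subs, (size_t)count * sizeof *subs);
    return s;
}

void sid_free(sid *s) { free(s); }

/* Counterpart of EqualSid: revision, authority, count and every subauthority must match. */
int sid_equal(const sid *a, const sid *b)
{
    if (a->revision != b->revision || a->sub_authority_count != b->sub_authority_count ||
        memcmp(a->identifier_authority.value, b->identifier_authority.value, 6) != 0)
        return 0;
    return memcmp(a->sub_authority, b->sub_authority,
                  a->sub_authority_count * sizeof a->sub_authority[0]) == 0;
}

/* Render "S-<revision>-<authority>-<sub>-..." (the page's string notation).
 * Returns 0 on success, -1 if the buffer is too small. */
int sid_to_string(const sid *s, char *out, size_t n)
{
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | s->identifier_authority.value[i];
    int len = snprintf(out, n, "S-%u-%llu", (unsigned)s->revision, (unsigned long long)auth);
    if (len < 0 || (size_t)len >= n) return -1;
    for (int i = 0; i < s->sub_authority_count; i++) {
        int w = snprintf(out + len, n - (size_t)len, "-%u", (unsigned)s->sub_authority[i]);
        if (w < 0 || (size_t)w >= n - (size_t)len) return -1;
        len += w;
    }
    return 0;
}

/* The membership test the page describes: compare the target SID against each
 * group SID of a token (the group list is passed in here rather than read
 * from a token with GetTokenInformation). */
int token_contains(const sid *target, const sid *const *groups, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (groups[i] != NULL && sid_equal(target, groups[i])) return 1;
    return 0;
}

/* Build a SID from authority + subauthorities and check its string form. */
int sid_string_matches(const sid_identifier_authority *auth, int count,
                       const uint32_t *subs, const char *expected)
{
    char buf[128];
    sid *s = sid_alloc_init(auth, count, subs);
    int ok = s != NULL && sid_to_string(s, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
    sid_free(s);
    return ok;
}

/* Constructed group list of an interactive, authenticated user's token:
 * Everyone (S-1-1-0), Interactive (S-1-5-4), Authenticated Users (S-1-5-11). */
int sample_token_contains(const sid_identifier_authority *auth, uint32_t rid)
{
    uint32_t r_world = SECURITY_WORLD_RID, r_inter = SECURITY_INTERACTIVE_RID,
             r_auth = SECURITY_AUTHENTICATED_USER_RID;
    sid *groups[3] = { sid_alloc_init(&SECURITY_WORLD_SID_AUTHORITY, 1, &r_world),
                       sid_alloc_init(&SECURITY_NT_AUTHORITY, 1, &r_inter),
                       sid_alloc_init(&SECURITY_NT_AUTHORITY, 1, &r_auth) };
    sid *target = sid_alloc_init(auth, 1, &rid);
    int found = target != NULL && token_contains(target, (const sid *const *)groups, 3);
    sid_free(target);
    for (int i = 0; i < 3; i++) sid_free(groups[i]);
    return found;
}

int main(void)
{
    char buf[64];
    uint32_t rid = SECURITY_WORLD_RID;
    sid *everyone = sid_alloc_init(&SECURITY_WORLD_SID_AUTHORITY, 1, &rid);
    if (everyone != NULL && sid_to_string(everyone, buf, sizeof buf) == 0)
        printf("%s in sample token: %d\n", buf,
               sample_token_contains(&SECURITY_WORLD_SID_AUTHORITY, SECURITY_WORLD_RID));
    sid_free(everyone);
    return 0;
}
```

Because EqualSid compares the whole structure, a SID with the same authority and RIDs but a different subauthority count is a different principal; the comparison here reflects that, and sid_alloc_init refuses more than eight subauthorities, as the real function does.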
The remainder of this section contains tables of well-known SIDs and tables of identifier authority and subauthority constants that you can use to build well-known SIDs.
The following are some universal well-known SIDs.
Universal well-known SID | Value | Identifies |
---|---|---|
Null SID | (S-1-0-0) | A group with no members. This is often used when a SID value is not known. |
World | (S-1-1-0) | A group that includes all users. |
Local | (S-1-2-0) | Users who log on to terminals locally (physically) connected to the system. |
Creator Owner ID | (S-1-3-0) | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. |
Creator Group ID | (S-1-3-1) | Identifies a security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. |
The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs; the last value is used with Windows NT/Windows 2000 well-known SIDs.
Identifier authority | Value | SID string prefix |
---|---|---|
SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 |
SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
SECURITY_NT_AUTHORITY | 5 | S-1-5 |
The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
Relative identifier authority | Value | Identifier authority |
---|---|---|
SECURITY_NULL_RID | 0 | S-1-0 |
SECURITY_WORLD_RID | 0 | S-1-1 |
SECURITY_LOCAL_RID | 0 | S-1-2 |
SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 |
SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 |
The SECURITY_NT_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal but are meaningful only on Windows NT/Windows 2000 installations. You can use the following RID values with SECURITY_NT_AUTHORITY to create well-known SIDs.
Constant | Identifies |
---|---|
SECURITY_DIALUP_RID (S-1-5-1) | Users who log on to terminals using a dial-up modem. This is a group identifier. |
SECURITY_NETWORK_RID (S-1-5-2) | Users who can log on across a network. This is a group identifier. |
SECURITY_BATCH_RID (S-1-5-3) | Users who can log on using a batch queue facility. This is a group identifier. |
SECURITY_INTERACTIVE_RID (S-1-5-4) | Users who can log on for interactive operation. This is a group identifier. |
SECURITY_LOGON_IDS_RID (S-1-5-5-X-Y) | A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The X and Y values for these SIDs are different for each logon session. The value SECURITY_LOGON_IDS_RID_COUNT is the number of RIDs in this identifier (5-X-Y). |
SECURITY_SERVICE_RID (S-1-5-6) | Accounts authorized to log on as a service. |
SECURITY_ANONYMOUS_LOGON_RID (S-1-5-7) | Anonymous logon, or null session logon. |
SECURITY_PROXY_RID (S-1-5-8) | |
SECURITY_ENTERPRISE_CONTROLLERS_RID (S-1-5-9) | |
SECURITY_PRINCIPAL_SELF_RID (S-1-5-10) | The PRINCIPAL_SELF security identifier can be used in the ACL of a user or group object. During an access check, the system replaces the SID with the SID of the object. The PRINCIPAL_SELF SID is useful for specifying an inheritable ACE that applies to the user or group object that inherits the ACE. It is the only way of representing the SID of a created object in the default security descriptor in the schema. |
SECURITY_AUTHENTICATED_USER_RID (S-1-5-11) | The authenticated users. |
SECURITY_RESTRICTED_CODE_RID (S-1-5-12) | Restricted code. |
SECURITY_TERMINAL_SERVER_RID (S-1-5-13) | Terminal Services: Automatically added to the security token of a user who logs on to a Terminal Server. |
SECURITY_LOCAL_SYSTEM_RID (S-1-5-18) | A special account used by the operating system. |
SECURITY_NT_NON_UNIQUE (S-1-5-21) | |
SECURITY_BUILTIN_DOMAIN_RID (S-1-5-32) | The built-in system domain. |
The following RIDs are relative to each domain.
RID | Identifies |
---|---|
DOMAIN_USER_RID_ADMIN | The administrative user account in a domain. |
DOMAIN_USER_RID_GUEST | The guest-user account in a domain. Users who do not have an account can automatically log onto this account. |
DOMAIN_GROUP_RID_ADMINS | The domain administrators' group. This account exists only on systems running Windows NT Server/Windows 2000 Server. |
DOMAIN_GROUP_RID_USERS | A group containing all user accounts in a domain. All users are automatically added to this group. |
DOMAIN_GROUP_RID_GUESTS | The guest-group account in a domain. |
DOMAIN_GROUP_RID_COMPUTERS | The domain computers' group. All computers in the domain are members of this group. |
DOMAIN_GROUP_RID_CONTROLLERS | The domain controllers' group. All DCs in the domain are members of this group. |
DOMAIN_GROUP_RID_CERT_ADMINS | The certificate publishers' group. Computers running Certificate Services are members of this group. |
DOMAIN_GROUP_RID_SCHEMA_ADMINS | The schema administrators' group. Members of this group can modify the Active Directory schema. |
DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains. |
DOMAIN_GROUP_RID_POLICY_ADMINS | The policy administrators' group. |
The following table has examples of domain-relative RIDs you can use to form well-known SIDs for local groups (aliases). For more information about local and global groups, see Local Group Functions and Group Functions.
RID | Identifies |
---|---|
DOMAIN_ALIAS_RID_ADMINS | A local group used for administration of the domain. |
DOMAIN_ALIAS_RID_USERS | A local group representing all users in the domain. |
DOMAIN_ALIAS_RID_GUESTS | A local group representing guests of the domain. |
DOMAIN_ALIAS_RID_POWER_USERS | A local group used to represent a user or set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users. |
DOMAIN_ALIAS_RID_ACCOUNT_OPS | A local group existing only on systems running Windows NT Server/Windows 2000 Server. This local group permits control over non-administrator accounts. |
DOMAIN_ALIAS_RID_SYSTEM_OPS | A local group existing only on systems running Windows NT Server/Windows 2000 Server. This local group performs system administrative functions, not including security functions. It establishes network shares, controls printers, unlocks workstations, and performs other operations. |
DOMAIN_ALIAS_RID_PRINT_OPS | A local group existing only on systems running Windows NT Server/Windows 2000 Server. This local group controls printers and print queues. |
DOMAIN_ALIAS_RID_BACKUP_OPS | A local group used for controlling assignment of file backup-and-restore privileges. |
DOMAIN_ALIAS_RID_REPLICATOR | A local group responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system. |
DOMAIN_ALIAS_RID_RAS_SERVERS | A local group representing RAS and IAS servers. This group permits access to various attributes of user objects. |
DOMAIN_ALIAS_RID_PREW2KCOMPACCESS | A local group existing only on systems running Windows 2000 Server. It provides access rights and privileges equal to anonymous access under Windows NT, which is Everyone access. |
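The following is an added example, not code from the Platform SDK page, covering the NT-authority table and the two domain-relative tables above: it parses SID strings of the form shown on this page (as they appear in ACL dumps and audit logs) and maps them to the well-known names, recognizing the S-1-5-5-X-Y logon-session pattern, the S-1-5-32 built-in domain and the S-1-5-21 domain prefix. The authority and RID values up to S-1-5-32 are the page's; the numeric values of the domain-relative RIDs (500, 512, 544 and so on) are taken from winnt.h, which the page does not list. Parsing is done by hand so the code compiles without Win32 headers (the real API for this is ConvertStringSidToSid), and the ACL entries in the test are constructed samples.

```c
/* Added example, not from the Platform SDK page: classify SID strings seen in
 * ACL dumps or audit logs using the page's tables. Hand parsing stands in for
 * ConvertStringSidToSid so the code needs no Win32 headers. Domain-relative
 * RID values (500, 512, 544, ...) come from winnt.h, not from the page. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUB_AUTHORITIES 15   /* revision-1 SIDs carry at most 15 subauthorities */

/* Parse "S-1-<authority>-<sub>-..."; returns the number of subauthorities or -1. */
int parse_sid_string(const char *s, uint64_t *authority, uint32_t *subs)
{
    if (strncmp(s, "S-1-", 4) != 0) return -1;          /* only revision 1 exists */
    const char *p = s + 4;
    char *end;
    if (*p < '0' || *p > '9') return -1;
    *authority = strtoull(p, &end, 10);
    int n = 0;
    while (*end == '-') {
        p = end + 1;
        if (n == MAX_SUB_AUTHORITIES || *p < '0' || *p > '9') return -1;
        unsigned long long v = strtoull(p, &end, 10);
        if (v > 0xFFFFFFFFull) return -1;
        subs[n++] = (uint32_t)v;
    }
    return *end == '\0' ? n : -1;
}

/* Universal and NT-authority well-known SIDs with a single RID (from the page). */
static const struct { uint64_t auth; uint32_t rid; const char *name; } fixed[] = {
    {0, 0, "Null SID"}, {1, 0, "Everyone (World)"}, {2, 0, "Local"},
    {3, 0, "Creator Owner"}, {3, 1, "Creator Group"}, {5, 1, "Dialup"},
    {5, 2, "Network"}, {5, 3, "Batch"}, {5, 4, "Interactive"}, {5, 6, "Service"},
    {5, 7, "Anonymous Logon"}, {5, 10, "Principal Self"}, {5, 11, "Authenticated Users"},
    {5, 12, "Restricted Code"}, {5, 13, "Terminal Server User"}, {5, 18, "Local System"},
};

/* Domain-relative RIDs: names are the page's constants, values are winnt.h's. */
static const struct { uint32_t rid; const char *name; } domain_rids[] = {
    {500, "DOMAIN_USER_RID_ADMIN"}, {501, "DOMAIN_USER_RID_GUEST"},
    {512, "DOMAIN_GROUP_RID_ADMINS"}, {513, "DOMAIN_GROUP_RID_USERS"},
    {514, "DOMAIN_GROUP_RID_GUESTS"}, {515, "DOMAIN_GROUP_RID_COMPUTERS"},
    {516, "DOMAIN_GROUP_RID_CONTROLLERS"}, {517, "DOMAIN_GROUP_RID_CERT_ADMINS"},
    {518, "DOMAIN_GROUP_RID_SCHEMA_ADMINS"}, {519, "DOMAIN_GROUP_RID_ENTERPRISE_ADMINS"},
    {520, "DOMAIN_GROUP_RID_POLICY_ADMINS"}, {544, "DOMAIN_ALIAS_RID_ADMINS"},
    {545, "DOMAIN_ALIAS_RID_USERS"}, {546, "DOMAIN_ALIAS_RID_GUESTS"},
    {547, "DOMAIN_ALIAS_RID_POWER_USERS"}, {548, "DOMAIN_ALIAS_RID_ACCOUNT_OPS"},
    {549, "DOMAIN_ALIAS_RID_SYSTEM_OPS"}, {550, "DOMAIN_ALIAS_RID_PRINT_OPS"},
    {551, "DOMAIN_ALIAS_RID_BACKUP_OPS"}, {552, "DOMAIN_ALIAS_RID_REPLICATOR"},
    {553, "DOMAIN_ALIAS_RID_RAS_SERVERS"}, {554, "DOMAIN_ALIAS_RID_PREW2KCOMPACCESS"},
};

static const char *domain_rid_name(uint32_t rid)
{
    for (size_t i = 0; i < sizeof domain_rids / sizeof domain_rids[0]; i++)
        if (domain_rids[i].rid == rid) return domain_rids[i].name;
    return NULL;
}

/* Map a SID string to a well-known name, or say why it is not one. */
const char *describe_sid(const char *s)
{
    uint64_t auth;
    uint32_t subs[MAX_SUB_AUTHORITIES];
    int n = parse_sid_string(s, &auth, subs);
    if (n < 0) return "invalid SID string";
    if (n == 1)
        for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++)
            if (fixed[i].auth == auth && fixed[i].rid == subs[0]) return fixed[i].name;
    if (auth != 5) return "not a well-known SID";
    if (n == 3 && subs[0] == 5) return "logon session (SECURITY_LOGON_IDS_RID)";
    if (n == 2 && subs[0] == 32) {               /* S-1-5-32-<rid>: the built-in domain */
        const char *nm = domain_rid_name(subs[1]);
        return nm ? nm : "BUILTIN domain, RID not well-known";
    }
    if (n == 5 && subs[0] == 21) {               /* S-1-5-21-X-Y-Z-<rid>: a domain */
        const char *nm = domain_rid_name(subs[4]);
        return nm ? nm : "domain-relative RID, not well-known";
    }
    return "not a well-known SID";
}

/* Count ACL entries granted to the broadest principals on the page: Everyone,
 * Anonymous Logon, and the Pre-Windows 2000 Compatible Access alias the page
 * equates with Everyone access. A non-zero count on a sensitive object is
 * worth a review. */
int count_broad_grants(const char *const *sids, size_t count)
{
    int hits = 0;
    for (size_t i = 0; i < count; i++) {
        const char *d = describe_sid(sids[i]);
        if (strcmp(d, "Everyone (World)") == 0 || strcmp(d, "Anonymous Logon") == 0 ||
            strcmp(d, "DOMAIN_ALIAS_RID_PREW2KCOMPACCESS") == 0)
            hits++;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample ACL trustees; the domain identifier 111-222-333 is made up. */
    const char *const acl[] = { "S-1-1-0", "S-1-5-32-544", "S-1-5-7", "S-1-5-21-111-222-333-512" };
    for (size_t i = 0; i < 4; i++) printf("%-28s %s\n", acl[i], describe_sid(acl[i]));
    printf("broad grants: %d\n", count_broad_grants(acl, 4));
    return 0;
}
```

Only a SID with the S-1-5-21 prefix and exactly five subauthorities is treated as a domain account or group, and only S-1-5-32 with one trailing RID as a built-in alias; any other shape is reported as not well-known rather than guessed at, which keeps the classifier from mislabelling a malformed or truncated string in a log.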