Security
Windows 2000 Server supports authenticated logon, meaning that the user must present credentials (usually a combination of user name and password) for identification. Once the user is authenticated by the operating system, a security token is attached to all applications that the user runs. All processes (applications) must have a token associated with them that identifies the user and the Windows groups to which that user belongs. The token contains the user’s security identifier (SID) and the SIDs of all the groups to which the user belongs. An SID uniquely identifies all users and groups (of users) in the Microsoft® Windows® operating system.
In order to log on, the user must have an account in either the security account manager (SAM) database or in the Microsoft® Active Directory™ directory service.
What Does an SID Look Like?
Fortunately, most administrators will never have to deal with SIDs directly. Here is a sample SID:
The first part, S-1-5, identifies Windows 2000 Server; the next four blocks of numbers identify the Windows domain or workgroup; and the last number identifies the particular user or group.
Well-Known SIDs
Each and every account and group in the Windows operating system has a unique SID, which is also unique to that domain of servers. However, some SIDs are termed well-known. In other words, they are the same regardless of what domain you use. These SIDs include:
| Account | SID | Comment |
| --- | --- | --- |
| LocalSystem | S-1-5-18 | The account which most system services use |
| Everyone | S-1-1-0 | All users; the Everyone group |
| Interactive | S-1-5-4 | Users who can log on for interactive operation |
| Network | S-1-5-2 | Users who can log on across a network |
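The SID structure described above, worked as an added example that is not part of the original page: a Python sketch that decodes a binary SID into its string form, looks it up in the well-known table, and splits a domain account SID into its domain part and final user or group number. The binary layout used (revision byte, sub-authority count, 48-bit authority, 32-bit little-endian sub-authorities), the `S-1-5-21-...` account form, the function names and the sample values are supplied here as assumptions of the example, not taken from the page.

```python
import struct

# Well-known SIDs from the table above.
WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-1-0": "Everyone",
              "S-1-5-4": "Interactive", "S-1-5-2": "Network"}

# Constructed sample values, not taken from any real system.
SAMPLE_ACCOUNT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_BINARY_SID = bytes([1, 1]) + (5).to_bytes(6, "big") + struct.pack("<I", 18)


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (as stored in a token or a directory attribute)."""
    if len(raw) < 8:
        raise ValueError("binary SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def describe(sid: str) -> dict:
    """Split a string SID into the parts the text describes."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(
            p.isascii() and p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    info = {"sid": sid, "authority": int(parts[2]),
            "well_known": WELL_KNOWN.get(sid), "domain": None, "rid": None}
    subs = parts[3:]
    # Accounts issued by a domain or machine: S-1-5-21-<three numbers>-<RID>.
    if parts[1:3] == ["1", "5"] and len(subs) == 5 and subs[0] == "21":
        info["domain"] = "-".join(parts[:-1])   # shared by every account in the domain
        info["rid"] = int(parts[-1])            # identifies the user or group
    return info


if __name__ == "__main__":
    print(describe(sid_from_bytes(SAMPLE_BINARY_SID)))
    print(describe(SAMPLE_ACCOUNT_SID))
```

Comparing on the decoded SID rather than on an account's display name matters when reviewing access control entries, because names can be renamed or localized while the SID stays the same.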
See the following: