Security

Authentication in Windows 2000 Server

Windows 2000 Server supports authenticated logon: the user must present credentials (usually a user name and password) to prove identity. Once the operating system has authenticated the user, an access token is attached to every process the user starts. Every process must have a token that identifies the user and the Windows groups to which that user belongs. The token holds the user's security identifier (SID) and the SIDs of all the groups of which the user is a member, and the operating system checks these SIDs against an object's access control list whenever the process tries to use that object. A SID uniquely identifies each user and group in the Microsoft® Windows® operating system.

In order to log on, the user must have an account in either the security account manager (SAM) database or in the Microsoft® Active Directory™ directory service.

What Does a SID Look Like?

Fortunately, most administrators will never have to deal with SIDs directly. Here is a sample SID:

S-1-5-21-2127521184-1604012920-1887927527-1004

Reading left to right: S marks the string as a SID, 1 is the SID revision level, and 5 is the identifier authority (the Windows NT authority, under which all account and group SIDs are issued). The next four blocks, 21-2127521184-1604012920-1887927527, identify the Windows domain (or, for local accounts, the individual computer); the three large numbers are generated when the domain or computer is created, which is why the same user name on two domains gets two different SIDs. The last number, 1004, is the relative identifier (RID) that names the particular user or group within that domain.

Well-Known SIDs

Every account and group in the Windows operating system has its own SID, and because the SID carries the domain identifier it is unique across domains as well as within one. Some SIDs, however, are termed well-known: they have the same value in every domain and on every computer, so they can be written into access control lists without knowing which domain a system belongs to. These SIDs include:

Account        SID         Comment
LocalSystem    S-1-5-18    The account under which most system services run
Everyone       S-1-1-0     All users; the Everyone group
Interactive    S-1-5-4     Added to the token of any user who logged on interactively (at the console)
Network        S-1-5-2     Added to the token of any user who logged on across the network
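The structure described under "What Does a SID Look Like?" and the well-known values in the table above can both be handled mechanically. The following is an added example and is not code from the original Microsoft page: a small Python parser that splits a SID string into revision, identifier authority, sub-authorities and RID, separates the domain part from the RID, converts between the string form and the binary form stored in tokens and access control lists, and names the well-known SIDs listed in the table. The binary layout (one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority, then each sub-authority as a 32-bit little-endian integer) is the standard Windows layout; the class and function names are my own.

```python
"""Parse, classify and serialize Windows security identifiers (SIDs)."""
import struct
from dataclasses import dataclass

# Well-known SIDs from the table on this page; fixed values, identical in every domain.
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-1-0": "Everyone",
    "S-1-5-4": "Interactive",
    "S-1-5-2": "Network",
}

SID_REVISION = 1          # the only revision Windows has ever used
MAX_SUB_AUTHORITIES = 15  # upper bound imposed by the Windows SID structure


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int          # 48-bit identifier authority; 5 is the NT authority
    sub_authorities: tuple  # e.g. (21, 2127521184, 1604012920, 1887927527, 1004)

    @classmethod
    def parse(cls, text):
        """Parse the string form, e.g. 'S-1-5-21-...-1004'."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        revision = int(parts[1])
        if revision != SID_REVISION:
            raise ValueError(f"unsupported SID revision {revision}")
        # Authorities of 2**32 or more are written in hex (0x...) in string form.
        authority = int(parts[2], 0)
        if not 0 <= authority < 2 ** 48:
            raise ValueError("identifier authority out of range")
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > MAX_SUB_AUTHORITIES or any(not 0 <= s < 2 ** 32 for s in subs):
            raise ValueError("sub-authority count or value out of range")
        return cls(revision, authority, subs)

    def __str__(self):
        auth = str(self.authority) if self.authority < 2 ** 32 else f"0x{self.authority:012X}"
        return "-".join(["S", str(self.revision), auth, *map(str, self.sub_authorities)])

    @property
    def rid(self):
        """The relative identifier: the last sub-authority, naming the user or group."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain(self):
        """The domain (or local computer) identifier S-1-5-21-x-y-z, or None if the
        SID is not an account SID with that shape (well-known SIDs have no domain)."""
        subs = self.sub_authorities
        if self.authority == 5 and len(subs) == 5 and subs[0] == 21:
            return Sid(self.revision, self.authority, subs[:-1])
        return None

    def to_bytes(self):
        """Binary form: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
        followed by each sub-authority as a 32-bit little-endian integer."""
        head = struct.pack(">BB", self.revision, len(self.sub_authorities))
        auth = self.authority.to_bytes(6, "big")
        subs = struct.pack("<%dI" % len(self.sub_authorities), *self.sub_authorities)
        return head + auth + subs

    @classmethod
    def from_bytes(cls, data):
        """Inverse of to_bytes; rejects buffers whose length disagrees with the count byte."""
        if len(data) < 8:
            raise ValueError("truncated SID")
        revision, count = data[0], data[1]
        if count > MAX_SUB_AUTHORITIES or len(data) != 8 + 4 * count:
            raise ValueError("SID length does not match sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack("<%dI" % count, data[8:])
        return cls(revision, authority, subs)


def describe(text):
    """One-line classification of a SID string, in the terms used on this page."""
    sid = Sid.parse(text)
    name = WELL_KNOWN.get(str(sid))
    if name:
        return f"{sid}: well-known ({name})"
    dom = sid.domain
    if dom:
        return f"{sid}: RID {sid.rid} in domain {dom}"
    return f"{sid}: authority {sid.authority}, sub-authorities {list(sid.sub_authorities)}"


if __name__ == "__main__":
    for s in ("S-1-5-21-2127521184-1604012920-1887927527-1004", "S-1-5-18", "S-1-1-0"):
        print(describe(s))
        print("  binary:", Sid.parse(s).to_bytes().hex())
```

Two things in the code are worth noting for practitioners. First, `from_bytes` insists that the buffer length match the sub-authority count byte; code that reads SIDs out of untrusted binary (a captured token, an ACL parsed from disk) should do the same rather than trusting the count. Second, the well-known lookup compares the full string, so a SID such as S-1-5-21-...-18 is not mistaken for LocalSystem: only the exact value S-1-5-18 is well-known.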

© 1997-1999 Microsoft Corporation. All rights reserved.