Well-known SIDs
Well-known security identifiers (SIDs) identify generic groups and generic users. For example, there are well-known SIDs to identify the following groups and users:
- Everyone or World, which is a group that includes all users.
- CREATOR_OWNER, which is used as a placeholder in an inheritable ACE. When the ACE is inherited, the system replaces the CREATOR_OWNER SID with the SID of the object's creator.
- The Administrators group for the built-in domain on the local computer.
There are universal well-known SIDs, which are meaningful on all secure systems using this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows systems.
The Windows API defines a set of constants for well-known identifier authority and relative identifier (RID) values. You can use these constants to create well-known SIDs. The following example combines the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants to show the universal well-known SID for the special group representing all users (Everyone or World):
S-1-1-0
This example uses the string notation for SIDs in which S identifies the string as a SID, the first 1 is the revision level of the SID, and the remaining two digits are the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants.
You can use the AllocateAndInitializeSid function to build a SID by combining an identifier authority value with up to eight subauthority values. For example, to determine whether the logged-on user is a member of a particular well-known group, call AllocateAndInitializeSid to build a SID for the well-known group and use the EqualSid function to compare that SID to the group SIDs in the user's access token. For an example, see Searching for a SID in an Access Token in C++. You must call the FreeSid function to free a SID allocated by AllocateAndInitializeSid.
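The following portable C is an added example, not code from the Windows SDK or from this page. It models the SID structure and the build-and-compare workflow described above: a `sid_init` that mirrors AllocateAndInitializeSid (one identifier authority plus up to eight subauthorities), a `sid_encode` that emits the byte layout a token or security descriptor carries, a `sid_to_string` for the S-1-... notation, and an EqualSid-style comparison used to search a constructed list of token groups. The `sid_*` names are this example's own; the constants take the values from the tables on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Windows SDK code: a portable model of the SID layout and
 * of the AllocateAndInitializeSid / EqualSid workflow.  The sid_* functions are
 * this example's own names; the constants carry the values from this page. */

#define MAX_SUBS_HERE                 8   /* AllocateAndInitializeSid takes up to eight */
#define SECURITY_WORLD_SID_AUTHORITY  1
#define SECURITY_NT_AUTHORITY         5
#define SECURITY_WORLD_RID            0
#define SECURITY_BUILTIN_DOMAIN_RID   32
#define DOMAIN_ALIAS_RID_ADMINS       0x220
#define DOMAIN_ALIAS_RID_USERS        0x221

/* Same field order as the Windows SID structure: revision, subauthority count,
 * 6-byte big-endian identifier authority, then little-endian 32-bit subauthorities. */
typedef struct {
    uint8_t  revision;
    uint8_t  sub_authority_count;
    uint8_t  identifier_authority[6];
    uint32_t sub_authority[MAX_SUBS_HERE];
} sid_t;

/* Build a SID from one identifier authority and up to eight subauthorities.
 * Returns 0 on success, -1 when the count is out of range. */
int sid_init(sid_t *sid, uint64_t authority, int count, const uint32_t *subs)
{
    if (count < 0 || count > MAX_SUBS_HERE) return -1;
    memset(sid, 0, sizeof *sid);
    sid->revision = 1;                                   /* SID_REVISION */
    sid->sub_authority_count = (uint8_t)count;
    for (int i = 0; i < 6; i++)
        sid->identifier_authority[i] = (uint8_t)(authority >> (8 * (5 - i)));
    for (int i = 0; i < count; i++)
        sid->sub_authority[i] = subs[i];
    return 0;
}

/* Serialise to the byte layout found in tokens and security descriptors.
 * Returns the encoded length: 8 + 4 * count. */
size_t sid_encode(const sid_t *sid, uint8_t *out)
{
    out[0] = sid->revision;
    out[1] = sid->sub_authority_count;
    memcpy(out + 2, sid->identifier_authority, 6);
    for (int i = 0; i < sid->sub_authority_count; i++)
        for (int b = 0; b < 4; b++)
            out[8 + 4 * i + b] = (uint8_t)(sid->sub_authority[i] >> (8 * b));
    return 8 + 4 * (size_t)sid->sub_authority_count;
}

/* Render the S-R-I-S... string notation.  Returns the length written, or -1
 * if the buffer is too small. */
int sid_to_string(const sid_t *sid, char *out, size_t out_len)
{
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid->identifier_authority[i];
    int n = snprintf(out, out_len, "S-%u-%llu", (unsigned)sid->revision, (unsigned long long)auth);
    for (int i = 0; i < sid->sub_authority_count && n >= 0 && (size_t)n < out_len; i++)
        n += snprintf(out + n, out_len - (size_t)n, "-%u", (unsigned)sid->sub_authority[i]);
    return (n >= 0 && (size_t)n < out_len) ? n : -1;
}

/* EqualSid semantics: equal only when every field matches. */
int sid_equal(const sid_t *a, const sid_t *b)
{
    return a->revision == b->revision
        && a->sub_authority_count == b->sub_authority_count
        && memcmp(a->identifier_authority, b->identifier_authority, 6) == 0
        && memcmp(a->sub_authority, b->sub_authority,
                  a->sub_authority_count * sizeof(uint32_t)) == 0;
}

/* The membership check from the text: walk the group SIDs of a token (an array
 * standing in for TOKEN_GROUPS) and compare each with EqualSid semantics. */
int sid_in_groups(const sid_t *wanted, const sid_t *groups, int count)
{
    for (int i = 0; i < count; i++)
        if (sid_equal(wanted, &groups[i])) return 1;
    return 0;
}

int sid_everyone(sid_t *sid)          /* S-1-1-0 */
{
    uint32_t rid = SECURITY_WORLD_RID;
    return sid_init(sid, SECURITY_WORLD_SID_AUTHORITY, 1, &rid);
}

int sid_builtin_admins(sid_t *sid)    /* S-1-5-32-544 */
{
    uint32_t subs[2] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS };
    return sid_init(sid, SECURITY_NT_AUTHORITY, 2, subs);
}

int main(void)
{
    sid_t everyone, admins, groups[2];
    uint32_t users[2] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS };
    char buf[64];
    uint8_t raw[64];
    sid_everyone(&everyone);
    sid_builtin_admins(&admins);
    /* Constructed token: member of Everyone and BUILTIN\Users, not Administrators. */
    groups[0] = everyone;
    sid_init(&groups[1], SECURITY_NT_AUTHORITY, 2, users);
    sid_to_string(&admins, buf, sizeof buf);
    printf("%s in token: %s\n", buf, sid_in_groups(&admins, groups, 2) ? "yes" : "no");
    size_t len = sid_encode(&admins, raw);
    for (size_t i = 0; i < len; i++) printf("%02X ", raw[i]);
    printf("\n");
    return 0;
}
```

On Windows the same steps are AllocateAndInitializeSid, GetTokenInformation with TokenGroups, EqualSid in a loop, and FreeSid when done. Note that the comparison is over the whole SID: BUILTIN\Administrators (S-1-5-32-544) and a domain's Domain Admins group (S-1-5-21-...-512) are different SIDs, and a check for one does not cover the other.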
The remainder of this section contains tables of well-known SIDs and tables of identifier authority and subauthority constants that you can use to build well-known SIDs.
The following are some universal well-known SIDs.
| Universal well-known SID | String value | Identifies |
|---|---|---|
| Null SID | S-1-0-0 | A group with no members. This is often used when a SID value is not known. |
| World | S-1-1-0 | A group that includes all users. |
| Local | S-1-2-0 | Users who log on to terminals locally (physically) connected to the system. |
| Creator Owner ID | S-1-3-0 | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. |
| Creator Group ID | S-1-3-1 | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. |
The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs; the last value is used with Windows well-known SIDs.
| Identifier authority | Value | String value |
|---|---|---|
| SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 |
| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
| SECURITY_NT_AUTHORITY | 5 | S-1-5 |
The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
| Relative identifier | Value | String value |
|---|---|---|
| SECURITY_NULL_RID | 0 | S-1-0-0 |
| SECURITY_WORLD_RID | 0 | S-1-1-0 |
| SECURITY_LOCAL_RID | 0 | S-1-2-0 |
| SECURITY_LOCAL_LOGON_RID | 1 | S-1-2-1 |
| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3-0 |
| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3-1 |
The SECURITY_NT_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal but are meaningful only on Windows installations. You can use the following RID values with SECURITY_NT_AUTHORITY to create well-known SIDs.
| Constant | String value | Identifies |
|---|---|---|
| SECURITY_DIALUP_RID | S-1-5-1 | Users who log on to terminals using a dial-up modem. This is a group identifier. |
| SECURITY_NETWORK_RID | S-1-5-2 | Users who log on across a network. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. |
| SECURITY_BATCH_RID | S-1-5-3 | Users who log on using a batch queue facility. This is a group identifier added to the token of a process when it was logged on as a batch job. The corresponding logon type is LOGON32_LOGON_BATCH. |
| SECURITY_INTERACTIVE_RID | S-1-5-4 | Users who log on for interactive operation. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. |
| SECURITY_LOGON_IDS_RID | S-1-5-5-*X*-*Y* | A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The X and Y values for these SIDs are different for each logon session. The value SECURITY_LOGON_IDS_RID_COUNT is the number of RIDs in this identifier (5-X-Y). |
| SECURITY_SERVICE_RID | S-1-5-6 | Accounts authorized to log on as a service. This is a group identifier added to the token of a process when it was logged on as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. |
| SECURITY_ANONYMOUS_LOGON_RID | S-1-5-7 | Anonymous logon, or null session logon. |
| SECURITY_PROXY_RID | S-1-5-8 | Proxy. |
| SECURITY_ENTERPRISE_CONTROLLERS_RID | S-1-5-9 | Enterprise controllers. |
| SECURITY_PRINCIPAL_SELF_RID | S-1-5-10 | The PRINCIPAL_SELF security identifier can be used in the ACL of a user or group object. During an access check, the system replaces the SID with the SID of the object. The PRINCIPAL_SELF SID is useful for specifying an inheritable ACE that applies to the user or group object that inherits the ACE. It is the only way of representing the SID of a created object in the default security descriptor of the schema. |
| SECURITY_AUTHENTICATED_USER_RID | S-1-5-11 | The authenticated users. |
| SECURITY_RESTRICTED_CODE_RID | S-1-5-12 | Restricted code. |
| SECURITY_TERMINAL_SERVER_RID | S-1-5-13 | Terminal Services. Automatically added to the security token of a user who logs on to a terminal server. |
| SECURITY_LOCAL_SYSTEM_RID | S-1-5-18 | A special account used by the operating system. |
| SECURITY_NT_NON_UNIQUE | S-1-5-21 | SIDs are not unique. |
| SECURITY_BUILTIN_DOMAIN_RID | S-1-5-32 | The built-in system domain. |
| SECURITY_WRITE_RESTRICTED_CODE_RID | S-1-5-33 | Write restricted code. |
| SECURITY_RESTRICTED_SERVICES_BASE_RID | S-1-5-99 | Restricted Services. |
The following RIDs are relative to each domain.
| RID | Value | Identifies |
|---|---|---|
| DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP | 0x0000023E | The group of users who can connect to certification authorities using Distributed Component Object Model (DCOM). |
| DOMAIN_USER_RID_ADMIN | 0x000001F4 | The administrative user account in a domain. |
| DOMAIN_USER_RID_GUEST | 0x000001F5 | The guest-user account in a domain. Users who do not have an account can automatically log on to this account. |
| DOMAIN_GROUP_RID_ADMINS | 0x00000200 | The domain administrators' group. This account exists only on systems running server operating systems. |
| DOMAIN_GROUP_RID_USERS | 0x00000201 | A group that contains all user accounts in a domain. All users are automatically added to this group. |
| DOMAIN_GROUP_RID_GUESTS | 0x00000202 | The guest-group account in a domain. |
| DOMAIN_GROUP_RID_COMPUTERS | 0x00000203 | The domain computers' group. All computers in the domain are members of this group. |
| DOMAIN_GROUP_RID_CONTROLLERS | 0x00000204 | The domain controllers' group. All DCs in the domain are members of this group. |
| DOMAIN_GROUP_RID_CERT_ADMINS | 0x00000205 | The certificate publishers' group. Computers running Certificate Services are members of this group. |
| DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS | 0x000001F2 | The group of enterprise read-only domain controllers. |
| DOMAIN_GROUP_RID_SCHEMA_ADMINS | 0x00000206 | The schema administrators' group. Members of this group can modify the Active Directory schema. |
| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 0x00000207 | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains. |
| DOMAIN_GROUP_RID_POLICY_ADMINS | 0x00000208 | The policy administrators' group. |
| DOMAIN_GROUP_RID_READONLY_CONTROLLERS | 0x00000209 | The group of read-only domain controllers. |
| DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS | 0x0000020A | The group of cloneable domain controllers. |
| DOMAIN_GROUP_RID_CDC_RESERVED | 0x0000020C | The reserved CDC group. |
| DOMAIN_GROUP_RID_PROTECTED_USERS | 0x0000020D | The protected users group. |
| DOMAIN_GROUP_RID_KEY_ADMINS | 0x0000020E | The key admins group. |
| DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS | 0x0000020F | The enterprise key admins group. |
The following RIDs are used to specify mandatory integrity level.
| RID | Value | Identifies |
|---|---|---|
| SECURITY_MANDATORY_UNTRUSTED_RID | 0x00000000 | Untrusted. |
| SECURITY_MANDATORY_LOW_RID | 0x00001000 | Low integrity. |
| SECURITY_MANDATORY_MEDIUM_RID | 0x00002000 | Medium integrity. |
| SECURITY_MANDATORY_MEDIUM_PLUS_RID | SECURITY_MANDATORY_MEDIUM_RID + 0x100 | Medium high integrity. |
| SECURITY_MANDATORY_HIGH_RID | 0x00003000 | High integrity. |
| SECURITY_MANDATORY_SYSTEM_RID | 0x00004000 | System integrity. |
| SECURITY_MANDATORY_PROTECTED_PROCESS_RID | 0x00005000 | Protected process. |
The following table has examples of domain-relative RIDs that you can use to form well-known SIDs for local groups (aliases). For more information about local and global groups, see Local Group Functions and Group Functions.
| RID | Value | String value | Identifies |
|---|---|---|---|
| DOMAIN_ALIAS_RID_ADMINS | 0x00000220 | S-1-5-32-544 | A local group used for administration of the domain. |
| DOMAIN_ALIAS_RID_USERS | 0x00000221 | S-1-5-32-545 | A local group that represents all users in the domain. |
| DOMAIN_ALIAS_RID_GUESTS | 0x00000222 | S-1-5-32-546 | A local group that represents guests of the domain. |
| DOMAIN_ALIAS_RID_POWER_USERS | 0x00000223 | S-1-5-32-547 | A local group used to represent a user or set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users. |
| DOMAIN_ALIAS_RID_ACCOUNT_OPS | 0x00000224 | S-1-5-32-548 | A local group that exists only on systems running server operating systems. This local group permits control over nonadministrator accounts. |
| DOMAIN_ALIAS_RID_SYSTEM_OPS | 0x00000225 | S-1-5-32-549 | A local group that exists only on systems running server operating systems. This local group performs system administrative functions, not including security functions. It establishes network shares, controls printers, unlocks workstations, and performs other operations. |
| DOMAIN_ALIAS_RID_PRINT_OPS | 0x00000226 | S-1-5-32-550 | A local group that exists only on systems running server operating systems. This local group controls printers and print queues. |
| DOMAIN_ALIAS_RID_BACKUP_OPS | 0x00000227 | S-1-5-32-551 | A local group used for controlling assignment of file backup-and-restore privileges. |
| DOMAIN_ALIAS_RID_REPLICATOR | 0x00000228 | S-1-5-32-552 | A local group responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system. |
| DOMAIN_ALIAS_RID_RAS_SERVERS | 0x00000229 | S-1-5-32-553 | A local group that represents RAS and IAS servers. This group permits access to various attributes of user objects. |
| DOMAIN_ALIAS_RID_PREW2KCOMPACCESS | 0x0000022A | S-1-5-32-554 | A local group that exists only on systems running Windows 2000 Server. For more information, see Allowing Anonymous Access. |
| DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS | 0x0000022B | S-1-5-32-555 | A local group that represents all remote desktop users. |
| DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS | 0x0000022C | S-1-5-32-556 | A local group that represents the network configuration operators. |
| DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS | 0x0000022D | S-1-5-32-557 | A local group that represents any forest trust users. |
| DOMAIN_ALIAS_RID_MONITORING_USERS | 0x0000022E | S-1-5-32-558 | A local group that represents all users being monitored. |
| DOMAIN_ALIAS_RID_LOGGING_USERS | 0x0000022F | S-1-5-32-559 | A local group responsible for logging users. |
| DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS | 0x00000230 | S-1-5-32-560 | A local group that represents all authorized access. |
| DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS | 0x00000231 | S-1-5-32-561 | A local group that exists only on systems running server operating systems that allow for terminal services and remote access. |
| DOMAIN_ALIAS_RID_DCOM_USERS | 0x00000232 | S-1-5-32-562 | A local group that represents users who can use Distributed Component Object Model (DCOM). |
| DOMAIN_ALIAS_RID_IUSERS | 0x00000238 | S-1-5-32-568 | A local group that represents Internet users. |
| DOMAIN_ALIAS_RID_CRYPTO_OPERATORS | 0x00000239 | S-1-5-32-569 | A local group that represents cryptography operators. |
| DOMAIN_ALIAS_RID_CACHEABLE_PRINCIPALS_GROUP | 0x0000023B | S-1-5-32-571 | A local group that represents principals that can be cached. |
| DOMAIN_ALIAS_RID_NON_CACHEABLE_PRINCIPALS_GROUP | 0x0000023C | S-1-5-32-572 | A local group that represents principals that cannot be cached. |
| DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP | 0x0000023D | S-1-5-32-573 | A local group that represents event log readers. |
| DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP | 0x0000023E | S-1-5-32-574 | The local group of users who can connect to certification authorities using Distributed Component Object Model (DCOM). |
| DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS | 0x0000023F | S-1-5-32-575 | A local group that represents RDS remote access servers. |
| DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS | 0x00000240 | S-1-5-32-576 | A local group that represents endpoint servers. |
| DOMAIN_ALIAS_RID_RDS_MANAGEMENT_SERVERS | 0x00000241 | S-1-5-32-577 | A local group that represents management servers. |
| DOMAIN_ALIAS_RID_HYPER_V_ADMINS | 0x00000242 | S-1-5-32-578 | A local group that represents Hyper-V admins. |
| DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS | 0x00000243 | S-1-5-32-579 | A local group that represents access control assistance operators. |
| DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS | 0x00000244 | S-1-5-32-580 | A local group that represents remote management users. |
| DOMAIN_ALIAS_RID_DEFAULT_ACCOUNT | 0x00000245 | S-1-5-32-581 | A local group that represents the default account. |
| DOMAIN_ALIAS_RID_STORAGE_REPLICA_ADMINS | 0x00000246 | S-1-5-32-582 | A local group that represents storage replica admins. |
| DOMAIN_ALIAS_RID_DEVICE_OWNERS | 0x00000247 | S-1-5-32-583 | A local group whose members can make the settings expected of Device Owners. |
| DOMAIN_ALIAS_RID_USER_MODE_HARDWARE_OPERATORS | 0x00000248 | S-1-5-32-584 | Members of this group can access user mode mapper drivers. |
The WELL_KNOWN_SID_TYPE enumeration defines the list of commonly used SIDs. Additionally, the Security Descriptor Definition Language (SDDL) uses SID strings to reference well-known SIDs in a string format.
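The following stand-alone C is an added example, not part of the original page or the Windows SDK. It parses the S-1-... string notation strictly and maps a SID to the well-known constant it carries, using a subset of the RID tables above: single-RID SIDs under SECURITY_NT_AUTHORITY, aliases under the built-in domain (S-1-5-32), and domain-relative RIDs at the end of an S-1-5-21-... SID. It goes beyond the page in one respect: the mandatory-integrity RIDs are placed under identifier authority 16, which is SECURITY_MANDATORY_LABEL_AUTHORITY in the SDK headers and is not listed on this page. The `parse_sid` and `classify_sid` names and the sample SID strings are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Windows SDK code.  parse_sid / classify_sid are this
 * example's names; the RID tables below are a subset of those on this page.
 * Authority 16 for the integrity RIDs is assumed from the SDK
 * (SECURITY_MANDATORY_LABEL_AUTHORITY), not from this page. */

#define MAX_SUBS 15   /* SID_MAX_SUB_AUTHORITIES in the SDK headers */

typedef struct {
    uint64_t authority;
    int      count;
    uint32_t sub[MAX_SUBS];
} parsed_sid;

/* Read one unsigned field; rejects the sign, whitespace and empty fields that
 * strtoull would otherwise accept.  Returns 0 and advances *p on success. */
static int read_field(const char **p, int base, unsigned long long max, unsigned long long *v)
{
    const char *s = *p;
    char *end;
    if (*s < '0' || *s > '9') return -1;
    *v = strtoull(s, &end, base);
    if (end == s || *v > max) return -1;
    *p = end;
    return 0;
}

/* Strict parser for "S-1-<authority>-<sub>-...".  Returns 0 on success, -1 on
 * malformed input: wrong revision, missing or empty field, out-of-range value,
 * too many subauthorities, or trailing characters. */
int parse_sid(const char *s, parsed_sid *out)
{
    unsigned long long v;
    memset(out, 0, sizeof *out);
    if (!s || s[0] != 'S' || s[1] != '-') return -1;
    s += 2;
    if (read_field(&s, 10, 1, &v) || v != 1 || *s != '-') return -1;      /* revision 1 only */
    s++;
    int base = (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) ? 16 : 10;   /* large authorities are hex */
    if (read_field(&s, base, (1ULL << 48) - 1, &v)) return -1;             /* 48-bit authority */
    out->authority = v;
    while (*s == '-') {
        s++;
        if (out->count == MAX_SUBS) return -1;
        if (read_field(&s, 10, 0xFFFFFFFFULL, &v)) return -1;
        out->sub[out->count++] = (uint32_t)v;
    }
    return *s == '\0' ? 0 : -1;
}

typedef struct { uint32_t rid; const char *name; } rid_name;

/* Domain-relative RIDs: the trailing subauthority of an S-1-5-21-... SID. */
static const rid_name domain_rids[] = {
    { 0x1F4, "DOMAIN_USER_RID_ADMIN" },  { 0x1F5, "DOMAIN_USER_RID_GUEST" },
    { 0x200, "DOMAIN_GROUP_RID_ADMINS" }, { 0x201, "DOMAIN_GROUP_RID_USERS" },
    { 0x204, "DOMAIN_GROUP_RID_CONTROLLERS" }, { 0x206, "DOMAIN_GROUP_RID_SCHEMA_ADMINS" },
    { 0x207, "DOMAIN_GROUP_RID_ENTERPRISE_ADMINS" }, { 0x20D, "DOMAIN_GROUP_RID_PROTECTED_USERS" },
};
/* Aliases under the built-in domain S-1-5-32. */
static const rid_name builtin_aliases[] = {
    { 0x220, "DOMAIN_ALIAS_RID_ADMINS" }, { 0x221, "DOMAIN_ALIAS_RID_USERS" },
    { 0x223, "DOMAIN_ALIAS_RID_POWER_USERS" }, { 0x227, "DOMAIN_ALIAS_RID_BACKUP_OPS" },
    { 0x22B, "DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS" }, { 0x23D, "DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP" },
};
/* Mandatory integrity level RIDs. */
static const rid_name mandatory_rids[] = {
    { 0x0000, "SECURITY_MANDATORY_UNTRUSTED_RID" }, { 0x1000, "SECURITY_MANDATORY_LOW_RID" },
    { 0x2000, "SECURITY_MANDATORY_MEDIUM_RID" }, { 0x3000, "SECURITY_MANDATORY_HIGH_RID" },
    { 0x4000, "SECURITY_MANDATORY_SYSTEM_RID" },
};

static const char *lookup(const rid_name *t, size_t n, uint32_t rid)
{
    for (size_t i = 0; i < n; i++) if (t[i].rid == rid) return t[i].name;
    return NULL;
}
#define LOOKUP(table, rid) lookup(table, sizeof table / sizeof *table, rid)

/* Name the well-known constant a SID string carries, or NULL if it is malformed
 * or not one this example knows.  Domain SIDs are S-1-5-21-<three domain
 * subauthorities>-<RID>; the RID is checked independently of the domain part,
 * which is what lets RID 500 be recognised whatever the account is named. */
const char *classify_sid(const char *s)
{
    parsed_sid sid;
    if (parse_sid(s, &sid) != 0) return NULL;
    if (sid.authority == 1 && sid.count == 1 && sid.sub[0] == 0) return "SECURITY_WORLD_RID";
    if (sid.authority == 16 && sid.count == 1) return LOOKUP(mandatory_rids, sid.sub[0]);
    if (sid.authority != 5) return NULL;                 /* SECURITY_NT_AUTHORITY from here on */
    if (sid.count == 1) {
        switch (sid.sub[0]) {
        case 7:  return "SECURITY_ANONYMOUS_LOGON_RID";
        case 11: return "SECURITY_AUTHENTICATED_USER_RID";
        case 18: return "SECURITY_LOCAL_SYSTEM_RID";
        default: return NULL;
        }
    }
    if (sid.count == 2 && sid.sub[0] == 32) return LOOKUP(builtin_aliases, sid.sub[1]); /* SECURITY_BUILTIN_DOMAIN_RID */
    if (sid.count == 5 && sid.sub[0] == 21) return LOOKUP(domain_rids, sid.sub[4]);     /* SECURITY_NT_NON_UNIQUE */
    return NULL;
}

int main(void)
{
    /* Constructed sample values, shaped like the SID fields in audit events. */
    const char *samples[] = { "S-1-5-32-544", "S-1-5-21-1111-2222-3333-500",
                              "S-1-5-21-1111-2222-3333-1105", "S-1-16-12288", "S-1-5-" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        const char *name = classify_sid(samples[i]);
        printf("%-32s -> %s\n", samples[i], name ? name : "(not well-known or malformed)");
    }
    return 0;
}
```

The parser is deliberately strict so that log fields such as "S-1-5-" or a trailing letter are reported as malformed rather than silently truncated; on Windows, ConvertStringSidToSid and LookupAccountSid perform the string-to-SID and SID-to-name steps against the live account database, which this offline table cannot replace.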