What Are Security Identifiers?
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
A security identifier (SID) is a value of variable length that is used to uniquely identify a security principal or security group.
Each account or group has a unique SID that is issued by an authority, such as a Windows domain controller, and stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group.
Each time a user logs on, the system creates an access token for that user. The access token contains the user’s SID, the SIDs for any groups the user belongs to, and the user’s privileges. This token provides the security context for whatever actions the user executes on that computer.
In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems.
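As an added example (not part of the original article), the following Python splits a string-form SID into its revision, identifier authority and sub-authorities, encodes it in the variable-length binary layout Windows stores in access tokens and ACEs, decodes it back, and tells a well-known SID from an account SID issued by a specific domain or computer. The SID values in the tests and the short well-known table are constructed for illustration; the domain-issued pattern (NT authority 5, first sub-authority 21, four following values) is a general Windows fact, not something this article states.

```python
import struct

# Constructed, partial table of well-known SIDs, whose values are constant on every Windows system.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone (World)",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

def parse_sid(sid: str) -> dict:
    """Split an S-R-I-S... string into revision, identifier authority and sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    # Revision is always 1, the authority is a 48-bit value, and at most 15 sub-authorities are allowed.
    if revision != 1 or authority >= 1 << 48 or len(subauthorities) > 15:
        raise ValueError(f"malformed SID: {sid!r}")
    return {"revision": revision, "authority": authority,
            "subauthorities": subauthorities}

def sid_to_bytes(sid: str) -> bytes:
    """Binary layout: revision, sub-authority count, 6-byte big-endian authority, then one LE u32 per sub-authority."""
    p = parse_sid(sid)
    out = struct.pack("<BB", p["revision"], len(p["subauthorities"]))
    out += p["authority"].to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in p["subauthorities"])
    return out  # total length is 8 + 4 * count, which is why a SID is "variable length"

def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes, e.g. for a SID read out of an ACE or a token."""
    revision, count = struct.unpack_from("<BB", data, 0)
    if revision != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def describe_sid(sid: str) -> str:
    """Distinguish a well-known SID from an account SID issued by a domain or computer."""
    if sid in WELL_KNOWN_SIDS:
        return f"well-known: {WELL_KNOWN_SIDS[sid]}"
    p = parse_sid(sid)
    subs = p["subauthorities"]
    # NT authority (5) with first sub-authority 21: the next three values name the issuing domain or machine, the last is the account RID.
    if p["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        issuer = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        return f"RID {subs[4]} issued by {issuer}"
    return "other SID"
```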
SIDs are a fundamental building block of the Windows security model. They work together with specific components of the authorization and access control technologies in the Windows Server 2003 security infrastructure to help protect access to network resources and provide a more secure computing environment.
Security Identifiers Dependencies and Interactions
The Windows Server 2003 operating system uses SIDs in the following authorization and access control components:
Security principals
A security principal can be a user or computer account, or a group of these accounts — any entity that the security system recognizes. User accounts can be used by human users as well as autonomous processes. A security principal is automatically assigned a security identifier when it is created.
Although all security principals incorporate a unique SID, it is important to note that SIDs are generated and stored differently depending on the type of account they are associated with:
The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer and stored with other account information in a secure area of the registry.
The SID for a domain account or group is generated by the domain security authority and stored as an attribute of the User or Group object in the Active Directory directory service.
Access tokens
One SID in an access token identifies the user. Other SIDs identify the security groups to which the user belongs.
Security descriptors and ACLs
One SID in an object's security descriptor identifies the object's owner. Another SID identifies the owner's primary group. Within the security descriptor are access control lists (ACLs) that contain access control entries (ACEs). Each ACE contains a SID that identifies the user or group for which access is allowed, denied, or audited.
These related security components are discussed in depth in separate sections of the Microsoft Windows Server 2003 Technical Reference.
The following diagram shows the relationship of SIDs to other key components of the authorization and access control model.
Diagram: Security Identifiers in the Authorization and Access Control Process
The following resources contain additional information that is relevant to this section: