Security Identifiers

A security identifier (SID) is a unique value of variable length used to identify a security principal or security group. Windows 2000 uses SIDs in the following access control components:

Access tokens    One SID in an access token identifies the user represented by the token. Additional SIDs identify the security groups to which the user belongs.

Security descriptors    One SID in an object's security descriptor identifies the object's owner. Another SID identifies the owner's primary group.

Access control entries (ACEs)    Each ACE contains a SID that identifies the user or group for whom access is allowed, denied, or audited.

The SID that identifies a particular account or group is generated by the system at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer and stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority and stored as an attribute of the User or Group object in Active Directory.

SIDs are unique within the scope of the account or group they identify. The SID for every local account and group is unique on the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, the SID for every domain account and group is unique within an enterprise. The SID for an account or group created in a domain never matches the SID for any other account or group created in the same domain. The SID for an account or group created in one domain of an enterprise never matches the SID for an account or group created in another domain of the same enterprise.

SIDs are also unique for all time. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, suppose Alice has an account in a Windows 2000 domain, leaves her job, and then later returns to a different job at the same company. When Alice leaves her job, an administrator deletes her account and with it the SID identifying the user Alice. When Alice returns to a new job in the same company, an administrator creates a new account, and Windows 2000 generates a new SID for the user Alice. The new SID does not match the old one, so none of the access that was given to Alice's old account is transferred to Alice's new account. Her two accounts represent two completely different security principals.