
What is the security ID of Active Directory?

Published in Active Directory Security Identifiers 5 mins read

Active Directory itself, as a directory service, does not have a single SID. Each domain does, however, have a domain SID of the form S-1-5-21-X-Y-Z, stored in the objectSid attribute of the domain object, and that domain SID is the prefix of the SID of every user, group and computer created in the domain. Beyond that, Active Directory is the system that assigns, stores and manages SIDs for the security principals in its domains.

What is a Security ID (SID)?

A security identifier (SID) is a unique value that is used to identify any security entity that the Windows operating system (OS) can authenticate. These entities, often referred to as security principals, include:

  • Users: Individual user accounts.
  • Groups: Collections of user accounts, such as "Domain Admins" or "Sales Team."
  • Computers: Workstations and servers joined to the domain.
  • Services: Specific services running on a system.

Each SID is unique within the authority that issued it: a domain SID is unique across the forest, and a domain never reuses a RID, so every security principal keeps a distinct identifier for its whole lifetime even if its display name or logon name changes.

SIDs in the Context of Active Directory

In an Active Directory environment, SIDs are fundamental to how permissions and access control lists (ACLs) function. When you grant a user or group access to a resource (like a shared folder or a file), it's the SID, not the username, that is actually recorded in the resource's ACL. This design ensures that if a user's name is changed, their permissions remain intact because their underlying SID has not changed.

SID Structure

A SID is a variable-length binary structure; what you normally see is its string form, which starts with "S-1-" followed by a series of numbers separated by hyphens. Each number describes part of the structure and the entity the SID represents.

Here's a breakdown of the string form, using a domain user's SID as the running example:

  • S-: Marks the string as a SID. Example segment: S-
  • Revision level: The version of the SID structure; always 1 for current SIDs. Example segment: S-1-
  • Identifier authority: The top-level authority that issued the SID; 5 (NT Authority) for almost every principal you will meet. Example segment: S-1-5-
  • Subauthorities: Up to 15 unsigned 32-bit values. For domain and local computer accounts the first one is 21, which marks the SID as issued by a domain or computer, and the next three together form the domain SID (or, on a stand-alone machine, the machine SID). Example segment: S-1-5-21-XXXXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-
  • Relative ID (RID): The last subauthority. It is assigned by the issuing domain or computer and identifies the principal within that scope. Example segment: S-1-5-21-XXXXXXXXXX-YYYYYYYYYY-ZZZZZZZZZZ-500

Example: The built-in Administrator account of every domain has RID 500. For a domain whose SID is S-1-5-21-1234567890-987654321-1122334455, that account's SID is therefore S-1-5-21-1234567890-987654321-1122334455-500. Note that every subauthority is a 32-bit value, so no segment can exceed 4294967295; a SID string with a larger segment is malformed.
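As an added example (not code from the article), here is a parser for both forms of a SID: the binary layout stored in objectSid (revision byte, subauthority count, 48-bit big-endian identifier authority, then little-endian 32-bit subauthorities) and the S-1-... string, with a round trip between them, extraction of the domain SID and RID, and the range checks that reject a segment that does not fit in 32 bits. The sample objectSid bytes are constructed for the demonstration and encode the example SID above; the well-known tables are deliberately partial.

```python
"""Parse and rebuild Windows SIDs in both representations (added example,
not code from the article).  Active Directory stores a SID as a binary
structure in objectSid and displays it as a string such as S-1-5-21-...-500.
The sample bytes below are constructed and encode the article's example SID."""
import struct
from dataclasses import dataclass

# Well-known SIDs and well-known domain-relative RIDs (partial lists),
# used only to annotate parsed SIDs.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 519: "Enterprise Admins"}

# Constructed objectSid bytes of S-1-5-21-1234567890-987654321-1122334455-500.
SAMPLE_OBJECTSID = bytes.fromhex(
    "01"            # revision
    "05"            # subauthority count
    "000000000005"  # identifier authority, 48-bit big-endian (5 = NT Authority)
    "15000000"      # subauthority 21 (domain/computer marker), little-endian
    "d2029649"      # 1234567890
    "b168de3a"      # 987654321
    "f776e542"      # 1122334455
    "f4010000"      # RID 500
)


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    subauthorities: tuple

    def __post_init__(self):
        # Enforce the binary layout's limits, so a string with a segment above
        # 4294967295 is rejected rather than silently kept.
        if self.revision != 1:
            raise ValueError(f"unsupported SID revision {self.revision}")
        if not 0 <= self.identifier_authority < 2**48:
            raise ValueError("identifier authority must fit in 48 bits")
        if len(self.subauthorities) > 15:
            raise ValueError("at most 15 subauthorities are allowed")
        for sub in self.subauthorities:
            if not 0 <= sub < 2**32:
                raise ValueError(f"subauthority {sub} does not fit in 32 bits")

    @classmethod
    def from_string(cls, text):
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        # The authority is written in hex (0x...) when it does not fit in 32 bits.
        return cls(int(parts[1]), int(parts[2], 0), tuple(int(p) for p in parts[3:]))

    @classmethod
    def from_bytes(cls, raw):
        if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
            raise ValueError("length does not match the subauthority count")
        authority = int.from_bytes(raw[2:8], "big")
        return cls(raw[0], authority, struct.unpack(f"<{raw[1]}I", raw[8:]))

    def to_bytes(self):
        count = len(self.subauthorities)
        return (bytes([self.revision, count]) + self.identifier_authority.to_bytes(6, "big")
                + struct.pack(f"<{count}I", *self.subauthorities))

    def __str__(self):
        auth = self.identifier_authority
        auth_text = str(auth) if auth < 2**32 else f"0x{auth:012X}"
        return "-".join(["S", str(self.revision), auth_text, *map(str, self.subauthorities)])

    def split_domain(self):
        """(domain SID, RID) for an account SID issued by a domain or a
        stand-alone computer (S-1-5-21-X-Y-Z-RID); None for anything else."""
        subs = self.subauthorities
        if self.identifier_authority == 5 and len(subs) == 5 and subs[0] == 21:
            return Sid(self.revision, 5, subs[:4]), subs[4]
        return None


def describe(sid):
    """Classify a SID the way an analyst reading an ACL or a token would."""
    text = str(sid)
    if text in WELL_KNOWN_SIDS:
        return f"{text}: well-known, {WELL_KNOWN_SIDS[text]}"
    split = sid.split_domain()
    if split is None:
        return f"{text}: not a domain-issued account SID"
    domain, rid = split
    return f"{text}: domain {domain}, RID {rid} ({WELL_KNOWN_RIDS.get(rid, 'ordinary RID')})"
```

Feeding SAMPLE_OBJECTSID to Sid.from_bytes and printing describe() on the result yields the domain SID and "RID 500 (Administrator)"; feeding the article's earlier string with the segment 9876543210 to Sid.from_string raises ValueError, which is the check to run on any SID you copy out of a tool before trusting it.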

Well-Known SIDs

Windows and Active Directory also use "well-known SIDs" that represent generic groups or users and are identical on every Windows installation, so a system can recognize them without consulting any domain. Examples include:

  • S-1-1-0: Everyone
  • S-1-5-11: Authenticated Users
  • S-1-5-18: Local System
  • S-1-5-19: NT Authority\LocalService
  • S-1-5-20: NT Authority\NetworkService
  • S-1-5-32-544: Builtin\Administrators (the local Administrators group)

Alongside these, a number of RIDs are well known and keep the same meaning in every domain, appended to that domain's own SID: 500 is the built-in Administrator account, 512 is Domain Admins, 513 is Domain Users and 519 is Enterprise Admins (in the forest root domain).

How Active Directory Leverages SIDs

Active Directory relies heavily on SIDs for various core functions:

  • Access Control: Every object in Active Directory and every securable resource managed by Windows carries a Discretionary Access Control List (DACL) whose entries name SIDs, not account names. At logon the user's SID and the SIDs of all groups the user belongs to, directly or through nesting, are placed in the access token; when the user opens a resource, the SIDs in the token are matched against the entries in the DACL to determine the effective permissions.
  • Trust Relationships: SIDs also cross trusts. When a user from a trusted domain accesses a resource in a trusting domain, the user's SID and group SIDs travel in the authorization data issued by the trusted domain (for Kerberos, the PAC of the service ticket), and the trusting domain evaluates its ACLs against them.
  • User and Group Management: When a new user, group or computer is created, the domain controller takes the next RID from its RID pool, appends it to the domain SID and stores the result in the object's objectSID attribute. RIDs are not reused, so a newly created account can never inherit the permissions of a deleted one.
  • SID Filtering: On a trust, SID filtering is applied by the trusting domain to the SIDs it receives: any domain-issued SID whose domain part is not the trusted domain (on a quarantined external trust) or not a domain of the trusted forest (on a forest trust) is discarded before access is evaluated. This blocks "SID history" attacks, in which a privileged SID of the trusting forest (for example its RID-512 or RID-519 group) is planted in the sIDHistory of an account in the trusted domain so that the account gains those privileges across the trust. Leave filtering enabled unless a migration genuinely needs SID history across the trust; the current state is visible in the SIDFilteringQuarantined and SIDFilteringForestAware properties reported by Get-ADTrust.
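The filtering decision described above, modelled as an added example (this is not the article's code and not the Windows implementation): the trusting side walks the SIDs it received, keeps those whose domain part is one the trust vouches for, and drops the rest, which is exactly what defeats a planted sIDHistory entry. The domain SIDs, the incoming token and the names filter_sids and privileged_entries are constructed for the demonstration; non-domain SIDs such as S-1-5-11 are simply passed through here, whereas Windows applies its own fixed rules to those.

```python
"""Model of SID filtering on the trusting side of a trust (added example;
not the article's code and not the Windows implementation).  Every domain
SID and the token below are constructed for this demonstration."""

# Well-known domain-relative RIDs an attacker would want to smuggle in.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def domain_part(sid):
    """Domain SID of an S-1-5-21-X-Y-Z-RID account SID, or None otherwise."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None


def rid(sid):
    return int(sid.rsplit("-", 1)[1])


def filter_sids(incoming, allowed_domains, quarantine=True):
    """Return (kept, dropped) for the SIDs a trusted domain presented.

    allowed_domains: the trusted domain's SID for an external (quarantined)
    trust, or the SIDs of every domain in the trusted forest for a forest
    trust.  quarantine=False models a trust with SID filtering switched off,
    where everything, including sIDHistory, is accepted as presented.
    Non-domain SIDs (e.g. S-1-5-11) are passed through in this simplified model.
    """
    if not quarantine:
        return list(incoming), []
    kept, dropped = [], []
    for sid in incoming:
        dom = domain_part(sid)
        if dom is None or dom in allowed_domains:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


def privileged_entries(sids, local_domain):
    """SIDs that would confer a privileged RID of the trusting domain."""
    return [s for s in sids if domain_part(s) == local_domain and rid(s) in PRIVILEGED_RIDS]


# Constructed domain SIDs: the trusting (resource) domain and the trusted domain.
LOCAL_DOMAIN = "S-1-5-21-4000000001-4000000002-4000000003"
TRUSTED_DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"

# Constructed authorization data for a user of the trusted domain.  The last
# entry is an sIDHistory value naming Domain Admins of the trusting domain,
# the shape of a SID history attack across the trust.
INCOMING_TOKEN = [
    TRUSTED_DOMAIN + "-1105",   # the user's own SID
    TRUSTED_DOMAIN + "-513",    # Domain Users of the trusted domain
    "S-1-5-11",                 # Authenticated Users, not domain-issued
    LOCAL_DOMAIN + "-512",      # injected sIDHistory entry
]

if __name__ == "__main__":
    kept, dropped = filter_sids(INCOMING_TOKEN, {TRUSTED_DOMAIN})
    print("kept:   ", kept)
    print("dropped:", dropped)
    unfiltered, _ = filter_sids(INCOMING_TOKEN, {TRUSTED_DOMAIN}, quarantine=False)
    print("with filtering off, privileged:", privileged_entries(unfiltered, LOCAL_DOMAIN))
```

With quarantine on, the injected LOCAL_DOMAIN-512 entry is the only SID dropped and privileged_entries() over the kept list is empty; with quarantine off, the same entry survives and the trusted-domain user would be evaluated as a Domain Admin of the trusting domain.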

Practical Insights and Solutions

  • Viewing SIDs: You can view the SID of the account you are logged on with from the command prompt:
    whoami /user

    Or, using PowerShell with the ActiveDirectory module:

    (Get-ADUser -Identity $env:USERNAME).SID

    SID is part of the default output of Get-ADUser and Get-ADGroup, so for other principals (Get-ADUser <Username>).SID or (Get-ADGroup <GroupName>).SID is enough; adding -Properties SID is harmless but unnecessary. whoami /user also works for local accounts, which Get-ADUser cannot resolve.

  • SID History: User and group objects also carry a sIDHistory attribute, which holds SIDs the object had in other domains. When an account is migrated, the object in the target domain receives a new SID and its old SID is written to sIDHistory, so ACLs that still name the old SID keep granting access. Because every SID in sIDHistory is added to the user's token at logon, the attribute is also an attractive place for an attacker with sufficient rights to plant a privileged SID; audit it regularly and treat entries that reference RIDs such as 500, 512 or 519 of your own domain as suspect.
  • Uniqueness and Duplication: The uniqueness of SIDs is paramount. Duplicate machine SIDs, the usual result of cloning a Windows installation without running Sysprep (which generates a fresh machine SID), cause operational and security problems wherever local account SIDs are relied on, because the OS cannot distinguish two different local principals that share the same identifier. Domain accounts are unaffected, since their SIDs are derived from the domain SID rather than the machine SID.

SIDs are the backbone of security in Windows and Active Directory, providing a robust, unique, and immutable identifier for every security principal.

[[Active Directory Security Identifiers]]