What Is the SID? (Security Identifier)

SID stands for security identifier, a unique string that Windows Server automatically assigns to each computer, user and group in order to mark and clearly distinguish them. The SID cannot be altered and remains the same even if the object it refers to (e.g. the user) is renamed.

Example: The SID is entered into the ACL in order to explicitly identify the authorized user or group. If a user is renamed later on, their permissions will still remain the same because the SID of the user and in the ACL are not affected by the name change.

Windows SID Format

SIDs always follow the same structure, with values separated by dashes:

  • S: The letter S indicates that this string is a SID.
  • 1: The second position shows the revision level, i.e. the version of the SID specification. It has never been changed from 1.
  • 5: The third position marks the identifier authority, which is typically 5 for NT Authority.
  • Domain or local computer identifier: This 48-bit string identifies the computer or domain that created the SID.
  • Relative ID (RID): The RID consists of four numbers and uniquely identifies a security principal in the local domain. RIDs not created by default by windows will have a value of 1000 or greater.

When you put it all together, an example of a SID could look like this:

S-1-5-43-4342332-4365423-981231-1015

Setting up a SID

For domain users or groups, the SID will contain the domain identifier, which is a random value determined during creation of the domain. When a user or group object is created, Windows sets its relative ID (RID). For local computer accounts, a user SID contains the computer’s local computer identifier, which in turn is assigned during the Windows installation.

SID Modification

It is not possible to change the SID by standard means, but the software adsiedit will allow you to make changes. The SID will also change if the related object is created in one domain (and the domain identifier becomes part of the object’s SID) and is then migrated to another domain. In this case, a new SID will be created, but the previous SID is saved in the SID history in the Active Directory.

The entries in the SID history are also used during permission checks, which allows users to access the resources in the old domain after the account has been migrated, since the check (also) uses the old SID.

Whitepaper

Best Practices for Access Management In Microsoft® Environments

An in-depth manual on how to set up access structures correctly, including technical details. Also includes information on reporting and tips for implementation.

About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.