What Is the SID? (Security Identifier)

SID stands for security identifier, a unique string that Windows Server automatically assigns to each computer, user and group in order to mark and clearly distinguish them. The SID remains the same even if the object it refers to (e.g. the user) is renamed.

Example: The SID is entered into the ACL in order to explicitly identify the authorized user or group. If a user is renamed later on, their permissions remain the same because the SID is not affected by the name change. When there is a change to the SID, for instance because of a domain migration, users will still retain the same permissions because prior SIDs are stored in the SID history of objects in the Active Directory.

Windows SID Format

SIDs always follow the same structure, with values separated by dashes:

  • S: The letter S indicates that this string is a SID.
  • 1: The second position shows the revision level, i.e. the version of the SID specification. It has never been changed from 1.
  • 5: The third position marks the identifier authority, which is typically 5 for NT Authority.
  • Domain or local computer identifier: This 48-bit string identifies the computer or domain that created the SID.
  • Relative ID (RID): The RID is the final, typically four-digit value and uniquely identifies a security principal within the issuing domain or computer. RIDs for principals that Windows does not create by default have a value of 1000 or greater.

When you put it all together, an example of a SID could look like this:

S-1-5-43-4342332-4365423-981231-1015
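As an added example (not part of the original article), the following Python splits a string SID into the components listed above and converts it to and from the binary layout in which SIDs are stored in ACLs and in the Active Directory objectSid attribute. The well-known RID table and the 1000 threshold for non-default principals are taken from the article; the helper names are my own.

```python
import re
import struct

# A few well-known RIDs (assumed from public Microsoft documentation) to label built-ins.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> dict:
    """Split a string SID into revision, identifier authority, domain part and RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1:                      # the revision has never changed from 1
        raise ValueError("unsupported SID revision")
    if not 1 <= len(subs) <= 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("bad sub-authority count or value")
    rid = subs[-1]
    return {
        "revision": revision,
        "authority": authority,
        "domain": subs[:-1],               # identifies the issuing domain or computer
        "rid": rid,
        "builtin": rid < 1000,             # non-default principals get RID >= 1000
        "well_known": WELL_KNOWN_RIDS.get(rid),
    }


def sid_to_bytes(sid: str) -> bytes:
    """Encode as: revision(1) | sub-auth count(1) | authority(6, big-endian)
    | one 4-byte little-endian value per sub-authority (the on-disk/ACL form)."""
    p = parse_sid(sid)
    subs = p["domain"] + [p["rid"]]
    return (struct.pack("BB", p["revision"], len(subs))
            + p["authority"].to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(raw: bytes) -> str:
    """Inverse of sid_to_bytes; rejects truncated or inconsistent input."""
    if len(raw) < 8:
        raise ValueError("truncated SID")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))
```

Running `parse_sid` on the example SID above yields authority 5, domain part 43-4342332-4365423-981231 and RID 1015, which the 1000 threshold classifies as a non-default principal.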

Setting up a SID

For domain users or groups, the SID contains the domain identifier, which is a random value determined during the creation of the domain. When a user or group object is created, Windows sets its relative ID (RID). For local computer accounts, a user SID contains the computer’s local computer identifier, which in turn is assigned during the Windows installation.

How to Change the SID

The SID cannot be edited by normal means, but there are a few ways to change SIDs in Windows networks:

  1. Remove a computer from the domain, delete the computer object in AD and rejoin the domain

  2. Use Sysprep to generalize the Windows installation, which creates a new SID

  3. Download a third-party utility like SIDCHG

Under normal circumstances, there is no reason to change the SID, since duplicate machine SIDs generally do not cause issues. However, admins sometimes run into problems with improperly cloned OS installs: when a cloned machine is promoted to domain controller, the other clones cannot join the domain because the domain SID is identical to their machine SID. This is why you should always use Sysprep to generalize OS images during the deployment process.

Additionally, because the SID is domain-specific, it is also affected by domain migrations. In this case, a new SID will be created based on the new domain of the object, but the previous SID is saved in the SID history.


About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.