Security Identifier

from Wikipedia, the free encyclopedia

A security identifier, or SID for short, is a unique identifier that Microsoft Windows NT assigns automatically in order to permanently identify every system, every user and every group.

Purpose

The access rights specified in access control lists (ACLs) are bound to the SID, not to the name. If a system, user or group is renamed, its SID remains unchanged, so all access rights are retained. SIDs therefore make renaming possible without side effects.

Assignment

During installation of the operating system, the system receives its SID from a random number generator. This is necessary to guarantee unique identification on the network. In addition there are so-called well-known SIDs, which are identical on every system, for example the SID of the Administrators group.

A user's SID is generated automatically when the account is created. The SID of a locally created user is derived from the SID of the system. The SID of a user created in a domain changes if the user is moved from one domain to another, because the user's domain is also encoded in the SID.

Structure

Example:

S-1-5-21-7623811015-3361044348-030300820-1013

Explanation:

S - prefix identifying the string as a SID
1 - revision number
5 - identifier authority
21-7623811015-3361044348-030300820 - domain or local system (the sub-authorities identify the issuing domain or machine)
1013 - relative ID (RID) of the user; for normal accounts it is assigned incrementally starting at 1000

Permitted values of the identifier authority:

0 Null Authority
1 World Authority
2 Local Authority
3 Creator Authority
4 Non-unique Authority
5 NT Authority
9 Resource Manager Authority
16 Mandatory Level Authority
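As an added example (not part of this article), the following Python code parses SID strings of the form described above, validates the revision, the 48-bit identifier authority and the 32-bit sub-authorities, converts between the string form and the binary layout Windows uses internally, and splits an account SID into its domain or machine part and the RID. The binary layout (one byte revision, one byte sub-authority count, six-byte big-endian identifier authority, then four-byte little-endian sub-authorities) is the documented Windows format; the sample SIDs used in the code are constructed. Note that each sub-authority is an unsigned 32-bit value, so the parser rejects components above 4294967295.

```python
"""Parse, validate and binary-encode Windows security identifiers (SIDs).

Added example, not part of the Wikipedia article. The string layout
S-<revision>-<authority>-<sub-authorities> and the binary layout
(1-byte revision, 1-byte sub-authority count, 6-byte big-endian identifier
authority, 4-byte little-endian sub-authorities) are the documented Windows
formats. All sample SIDs below are constructed for this example.
"""
from dataclasses import dataclass
import struct

# Identifier authorities listed in the article, keyed by their numeric value.
IDENTIFIER_AUTHORITIES = {
    0: "Null Authority", 1: "World Authority", 2: "Local Authority",
    3: "Creator Authority", 4: "Non-unique Authority", 5: "NT Authority",
    9: "Resource Manager Authority", 16: "Mandatory Level Authority",
}

MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in the Windows SDK headers


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the textual form, rejecting anything outside the documented ranges."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID string: {text!r}")
        try:
            numbers = [int(p, 10) for p in parts[1:]]
        except ValueError:
            raise ValueError(f"non-numeric component in {text!r}") from None
        revision, authority, subs = numbers[0], numbers[1], numbers[2:]
        if revision != 1:
            raise ValueError(f"unsupported SID revision {revision}")
        if not 0 <= authority < 2 ** 48:
            raise ValueError("identifier authority must fit in 48 bits")
        if len(subs) > MAX_SUB_AUTHORITIES:
            raise ValueError("too many sub-authorities")
        for s in subs:
            if not 0 <= s < 2 ** 32:
                raise ValueError(f"sub-authority {s} does not fit in 32 bits")
        return cls(revision, authority, tuple(subs))

    def __str__(self) -> str:
        fields = (self.revision, self.authority, *self.sub_authorities)
        return "S-" + "-".join(str(n) for n in fields)

    def to_bytes(self) -> bytes:
        """Binary form as stored in security descriptors and tokens."""
        header = bytes([self.revision, len(self.sub_authorities)])
        authority = self.authority.to_bytes(6, "big")
        subs = b"".join(struct.pack("<I", s) for s in self.sub_authorities)
        return header + authority + subs

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Decode the binary form, checking that the length matches the count byte."""
        if len(data) < 8:
            raise ValueError("SID too short")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("SID length does not match sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack(f"<{count}I", data[8:])
        return cls(revision, authority, tuple(subs))

    @property
    def authority_name(self) -> str:
        return IDENTIFIER_AUTHORITIES.get(self.authority, "unknown")

    @property
    def is_account_sid(self) -> bool:
        """True for S-1-5-21-X-Y-Z-RID: an account relative to a domain or machine."""
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def domain_sid(self) -> "Sid":
        """The issuing domain or machine SID, i.e. the account SID without its RID."""
        if not self.is_account_sid:
            raise ValueError("SID is not an account SID relative to a domain or machine")
        return Sid(self.revision, self.authority, self.sub_authorities[:-1])

    @property
    def rid(self) -> int:
        """Relative identifier: the last sub-authority."""
        if not self.sub_authorities:
            raise ValueError("SID has no sub-authorities")
        return self.sub_authorities[-1]


if __name__ == "__main__":
    user = Sid.parse("S-1-5-21-1004336348-1177238915-682003330-1001")  # constructed
    print(user.authority_name, user.domain_sid, user.rid)
    print(user.to_bytes().hex())
    print(Sid.from_bytes(user.to_bytes()) == user)
```

The round trip through `to_bytes` and `from_bytes` is what a parser of security descriptors, NTFS ACLs or Kerberos PAC data has to perform; the length check in `from_bytes` matters because the count byte, not the buffer size, decides how many sub-authorities follow.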

Problems

If an image is taken of the hard disk of a fully installed system, the SID is saved in it as well. If other computers are provisioned from this image, several systems share the same SID. In the past this was strongly discouraged because it could lead to problems; Microsoft warned in particular that access to removable media that should be expressly denied might otherwise become possible. This view has since been put into perspective by a Microsoft employee.

Microsoft supports such use of disk images only if the Sysprep program is used. Sysprep causes setup to run again at the next system start without reinstalling, and among other things a new SID can be assigned.

The PsGetSid program developed by Winternals allows the SID to be read out locally or over the network. Until November 2009, NewSID, a program that could change a system's SID to a random SID, was also available. It was withdrawn because SIDs shared between different computers turned out to be less problematic than previously assumed, so a program like NewSID was superfluous.

SIDs lost through deletion of users or uninstallation of systems can only be restored with considerable administrative effort, since creating a new object with the same name yields a different SID. It is, however, possible to change a SID via ADSIEdit. Domain controllers running Windows Server 2008 and later also support restoring AD objects from a shadow copy, provided the domain functional level is Windows Server 2008 or higher.
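The cloning problem described above can be checked for from an inventory. The following Python code is an added example, not from the article: it assumes each host reports the SID of its built-in local Administrator account (RID 500), strips the RID to obtain the machine SID, and reports hosts that share one. SIDs that are not machine-relative (such as S-1-5-18, LocalSystem) and SIDs that belong to a known domain are skipped, because domain accounts legitimately share the domain SID on every member. The inventory records and the domain SID are constructed sample data.

```python
"""Find hosts that share a machine SID, as happens when a disk image is cloned
without Sysprep. Added example, not part of the Wikipedia article.

Assumption: each inventory record carries the SID of the host's built-in local
Administrator account (RID 500); its prefix S-1-5-21-X-Y-Z is the machine SID.
All records and the known domain SID below are constructed sample data.
"""
from collections import defaultdict

INVENTORY = [  # constructed sample data
    {"host": "ws01", "admin_sid": "S-1-5-21-1004336348-1177238915-682003330-500"},
    {"host": "ws02", "admin_sid": "S-1-5-21-1004336348-1177238915-682003330-500"},
    {"host": "ws03", "admin_sid": "S-1-5-21-3623811015-3361044348-30300820-500"},
    # A domain controller has no separate local SAM; it reports the domain SID.
    {"host": "dc01", "admin_sid": "S-1-5-21-2210000000-330000000-44000000-500"},
    # A mis-collected record: LocalSystem is well-known, not machine-relative.
    {"host": "broken", "admin_sid": "S-1-5-18"},
]
KNOWN_DOMAIN_SIDS = frozenset({"S-1-5-21-2210000000-330000000-44000000"})  # constructed


def machine_sid(account_sid: str):
    """Return the S-1-5-21-X-Y-Z prefix of a local account SID, or None if the
    SID is not of that form (well-known SIDs, domain SIDs without RID, etc.)."""
    parts = account_sid.strip().split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    return "-".join(parts[:-1])


def find_duplicate_machine_sids(inventory, known_domain_sids=frozenset()):
    """Group hosts by machine SID; return (duplicates, skipped_hosts)."""
    by_sid = defaultdict(list)
    skipped = []
    for record in inventory:
        sid = machine_sid(record["admin_sid"])
        if sid is None or sid in known_domain_sids:
            skipped.append(record["host"])
            continue
        by_sid[sid].append(record["host"])
    duplicates = {sid: hosts for sid, hosts in by_sid.items() if len(hosts) > 1}
    return duplicates, skipped


if __name__ == "__main__":
    dupes, skipped = find_duplicate_machine_sids(INVENTORY, KNOWN_DOMAIN_SIDS)
    for sid, hosts in dupes.items():
        print(f"machine SID {sid} shared by: {', '.join(hosts)}")
    print("skipped (not machine-relative or domain SID):", skipped)
```

Hosts that share a machine SID also share the SIDs of every local account with the same RID, which is exactly the situation behind the removable-media warning in the article; the fix is to re-run Sysprep on the affected clones rather than to edit SIDs by hand.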

References

  1. The six identifier authorities of NT (NT defines 6 identifier authorities) [1]
  2. Blog entry by Mark Russinovich [2]
  3. The above blog entry only warns against cloning, without Sysprep, a system that is already joined to a domain.