In Windows NT, 2000, and XP, what is the SID (security identifier)?
The SID (Security IDentifier) is a unique value, written as a string of numbers separated by hyphens and prefixed with "S" (for example, S-1-5-21-...), that Windows NT, 2000, and XP assign to every user, group, and computer account. On a stand-alone computer the SIDs are issued by that computer; on a domain-controlled network such as Indiana University's Active Directory, they are issued by the domain controllers. In short, it's a unique ID number that a computer or domain controller uses to identify you. You can think of it in the same way that you think about your student, staff, or faculty ID number at IU: it uniquely and unquestionably defines you within the system.
At a basic level, Windows uses SIDs rather than usernames. When you enter a username and password, Windows first checks that the password matches what it has stored for that account (for a domain or Active Directory account, using Kerberos, the computer asks a domain controller whether the password is correct). It then looks up the SID associated with that username: for a local account, in the SAM database, which is kept in the Windows registry; for a domain account, the domain controller supplies the SID during logon. Windows places that SID, together with the SIDs of the groups you belong to, in an access token attached to your logon session. From that point on, every action that requires a permissions check compares the SIDs in your token against the access control list on the object; the username is not consulted. For example, when you double-click a folder, Windows checks whether your SID (or one of your group SIDs) is granted access to it, not whether your username is.
SIDs are important specifically because at the operating system level they identify accounts beyond question, and a SID is never reused once its account is deleted. To illustrate, consider what happens after you leave IU. When your ADS account is deleted, someone can't come along later, create a new ADS account with your exact old username, and then use it to access network resources (such as your Exchange account) that have not been erased yet. The Exchange servers know this person with your exact username isn't you, because the new account's SID is not the one recorded in the permissions on your mailbox.
Technical information
SIDs are specific to Microsoft environments; the Unix world has a rough equivalent (the UID, or user ID), but SIDs are used only by Windows computers and domain-managed/Active Directory networks. They are generated by a security "authority". On a local computer, that authority is Windows itself (the local SAM). On a domain or Active Directory network, that authority is the domain controller.
A SID looks like this (an illustrative example, not a real account): S-1-5-21-1045337234-1292470899-568327671-19000. Microsoft usually breaks this down into the pattern S-R-I-S-S..., that is: (SID)-(revision level)-(identifier authority)-(sub-authority 1)-(sub-authority 2)-(etc.)
- SID: The initial S merely identifies the following string as a SID.
- Revision level: To date, this has never changed and has always been 1.
- Identifier authority: A 48-bit value that identifies the top-level authority under which the SID was issued. Almost every account SID you will see uses 5, the NT authority; the "world" authority, 1, appears in S-1-1-0, the Everyone group.
- Sub-authorities: A variable number (at most 15) of 32-bit values that identify the computer or domain that created the SID and the account within it. In plain English, reading from left to right, the numbers tell you:
  - Which computer (or domain) created the SID: for ordinary accounts, the value 21 followed by three 32-bit values (21-1045337234-1292470899-568327671 in the example above) is the identifier of the computer or domain, and every account created by that authority shares it. The value 32 in this position marks the built-in domain that exists on every Windows machine (for example, S-1-5-32-544 is the built-in Administrators group).
  - Whether this is a built-in account or group, or one created later: the final value, called the relative identifier (RID), is fixed for well-known accounts and groups. 500 is the Administrator account, 501 is Guest, 512 is Domain Admins, and 513 is Domain Users.
  - In what order the account was created by this authority: accounts and groups created by administrators receive RIDs starting at 1000, handed out in sequence (i.e., "This was the first user" or "This is the 231st account created").
  The RID is the only part that differs between accounts of the same computer or domain; the rest of the SID is the domain identifier. Group membership does not add sub-authorities to a user's SID: each group has its own SID, and the SIDs of the groups a user belongs to are listed separately in the user's access token.
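The following is an added example, not part of the original KB article, that turns the structure described above into code: it parses a SID string, enforces the limits of the format (revision 1, a 48-bit identifier authority, at most fifteen 32-bit sub-authorities), converts the SID to and from the binary layout Windows stores in access control lists (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities), and names the well-known SIDs and RIDs listed above. The sample SIDs and the domain identifier 21-1045337234-1292470899-568327671 are constructed for illustration and do not belong to any real computer or domain.

```python
# Added example (not from the original article): parse, validate, classify
# and serialise Windows security identifiers (SIDs).
import re
import struct
from dataclasses import dataclass
from typing import Tuple

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")

# Well-known SIDs and RIDs a practitioner should recognise on sight.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        parts = [self.revision, self.identifier_authority, *self.sub_authorities]
        return "S-" + "-".join(str(p) for p in parts)


def parse_sid(text: str) -> Sid:
    """Parse the S-R-I-S-S... string form and enforce the format's limits."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).split("-") if s)
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:
        raise ValueError("identifier authority must fit in 48 bits")
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    for s in subs:
        if s >= 1 << 32:  # each sub-authority is a 32-bit value
            raise ValueError(f"sub-authority {s} does not fit in 32 bits")
    return Sid(revision, authority, subs)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def to_binary(sid: Sid) -> bytes:
    """Binary SID layout: revision, sub-authority count, 6-byte big-endian
    identifier authority, then each sub-authority as little-endian uint32."""
    out = bytes([sid.revision, len(sid.sub_authorities)])
    out += sid.identifier_authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in sid.sub_authorities)
    return out


def from_binary(data: bytes) -> Sid:
    if len(data) < 8:
        raise ValueError("truncated SID")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match data length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:]) if count else ()
    return Sid(revision, authority, tuple(subs))


def describe(sid: Sid) -> str:
    """Name well-known SIDs; split account SIDs into domain part and RID."""
    text = str(sid)
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    subs = sid.sub_authorities
    if sid.identifier_authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = Sid(1, 5, subs[:4])  # 21-X-Y-Z identifies the machine/domain
        rid = subs[4]
        who = WELL_KNOWN_RIDS.get(rid, f"RID {rid}")
        kind = "well-known account" if rid < 1000 else "user-created account or group"
        return f"{who} ({kind}) in domain {domain}"
    return "unrecognised SID"


# Constructed sample values; the domain identifier is not a real domain.
SAMPLE_SIDS = [
    "S-1-5-21-1045337234-1292470899-568327671-19000",
    "S-1-5-21-1045337234-1292470899-568327671-500",
    "S-1-5-32-544",
    "S-1-1-0",
]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        sid = parse_sid(s)
        blob = to_binary(sid)
        assert from_binary(blob) == sid  # binary form round-trips
        print(f"{s:48} {blob.hex():36} {describe(sid)}")
    # A sub-authority wider than 32 bits is structurally impossible and is rejected.
    print(is_valid_sid("S-1-5-21-1045337234-12924708993-568327671-19000"))
```

Run it as a script to see each sample SID beside its binary encoding and its meaning; the last line shows that a sub-authority that overflows 32 bits (as in a mistyped SID) is rejected rather than silently accepted.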
Last modified on December 13, 2005.






