Windows Access Control List (ACL) 9
More on SID Strings
In the security descriptor definition language (SDDL), security descriptor string use SID strings for the following components of a security descriptor:
- Owner.
- Primary group.
- The trustee in an ACE.
A SID string in a security descriptor string can use either the standard string representation of a SID (S-R-I-S-S...) or one of the string constants defined in sddl.h.
More on SID Components
A SID value includes components that provide information about the SID structure and components that uniquely identify a trustee. A SID consists of the following components:
- The revision level of the SID structure.
- A 48-bit identifier authority value that identifies the authority that issued the SID.
- A variable number of sub authority or relative identifier (RID) values that uniquely identify the trustee relative to the authority that issued the SID.
RID is a portion of a security identifier (SID) that identifies a user or group in relation to the authority that issued the SID. The combination of the identifier authority value and the sub authority values ensures that no two SIDs will be the same, even if two different SID-issuing authorities issue the same combination of RID values. Each SID-issuing authority issues a given RID only once. SIDs are stored in binary format in a SID structure. To display a SID, you can call the ConvertSidToStringSid() function to convert a binary SID to string format. To convert a SID string back to a valid, functional SID, call the ConvertStringSidToSid() function. These functions use the following standardized string notation for SIDs, which makes it simpler to visualize their components:
S-R-I-S-S...
In this notation, the literal character S identifies the series of digits as a SID, R is the revision level, I is the identifier-authority value, and S... is one or more sub authority values. The following example uses this notation to display the well-known domain-relative SID of the local Administrators group:
S-1–5-32-544
In this example, the SID has the following components. The constants in parentheses are well-known identifier authority and RID values defined in winnt.h:
- A revision level of 1.
- An identifier-authority value of 5 (SECURITY_NT_AUTHORITY).
- A first sub authority value of 32 (SECURITY_BUILTIN_DOMAIN_RID).
- A second sub authority value of 544 (DOMAIN_ALIAS_RID_ADMINS).
The following SID string constants for well-known SIDs are defined in sddl.h.
|
SID string |
Constant in Sddl.h |
Account alias and corresponding RID |
|
AO |
SDDL_ACCOUNT_OPERATORS |
Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS. |
|
RU |
SDDL_ALIAS_PREW2KCOMPACC |
Alias to grant permissions to accounts that use applications compatible with Windows NT 4.0 operating systems. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS. |
|
AN |
SDDL_ANONYMOUS |
Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID. |
|
AU |
SDDL_AUTHENTICATED_USERS |
Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID. |
|
BA |
SDDL_BUILTIN_ADMINISTRATORS |
Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS. |
|
BG |
SDDL_BUILTIN_GUESTS |
Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS. |
|
BO |
SDDL_BACKUP_OPERATORS |
Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS. |
|
BU |
SDDL_BUILTIN_USERS |
Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS. |
|
CA |
SDDL_CERT_SERV_ADMINISTRATORS |
Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS. |
|
CG |
SDDL_CREATOR_GROUP |
Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID. |
|
CO |
SDDL_CREATOR_OWNER |
Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID. |
|
DA |
SDDL_DOMAIN_ADMINISTRATORS |
Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS. |
|
DC |
SDDL_DOMAIN_COMPUTERS |
Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS. |
|
DD |
SDDL_DOMAIN_DOMAIN_CONTROLLERS |
Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS. |
|
DG |
SDDL_DOMAIN_GUESTS |
Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS. |
|
DU |
SDDL_DOMAIN_USERS |
Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS. |
|
EA |
SDDL_ENTERPRISE_ADMINS |
Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS. |
|
ED |
SDDL_ENTERPRISE_DOMAIN_CONTROLLERS |
Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID. |
|
WD |
SDDL_EVERYONE |
Everyone. The corresponding RID is SECURITY_WORLD_RID. |
|
PA |
SDDL_GROUP_POLICY_ADMINS |
Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS. |
|
IU |
SDDL_INTERACTIVE |
Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID. |
|
LA |
SDDL_LOCAL_ADMIN |
Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN. |
|
LG |
SDDL_LOCAL_GUEST |
Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST. |
|
LS |
SDDL_LOCAL_SERVICE |
Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID. |
|
SY |
SDDL_LOCAL_SYSTEM |
Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID. |
|
NU |
SDDL_NETWORK |
Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID. |
|
NO |
SDDL_NETWORK_CONFIGURATION_OPS |
Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS. |
|
NS |
SDDL_NETWORK_SERVICE |
Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID. |
|
PO |
SDDL_PRINTER_OPERATORS |
Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS. |
|
PS |
SDDL_PERSONAL_SELF |
Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID. |
|
PU |
SDDL_POWER_USERS |
Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS. |
|
RS |
SDDL_RAS_SERVERS |
RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS. |
|
RD |
SDDL_REMOTE_DESKTOP |
Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS. |
|
RE |
SDDL_REPLICATOR |
Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR. |
|
RC |
SDDL_RESTRICTED_CODE |
Restricted code. This is a restricted token created using the CreateRestrictedToken() function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID. |
|
SA |
SDDL_SCHEMA_ADMINISTRATORS |
Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS. |
|
SO |
SDDL_SERVER_OPERATORS |
Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS. |
|
SU |
SDDL_SERVICE |
Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID. |
|
Table 6 |
||
The ConvertSidToStringSid() and ConvertStringSidToSid() functions always use the standard SID string notation and do not support SDDL SID string constants.
< Windows ACL 8 | Windows Access Control List (ACL) Main | Win32 Programming | Windows ACL 10 >