Security Identifiers

A security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has a unique SID issued by an authority, such as a Windows domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.

Windows security uses SIDs in the following security elements:

In addition to the uniquely created, domain-specific SIDs assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the well-known SIDs, Everyone and World, identify a group that includes all users.

Most applications never need to work with SIDs. Because the names of well-known SIDs can vary, you should use the functions to build the SID from predefined constants rather than using the name of the well-known SID. For example, the U.S. English version of the Windows operating system has a well-known SID named "BUILTIN\Administrators" that might have a different name on international versions of the system. For an example that builds a well-known SID, see Searching for a SID in an Access Token in C++.

If you do need to work with SIDs, do not manipulate them directly. Instead, use the following functions.

| Function | Description |
| --- | --- |
| AllocateAndInitializeSid | Allocates and initializes a SID with the specified number of subauthorities. |
| ConvertSidToStringSid | Converts a SID to a string format suitable for display, storage, or transport. |
| ConvertStringSidToSid | Converts a string-format SID to a valid, functional SID. |
| CopySid | Copies a source SID to a buffer. |
| EqualPrefixSid | Tests two SID prefix values for equality. A SID prefix is the entire SID except for the last subauthority value. |
| EqualSid | Tests two SIDs for equality. They must match exactly to be considered equal. |
| FreeSid | Frees a SID that was previously allocated by using the AllocateAndInitializeSid function. |
| GetLengthSid | Retrieves the length of a SID. |
| GetSidIdentifierAuthority | Retrieves a pointer to the identifier authority for a SID. |
| GetSidLengthRequired | Retrieves the size of the buffer required to store a SID with a specified number of subauthorities. |
| GetSidSubAuthority | Retrieves a pointer to a specified subauthority in a SID. |
| GetSidSubAuthorityCount | Retrieves the number of subauthorities in a SID. |
| InitializeSid | Initializes a SID structure. |
| IsValidSid | Tests the validity of a SID by verifying that the revision number is within a known range and that the number of subauthorities is less than the maximum. |
| LookupAccountName | Retrieves the SID that corresponds to a specified account name. |
| LookupAccountSid | Retrieves the account name that corresponds to a specified SID. |
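
The advice above to build well-known SIDs from predefined constants rather than from their names, shown as an added example that is not part of the original topic. It assumes PowerShell on Windows and uses the .NET System.Security.Principal classes in place of the Win32 functions in the table; the function names Get-WellKnownSid and Get-SidReport are hypothetical.

```powershell
# Added example (not from the original page). Assumption: the .NET
# System.Security.Principal wrappers are used instead of direct Win32 calls.

function Get-WellKnownSid {
    param(
        [Parameter(Mandatory)]
        [System.Security.Principal.WellKnownSidType]$Type,
        # Only domain-relative types (for example AccountDomainAdminsSid)
        # need a domain SID; the types used below do not.
        [System.Security.Principal.SecurityIdentifier]$DomainSid = $null
    )
    # Built from the constant, so the result does not depend on the
    # display language of the operating system.
    New-Object System.Security.Principal.SecurityIdentifier($Type, $DomainSid)
}

function Get-SidReport {
    param([System.Security.Principal.WellKnownSidType[]]$Types)

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    foreach ($type in $Types) {
        $sid = Get-WellKnownSid -Type $type
        try {
            # The account name is resolved by the local system and is
            # locale dependent; use it for display only, never for comparison.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name = '<no name mapped>'
        }
        [pscustomobject]@{
            Constant       = $type
            Sid            = $sid.Value      # string form, safe to store or log
            LocalizedName  = $name
            # True only when the SID is present and enabled in the current
            # access token; a deny-only SID (as in a non-elevated token
            # under UAC) reports False.
            EnabledInToken = $principal.IsInRole($sid)
        }
    }
}

Get-SidReport -Types WorldSid, AuthenticatedUserSid, BuiltinUsersSid, BuiltinAdministratorsSid |
    Format-Table -AutoSize
```

On a non-English installation the LocalizedName column changes while the Sid column stays the same, which is why access checks should compare SIDs and not names.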


Build date: 10/14/2008

© 2008 Microsoft Corporation. All rights reserved.