A SID string in a security descriptor string can use either the standard string representation of a SID (S-R-I-S-S…) or one of the string constants defined in Sddl.h. For more information about the standard SID string notation, see
SID Components.
The following SID string constants for well-known SIDs are defined in Sddl.h. For information about the corresponding relative IDs (RIDs), see Well-known SIDs.
| SID string |
Constant in Sddl.h |
Account alias and corresponding RID |
|---|
| "AO" | SDDL_ACCOUNT_OPERATORS | Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS. |
| "RU" | SDDL_ALIAS_PREW2KCOMPACC | Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS. |
| "AN" | SDDL_ANONYMOUS | Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID. |
| "AU" | SDDL_AUTHENTICATED_USERS | Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID. |
| "BA" | SDDL_BUILTIN_ADMINISTRATORS | Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS. |
| "BG" | SDDL_BUILTIN_GUESTS | Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS. |
| "BO" | SDDL_BACKUP_OPERATORS | Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS. |
| "BU" | SDDL_BUILTIN_USERS | Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS. |
| "CA" | SDDL_CERT_SERV_ADMINISTRATORS | Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS. |
| "CD" | SDDL_CERTSVC_DCOM_ACCESS | Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP. |
| "CG" | SDDL_CREATOR_GROUP | Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID. |
| "CO" | SDDL_CREATOR_OWNER | Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID. |
| "DA" | SDDL_DOMAIN_ADMINISTRATORS | Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS. |
| "DC" | SDDL_DOMAIN_COMPUTERS | Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS. |
| "DD" | SDDL_DOMAIN_DOMAIN_CONTROLLERS | Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS. |
| "DG" | SDDL_DOMAIN_GUESTS | Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS. |
| "DU" | SDDL_DOMAIN_USERS | Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS. |
| "EA" | SDDL_ENTERPRISE_ADMINS | Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS. |
| "ED" | SDDL_ENTERPRISE_DOMAIN_CONTROLLERS | Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID. |
| "RO" | SDDL_ENTERPRISE_RO_DCs | Enterprise Read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS. |
| "WD" | SDDL_EVERYONE | Everyone. The corresponding RID is SECURITY_WORLD_RID. |
| "PA" | SDDL_GROUP_POLICY_ADMINS | Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS. |
| "IU" | SDDL_INTERACTIVE | Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID. |
| "LA" | SDDL_LOCAL_ADMIN | Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN. |
| "LG" | SDDL_LOCAL_GUEST | Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST. |
| "LS" | SDDL_LOCAL_SERVICE | Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID. |
| "SY" | SDDL_LOCAL_SYSTEM | Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID. |
| "NU" | SDDL_NETWORK | Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID. |
| "LW" | SDDL_ML_LOW | Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID. |
| "ME" | SDDL_MLMEDIUM | Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID. |
| "HI" | SDDL_ML_HIGH | High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID. |
| "SI" | SDDL_ML_SYSTEM | System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID. |
| "NO" | SDDL_NETWORK_CONFIGURATION_OPS | Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS. |
| "NS" | SDDL_NETWORK_SERVICE | Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID. |
| "PO" | SDDL_PRINTER_OPERATORS | Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS. |
| "PS" | SDDL_PERSONAL_SELF | Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID. |
| "PU" | SDDL_POWER_USERS | Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS. |
| "RS" | SDDL_RAS_SERVERS | RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS. |
| "RD" | SDDL_REMOTE_DESKTOP | Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS. |
| "RE" | SDDL_REPLICATOR | Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR. |
| "RC" | SDDL_RESTRICTED_CODE | Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID. |
| "SA" | SDDL_SCHEMA_ADMINISTRATORS | Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS. |
| "SO" | SDDL_SERVER_OPERATORS | Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS. |
| "SU" | SDDL_SERVICE | Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID. |
For more information about well-known SIDs, see Well-known SIDs.