A SID string in a security descriptor string can use either the standard string representation of a SID (S-R-I-S-S…) or one of the string constants defined in Sddl.h. For more information about the standard SID string notation, see SID Components.
The following SID string constants for well-known SIDs are defined in Sddl.h. For information about the corresponding relative IDs (RIDs), see Well-known SIDs.
| SID string | Constant in Sddl.h | Account alias and corresponding RID |
|---|---|---|
| "AN" | SDDL_ANONYMOUS | Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID. |
| "AO" | SDDL_ACCOUNT_OPERATORS | Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS. |
| "AU" | SDDL_AUTHENTICATED_USERS | Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID. |
| "BA" | SDDL_BUILTIN_ADMINISTRATORS | Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS. |
| "BG" | SDDL_BUILTIN_GUESTS | Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS. |
| "BO" | SDDL_BACKUP_OPERATORS | Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS. |
| "BU" | SDDL_BUILTIN_USERS | Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS. |
| "CA" | SDDL_CERT_SERV_ADMINISTRATORS | Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS. |
| "CD" | SDDL_CERTSVC_DCOM_ACCESS | Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP. |
| "CG" | SDDL_CREATOR_GROUP | Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID. |
| "CO" | SDDL_CREATOR_OWNER | Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID. |
| "DA" | SDDL_DOMAIN_ADMINISTRATORS | Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS. |
| "DC" | SDDL_DOMAIN_COMPUTERS | Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS. |
| "DD" | SDDL_DOMAIN_DOMAIN_CONTROLLERS | Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS. |
| "DG" | SDDL_DOMAIN_GUESTS | Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS. |
| "DU" | SDDL_DOMAIN_USERS | Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS. |
| "EA" | SDDL_ENTERPRISE_ADMINS | Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS. |
| "ED" | SDDL_ENTERPRISE_DOMAIN_CONTROLLERS | Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID. |
| "HI" | SDDL_ML_HIGH | High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID. |
| "IU" | SDDL_INTERACTIVE | Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID. |
| "LA" | SDDL_LOCAL_ADMIN | Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN. |
| "LG" | SDDL_LOCAL_GUEST | Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST. |
| "LS" | SDDL_LOCAL_SERVICE | Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID. |
| "LW" | SDDL_ML_LOW | Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID. |
| "ME" | SDDL_ML_MEDIUM | Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID. |
| "NO" | SDDL_NETWORK_CONFIGURATION_OPS | Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS. |
| "NS" | SDDL_NETWORK_SERVICE | Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID. |
| "NU" | SDDL_NETWORK | Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID. |
| "PA" | SDDL_GROUP_POLICY_ADMINS | Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS. |
| "PO" | SDDL_PRINTER_OPERATORS | Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS. |
| "PS" | SDDL_PERSONAL_SELF | Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID. |
| "PU" | SDDL_POWER_USERS | Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS. |
| "RC" | SDDL_RESTRICTED_CODE | Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID. |
| "RD" | SDDL_REMOTE_DESKTOP | Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS. |
| "RE" | SDDL_REPLICATOR | Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR. |
| "RO" | SDDL_ENTERPRISE_RO_DCs | Enterprise read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS. |
| "RS" | SDDL_RAS_SERVERS | RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS. |
| "RU" | SDDL_ALIAS_PREW2KCOMPACC | Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS. |
| "SA" | SDDL_SCHEMA_ADMINISTRATORS | Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS. |
| "SI" | SDDL_ML_SYSTEM | System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID. |
| "SO" | SDDL_SERVER_OPERATORS | Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS. |
| "SU" | SDDL_SERVICE | Service logon user. This is a group identifier added to the token of a process when it was logged on as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID. |
| "SY" | SDDL_LOCAL_SYSTEM | Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID. |
| "WD" | SDDL_EVERYONE | Everyone. The corresponding RID is SECURITY_WORLD_RID. |
For more information about well-known SIDs, see Well-known SIDs.
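
Because a security descriptor string may name the same trustee either by its two-letter constant or by its numeric SID, an audit that matches on only one notation misses the other. The following added example (not part of the original page or of Sddl.h) normalizes both forms before checking access-allowed ACEs for broad trustees. The function names, the numeric SID values (standard well-known SIDs not listed on this page), and the sample descriptor are assumptions of the example, and it handles only plain `A` ACEs without conditional expressions.

```python
import re

# Aliases from the table whose SID is the same on every machine. The numeric
# values are the standard well-known SIDs; they are not listed on this page.
ALIAS_TO_SID = {
    "WD": "S-1-1-0",       # Everyone
    "AN": "S-1-5-7",       # Anonymous logon
    "AU": "S-1-5-11",      # Authenticated users
    "IU": "S-1-5-4",       # Interactive
    "SY": "S-1-5-18",      # Local system
    "BA": "S-1-5-32-544",  # Built-in administrators
    "BU": "S-1-5-32-545",  # Built-in users
}
NUMERIC_SID = re.compile(r"S-1-\d+(-\d+)+", re.IGNORECASE)
# Trustees treated as "broad" here: Everyone, Anonymous, Authenticated users.
BROAD = ("S-1-1-0", "S-1-5-7", "S-1-5-11")

def normalize_sid(token):
    """Numeric SID for a trustee token, or None when it cannot be resolved
    offline (domain-relative aliases such as DA, or an unknown token)."""
    token = token.strip().upper()
    if NUMERIC_SID.fullmatch(token):
        return token
    return ALIAS_TO_SID.get(token)

def broad_grants(sddl, watch=BROAD):
    """(trustee as written, numeric SID) for each access-allowed ACE whose
    trustee is in `watch`, whichever notation the descriptor used."""
    hits = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) < 6 or fields[0] != "A":
            continue
        sid = normalize_sid(fields[5])
        if sid in watch:
            hits.append((fields[5], sid))
    return hits

# Constructed sample descriptor mixing both notations.
SAMPLE = ("O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)"
          "(A;;0x1200a9;;;S-1-1-0)(A;;FR;;;AU)(D;;FA;;;AN)")

if __name__ == "__main__":
    for written, sid in broad_grants(SAMPLE):
        print(f"allow ACE for broad trustee {written} ({sid})")
```

Domain-relative constants such as "DA" or "DU" resolve to a SID only in the context of a specific domain, so the example returns `None` for them instead of guessing.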