The SID structure defines a security identifier (SID), which is a variable-length byte array that uniquely identifies a security principal. Each security principal has a unique SID that is issued by a security agent. The agent can be a Windows local system or domain. The agent generates the SID when the security principal is created. The RPC marshaled version of the SID structure is defined in section 2.4.2.1.
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|   Revision    |SubAuthorityCnt|      IdentifierAuthority      |
+---------------+---------------+-------------------------------+
|                              ...                              |
+---------------------------------------------------------------+
|                    SubAuthority (variable)                    |
+---------------------------------------------------------------+
|                              ...                              |
+---------------------------------------------------------------+
```
- Revision (1 byte): An 8-bit unsigned integer that specifies the revision level of the SID structure. This value MUST be set to 0x01.
- SubAuthorityCount (1 byte): An 8-bit unsigned integer that specifies the number of elements in the SubAuthority array. The maximum number of elements allowed is 15.
- IdentifierAuthority (6 bytes): A SID_IDENTIFIER_AUTHORITY structure that contains information indicating the authority under which the SID was created. It describes the entity that created the SID and manages the account.
- SubAuthority (variable): A variable-length array of unsigned 32-bit integers that uniquely identifies a principal relative to the IdentifierAuthority. Its length is determined by SubAuthorityCount.
In the abstract, the sequence of identifiers that comprise the SID SHOULD be a hierarchical series. The first integer in the array contains a value that is unique relative to the IdentifierAuthority of the SID. Each subsequent integer is unique relative to the one before it. For SubAuthority[n], the issuer consists of the combination of the IdentifierAuthority and all SubAuthority[0…n–1] values preceding SubAuthority[n]. The last element, SubAuthority[n], is a RID (relative identifier) that uniquely identifies the security principal or group in the domain specified by SubAuthority[0] through SubAuthority[n–1]. RID values are determined by the creator of the SID. Any SID is considered valid only if it has at least one valid RID value.
In abstract, the SID is a hierarchical sequence, but in practice it is difficult to manage and deploy. When an account domain is created in Windows, three subauthorities are generated randomly to serve as the account domain portion of the SID. Windows uses the Identifier Authority value 5 to denote SIDs created by Windows. A SubAuthority[1] value of 21 is used to denote SIDs that use this set of three random subauthorities. Thus, a Windows domain would have SIDs that appear as "S-1-5-21-x1-x2-x3-rid", where x1 through x3 are random numbers assigned during domain creation, and the RID is a domain-specific unique number assigned to the user or group during its creation.
When represented as strings, for example in documentation or logs, SIDs are expressed as follows:
S-1-IdentifierAuthority-SubAuthority1-SubAuthority2-...-SubAuthorityn
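As an added worked example (not part of MS-DTYP or of any Windows library), the following Python decodes the byte layout above into the S-1-... string form, enforces the Revision, SubAuthorityCount and length constraints given in the field descriptions, encodes a string back into bytes, and splits a SID into its issuer prefix and RID. The sample SID bytes and the domain values 1111/2222/3333 are constructed for this example.

```python
import struct

MAX_SUB_AUTHORITIES = 15  # upper bound on SubAuthorityCount from the field description

# Constructed sample (not from the spec): S-1-5-21-1111-2222-3333-500 in wire form.
# Revision 01, SubAuthorityCount 05, IdentifierAuthority 00..05 (big-endian), then
# five little-endian 32-bit SubAuthority values: 21, 1111, 2222, 3333, 500.
SAMPLE_SID = bytes.fromhex("0105" "000000000005" "15000000" "57040000" "ae080000" "050d0000" "f4010000")

def parse_sid(data: bytes) -> str:
    """Decode a binary SID into its S-1-... string form, rejecting malformed input."""
    if len(data) < 8:
        raise ValueError("SID header is 8 bytes: Revision, SubAuthorityCount, IdentifierAuthority")
    revision, count = data[0], data[1]
    if revision != 0x01:
        raise ValueError(f"Revision MUST be 0x01, got {revision:#x}")
    if not 1 <= count <= MAX_SUB_AUTHORITIES:  # at least one RID, at most 15 elements
        raise ValueError(f"SubAuthorityCount {count} outside 1..{MAX_SUB_AUTHORITIES}")
    if len(data) != 8 + 4 * count:  # refuse trailing or missing bytes
        raise ValueError(f"length {len(data)} does not match {8 + 4 * count}")
    authority = int.from_bytes(data[2:8], "big")   # SID_IDENTIFIER_AUTHORITY is big-endian
    subs = struct.unpack(f"<{count}I", data[8:])   # SubAuthority array is little-endian
    return "S-" + "-".join(str(v) for v in (revision, authority, *subs))

def build_sid(text: str) -> bytes:
    """Encode an S-1-... string back into the binary layout (inverse of parse_sid)."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("expected S-1-IdentifierAuthority-SubAuthority1[-...]")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHORITIES or not 0 <= authority < 2**48:
        raise ValueError("too many sub-authorities or IdentifierAuthority out of range")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError("SubAuthority values are unsigned 32-bit")
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def split_domain_rid(text: str) -> tuple:
    """Split a SID string into its issuer prefix and the RID (the last SubAuthority)."""
    prefix, _, last = text.rpartition("-")
    return prefix, int(last)

def is_valid_sid(data: bytes) -> bool:
    """True when parse_sid accepts the bytes; useful for filtering untrusted input."""
    try:
        parse_sid(data)
        return True
    except ValueError:
        return False
```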