The SID structure defines a security identifier (SID), which is a variable-length byte array that uniquely identifies a security principal. Each security principal has a unique SID that is issued by a security agent. The agent can be a Windows local system or domain. The agent generates the SID when the security principal is created. The RPC marshaled version of the SID structure is defined in section 2.4.2.1.
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Revision    |SubAuthorityCnt|      IdentifierAuthority      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    SubAuthority (variable)                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
- Revision (1 byte): An 8-bit unsigned integer that specifies the revision level of the SID structure. This value MUST be set to 0x01.
- SubAuthorityCount (1 byte): An 8-bit unsigned integer that specifies the number of elements in the SubAuthority array. The maximum number of elements allowed is 15.
- IdentifierAuthority (6 bytes): A SID_IDENTIFIER_AUTHORITY structure that indicates the authority under which the SID was created. It describes the entity that created the SID.<2>
- SubAuthority (variable): A variable-length array of unsigned 32-bit integers that uniquely identifies a principal relative to the IdentifierAuthority. Its length is determined by SubAuthorityCount.
The top-level issuer is the authority. Each issuer specifies, in an implementation-specific manner, how many integers identify the next issuer.
A newly created account store is assigned a 96-bit identifier (a cryptographic-strength pseudorandom number).
A newly created security principal in an account store is assigned a 32-bit identifier that is unique within the store.
The SID for such a security principal has the following content: SubAuthorityCount is 5, IdentifierAuthority is 5 (SECURITY_NT_AUTHORITY), SubAuthority[0] is 21 (SECURITY_NT_NON_UNIQUE), SubAuthority[1] through SubAuthority[3] contain the account store identifier, and SubAuthority[4] is the security principal identifier.
Consumers of SIDs SHOULD NOT rely on anything more than that the SID has the appropriate structure.
When represented as strings, for example in documentation or logs, SIDs are expressed as follows:
S-1-IdentifierAuthority-SubAuthority1-SubAuthority2-...-SubAuthorityn
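As an added example (not code from MS-DTYP or any Microsoft implementation), the following Python decodes a binary SID against the structure above, rejecting anything that does not fit it, converts between the binary form and the S-1-... string form, and recognises the S-1-5-21 domain-principal shape just described. The sample SID bytes and all function names are constructed for this example.

```python
import struct

MAX_SUB_AUTHORITIES = 15   # upper bound on SubAuthorityCount from the structure definition
SECURITY_NT_AUTHORITY = 5
SECURITY_NT_NON_UNIQUE = 21

def parse_sid(data: bytes) -> tuple[int, int, list[int]]:
    """Decode a binary SID into (Revision, IdentifierAuthority, SubAuthority list)."""
    if len(data) < 8 or len(data) != 8 + 4 * data[1]:
        raise ValueError("SID length does not match its SubAuthorityCount")
    revision, count = data[0], data[1]
    if revision != 0x01 or count > MAX_SUB_AUTHORITIES:
        raise ValueError(f"bad Revision {revision:#x} or SubAuthorityCount {count}")
    # IdentifierAuthority is a 6-byte big-endian integer; SubAuthority elements are little-endian uint32.
    authority = int.from_bytes(data[2:8], "big")
    return revision, authority, list(struct.unpack_from(f"<{count}I", data, 8))

def is_well_formed(data: bytes) -> bool:
    """Structural check only, which is all a SID consumer should rely on."""
    try:
        parse_sid(data)
        return True
    except ValueError:
        return False

def sid_to_string(data: bytes) -> str:
    """Render a binary SID as S-1-IdentifierAuthority-SubAuthority1-...-SubAuthorityN."""
    revision, authority, subs = parse_sid(data)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_from_string(text: str) -> bytes:
    """Inverse of sid_to_string; enforces the same limits before packing."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID string {text!r}")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHORITIES or not 0 <= authority < 1 << 48:
        raise ValueError("SID string exceeds the structure's limits")
    header = bytes([0x01, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)

def is_domain_principal_sid(data: bytes) -> bool:
    """True for the S-1-5-21-<96-bit store id>-<principal id> shape described above."""
    _, authority, subs = parse_sid(data)
    return authority == SECURITY_NT_AUTHORITY and len(subs) == 5 and subs[0] == SECURITY_NT_NON_UNIQUE

# Constructed sample (not from any real system): S-1-5-21-1234567890-987654321-55555555-1103
SAMPLE_SID = bytes.fromhex("01 05 00 00 00 00 00 05 15 00 00 00"
                           "d2 02 96 49 b1 68 de 3a e3 b5 4f 03 4f 04 00 00")
```

Note that the IdentifierAuthority bytes are big-endian while the SubAuthority elements are little-endian, which is the most common mistake when hand-parsing SIDs pulled from security descriptors or logs.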