Well-known security identifiers (SIDs) with their display names and descriptions
- S-1-5-1 Dialup
A group that includes all users who are logged on to the system by means of a dial-up connection.
- S-1-5-2 Network
A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.
- S-1-5-3 Batch
A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.
- S-1-5-4 Interactive
A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop connection from a remote computer, or by using a remote shell such as telnet. In each case, the user's access token contains the Interactive SID. If the user logs on using a Remote Desktop connection, the user's access token also contains the Remote Interactive Logon SID.
- S-1-5-5-X-Y Logon Session
A logon session. The X and Y values for these SIDs uniquely identify a particular logon session.
- S-1-5-6 Service
A group that includes all security principals that have logged on as a service.
- S-1-5-7 Anonymous Logon
A user who has connected to the computer without supplying a user name and password. The Anonymous Logon identity is different from the identity used by Internet Information Services (IIS) for anonymous Web access. IIS uses an actual account—by default, IUSR_ComputerName—for anonymous access to resources on a Web site. Strictly speaking, such access is not anonymous; the security principal is known even though unidentified people are using the account. IUSR_ComputerName (or whatever you name the account) has a password, and IIS logs the account on when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users while Anonymous Logon is not.
- S-1-5-8 Proxy
Does not currently apply: this SID is not used in the Windows 2000 Server or Windows Server 2003 operating systems.
- S-1-5-9 Enterprise Domain Controllers
A group that includes all domain controllers in a forest of domains.
- S-1-5-10 Self
A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal represented by the object.
- S-1-5-11 Authenticated Users
A group that includes all users and computers whose identities have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password. Note: This group includes authenticated security principals from any trusted domain, not just the current domain.
- S-1-5-12 Restricted
An identity used by a process that is executing in a restricted security context. In Windows XP and Windows Server 2003 operating systems, a software restriction policy can assign one of three security levels to executable code: unrestricted, restricted, or disallowed. When code executes at the restricted security level, the Restricted SID is added to the user's access token.
- S-1-5-13 Terminal Server User
A group that includes all users who log on to a server with Terminal Services enabled: specifically, a server that is in Terminal Services version 4.0 application compatibility mode.
- S-1-5-14 Remote Interactive Logon
A group that includes all users who log on to the computer by using a Remote Desktop Connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
- S-1-5-18 System (or LocalSystem)
An identity that is used locally by the operating system and by services configured to log on as LocalSystem. System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token. When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.
- S-1-5-19 LocalService
An identity used by services that are local to the computer, have no need for extensive local access and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem — both locally and on the network.
- S-1-5-20 NetworkService
An identity used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem but has significantly reduced local access.
- S-1-5-domain-500 Administrator
A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account. The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed. By default, the Administrator account is a member of the Administrators group and cannot be removed from that group.
- S-1-5-domain-501 Guest
A user account for people who do not have individual accounts. Every computer has a local Guest account and every domain has a domain Guest account. By default, Guest is a member of Everyone and Guests. The domain Guest account is also a member of the Domain Guests and Domain Users groups. Unlike Anonymous Logon, Guest is a real account and can be used to log on interactively. By default, the account is enabled on Windows XP and disabled on all editions of the Windows Server 2003 operating system. The Guest account does not require a password, but can have one.
- S-1-5-domain-502 krbtgt
A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.
- S-1-5-domain-512 Domain Admins
A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers. Domain Admins is the default owner of any object that is created in the domain’s Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
- S-1-5-domain-513 Domain Users
A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.
- S-1-5-domain-514 Domain Guests
A global group that, by default, has only one member, the domain’s built-in Guest account.
- S-1-5-domain-515 Domain Computers
A global group that includes all computers that have joined the domain, excluding domain controllers.
- S-1-5-domain-516 Domain Controllers
A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.
- S-1-5-domain-517 Cert Publishers
A global group that includes all computers that host an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
- S-1-5-root domain-518 Schema Admins
A group that exists only in the forest root domain. It is a universal group if the domain is in native mode and a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
- S-1-5-root domain-519 Enterprise Admins
A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise Certificate Authorities. By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest.
- S-1-5-domain-520 Group Policy Creator Owners
A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups, such as Administrators and Domain Admins. Objects that are created by members of these groups are owned by the group rather than by the individual.
- S-1-5-domain-553 RAS and IAS Servers
A domain local group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
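As an added example (not from the original document), the following Python resolves SID strings to the display names in the list above, handling the S-1-5-5-X-Y logon-session form and the S-1-5-domain-RID form separately, and picks out of a token's group SIDs the principals the list describes as administrative. It assumes, from the SID format rather than from this page, that a domain identifier is S-1-5-21 followed by three subauthorities; the sample SIDs in the test are constructed.

```python
import re

# Fixed SIDs from the list above.
WELL_KNOWN = {
    "S-1-5-1": "Dialup", "S-1-5-2": "Network", "S-1-5-3": "Batch",
    "S-1-5-4": "Interactive", "S-1-5-6": "Service", "S-1-5-7": "Anonymous Logon",
    "S-1-5-8": "Proxy", "S-1-5-9": "Enterprise Domain Controllers", "S-1-5-10": "Self",
    "S-1-5-11": "Authenticated Users", "S-1-5-12": "Restricted",
    "S-1-5-13": "Terminal Server User", "S-1-5-14": "Remote Interactive Logon",
    "S-1-5-18": "System", "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService",
}
# Entries written as S-1-5-domain-RID above: the domain part varies, the RID is fixed.
DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins",
    513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers",
    516: "Domain Controllers", 517: "Cert Publishers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
    553: "RAS and IAS Servers",
}
# Principals the list above describes as administering the host, domain or forest.
PRIVILEGED = {"Administrator", "Domain Admins", "Schema Admins", "Enterprise Admins", "System"}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def resolve_sid(sid):
    """Map a SID string to its display name from the list above; None if unknown."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % (sid,))
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if authority != 5:
        return None
    # S-1-5-5-X-Y identifies one logon session, not a principal.
    if len(subs) == 3 and subs[0] == 5:
        return "Logon Session %d-%d" % (subs[1], subs[2])
    # Assumption (from the SID format, not this page): a domain identifier is
    # S-1-5-21-<three subauthorities>, so a domain-relative SID has five.
    if len(subs) == 5 and subs[0] == 21:
        return DOMAIN_RIDS.get(subs[4])
    return None


def privileged_members(token_sids):
    """Display names in a token's SID list that the list above marks as administrative."""
    return sorted({n for n in map(resolve_sid, token_sids) if n in PRIVILEGED})
```

Feeding the group SIDs from a logon event's token through privileged_members gives a quick triage signal for which administrative principals were present.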
For more information, read the full document on the Microsoft Web site at the link listed below: