What is a SID and what is its format

A SID (security identifier) looks like this: S-1-5-21-1683771067-1221355100-624655392-1001. The string form follows the pattern S-R-IA-SA-...-RID; the number of sub-authorities varies (Windows allows up to 15), and a domain or machine account normally has four followed by the RID, as in the example. The components are as follows.

S marks the value as a SID rather than some other kind of long, obscure number.

R is the revision. All SIDs generated by Windows use revision level 1.

IA is the identifier (issuing) authority. Nearly all SIDs in Windows specify the NT Authority, number 5. The exceptions are well-known groups and accounts issued by other authorities, such as S-1-1-0 (Everyone, under the World Authority, 1) and S-1-3-0 (Creator Owner, authority 3).

SA is a sub-authority, and a SID can carry several. The first one designates special groups or functions: 21 means the SID was issued by a domain or by a standalone machine, and 32 marks the built-in local groups (S-1-5-32-544 is BUILTIN\Administrators). When the first sub-authority is 21, the three values that follow it, here 1683771067-1221355100-624655392, are the identifier of the issuing domain or machine. They are generated once, when the domain is created or Windows is installed, and every principal in that domain or on that machine shares them.

RID is the relative identifier, a number assigned by the issuing domain or machine to represent one security principal, such as a user, computer, or group. RIDs below 1000 are reserved for well-known principals: 500 is the built-in Administrator, 501 is Guest, 512 is Domain Admins and 513 is Domain Users. Accounts that administrators create receive RIDs starting at 1000. In an Active Directory domain the RID master hands out blocks of RIDs to each domain controller, so RIDs issued by different controllers are not strictly sequential, but each is unique within the domain. Because well-known RIDs are fixed, the built-in Administrator is always S-1-5-21-<domain>-500 no matter what the account has been renamed to, which is why renaming that account does not hide it from anyone who enumerates accounts by SID.

Functions of SIDs

If you're new to Windows system administration, this business of SIDs and RIDs might seem like geek-level stuff that no one really cares about. Nothing could be further from the truth. Understanding how SIDs are generated, stored, and manipulated is vital to managing a Windows system, because access control lists, group memberships, the profile list in the registry and security audit events all record the SID, not the account name.

For instance, once you know that the system relies on the SID to uniquely identify a user, you won't be surprised that you can change a user's name without affecting the user's access permissions. You can take advantage of this when a new user joins the company to replace a user who has left: rename the old user's account to the new user's name and it retains the old account's access permissions and group memberships. Two caveats apply. First, the new user inherits everything the old one had accumulated, so review the memberships rather than assume they are still appropriate. Second, the converse is also true: deleting an account and recreating it with the same name produces a brand-new SID, so every ACL entry that named the old account becomes an orphaned, unresolvable SID and the new account has none of its predecessor's access.

Knowing how the system uses SIDs also helps you plan for moving accounts from one domain to another when you migrate an NT or Windows 2000 domain to a Windows Server 2003 domain.
For example, when you copy a user account from one domain to another using the Active Directory Migration Tool (or a third-party equivalent), the account receives a new SID in the target domain, and its SID from the classic NT domain is retained in the account's sIDHistory attribute. At logon the user's access token carries both SIDs, so the user can still access resources in the old domain whose ACLs name the old SID. Because every SID in sIDHistory grants access exactly as the account's own SID does, treat the attribute like a group membership: anyone able to write it can add a privileged SID to an ordinary account, so restrict who can modify it and clear the old SIDs once the migration is complete.
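To make the structure described above concrete, here is an added example (not part of the original article) that parses the S-R-IA-SA-...-RID string form, converts it to and from the binary form that Windows stores in ACLs and in Active Directory's objectSid attribute, separates the domain identifier from the RID, and checks whether two SIDs were issued by the same domain or machine. The binary layout (one byte revision, one byte sub-authority count, six-byte big-endian identifier authority, then 32-bit little-endian sub-authorities) is the documented SID structure. The tables of well-known RIDs and SIDs hold only the few values mentioned in the text and are deliberately not exhaustive; the sample SIDs are the ones from the article.

```python
"""Parse, encode and interpret Windows security identifiers (SIDs)."""
import struct
from dataclasses import dataclass

# A few well-known RIDs issued under S-1-5-21-<domain>; not an exhaustive table.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}

# A few well-known SIDs not issued by a domain or machine; not exhaustive.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-18": "Local System",
                   "S-1-5-32-544": "BUILTIN\\Administrators"}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple  # the last element is the RID, if there is one

    @classmethod
    def from_string(cls, text):
        """Parse the S-R-IA-SA-...-RID string form, validating every field."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision = int(parts[1])
        if revision != 1:
            raise ValueError(f"unsupported SID revision {revision}")
        # Authorities of 2**32 or more are written in hex (0x...) in string form.
        ia_text = parts[2]
        ia = int(ia_text, 16) if ia_text.lower().startswith("0x") else int(ia_text)
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > 15:
            raise ValueError("a SID carries at most 15 sub-authorities")
        if not 0 <= ia < 2**48 or not all(0 <= s < 2**32 for s in subs):
            raise ValueError("authority or sub-authority out of range")
        return cls(revision, ia, subs)

    def __str__(self):
        ia = self.identifier_authority
        ia_text = str(ia) if ia < 2**32 else f"0x{ia:012X}"
        return "-".join(["S", str(self.revision), ia_text, *map(str, self.sub_authorities)])

    def to_bytes(self):
        """Binary SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
        SubAuthority[count] (4 bytes each, little-endian)."""
        header = struct.pack("<BB", self.revision, len(self.sub_authorities))
        authority = self.identifier_authority.to_bytes(6, "big")
        subs = b"".join(struct.pack("<I", s) for s in self.sub_authorities)
        return header + authority + subs

    @classmethod
    def from_bytes(cls, data):
        """Decode the binary form, e.g. an objectSid value or the SID inside an ACE."""
        if len(data) < 8:
            raise ValueError("SID too short")
        revision, count = data[0], data[1]
        if count > 15 or len(data) != 8 + 4 * count:
            raise ValueError("sub-authority count does not match the data length")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack(f"<{count}I", data[8:])
        return cls(revision, authority, subs)

    @property
    def rid(self):
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_sid(self):
        """S-1-5-21-X-Y-Z without the RID, or None if not issued by a domain or machine."""
        subs = self.sub_authorities
        if self.identifier_authority == 5 and len(subs) == 5 and subs[0] == 21:
            return Sid(self.revision, 5, subs[:4])
        return None


def same_domain(a, b):
    """True when both SID strings were issued by the same domain or machine."""
    da, db = Sid.from_string(a).domain_sid, Sid.from_string(b).domain_sid
    return da is not None and da == db


def describe(text):
    """Classify a SID string: well-known SID, well-known RID, or custom principal."""
    sid = Sid.from_string(text)
    if str(sid) in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[str(sid)]
    domain = sid.domain_sid
    if domain is None:
        return "SID issued by another authority"
    rid = sid.rid
    if rid in WELL_KNOWN_RIDS:
        name = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        name = "administrator-created principal (RID >= 1000)"
    else:
        name = f"reserved RID {rid}"
    return f"{name} in domain/machine {domain}"


if __name__ == "__main__":
    sid = Sid.from_string("S-1-5-21-1683771067-1221355100-624655392-1001")
    print(describe(str(sid)))
    print(sid.to_bytes().hex())
    print(same_domain(str(sid), "S-1-5-21-1683771067-1221355100-624655392-500"))
```

Feeding the article's example through from_bytes and to_bytes shows why a renamed account keeps its permissions: the 28 bytes stored in an ACL contain the revision, the authority, the domain identifier and the RID, and nothing else, so the name never enters into the comparison.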