There is plenty of information about SIDs on the Internet.
I do not intend to bore anyone by copying and pasting, but the fact is (or seems to be) that the information is split and scattered, which makes it difficult to use. I do not intend to touch on its implementation details.
What seems more reasonable, in addition to a basic understanding of its purpose (which everybody already knows, or should), is to cover its very basic structure and the well-known (generic) values used by Windows systems, with which interoperability is required at some point, typically on the ACLs of SMB shares.
As with most things in the Windows world, SIDs are also confusing, both with respect to their own concepts and with respect to other related concepts such as GUIDs and so on... The bad news is that, of course, this is probably not getting any better in the near future. So we have to live with it :-(
What I'll attempt is to summarize what is found (at the time of this writing) in two Microsoft sources (the MSDN API and References section 2.4.2, and Support KB243330). I believe that the way I display the information is better than what's found in these official references. Anyway...
BASIC STRUCTURE
As you may already have noted, a SID has variable length but always starts with the letter S, in a prefix that is usually S-1. This means we are dealing with a version 1 SID (I still haven't seen, nor have had any interest in looking for, other versions).
What follows (separated by another dash) is called the Authority. Please don't ask me why it's called that (I didn't invent this), nor whether it makes any sense to have them numbered and named as follows:
- 0 - Null
- 1 - World
- 2 - Local
- 3 - Creator
- 4 - Non-unique
- 5 - NT
- other unknowns: 15, 16, 18
So the prefix that appears most frequently is S-1-5.
The remaining parts of the SID (delimited by dashes) are called SubAuthorities (so, at a minimum, one infers that each one is dependent on the one that follows).
If the first SubAuthority is 21 (in general, as there are exceptions, such as 84!) (you know, don't ask me why this value!), then it will necessarily be followed by three more SubAuthorities which together denote a certain domain (or a machine). The domain may in fact be the root domain (the first domain created in an Active Directory forest).
So it will be usual to come across a SID that starts with something such as:
S-1-5-21-1111111111-222222222-3333333333
where (the three fictitious SubAuthorities, delimited by dashes):
1111111111-222222222-3333333333
denote (identify) a certain domain or machine.
Finally, the last SubAuthority (but again there are exceptions, such as the SID S-1-5-5-X-Y), which follows the domain / machine id (when the first SubAuthority is 21) or the Authority id itself (in the remaining cases), is called the RID (relative identifier). The RID is what ultimately distinguishes one SID from another, that is, what makes a SID unique. It seems that values under 1000 are reserved for the system.
For example, the complete SIDs denoting, respectively, a user and a group within the previous example could be:
S-1-5-21-1111111111-222222222-3333333333-1100
S-1-5-21-1111111111-222222222-3333333333-2147483658
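As an added example (this code is mine, not from the original post or from Microsoft), here is a small Python parser that applies the structure described above: it splits a textual SID into Authority and SubAuthorities, recognizes the S-1-5-21-X-Y-Z domain/machine part, pulls out the RID and flags the reserved range; the lookup tables hold only a few entries copied from the well-known list further down this page.

```python
import re

# Identifier authorities named on the page (15, 16 and 18 are left unnamed, as the post does)
AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 4: "Non-unique", 5: "NT"}
# A handful of well-known SIDs and domain RIDs taken from the table on this page
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-18": "Local System", "S-1-5-32-544": "Administrators"}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "KRBTGT",
               512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
# Version-1 SID in text form: S-1-<authority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")


def parse_sid(sid: str) -> dict:
    """Split a textual SID into authority, subauthorities, domain part and RID."""
    sid = sid.strip()
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a version-1 SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-") if s]
    info = {"authority": authority,
            "authority_name": AUTHORITIES.get(authority, "unknown"),
            "subauthorities": subs, "domain": None, "rid": None,
            "name": None, "reserved_rid": False}
    if authority == 5 and subs[:1] == [21] and len(subs) >= 4:
        # S-1-5-21-X-Y-Z: the three values after 21 identify a domain or machine
        info["domain"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        if len(subs) == 5:
            info["rid"] = subs[4]
            info["name"] = DOMAIN_RIDS.get(subs[4])
            # the post notes that RIDs under 1000 are reserved for the system
            info["reserved_rid"] = subs[4] < 1000
    elif subs:
        # no domain part: the last subauthority plays the role of the RID
        info["rid"] = subs[-1]
        info["name"] = WELL_KNOWN.get(sid)
    return info


def describe(sid: str) -> str:
    """One-line summary, handy when reading ACLs dumped from an SMB share."""
    p = parse_sid(sid)
    label = p["name"] or (f"domain RID {p['rid']}" if p["domain"] else "unknown")
    return f"{sid}: authority={p['authority_name']} domain={p['domain']} -> {label}"


if __name__ == "__main__":
    for s in ("S-1-1-0", "S-1-5-32-544", "S-1-5-21-1111111111-222222222-3333333333-500"):
        print(describe(s))
```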
WELL-KNOWNS (Yellow Pages)
These well-known SID values are constant across all operating systems.
They typically represent generic identities on Windows.
A few are also relevant in terms of interoperability.
Windows NT, 2000 and later
S-1-0 Null Authority
S-1-0-0 Nobody
S-1-1 World Authority
S-1-1-0 Everyone
S-1-2 Local Authority
S-1-2-0 Local
S-1-2-1 Console Logon
S-1-3 Creator Authority
S-1-3-0 Creator Owner
S-1-3-1 Creator Group
S-1-3-2 Creator Owner Server
S-1-3-3 Creator Group Server
S-1-3-4 Owner Rights
S-1-4 Non-unique Authority
S-1-5 NT Authority
S-1-5-1 Dialup
S-1-5-2 Network
S-1-5-3 Batch
S-1-5-4 Interactive
S-1-5-5-X-Y Logon Session
S-1-5-6 Service
S-1-5-7 Anonymous
S-1-5-8 Proxy
S-1-5-9 Enterprise Domain Controllers
S-1-5-10 Principal Self
S-1-5-11 Authenticated Users
S-1-5-12 Restricted Code
S-1-5-13 Terminal Server Users
S-1-5-14 Remote Interactive Logon
S-1-5-15 This Organization
S-1-5-17 This Organization
S-1-5-18 Local System
S-1-5-19 NT Authority
S-1-5-20 NT Authority
S-1-5-21-domain-500 Administrator
S-1-5-21-domain-501 Guest
S-1-5-21-domain-502 KRBTGT
S-1-5-21-domain-512 Domain Admins
S-1-5-21-domain-513 Domain Users
S-1-5-21-domain-514 Domain Guests
S-1-5-21-domain-515 Domain Computers
S-1-5-21-domain-516 Domain Controllers
S-1-5-21-domain-517 Cert Publishers
S-1-5-21-rootdomain-518 Schema Admins
S-1-5-21-rootdomain-519 Enterprise Admins
S-1-5-21-domain-520 Group Policy Creator Owners
S-1-5-21-domain-553 RAS and IAS Servers
S-1-5-32-544 Administrators
S-1-5-32-545 Users
S-1-5-32-546 Guests
S-1-5-32-547 Power Users
S-1-5-32-548 Account Operators
S-1-5-32-549 Server Operators
S-1-5-32-550 Print Operators
S-1-5-32-551 Backup Operators
S-1-5-32-552 Replicators
S-1-5-64-10 NTLM Authentication
S-1-5-64-14 SChannel Authentication
S-1-5-64-21 Digest Authentication
S-1-5-80 NT Service
S-1-5-80-0 All Services
S-1-5-80-0 NT SERVICES \ ALL SERVICES
S-1-5-83-0 NT VIRTUAL MACHINE \ Virtual Machines
S-1-16-0 Untrusted Mandatory Level
S-1-16-4096 Low Mandatory Level
S-1-16-8192 Medium Mandatory Level
S-1-16-8448 Medium Plus Mandatory Level
S-1-16-12288 High Mandatory Level
S-1-16-16384 System Mandatory Level
S-1-16-20480 Protected Process Mandatory Level
S-1-16-28672 Secure Process Mandatory Level
In the three sections that follow:
- Remember that the "operations master" is also known as the flexible single master operations (FSMO) role.
- The groups that are listed appear as SIDs until the respective Windows Server domain controller is made the primary domain controller (PDC) operations master role holder.
- The additional built-in groups that are listed are created when the respective Windows Server domain controller is added to the domain.
Windows Server 2003
S-1-5-32-554 BUILTIN \ Pre-Windows 2000 Compatible Access
S-1-5-32-555 BUILTIN \ Remote Desktop Users
S-1-5-32-556 BUILTIN \ Network Configuration Operators
S-1-5-32-557 BUILTIN \ Incoming Forest Trust Builders
S-1-5-32-558 BUILTIN \ Performance Monitor Users
S-1-5-32-559 BUILTIN \ Performance Log Users
S-1-5-32-560 BUILTIN \ Windows Authorization Access Group
S-1-5-32-561 BUILTIN \ Terminal Server License Servers
S-1-5-32-562 BUILTIN \ Distributed COM Users
Windows Server 2008 (or R2)
S-1-5-21-rootdomain-498 Enterprise Read-only Domain Controllers
S-1-5-21-domain-521 Read-only Domain Controllers
S-1-5-21-domain-571 Allowed RODC Password Replication Group
S-1-5-21-domain-572 Denied RODC Password Replication Group
S-1-5-32-568 BUILTIN \ IIS_IUSRS
S-1-5-32-569 BUILTIN \ Cryptographic Operators
S-1-5-32-573 BUILTIN \ Event Log Readers
S-1-5-32-574 BUILTIN \ Certificate Service DCOM Access
Windows Server 2012
S-1-5-21-0-0-0-496 COMPOUNDED_AUTHENTICATION
S-1-5-21-0-0-0-497 CLAIMS_VALID
S-1-5-21-domain-522 Cloneable Domain Controllers
S-1-5-21-domain-525 PROTECTED_USERS
S-1-5-32-575 BUILTIN \ RDS Remote Access Servers
S-1-5-32-576 BUILTIN \ RDS Endpoint Servers
S-1-5-32-577 BUILTIN \ RDS Management Servers
S-1-5-32-578 BUILTIN \ Hyper-V Administrators
S-1-5-32-579 BUILTIN \ Access Control Assistance Operators
S-1-5-32-580 BUILTIN \ Remote Management Users
S-1-5-33 WRITE_RESTRICTED_CODE
S-1-5-65-1 THIS_ORGANIZATION_CERTIFICATE
S-1-5-84-0-0-0-0-0 USER_MODE_DRIVERS
S-1-5-113 LOCAL_ACCOUNT
S-1-5-114 LOCAL_ACC_AND_MEMBER_OF_ADMIN_GRP
S-1-5-1000 OTHER_ORGANIZATION
S-1-15-2-1 ALL_APP_PACKAGES
S-1-18-1 AUTH_AUTH_ASSERTED_IDENTITY
S-1-18-2 SERVICE_ASSERTED_IDENTITY