ARCHIVED: In Windows, what is the SID (security identifier)?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The SID (Security IDentifier) is a unique ID number that a computer or domain controller uses to identify you. It is written as a string that starts with S-1- and continues with numbers separated by hyphens, and one is assigned to each user and group on a Windows computer, and to each user, group, and computer account on a domain-controlled network such as Indiana University's Active Directory. You can think of it as similar to your student, staff, or faculty ID number at IU, as it uniquely identifies you within the system.

At a basic level, Windows uses SIDs instead of usernames. Whenever you enter a username and password, Windows first checks that the password matches what is stored for that account (for a local account, against the local account database, the SAM, which is kept in the Windows registry; for a domain account, by asking a domain controller, over Kerberos or NTLM, to verify it). It then builds an access token that holds your SID together with the SIDs of every group you belong to. From that point on, for any user action that requires a permissions check, Windows compares the SIDs in that token, never the username, against the access control list on the object. For example, if you double-click a folder, Windows walks the folder's access control entries looking for your SID or one of your group SIDs to decide whether you are allowed in.

SIDs are important because at the operating system level they identify accounts beyond question: a SID is never reused, so deleting an account and creating another with the same name produces a different SID, and permissions granted to the old SID do not carry over. For example, after you leave IU and your ADS account is deleted, someone else can't later create a new ADS account with your old username and then use it to access network resources (such as your Exchange account) that have not been erased yet. The Exchange servers know this person with your exact username isn't you, because the SID isn't the same. (The same property has a cost for administrators: permissions left behind on files for a deleted account show up as an orphaned SID with no name attached, and have to be cleaned up by hand.)
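The check described above, as an added example that is not part of the original article: a small Python model of how an access token full of SIDs is evaluated against a folder's or mailbox's access control list, and of why re-creating a deleted account under the same username does not get the old permissions back. The domain identifier, the account names, the RID counter and the two-bit access mask are all constructed for this illustration; the ACE walk follows the order-dependent rule Windows uses (a matching deny entry stops the check, allow entries accumulate rights), reduced to the parts that matter here.

```python
from dataclasses import dataclass

# Constructed access-mask bits for the example (real Windows masks are 32-bit).
READ = 0x1
WRITE = 0x2


@dataclass
class Ace:
    """One access control entry: allow or deny a mask of rights to one SID."""
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    """What a logon produces: the user's SID plus the SIDs of the groups it is in."""
    user_sid: str
    group_sids: list


def access_check(token, dacl, requested):
    """Walk the DACL in order, the way Windows does. A deny ACE for any SID in the
    token that covers a still-ungranted requested right ends the check with a
    refusal; allow ACEs accumulate granted rights; the check succeeds once every
    requested right is granted. An empty DACL grants nothing. No username appears."""
    token_sids = {token.user_sid, *token.group_sids}
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        remaining = requested & ~granted
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


class Authority:
    """Toy account database standing in for a domain controller or local SAM:
    one constructed domain identifier and a RID counter that only moves forward."""

    def __init__(self, domain_sid="S-1-5-21-1045337234-1292470899-568327671"):
        self.domain_sid = domain_sid   # constructed value, not a real domain
        self.next_rid = 1000           # ordinary accounts start at RID 1000
        self.accounts = {}

    def create_user(self, name):
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        self.accounts[name] = sid
        return sid

    def delete_user(self, name):
        del self.accounts[name]        # the RID is retired, never handed out again

    def logon(self, name):
        # Every account is also in Domain Users, whose RID is 513.
        return Token(self.accounts[name], [f"{self.domain_sid}-513"])


def recreated_account_scenario():
    """Grant a mailbox to 'jdoe', delete the account, re-create 'jdoe', and
    check access before and after. Returns (old_sid, new_sid, before, after)."""
    auth = Authority()
    old_sid = auth.create_user("jdoe")
    mailbox_dacl = [Ace("allow", old_sid, READ | WRITE)]   # the ACL names the SID, not "jdoe"
    before = access_check(auth.logon("jdoe"), mailbox_dacl, READ)
    auth.delete_user("jdoe")
    new_sid = auth.create_user("jdoe")                     # same name, new RID
    after = access_check(auth.logon("jdoe"), mailbox_dacl, READ)
    return old_sid, new_sid, before, after


if __name__ == "__main__":
    old, new, before, after = recreated_account_scenario()
    print(f"old SID {old}: access={before}")
    print(f"new SID {new}: access={after}")
```

Because the walk is order-dependent, an allow entry placed before a deny entry for one of the user's groups would grant the right before the deny is ever reached; that is why Windows tools write ACLs in canonical order with deny entries first.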

Technical information

SIDs are created in Microsoft environments; while they have an equivalent in the Unix world (the UID or User ID), SIDs are only used by Windows computers or domain-managed/Active Directory networks. Unlike a Unix UID, which is a small number an administrator can give to a new account after the old one is gone, a SID is never reissued. They are generated by a security "authority". On a local computer, that authority is the local security subsystem of Windows itself; on a domain or Active Directory network, it is the domain, with the domain controllers handing out the per-account part of each SID.

An SID looks like this (the digits are an illustrative, made-up value):

  S-1-5-21-1045337234-1292470899-568327671-19000

Microsoft usually breaks this down into this pattern:

  (SID)-(revision level)-(identifier-authority)-(subauthority1)-(subauthority2)-(etc)
  • SID: The initial S merely identifies the following string as being an SID.
  • Revision level: To date, this has never changed and has always been 1.
  • Identifier-authority: A 48-bit number naming the top-level authority that issued the SID. It does not identify your computer or domain: every Windows user, group, and computer account uses authority 5 (NT Authority), while authority 1 (World) is used for the built-in Everyone identity, S-1-1-0.
  • Subauthorities: A series of up to fifteen 32-bit numbers (so each is at most 4294967295). For an account SID they are laid out as follows:
    • The first subauthority, 21, marks the SID as belonging to a domain or local-computer account (32 instead marks the built-in local groups, such as S-1-5-32-544, Administrators).
    • The next three subauthorities together identify the computer or domain that created the SID; this "domain identifier" is the same for every account that authority issues.
    • The last subauthority is the Relative Identifier (RID), which is unique within that domain and tells you which account this is. A few RIDs are fixed: 500 is the built-in Administrator account, 501 is Guest, 512 is Domain Admins, and 513 is Domain Users. Accounts you create get RIDs from 1000 upward, handed out in roughly creation order from a counter shared by users, groups, and computers, so a low RID means an older account but not exactly "the 231st machine account created".

    Group membership does not add subauthorities to a user's SID: every group has its own SID, and when you log on the SIDs of your groups are placed in your access token alongside your own.
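A parser for the format broken down above, added here as an example and not part of the original article: it splits a string SID into its revision, identifier authority and subauthorities, enforces the limits the binary form imposes (a one-byte revision, a 48-bit authority, at most fifteen subauthorities of 32 bits each), picks out the domain identifier and RID of an account SID, and converts between the string form and the binary layout Active Directory stores in the objectSid attribute. The SID in the usage call is an illustrative value, and the RID-name table covers only a handful of well-known RIDs.

```python
import re
import struct

# Identifier authorities and RIDs with fixed meanings in Windows.
AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT Authority"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests", 519: "Enterprise Admins"}
MAX_SUB_AUTHORITIES = 15       # SID_MAX_SUB_AUTHORITIES in the Windows headers
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(text):
    """Return (revision, identifier_authority, [sub_authorities]) for a string SID,
    rejecting anything the binary SID structure could not hold."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"more than {MAX_SUB_AUTHORITIES} sub-authorities")
    for s in subs:
        if s >= 1 << 32:
            raise ValueError(f"sub-authority {s} does not fit in 32 bits")
    return revision, authority, subs


def describe_sid(text):
    """Name the authority and, for an account SID (S-1-5-21-X-Y-Z-RID), split off
    the domain identifier and the RID."""
    _, authority, subs = parse_sid(text)
    info = {"authority": AUTHORITIES.get(authority, f"unknown ({authority})"),
            "sub_authorities": subs}
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        rid = subs[4]
        info["rid"] = rid
        if rid in WELL_KNOWN_RIDS:
            info["account"] = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            info["account"] = "ordinary account (RID allocated at creation)"
        else:
            info["account"] = "reserved RID"
    return info


def sid_to_bytes(text):
    """Binary SID layout: revision byte, sub-authority count byte, 6-byte big-endian
    identifier authority, then each sub-authority as a little-endian uint32."""
    revision, authority, subs = parse_sid(text)
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, e.g. for an objectSid value read from LDAP."""
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("binary SID length does not match its sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-" + "-".join(str(n) for n in (revision, authority, *subs))


if __name__ == "__main__":
    example = "S-1-5-21-1045337234-1292470899-568327671-19000"   # illustrative SID
    print(describe_sid(example))
    print(sid_to_bytes(example).hex())
    # Sub-authorities larger than 32 bits cannot be encoded and are rejected.
    for bad in ("S-1-5-21-1045337234-12924708993-5683276719-19000", "S-2-5-32-544"):
        try:
            parse_sid(bad)
        except ValueError as err:
            print(f"{bad}: {err}")
```

The 32-bit bound is worth keeping in any tool that accepts SIDs as input: a value that cannot be encoded will never match anything in an ACL or a directory, and silently accepting it hides typos in scripts that grant or audit permissions.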

This is document aotl in the Knowledge Base.
Last modified on 2018-01-18 13:45:47.