SID & RID | Notion

Windows SID

Every Windows user, computer, or service account has a unique alphanumeric identifier called the security ID (SID).

Windows security-related processes, such as authentication, authorization, delegation, and auditing, use SIDs to uniquely identify security principals.

A security principal is any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts.

A SID is a Security Identifier. It’s the “primary key” for any object in an Active Directory. For example, users have SIDs, as do Printer objects, Group objects, etc. SID‘s are unique to a Domain.

In Active Directory users refer to accounts by using the account name, but the operating system internally refers to accounts by their security identifiers (SIDs).
For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account.
For every local account and group, the SID is unique for the computer where it was created; no two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group created in one domain will never match the SID for an account or group created in any domain in the enterprise.

To illustrate, let us analyze an example SID that I retrieved from my test Active Directory (AD) system:

S-1-5-21-4064627337-2434140041-2375368561-1036. All SID fields have a specific meaning; so, for the above sample SID:

S: The initial S identifies the following string as a SID.
1: The revision level, or version, of the SID specification. To date, this has never changed and has always been 1.
5: The identifier authority value. This is a predefined identifier for the top-level authority that issued the SID. This is typically 5, which represents the SECURITY_NT_AUTHORITY.
21-4064627337-2434140041-2375368561: This section is the domain or local computer identifier (in this example, a domain identifier). This is a 48-bit string that identifies the authority (the computer or domain) that created the SID.
1036: The Relative ID (RID) is the last part of a SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID. Any group or user that the Windows OS doesn't create has a RID of 1000 or greater by default.

<aside> ⚠️ The SID of an AD domain account is created by a Domain’s Security authority that runs on every Windows domain controller (DC)

The SID of a local account is created by the Local Security Authority (LSA) service that runs on every Windows box.

</aside>

Untitled

Below some useful powershell code to retrieve SID and RID of domain users:

# Replace 'username' with the actual username of the user you want to retrieve the SID for
$username = 'fcastle'
# Retrieve the user using Get-ADUser and then access the SID property
$user = Get-ADUser -Identity $username
if ($user) {
	$userSID = $user.SID
	Write-Host "SID of $username is: $userSID"
} else {
	Write-Host "User $username not found."
}