EqualPrefixSid function (securitybaseapi.h)
The EqualPrefixSid function tests two security-identifier (SID) prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.
[in] PSID pSid1
A pointer to the first SID structure to compare. This structure is assumed to be valid.
[in] PSID pSid2
A pointer to the second SID structure to compare. This structure is assumed to be valid.
If the SID prefixes are equal, the return value is nonzero.
If the SID prefixes are not equal, the return value is zero. To get extended error information, call GetLastError.
The EqualPrefixSid function enables a server application in one domain to verify an attempt by a user to log on to another domain. For example, if a user attempts to log on to RemoteDomain from a workstation in LocalDomain, the server for LocalDomain can request the SIDs for the user and the user's groups from RemoteDomain. The domain controller for RemoteDomain responds with the relevant SIDs.
All SIDs for a specified domain have the same prefix. When the server receives the user's SIDs, the server can call the EqualPrefixSid function for each SID, comparing the user or group SID against the SID for RemoteDomain. If any of the SID prefixes are not equal, the server refuses the logon attempt.
It is advisable to modify the SID for a domain before comparing it with a group or user SID. If the SID for RemoteDomain is S-1-1234-8, each group or user SID for that domain has S-1-1234-8 as its prefix. To compare the SIDs by using the EqualPrefixSid function, an application copies the domain SID and adds any subauthority (RID) value to the copy, thereby creating a SID in the form S-1-1234-8-0. The application then uses the modified domain SID as a template against which the group and user SIDs are compared.
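The template technique described above, as an added example that is not part of the original documentation: a portable C model of the prefix comparison that does not call the Windows API. The `model_sid` type, the `model_*` functions and the user and group SIDs are constructed for illustration, and the model assumes that the subauthority counts of the two SIDs must match.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the SID layout (assumption, not the SDK's SID type). */
typedef struct {
    uint8_t  revision;
    uint8_t  count;         /* number of subauthorities in use */
    uint8_t  authority[6];  /* identifier authority, big-endian */
    uint32_t sub[15];       /* a SID holds at most 15 subauthorities */
} model_sid;

/* Prefix test: all but the last subauthority must match (assumed: count too). */
int model_equal_prefix(const model_sid *a, const model_sid *b) {
    if (a->revision != b->revision || a->count != b->count) return 0;
    if (memcmp(a->authority, b->authority, sizeof a->authority) != 0) return 0;
    for (int i = 0; i + 1 < a->count; i++)
        if (a->sub[i] != b->sub[i]) return 0;
    return 1;
}

/* Copy the domain SID and append a placeholder RID, giving S-1-1234-8-0. */
int model_make_template(const model_sid *domain, model_sid *out) {
    if (domain->count >= 15) return 0;  /* no room left for a RID */
    *out = *domain;
    out->sub[out->count++] = 0;
    return 1;
}

/* Fail closed: refuse an empty list or any SID outside the domain. */
int model_all_in_domain(const model_sid *domain, const model_sid *sids, int n) {
    model_sid tmpl;
    if (n <= 0 || !model_make_template(domain, &tmpl)) return 0;
    for (int i = 0; i < n; i++)
        if (!model_equal_prefix(&tmpl, &sids[i])) return 0;
    return 1;
}

/* Constructed sample data: authority 1234 is 0x04D2. */
#define AUTH_1234 {0, 0, 0, 0, 0x04, 0xD2}
const model_sid sample_domain = {1, 1, AUTH_1234, {8}};          /* S-1-1234-8 */
const model_sid sample_ok[2]  = {{1, 2, AUTH_1234, {8, 1001}},   /* user  */
                                 {1, 2, AUTH_1234, {8, 513}}};   /* group */
const model_sid sample_bad[2] = {{1, 2, AUTH_1234, {8, 1001}},
                                 {1, 2, AUTH_1234, {9, 513}}};   /* S-1-1234-9-513 */
int main(void) {
    printf("unmodified domain SID vs user: %d\n", model_equal_prefix(&sample_domain, &sample_ok[0]));
    printf("same-domain list: %d\n", model_all_in_domain(&sample_domain, sample_ok, 2));
    return 0;
}
```

In this model, comparing the unmodified domain SID against a user SID fails because the subauthority counts differ, which is why the template with an appended RID is needed.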
|Minimum supported client|Windows XP [desktop apps only]|
|Minimum supported server|Windows Server 2003 [desktop apps only]|
|Header|securitybaseapi.h (include Windows.h)|