SID Strings
In the security descriptor definition language (SDDL), security descriptor string use SID strings for the following components of a security descriptor:
- Owner
- Primary group
- The trustee in an ACE
A SID string in a security descriptor string can use either the standard string representation of a SID (S-R-I-S-S ) or one of the string constants defined in Sddl.h. For more information about the standard SID string notation, see SID Components.
The following SID string constants for well-known SIDs are defined in Sddl.h. For information about the corresponding relative IDs (RIDs), see Well-known SIDs.
| SDDL SID string | Constant in Sddl.h | Account alias and corresponding RID |
|---|---|---|
| "AA" | SDDL_ACCESS_CONTROL_ASSISTANCE_OPS | Access control assistance operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "AC" | SDDL_ALL_APP_PACKAGES | All applications running in an app package context. The corresponding RID is SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "AN" |
SDDL_ANONYMOUS |
Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID. |
| "AO" |
SDDL_ACCOUNT_OPERATORS |
Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS. |
| "AP" | SDDL_PROTECTED_USERS | Protected Users. The corresponding RID is DOMAIN_GROUP_RID_PROTECTED_USERS. Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "AU" |
SDDL_AUTHENTICATED_USERS |
Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID. |
| "BA" |
SDDL_BUILTIN_ADMINISTRATORS |
Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS. |
| "BG" |
SDDL_BUILTIN_GUESTS |
Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS. |
| "BO" |
SDDL_BACKUP_OPERATORS |
Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS. |
| "BU" |
SDDL_BUILTIN_USERS |
Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS. |
| "CA" |
SDDL_CERT_SERV_ADMINISTRATORS |
Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS. |
| "CD" |
SDDL_CERTSVC_DCOM_ACCESS |
Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP. Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "CG" |
SDDL_CREATOR_GROUP |
Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID. |
| "CN" | SDDL_CLONEABLE_CONTROLLERS | Cloneable domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "CO" |
SDDL_CREATOR_OWNER |
Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID. |
| "CY" | SDDL_CRYPTO_OPERATORS | Crypto operators. The corresponding RID is DOMAIN_ALIAS_RID_CRYPTO_OPERATORS. Windows Server 2003:* Not available. |
| "DA" |
SDDL_DOMAIN_ADMINISTRATORS |
Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS. |
| "DC" |
SDDL_DOMAIN_COMPUTERS |
Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS. |
| "DD" |
SDDL_DOMAIN_DOMAIN_CONTROLLERS |
Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS. |
| "DG" |
SDDL_DOMAIN_GUESTS |
Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS. |
| "DU" |
SDDL_DOMAIN_USERS |
Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS. |
| "EA" |
SDDL_ENTERPRISE_ADMINS |
Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS. |
| "ED" |
SDDL_ENTERPRISE_DOMAIN_CONTROLLERS |
Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID. |
| "EK" | SDDL_ENTERPRISE_KEY_ADMINS | Enterprise key admins. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS. Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "ER" | SDDL_EVENT_LOG_READERS | Event log readers. The corresponding RID is DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP. Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "ES" | SDDL_RDS_ENDPOINT_SERVERS | Endpoint servers. The corresponding RID is DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "HA" | SDDL_HYPER_V_ADMINS | Hyper-V administrators. The corresponding RID is DOMAIN_ALIAS_RID_HYPER_V_ADMINS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "HI" |
SDDL_ML_HIGH |
High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID. Windows Server 2003: Not available. |
| "IS" | SDDL_IIS_USERS | Anonymous Internet users. The corresponding RID is DOMAIN_ALIAS_RID_IUSERS. Windows Server 2003: Not available. |
| "IU" |
SDDL_INTERACTIVE |
Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID. |
| "KA" | SDDL_KEY_ADMINS | Domain key admins. The corresponding RID is DOMAIN_GROUP_RID_KEY_ADMINS. Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "LA" |
SDDL_LOCAL_ADMIN |
Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN. |
| "LG" |
SDDL_LOCAL_GUEST |
Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST. |
| "LS" |
SDDL_LOCAL_SERVICE |
Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID. |
| "LU" | SDDL_PERFLOG_USERS | Performance Log users. The corresponding RID is DOMAIN_ALIAS_RID_LOGGING_USERS. |
| "LW" |
SDDL_ML_LOW |
Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID. Windows Server 2003: Not available. |
| "ME" |
SDDL_ML_MEDIUM |
Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID. Windows Server 2003: Not available. |
| "MP" | SDDL_ML_MEDIUM_PLUS | Medium Plus integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_PLUS_RID. Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "MU" |
SDDL_PERFMON_USERS |
Performance Monitor users. The corresponding RID is DOMAIN_ALIAS_RID_MONITORING_USERS. |
| "NO" |
SDDL_NETWORK_CONFIGURATION_OPS |
Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS. |
| "NS" |
SDDL_NETWORK_SERVICE |
Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID. |
| "NU" |
SDDL_NETWORK |
Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID. |
| "OW" | SDDL_OWNER_RIGHTS | Owner Rights SID. The corresponding RID is SECURITY_CREATOR_OWNER_RIGHTS_RID. Windows Server 2003:* Not available. |
| "PA" |
SDDL_GROUP_POLICY_ADMINS |
Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS. |
| "PO" |
SDDL_PRINTER_OPERATORS |
Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS. |
| "PS" |
SDDL_PERSONAL_SELF |
Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID. |
| "PU" |
SDDL_POWER_USERS |
Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS. |
| "RA" | SDDL_RDS_REMOTE_ACCESS_SERVERS | RDS remote access servers. The corresponding RID is DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "RC" |
SDDL_RESTRICTED_CODE |
Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID. |
| "RD" |
SDDL_REMOTE_DESKTOP |
Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS. |
| "RE" |
SDDL_REPLICATOR |
Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR. |
| "RM" | SDDL_RMS__SERVICE_OPERATORS | RMS Service. Available only in Windows Vista. |
| "RO" |
SDDL_ENTERPRISE_RO_DCs |
Enterprise Read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS. Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "RS" |
SDDL_RAS_SERVERS |
RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS. |
| "RU" |
SDDL_ALIAS_PREW2KCOMPACC |
Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS. |
| "SA" |
SDDL_SCHEMA_ADMINISTRATORS |
Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS. |
| "SI" |
SDDL_ML_SYSTEM |
System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID. Windows Server 2003: Not available. |
| "SO" |
SDDL_SERVER_OPERATORS |
Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS. |
| "SS" | SDDL_SERVICE_ASSERTED | Authentication service asserted. The corresponding RID is SECURITY_AUTHENTICATION_SERVICE_ASSERTED_RID. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "SU" |
SDDL_SERVICE |
Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID. |
| "SY" |
SDDL_LOCAL_SYSTEM |
Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID. |
| "UD" | SDDL_USER_MODE_DRIVERS | User-mode driver. The corresponding RID is SECURITY_USERMODEDRIVERHOST_ID_BASE_RID. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "WD" |
SDDL_EVERYONE |
Everyone. The corresponding RID is SECURITY_WORLD_RID. |
| "WR" | SDDL_WRITE_RESTRICTED_CODE | Write Restricted code. The corresponding RID is SECURITY_WRITE_RESTRICTED_CODE_RID. Windows Server 2003:* Not available. |
The ConvertSidToStringSid and ConvertStringSidToSid functions always use the standard SID string notation and do not support SDDL SID string constants.
For more information about well-known SIDs, see Well-known SIDs.