Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In the security descriptor definition language (SDDL), security descriptor string use SID strings for the following components of a security descriptor:
- Owner
- Primary group
- The trustee in an ACE
A SID string in a security descriptor string can use either the standard string representation of a SID (S-R-I-S-S ) or one of the string constants defined in Sddl.h. For more information about the standard SID string notation, see SID Components.
The following SID string constants for well-known SIDs are defined in Sddl.h. For information about the corresponding relative IDs (RIDs), see Well-known SIDs.
| SDDL SID string | Constant in Sddl.h | Account alias and corresponding RID |
|---|---|---|
| "AA" | SDDL_ACCESS_CONTROL_ASSISTANCE_OPS | Access control assistance operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "AC" | SDDL_ALL_APP_PACKAGES | All applications running in an app package context. The corresponding RID is SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "AN" | SDDL_ANONYMOUS | Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID. |
| "AO" | SDDL_ACCOUNT_OPERATORS | Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS. |
| "AP" | SDDL_PROTECTED_USERS | Protected Users. The corresponding RID is DOMAIN_GROUP_RID_PROTECTED_USERS. Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "AU" | SDDL_AUTHENTICATED_USERS | Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID. |
| "BA" | SDDL_BUILTIN_ADMINISTRATORS | Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS. |
| "BG" | SDDL_BUILTIN_GUESTS | Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS. |
| "BO" | SDDL_BACKUP_OPERATORS | Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS. |
| "BU" | SDDL_BUILTIN_USERS | Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS. |
| "CA" | SDDL_CERT_SERV_ADMINISTRATORS | Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS. |
| "CD" | SDDL_CERTSVC_DCOM_ACCESS | Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP. Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "CG" | SDDL_CREATOR_GROUP | Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID. |
| "CN" | SDDL_CLONEABLE_CONTROLLERS | Cloneable domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "CO" | SDDL_CREATOR_OWNER | Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID. |
| "CY" | SDDL_CRYPTO_OPERATORS | Crypto operators. The corresponding RID is DOMAIN_ALIAS_RID_CRYPTO_OPERATORS. Windows Server 2003:* Not available. |
| "DA" | SDDL_DOMAIN_ADMINISTRATORS | Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS. |
| "DC" | SDDL_DOMAIN_COMPUTERS | Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS. |
| "DD" | SDDL_DOMAIN_DOMAIN_CONTROLLERS | Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS. |
| "DG" | SDDL_DOMAIN_GUESTS | Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS. |
| "DU" | SDDL_DOMAIN_USERS | Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS. |
| "EA" | SDDL_ENTERPRISE_ADMINS | Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS. |
| "ED" | SDDL_ENTERPRISE_DOMAIN_CONTROLLERS | Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID. |
| "EK" | SDDL_ENTERPRISE_KEY_ADMINS | Enterprise key admins. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS. Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "ER" | SDDL_EVENT_LOG_READERS | Event log readers. The corresponding RID is DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP. Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "ES" | SDDL_RDS_ENDPOINT_SERVERS | Endpoint servers. The corresponding RID is DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "HA" | SDDL_HYPER_V_ADMINS | Hyper-V administrators. The corresponding RID is DOMAIN_ALIAS_RID_HYPER_V_ADMINS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "HI" | SDDL_ML_HIGH | High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID. Windows Server 2003: Not available. |
| "HO" | SDDL_USER_MODE_HARDWARE_OPERATORS | Group members may operate hardware from user mode. The corresponding RID is DOMAIN_ALIAS_RID_USER_MODE_HARDWARE_OPERATORS. |
| "IS" | SDDL_IIS_USERS | Anonymous Internet users. The corresponding RID is DOMAIN_ALIAS_RID_IUSERS. Windows Server 2003: Not available. |
| "IU" | SDDL_INTERACTIVE | Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID. |
| "KA" | SDDL_KEY_ADMINS | Domain key admins. The corresponding RID is DOMAIN_GROUP_RID_KEY_ADMINS. Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "LA" | SDDL_LOCAL_ADMIN | Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN. |
| "LG" | SDDL_LOCAL_GUEST | Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST. |
| "LS" | SDDL_LOCAL_SERVICE | Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID. |
| "LU" | SDDL_PERFLOG_USERS | Performance Log users. The corresponding RID is DOMAIN_ALIAS_RID_LOGGING_USERS. |
| "LW" | SDDL_ML_LOW | Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID. Windows Server 2003: Not available. |
| "ME" | SDDL_ML_MEDIUM | Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID. Windows Server 2003: Not available. |
| "MP" | SDDL_ML_MEDIUM_PLUS | Medium Plus integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_PLUS_RID. Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "MU" | SDDL_PERFMON_USERS | Performance Monitor users. The corresponding RID is DOMAIN_ALIAS_RID_MONITORING_USERS. |
| "NO" | SDDL_NETWORK_CONFIGURATION_OPS | Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS. |
| "NS" | SDDL_NETWORK_SERVICE | Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID. |
| "NU" | SDDL_NETWORK | Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID. |
| "OW" | SDDL_OWNER_RIGHTS | Owner Rights SID. The corresponding RID is SECURITY_CREATOR_OWNER_RIGHTS_RID. Windows Server 2003:* Not available. |
| "PA" | SDDL_GROUP_POLICY_ADMINS | Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS. |
| "PO" | SDDL_PRINTER_OPERATORS | Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS |
| "PS" | SDDL_PERSONAL_SELF | Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID. |
| "PU" | SDDL_POWER_USERS | Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS. |
| "RA" | SDDL_RDS_REMOTE_ACCESS_SERVERS | RDS remote access servers. The corresponding RID is DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "RC" | SDDL_RESTRICTED_CODE | Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID. |
| "RD" | SDDL_REMOTE_DESKTOP | Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS. |
| "RE" | SDDL_REPLICATOR | Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR. |
| "RM" | SDDL_RMS__SERVICE_OPERATORS | RMS Service. Available only in Windows Vista. |
| "RO" | SDDL_ENTERPRISE_RO_DCs | Enterprise Read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS. Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "RS" | SDDL_RAS_SERVERS | RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS. |
| "RU" | SDDL_ALIAS_PREW2KCOMPACC | Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS. |
| "SA" | SDDL_SCHEMA_ADMINISTRATORS | Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS. |
| "SH" | SDDL_OPENSSH_USERS | Users allowed to connect with OpenSSH. The corresponding RID is DOMAIN_ALIAS_RID_OPENSSH_USERS. |
| "SI" | SDDL_ML_SYSTEM | System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID. Windows Server 2003: Not available. |
| "SO" | SDDL_SERVER_OPERATORS | Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS. |
| "SS" | SDDL_SERVICE_ASSERTED | Authentication service asserted. The corresponding RID is SECURITY_AUTHENTICATION_SERVICE_ASSERTED_RID. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "SU" | SDDL_SERVICE | Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID. |
| "SY" | SDDL_LOCAL_SYSTEM | Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID. |
| "UD" | SDDL_USER_MODE_DRIVERS | User-mode driver. The corresponding RID is SECURITY_USERMODEDRIVERHOST_ID_BASE_RID. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available. |
| "WD" | SDDL_EVERYONE | Everyone. The corresponding RID is SECURITY_WORLD_RID. |
| "WR" | SDDL_WRITE_RESTRICTED_CODE | Write Restricted code. The corresponding RID is SECURITY_WRITE_RESTRICTED_CODE_RID. Windows Server 2003:* Not available. |
The ConvertSidToStringSid and ConvertStringSidToSid functions always use the standard SID string notation and do not support SDDL SID string constants.
For more information about well-known SIDs, see Well-known SIDs.