SID Strings

In the security descriptor definition language (SDDL), security descriptor string use SID strings for the following components of a security descriptor:

  • Owner
  • Primary group
  • The trustee in an ACE

A SID string in a security descriptor string can use either the standard string representation of a SID (S-R-I-S-S ) or one of the string constants defined in Sddl.h. For more information about the standard SID string notation, see SID Components.

The following SID string constants for well-known SIDs are defined in Sddl.h. For information about the corresponding relative IDs (RIDs), see Well-known SIDs.

SDDL SID string Constant in Sddl.h Account alias and corresponding RID
"AA" SDDL_ACCESS_CONTROL_ASSISTANCE_OPS Access control assistance operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"AC" SDDL_ALL_APP_PACKAGES All applications running in an app package context. The corresponding RID is SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"AN"
SDDL_ANONYMOUS
Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID.
"AO"
SDDL_ACCOUNT_OPERATORS
Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS.
"AP" SDDL_PROTECTED_USERS Protected Users. The corresponding RID is DOMAIN_GROUP_RID_PROTECTED_USERS. Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"AU"
SDDL_AUTHENTICATED_USERS
Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID.
"BA"
SDDL_BUILTIN_ADMINISTRATORS
Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS.
"BG"
SDDL_BUILTIN_GUESTS
Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS.
"BO"
SDDL_BACKUP_OPERATORS
Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS.
"BU"
SDDL_BUILTIN_USERS
Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS.
"CA"
SDDL_CERT_SERV_ADMINISTRATORS
Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS.
"CD"
SDDL_CERTSVC_DCOM_ACCESS
Users who can connect to certification authorities using Distributed Component Object Model (DCOM). The corresponding RID is DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP. Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"CG"
SDDL_CREATOR_GROUP
Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID.
"CN" SDDL_CLONEABLE_CONTROLLERS Cloneable domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"CO"
SDDL_CREATOR_OWNER
Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID.
"CY" SDDL_CRYPTO_OPERATORS Crypto operators. The corresponding RID is DOMAIN_ALIAS_RID_CRYPTO_OPERATORS. Windows Server 2003:* Not available.
"DA"
SDDL_DOMAIN_ADMINISTRATORS
Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS.
"DC"
SDDL_DOMAIN_COMPUTERS
Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS.
"DD"
SDDL_DOMAIN_DOMAIN_CONTROLLERS
Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS.
"DG"
SDDL_DOMAIN_GUESTS
Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS.
"DU"
SDDL_DOMAIN_USERS
Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS.
"EA"
SDDL_ENTERPRISE_ADMINS
Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS.
"ED"
SDDL_ENTERPRISE_DOMAIN_CONTROLLERS
Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID.
"EK" SDDL_ENTERPRISE_KEY_ADMINS Enterprise key admins. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS. Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"ER" SDDL_EVENT_LOG_READERS Event log readers. The corresponding RID is DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP. Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"ES" SDDL_RDS_ENDPOINT_SERVERS Endpoint servers. The corresponding RID is DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"HA" SDDL_HYPER_V_ADMINS Hyper-V administrators. The corresponding RID is DOMAIN_ALIAS_RID_HYPER_V_ADMINS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"HI"
SDDL_ML_HIGH
High integrity level. The corresponding RID is SECURITY_MANDATORY_HIGH_RID. Windows Server 2003: Not available.
"IS" SDDL_IIS_USERS Anonymous Internet users. The corresponding RID is DOMAIN_ALIAS_RID_IUSERS. Windows Server 2003: Not available.
"IU"
SDDL_INTERACTIVE
Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID.
"KA" SDDL_KEY_ADMINS Domain key admins. The corresponding RID is DOMAIN_GROUP_RID_KEY_ADMINS. Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"LA"
SDDL_LOCAL_ADMIN
Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN.
"LG"
SDDL_LOCAL_GUEST
Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST.
"LS"
SDDL_LOCAL_SERVICE
Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID.
"LU" SDDL_PERFLOG_USERS Performance Log users. The corresponding RID is DOMAIN_ALIAS_RID_LOGGING_USERS.
"LW"
SDDL_ML_LOW
Low integrity level. The corresponding RID is SECURITY_MANDATORY_LOW_RID. Windows Server 2003: Not available.
"ME"
SDDL_ML_MEDIUM
Medium integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_RID. Windows Server 2003: Not available.
"MP" SDDL_ML_MEDIUM_PLUS Medium Plus integrity level. The corresponding RID is SECURITY_MANDATORY_MEDIUM_PLUS_RID. Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"MU"
SDDL_PERFMON_USERS
Performance Monitor users. The corresponding RID is DOMAIN_ALIAS_RID_MONITORING_USERS.
"NO"
SDDL_NETWORK_CONFIGURATION_OPS
Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS.
"NS"
SDDL_NETWORK_SERVICE
Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID.
"NU"
SDDL_NETWORK
Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID.
"OW" SDDL_OWNER_RIGHTS Owner Rights SID. The corresponding RID is SECURITY_CREATOR_OWNER_RIGHTS_RID. Windows Server 2003:* Not available.
"PA"
SDDL_GROUP_POLICY_ADMINS
Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS.
"PO"
SDDL_PRINTER_OPERATORS
Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS.
"PS"
SDDL_PERSONAL_SELF
Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID.
"PU"
SDDL_POWER_USERS
Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS.
"RA" SDDL_RDS_REMOTE_ACCESS_SERVERS RDS remote access servers. The corresponding RID is DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"RC"
SDDL_RESTRICTED_CODE
Restricted code. This is a restricted token created using the CreateRestrictedToken function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID.
"RD"
SDDL_REMOTE_DESKTOP
Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS.
"RE"
SDDL_REPLICATOR
Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR.
"RM" SDDL_RMS__SERVICE_OPERATORS RMS Service. Available only in Windows Vista.
"RO"
SDDL_ENTERPRISE_RO_DCs
Enterprise Read-only domain controllers. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS. Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"RS"
SDDL_RAS_SERVERS
RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS.
"RU"
SDDL_ALIAS_PREW2KCOMPACC
Alias to grant permissions to accounts that use applications compatible with operating systems previous to Windows 2000. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS.
"SA"
SDDL_SCHEMA_ADMINISTRATORS
Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS.
"SI"
SDDL_ML_SYSTEM
System integrity level. The corresponding RID is SECURITY_MANDATORY_SYSTEM_RID. Windows Server 2003: Not available.
"SO"
SDDL_SERVER_OPERATORS
Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS.
"SS" SDDL_SERVICE_ASSERTED Authentication service asserted. The corresponding RID is SECURITY_AUTHENTICATION_SERVICE_ASSERTED_RID. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"SU"
SDDL_SERVICE
Service logon user. This is a group identifier added to the token of a process when it was logged as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID.
"SY"
SDDL_LOCAL_SYSTEM
Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID.
"UD" SDDL_USER_MODE_DRIVERS User-mode driver. The corresponding RID is SECURITY_USERMODEDRIVERHOST_ID_BASE_RID. Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista and Windows Server 2003: Not available.
"WD"
SDDL_EVERYONE
Everyone. The corresponding RID is SECURITY_WORLD_RID.
"WR" SDDL_WRITE_RESTRICTED_CODE Write Restricted code. The corresponding RID is SECURITY_WRITE_RESTRICTED_CODE_RID. Windows Server 2003:* Not available.

The ConvertSidToStringSid and ConvertStringSidToSid functions always use the standard SID string notation and do not support SDDL SID string constants.

For more information about well-known SIDs, see Well-known SIDs.

[MS-DTYP]: Security Descriptor Description Language