SIDs of local groups (fwd)
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Tue Apr 7 14:29:10 GMT 1998
<a href="mailto:lkcl at samba.anu.edu.au" > Luke Kenneth Casson Leighton </a>
<a href="http://mailhost.cb1.com/~lkcl"> Samba and Network Development </a>
<a href="http://www.samba.co.uk" > Samba and Network Consultancy </a>
---------- Forwarded message ----------
Date: Mon, 6 Apr 1998 13:53:24 -0700
From: Scott Field <sfield at MICROSOFT.COM>
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: Re: SIDs of local groups
The article quoted is in error. The identifier authority is
SECURITY_NT_AUTHORITY { 0,0,0,0,0,5 }, with the first subauthority being
SECURITY_BUILTIN_DOMAIN_RID 0x20 (32). Consult the winnt.h header file in
the Win32/Platform SDK.
We will have the error in the article corrected.
> ----------
> From: Evgenii Borisovich Rudnyi[SMTP:rudnyi at MCH1.CHEM.MSU.SU]
> Reply To: Evgenii Borisovich Rudnyi
> Sent: Sunday, April 05, 1998 9:44 AM
> To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
> Subject: SIDs of local groups
>
> The Knowledge Base article Q163846 of 12-05-1997 "SID Values For Default
> Windows NT Installations" states that SID values for local groups are as
> follows
>
> BUILTIN\ADMINISTRATORS S-1-2-32-544
> BUILTIN\USERS S-1-2-32-545
> BUILTIN\GUESTS S-1-2-32-546
> BUILTIN\ACCOUNT OPERATORS S-1-2-32-548
> BUILTIN\SERVER OPERATORS S-1-2-32-549
> BUILTIN\PRINT OPERATORS S-1-2-32-550
> BUILTIN\BACKUP OPERATORS S-1-2-32-551
> BUILTIN\REPLICATOR S-1-2-32-552
>
> Interestingly enough, GETSID from the NT Resource Kit confirms this
> from several NT boxes I have tried it on.
>
> However, I could not reproduce this with WIN32 function
> LookupAccountName. The latter shows that SIDs above are erroneous and
> they should look like
>
> BUILTIN\ADMINISTRATORS S-1-5-32-544
> BUILTIN\USERS S-1-5-32-545
> ...
>
> This also can be confirmed by watching binary values in SAM and by
> employing WIN32 functions AllocateAndInitializeSid and LookupAccountSid.
> If SID S-1-5-32-544 is generated then LookupAccountSid tells us that
> it belongs to BUILTIN\ADMINISTRATORS. However, if SID S-1-2-32-544 is
> put in, then the answer is that the account for this SID does not exist.
>
> The question is whether this is an error in the documentation (and in
> GETSID; it looks like its authors did not employ the WIN32 API), or
> there are some sophisticated security implications.
>
> Evgenii Rudnyi
>
> --
> Chemistry Department rudnyi at comp.chem.msu.su
> Moscow State University http://www.chem.msu.su/~rudnyi/welcome.html
> 119899 Moscow +(095)939 5452, fax+(095)932 8846, +(095)939 1205
> Russia
>
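The SID layout behind this correction, as an added example that is not part of the original thread: a Python sketch of the binary SID format (revision, subauthority count, 6-byte big-endian identifier authority, 32-bit little-endian subauthorities) applied to both the corrected value and the one printed in the KB article. The function names are assumptions of this example; the constants and RIDs are the ones quoted in the messages above.

```python
import struct

# Constants named in the reply above (from winnt.h).
SECURITY_NT_AUTHORITY = bytes([0, 0, 0, 0, 0, 5])
SECURITY_BUILTIN_DOMAIN_RID = 0x20  # 32
# RIDs from the list quoted in the thread.
BUILTIN_ALIASES = {544: "ADMINISTRATORS", 545: "USERS", 546: "GUESTS",
                   548: "ACCOUNT OPERATORS", 549: "SERVER OPERATORS",
                   550: "PRINT OPERATORS", 551: "BACKUP OPERATORS",
                   552: "REPLICATOR"}

def pack_sid(authority, subauthorities, revision=1):
    """Binary SID: revision, count, 6-byte authority, LE32 subauthorities."""
    if len(authority) != 6 or len(subauthorities) > 15:
        raise ValueError("bad authority length or subauthority count")
    return (bytes([revision, len(subauthorities)]) + bytes(authority)
            + struct.pack("<%dI" % len(subauthorities), *subauthorities))

def parse_sid(blob):
    """Return (revision, authority as int, tuple of subauthorities)."""
    if len(blob) < 8:
        raise ValueError("truncated SID header")
    revision, count = blob[0], blob[1]
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("length does not match subauthority count")
    authority = int.from_bytes(blob[2:8], "big")  # big-endian, unlike the RIDs
    return revision, authority, struct.unpack("<%dI" % count, blob[8:])

def sid_to_string(blob):
    revision, authority, subs = parse_sid(blob)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def builtin_alias(blob):
    """BUILTIN\\<name> only for NT authority (5) + builtin domain RID (32)."""
    _, authority, subs = parse_sid(blob)
    nt = int.from_bytes(SECURITY_NT_AUTHORITY, "big")
    if authority != nt or len(subs) != 2 or subs[0] != SECURITY_BUILTIN_DOMAIN_RID:
        return None
    name = BUILTIN_ALIASES.get(subs[1])
    return "BUILTIN\\" + name if name else None

# Constructed inputs: the corrected SID and the value printed in Q163846.
correct = pack_sid(SECURITY_NT_AUTHORITY, [SECURITY_BUILTIN_DOMAIN_RID, 544])
from_kb = pack_sid(bytes([0, 0, 0, 0, 0, 2]), [32, 544])

if __name__ == "__main__":
    for blob in (correct, from_kb):
        print(blob.hex(), sid_to_string(blob), builtin_alias(blob))
```

The two encodings differ in a single byte, the last byte of the identifier authority field, so a tool that formats that field incorrectly prints the wrong string even though the SID stored in the SAM is right.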