SIDs of local groups (fwd)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Apr 7 14:29:10 GMT 1998



Luke Kenneth Casson Leighton <lkcl at samba.anu.edu.au>
Samba and Network Development <http://mailhost.cb1.com/~lkcl>
Samba and Network Consultancy <http://www.samba.co.uk>

---------- Forwarded message ----------
Date: Mon, 6 Apr 1998 13:53:24 -0700
From: Scott Field <sfield at MICROSOFT.COM>
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: Re: SIDs of local groups

The article quoted is in error.  The identifier authority is
SECURITY_NT_AUTHORITY { 0,0,0,0,0,5 }, with the first subauthority being
SECURITY_BUILTIN_DOMAIN_RID 0x20 (32).  Consult the winnt.h header file in
the Win32/Platform SDK.

We will have the error in the article corrected.

> ----------
> From:         Evgenii Borisovich Rudnyi[SMTP:rudnyi at MCH1.CHEM.MSU.SU]
> Reply To:     Evgenii Borisovich Rudnyi
> Sent:         Sunday, April 05, 1998 9:44 AM
> To:   NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
> Subject:      SIDs of local groups
>
> The Knowledge Base article Q163846 of 12-05-1997 "SID Values For Default
> Windows NT Installations" states that SID values for local groups are as
> follows
>
>   BUILTIN\ADMINISTRATORS     S-1-2-32-544
>   BUILTIN\USERS              S-1-2-32-545
>   BUILTIN\GUESTS             S-1-2-32-546
>   BUILTIN\ACCOUNT OPERATORS  S-1-2-32-548
>   BUILTIN\SERVER OPERATORS   S-1-2-32-549
>   BUILTIN\PRINT OPERATORS    S-1-2-32-550
>   BUILTIN\BACKUP OPERATORS   S-1-2-32-551
>   BUILTIN\REPLICATOR         S-1-2-32-552
>
> Interestingly enough, GETSID from the NT Resource Kit confirms this
> on several NT boxes I have tried it on.
>
> However, I could not reproduce this with WIN32 function
> LookupAccountName. The latter shows that SIDs above are erroneous and
> they should look like
>
>   BUILTIN\ADMINISTRATORS     S-1-5-32-544
>   BUILTIN\USERS              S-1-5-32-545
>   ...
>
> This also can be confirmed by watching binary values in SAM and by
> employing WIN32 functions AllocateAndInitializeSid and LookupAccountSid.
> If SID S-1-5-32-544 is generated then LookupAccountSid tells us that
> it belongs to BUILTIN\ADMINISTRATORS. However, if SID S-1-2-32-544 is
> put in, then the answer is that the account for this SID does not exist.
>
> The question is whether this is an error in the documentation (and in
> GETSID; it looks like its authors did not employ the WIN32 API), or
> whether there are some sophisticated security implications.
>
> Evgenii Rudnyi
>
> --
> Chemistry Department       rudnyi at comp.chem.msu.su
> Moscow State University    http://www.chem.msu.su/~rudnyi/welcome.html
> 119899 Moscow              +(095)939 5452, fax+(095)932 8846, +(095)939 1205
> Russia
>
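
The SID layout behind the correction above, as an added example that is not part of the original messages and is not Microsoft or Samba code: portable C that decodes a binary SID into its string form and checks for the built-in domain (identifier authority 5, first subauthority 32). The function names and the two sample byte arrays are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values quoted in the reply above; names shortened for this example. */
static const uint8_t NT_AUTHORITY[6] = {0, 0, 0, 0, 0, 5};
#define BUILTIN_DOMAIN_RID 0x20u

/* Binary SID layout: revision (1 byte), subauthority count (1 byte),
 * identifier authority (6 bytes, big-endian), then that many 32-bit
 * little-endian subauthorities. Returns 1 if the buffer holds a whole SID. */
static int sid_valid(const uint8_t *sid, size_t len)
{
    return len >= 8 && sid[0] == 1 && sid[1] <= 15 && len >= 8 + 4 * (size_t)sid[1];
}

static uint32_t sid_sub(const uint8_t *sid, size_t i)
{
    const uint8_t *p = sid + 8 + 4 * i;
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Format as "S-<rev>-<authority>-<sub>..."; 0 on success, -1 on error. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (!sid_valid(sid, len)) return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = auth << 8 | sid[2 + i];
    size_t used = 0;
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)auth);
    for (size_t i = 0; ; i++) {
        if (n < 0 || (size_t)n >= outlen - used) return -1;  /* output truncated */
        used += (size_t)n;
        if (i == sid[1]) return 0;
        n = snprintf(out + used, outlen - used, "-%lu", (unsigned long)sid_sub(sid, i));
    }
}

/* 1 only for NT authority {0,0,0,0,0,5} with first subauthority 32. */
int sid_is_builtin(const uint8_t *sid, size_t len)
{
    return sid_valid(sid, len) && sid[1] >= 1 &&
           memcmp(sid + 2, NT_AUTHORITY, 6) == 0 && sid_sub(sid, 0) == BUILTIN_DOMAIN_RID;
}

/* Constructed samples: 32-544 under authority 5, and the same
 * subauthorities under authority 2 as printed in the KB article. */
const uint8_t SID_AUTH5[] = {1, 2, 0,0,0,0,0,5, 0x20,0,0,0, 0x20,0x02,0,0};
const uint8_t SID_AUTH2[] = {1, 2, 0,0,0,0,0,2, 0x20,0,0,0, 0x20,0x02,0,0};
```

The two samples differ in a single byte of the authority field, so any tool or ACL check that compares SIDs treats them as unrelated principals.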


