Each user's SIDs is unique across all Windows installations.
S-1-0-0 | The null/nobody SID (used when SID is unknown) | Everyone (German: Jeder ) |
S-1-1-0 | World, which is the group that all (except anonymous) users belong to. | |
S-1-2-0 | Local | LOCAL |
S-1-2-1 | Console Logon | CONSOLE LOGON (German: KONSOLENANMELDUNG ) |
S-1-3-0 | Creator owner id | CREATOR OWNER |
S-1-3-1 | Creator group id | CREATOR GROUP |
S-1-3-2 | Creator owner server id | CREATOR OWNER SERVER |
S-1-3-3 | Creator owner group id | CREATOR GROUP SERVER |
S-1-3-4 | Owner rights | OWNER RIGHTS |
S-1-5-1 | Dialup | DIALUP |
S-1-5-2 | The Network group, which represents users who have logged on to a machine from the network. | NETWORK |
S-1-5-3 | Batch | BATCH |
S-1-5-4 | Interactive | NT AUTHORITY\INTERACTIVE (german: NT AUTORITÄT\INTERAKTIV ) |
S-1-5-5-x-y | is a logon SID which identifies logon session. This SID can be queried using whoami.exe /logonid | |
S-1-5-6 | Service (compare with S-1-5-80… ). Having S-1-5-6 in the token makes the process totally invisible for AppLocker, both for auditing and blocking. | SERVICE |
S-1-5-7 | Anonymous logon | ANONYMOUS LOGON |
S-1-5-8 | Proxy | PROXY |
S-1-5-9 | Enterprice DC (EDC), aka domain controller account | ENTERPRISE DOMAIN CONTROLLERS |
S-1-5-10 | self | SELF |
S-1-5-11 | User that is authenticated somewhere | NT AUTHORITY\Authenticated Users (German: NT-AUTORITÄT\Authentifizierte Benutzer ) |
S-1-5-12 | Running rectricted code | NT AUTHORITY\RESTRICTED |
S-1-5-13 | Running on Terminal Server | TERMINAL SERVER USER |
S-1-5-14 | Remote logon | NT AUTHORITY\Authenticated Users (Or REMOTE INTERACTIVE LOGON ?) |
S-1-5-15 | This organization | NT AUTHORITY\This Organization |
S-1-5-17 | IUser | NT AUTHORITY\IUSR |
S-1-5-18 | Local System (the SID for the local system account). | NT AUTHORITY\SYSTEM , sometimes also referred to as SYSTEM or Local System. |
S-1-5-19 | Local Service | NT AUTHORITY\LOCAL SERVICE |
S-1-5-20 | Network Service | NT AUTHORITY\NETWORK SERVICE |
S-1-5-21-… | User accounts (and also domains?) | |
S-1-5-21-do-ma-in-500 | (local?) Administrator | |
S-1-5-21-do-ma-in-501 | A domain's guest accoutn which allows users that don't have a domain account to log in | |
S-1-5-21-do-ma-in-503 | The Default Account (aka Default System Managed Account) | |
S-1-5-21-do-ma-in-504 | | |
S-1-5-32 | The built-in domain, it contains groups that define roles on a local machine. | BUILTIN |
S-1-5-32-544 | | BUILTIN\Administrators |
S-1-5-32-545 | Users | BUILTIN\Users |
S-1-5-32-546 | The Guests group | BUILTIN\Guests |
S-1-5-32-547 | Power Users | |
S-1-5-32-551 | Backup Operators | |
S-1-5-32-552 | Replicator | |
S-1-5-32-555 | Remote Desktop Users | |
S-1-5-32-558 | Performance Monitor Users | |
S-1-5-32-559 | Performance Log Users | |
S-1-5-32-568 | IIS_IUSRS | |
S-1-5-32-569 | Cryptographic Operators | |
S-1-5-32-573 | Event Log Readers | |
S-1-5-32-578 | Hyper-V Administrators | |
S-1-5-32-579 | Access Control Assistance Operators | |
S-1-5-32-581 | System Managed Accounts Group | |
S-1-5-32-583 | Device Owners | |
S-1-5-64-10 | NTLM Authentication | |
S-1-5-80 | all services | |
S-1-5-80-…-…-…-…-… | The SID of a particular service | NT SERVICE\… |
S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 | Trusted installer | NT SERVICE\TrustedInstaller |
S-1-5-94-… | Windows Remoting Virtual Users | |
S-1-5-113 | Local account | |
S-1-5-114 | Local account and member of Adminstrators group | German: NT-AUTORITÄT\Lokales Konto und Mitglied der Gruppse "Administratoren" |
S-1-15-2-1 | All applications running in an app package context. | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES |
S-1-15-3-… | All capability SIDs start with S-1-15-3 . | |
S-1-16-… | … Mandatory Level | See processes: integrity levels |
S-1-18-1 | | Authentication authority asserted identity |