{"id":109872,"date":"2024-06-10T07:00:00","date_gmt":"2024-06-10T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=109872"},"modified":"2024-06-10T06:56:57","modified_gmt":"2024-06-10T13:56:57","slug":"20240610-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20240610-00\/?p=109872","title":{"rendered":"How do I get the name of a SID, and what does it mean when the conversion fails?"},"content":{"rendered":"<p>A customer had a file share, and they couldn&#8217;t figure out who has access to some of the files. They pulled the access control list (ACL), extracted the security IDs (SIDs), <a title=\"How do I convert a SID between binary and string forms?\" href=\"https:\/\/devblogs.microsoft.com\/oldnewthing\/20040315-00\/?p=40253\"> converted them from binary to string form<\/a>, and the result was <tt>S-1-5-21-2127521184-1604012920-1887927527-72713<\/tt>. &#8220;Why didn&#8217;t the conversion work?&#8221;<\/p>\n<p>This is a rather confusing question, because the conversion did work. You have the answer: It&#8217;s <tt>S-1-5-21-2127521184-1604012920-1887927527-72713<\/tt>.<\/p>\n<p>After some back-and-forth we learned that what the customer really meant was &#8220;How can we take this SID and convert it to something semantically meaningful to humans, like a person&#8217;s name?&#8221;\u00b9<\/p>\n<p>Programmatically, you can use <code>LsaLookupSids2<\/code> to ask the local system to find a friendly name for a SID. It will consult its local account database, the domain&#8217;s account database, and maybe some other stuff. But sometimes it just shrugs its shoulders and says, &#8220;Sorry, I can&#8217;t come up with a better name for this one.&#8221;<\/p>\n<p>The customer was confused by the possibility of a SID with no known name. How can the security system work if it doesn&#8217;t know who a SID represents?<\/p>\n<p>The security system doesn&#8217;t care <i>who<\/i> a SID represents. 
When somebody tries to access a resource, it looks for matches between that person&#8217;s SIDs and the SIDs in the ACL, and follows the instructions associated with those matches. For example, there may be an access control entry (ACE) that says &#8220;Allow <tt>S-1-5-21-2127521184-1604012920-1887927527-72713<\/tt> to have read-only access.&#8221; The security system doesn&#8217;t know or care who <tt>S-1-5-21-2127521184-1604012920-1887927527-72713<\/tt> is.<\/p>\n<p>By analogy, suppose your IT department locks down your phone by pushing a list of phone numbers from whom it will accept calls. The phone doesn&#8217;t know the names of the callers, but it doesn&#8217;t need to know. It just takes every incoming phone call and sees if the number is on the &#8220;Allow&#8221; list. (This also avoids problems if somebody calls who happens to have the same name as a person on your allow list. Since the phone number doesn&#8217;t match, the call is not let through.) As a courtesy, your phone tries to find a name for the incoming call by looking in the phone&#8217;s contacts or maybe by contacting a service. But that is best effort, and sometimes you just get &#8220;Unknown caller&#8221;. Your phone doesn&#8217;t know who they are, but the phone doesn&#8217;t need to know who they are in order to make a block\/allow decision.<\/p>\n<p>You don&#8217;t know who this 555-1212 number is, but it&#8217;s on your Allow list. And you don&#8217;t know who this <tt>S-1-5-21-2127521184-1604012920-1887927527-72713<\/tt> SID is, but it&#8217;s there on the file&#8217;s Allow list.<\/p>\n<p>The customer said that they were using the Advanced Security Settings property sheet to look up the SIDs. That property sheet already uses <code>LsaLookupSids2<\/code> to look up friendly names for every SID, if known. If something shows up in <tt>S-...<\/tt> format, then it means that the system couldn&#8217;t find a friendly name.<\/p>\n<p>At this point, you need to follow the money backward. 
If you want to know who this 555-1212 number is, you can ask your IT administrator, since they are the ones who added that number to the Allow list. If you want to know who this <tt>S-1-5-21-2127521184-1604012920-1887927527-72713<\/tt> SID is, you can ask the file share owner or the file owner who it is. Presumably whoever put it on the access control list knows who it is. Otherwise, why would they have added it?<\/p>\n<p>\u00b9 It&#8217;s not clear to me how they expected the manual algorithm to produce something semantically meaningful, since the manual algorithm consists of counting things and inserting dashes. Nowhere in the algorithm does a number like &#8220;72713&#8221; turn into a name like &#8220;Chris&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most places will do it for you, or at least try.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25,104],"class_list":["post-109872","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code","tag-tipssupport"],"acf":[],"blog_post_summary":"<p>Most places will do it for you, or at least 
try.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/109872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=109872"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/109872\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=109872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=109872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=109872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
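The post explains that the Advanced Security Settings sheet has already tried to resolve every SID and that an `S-...` entry means the lookup came back empty, not that the binary-to-string conversion failed. The following PowerShell is an added example, not code from the original post: it pulls the ACL of a file as raw SIDs, attempts the same LSA name lookup the property sheet performs (`SecurityIdentifier.Translate` goes through LSA's SID lookup), and reports unresolvable SIDs as unresolved instead of treating them as errors, since the ACE is enforced either way. It also shows the binary-to-string conversion the customer had done by hand, building the post's SID from a constructed 28-byte buffer. The path `C:\share\report.xlsx` and the byte buffer are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows. The file path below is hypothetical.
using namespace System.Security.Principal
using namespace System.Security.AccessControl

function Resolve-SidName {
    param([Parameter(Mandatory)][SecurityIdentifier] $Sid)
    try {
        # Asks LSA (local SAM, the domain, trusted domains) for a friendly name.
        return $Sid.Translate([NTAccount]).Value
    }
    catch [IdentityNotMappedException] {
        # Normal outcome for a deleted account, a SID from an unreachable or
        # foreign domain, etc. The ACE still matches at access-check time;
        # only the human-readable label is missing.
        return $null
    }
}

function Get-AclIdentities {
    param([Parameter(Mandatory)][string] $Path)

    $acl = Get-Acl -LiteralPath $Path
    # Request the rules with SecurityIdentifier as the target type so we see the
    # raw SIDs rather than names pre-translated (and failures hidden) by .NET.
    foreach ($ace in $acl.GetAccessRules($true, $true, [SecurityIdentifier])) {
        $sid    = [SecurityIdentifier] $ace.IdentityReference
        $name   = Resolve-SidName $sid
        $domain = $sid.AccountDomainSid   # $null for non-account SIDs such as S-1-1-0
        $rid    = if ($domain -and $sid.Value -ne $domain.Value) {
                      [uint32] $sid.Value.Split('-')[-1]
                  } else { $null }
        [pscustomobject]@{
            Sid       = $sid.Value
            Name      = if ($name) { $name } else { '<unresolved>' }
            DomainSid = if ($domain) { $domain.Value } else { $null }
            Rid       = $rid
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# Binary -> string conversion of the post's SID from a constructed byte buffer:
# Revision (1), SubAuthorityCount (5), 48-bit big-endian IdentifierAuthority (5 = NT),
# then five little-endian 32-bit sub-authorities. Length = 8 + 4*5 = 28 bytes.
$sidBytes = [byte[]]@(
    1, 5
    0, 0, 0, 0, 0, 5
    21, 0, 0, 0
    [BitConverter]::GetBytes([uint32]2127521184)
    [BitConverter]::GetBytes([uint32]1604012920)
    [BitConverter]::GetBytes([uint32]1887927527)
    [BitConverter]::GetBytes([uint32]72713)
)
$sid = [SecurityIdentifier]::new($sidBytes, 0)
$sid.Value                      # S-1-5-21-2127521184-1604012920-1887927527-72713
$sid.AccountDomainSid.Value     # S-1-5-21-2127521184-1604012920-1887927527
Resolve-SidName $sid            # $null on any machine that cannot reach that domain

# Hypothetical path; run against a real file to list who (or which SID) has access.
Get-AclIdentities -Path 'C:\share\report.xlsx' | Format-Table -AutoSize
```

The `DomainSid` and `Rid` columns are the "follow the money backward" step from the post: the domain portion tells you which domain (or machine) issued the account, and the final sub-authority is the RID that domain assigned. That narrows down whom to ask, but nothing in the SID itself ever turns `72713` into a name; only a directory that still holds that account can do that.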