{"id":43413,"date":"2014-12-12T07:00:00","date_gmt":"2014-12-12T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2014\/12\/12\/detecting-whether-a-sid-is-well-known-sid\/"},"modified":"2014-12-12T07:00:00","modified_gmt":"2014-12-12T07:00:00","slug":"detecting-whether-a-sid-is-well-known-sid","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20141212-00\/?p=43413","title":{"rendered":"Detecting whether a SID is well-known SID"},"content":{"rendered":"<p>\nYou might think that the <code>Is&shy;Well&shy;Known&shy;Sid<\/code>\nfunction would tell you whether a SID is well-known, but it doesn&#8217;t.\nRather,\nit tells you whether a SID exactly matches the well-known SID\nyou specified.\nFor example, you can ask,\n&#8220;Is this the <i>Authenticated Users<\/i> SID?&#8221;\nor\n&#8220;Is this the <i>Everyone<\/i> SID?&#8221;\nBut you can&#8217;t ask,\n&#8220;Is this any type of well-known SID?&#8221;\n<\/p>\n<p>\nI guess you could enumerate through all the well-known SIDs,\nand check if your SID matches any of them,\nbut that&#8217;s getting kind of ugly.\n<\/p>\n<p>\nIf what you&#8217;re interested in is\nwhether this is a machine-relative SID\n(or a domain-relative SID, which is the special case where the machine\nis the domain controller),\nas opposed to a universal SID,\nyou can check whether the SID format is S-1-5-<b>21<\/b>-#-#-#-#.\nAll machine-relative SIDs have that form.\n<\/p>\n<pre>\n#define SECURITY_NT_NON_UNIQUE          (0x00000015L) \/\/ decimal 21\n#define SECURITY_NT_NON_UNIQUE_SUB_AUTH_COUNT  (3L)\n<\/pre>\n<p>\nIf you want to exclude\n<code>machine\\Administrator<\/code> and\nother predefined machine-relative SIDs,\nyou can verify that the last number\n(the RID) is greater than or equal to 1000.\n<\/p>\n<pre>\n#define SECURITY_OTHER_ORGANIZATION_RID (0x000003E8L)\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>You might think that the Is&shy;Well&shy;Known&shy;Sid function would tell you whether a SID is well-known, but it doesn&#8217;t. Rather, it tells you whether a SID exactly matches the well-known SID you specified. For example, you can ask, &#8220;Is this the Authenticated Users SID?&#8221; or &#8220;Is this the Everyone SID?&#8221; But you can&#8217;t ask, &#8220;Is this [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-43413","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>You might think that the Is&shy;Well&shy;Known&shy;Sid function would tell you whether a SID is well-known, but it doesn&#8217;t. Rather, it tells you whether a SID exactly matches the well-known SID you specified. For example, you can ask, &#8220;Is this the Authenticated Users SID?&#8221; or &#8220;Is this the Everyone SID?&#8221; But you can&#8217;t ask, &#8220;Is this [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/43413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=43413"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/43413\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=43413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=43413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=43413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}