If I have files on 2 external drives with the following SID values
S-1-5-21-2052111302-287218729-682003330-1003
S-1-5-21-602162358-1202660629-682003330-1003
What conclusions about the computer or computers that accessed those drives can be made?
I have found information on the parsing of SIDs that indicates that the accessing domain is shown in the 5, 6 and 7 segment. The account is in the 8th segment.
I have not found anything on how the domain segments are determined except that they come out of an entry in the registry.
So the question is: if only some segments of the domain match, what (if anything) does this tell us about the domains, network, machines, etc.?
DW
As far as I've ever heard, the 5-7 segments are unique to the computer/domain. They do not, however, encode anything about the machine into it, if that is what you are asking. They are a unique number much like your car's license plate is unique. It doesn't actually encode any information about the car into the license plate number.
One possible tidbit of note is that the relative smallness of the RIDs (1003) makes me suspect these are standalone computers, not domain computers. On my computer, the RIDs are 1624 and 1619 (for a 4 person lab).
I am afraid that you won't really know more until/if you track down the originating computers.
There is quite a bit about SIDs on the Microsoft Support page.
http://support.microsoft.com/kb/243330
Hope this helps.
If I have files on 2 external drives with the following SID values
S-1-5-21-2052111302-287218729-682003330-1003
S-1-5-21-602162358-1202660629-682003330-1003
What conclusions about the computer or computers that accessed those drives can be made?
It depends.
When you say, "…I have files on 2 external drives with the following SID values", to what are you referring, specifically?
I have found information on the parsing of SIDs that indicates that the accessing domain is shown in the 5, 6 and 7 segment. The account is in the 8th segment.
I have not found anything on how the domain segments are determined except that they come out of an entry in the registry.
So the question is: if only some segments of the domain match, what (if anything) does this tell us about the domains, network, machines, etc.?
Generally, different SIDs would show access by different types (local, domain) of user accounts on a domain-connected system. But again, when all you say is, "…I have files…with the following SID values…", to what are you referring? Ownership? Security ACLs? Is this something in the files?
There is quite a bit about SIDs on the Microsoft Support page.
http://support.microsoft.com/kb/243330
Hope this helps.
That is a super-useful link. Bookmarked! D
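The SID layout discussed in this thread, as an added example that is not from any of the posters: a small parser that splits the two SIDs from the question into the machine/domain block (the thread's segments 5-7) and the RID (segment 8), then reports which values are equal. The names `Sid`, `parse_sid` and `compare` are hypothetical, and the code only reports equality; it draws no inference from a partial match.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subs: tuple  # sub-authorities, each an unsigned 32-bit value

    @property
    def issuer(self):
        """Three values (thread's segments 5-7) identifying the machine or domain."""
        if self.authority == 5 and len(self.subs) == 5 and self.subs[0] == 21:
            return self.subs[1:4]
        return None  # well-known or other SID shape: no issuer block

    @property
    def rid(self):
        """Last sub-authority (thread's segment 8): the account within the issuer."""
        return self.subs[-1]

def parse_sid(text):
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    try:
        revision, authority, *subs = (int(p) for p in parts[1:])
    except ValueError:
        raise ValueError(f"non-numeric SID field: {text!r}") from None
    if revision != 1 or not 1 <= len(subs) <= 15:
        raise ValueError(f"unsupported SID layout: {text!r}")
    if any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority out of 32-bit range: {text!r}")
    return Sid(revision, authority, tuple(subs))

def compare(a, b):
    """Report which issuer values and RID two account SIDs share."""
    if a.issuer is None or b.issuer is None:
        raise ValueError("both SIDs must have the S-1-5-21-x-y-z-RID shape")
    per_value = [x == y for x, y in zip(a.issuer, b.issuer)]
    return {"same_issuer": all(per_value), "issuer_values_equal": per_value,
            "same_rid": a.rid == b.rid}

if __name__ == "__main__":
    # The two SIDs quoted in the original question.
    first = parse_sid("S-1-5-21-2052111302-287218729-682003330-1003")
    second = parse_sid("S-1-5-21-602162358-1202660629-682003330-1003")
    print(compare(first, second))
```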