Interpretation of SID values

(@wodarz)
New Member
Joined: 16 years ago
Posts: 1
Topic starter  

If I have files on 2 external drives with the following SID values

S-1-5-21-2052111302-287218729-682003330-1003
S-1-5-21-602162358-1202660629-682003330-1003

What conclusions about the computer or computers that accessed those drives can be made?

I have found information on the parsing of SIDs that indicates that the accessing domain is shown in the 5th, 6th and 7th segments. The account is in the 8th segment. I have not found anything on how the domain segments are determined except that they come out of an entry in the registry.

So the question is: if only some segments of the domain match, what (if anything) does this tell us about the domains, network, machines, etc.?

DW


   
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

As far as I've ever heard, the 5-7 segments are unique to the computer/domain. They do not, however, encode anything about the machine into it, if that is what you are asking. They are a unique number, much like your car's license plate is unique. It doesn't actually encode any information about the car into the license plate number.

One possible tidbit of note is that the relative smallness of the RIDs (1003) makes me suspect these are standalone computers, not domain computers. On my computer, the RIDs are 1624 and 1619 (for a 4 person lab).

I am afraid that you won't really know more until/if you track down the originating computers.


   
(@ludlowboy)
Trusted Member
Joined: 15 years ago
Posts: 71
 

There is quite a bit about SIDs on the Microsoft Support page.

http://support.microsoft.com/kb/243330

Hope this helps.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> If I have files on 2 external drives with the following SID values
>
> S-1-5-21-2052111302-287218729-682003330-1003
> S-1-5-21-602162358-1202660629-682003330-1003
>
> What conclusions about the computer or computers that accessed those drives can be made?

It depends.

When you say, "…I have files on 2 external drives with the following SID values", to what are you referring, specifically?

> I have found information on the parsing of SIDs that indicates that the accessing domain is shown in the 5,6 and 7 segment. The account is in the 8th segment. I have not found anything on how the domain segments are determined except that they come out of an entry in the registry.
>
> So the question is if only some segments of the domain match what (if anything) does this tell us about the domains, network, machines etc?

Generally, different SIDs would show access by different types (local, domain) of user accounts on a domain-connected system. But again, when all you say is, "…I have files…with the following SID values…", to what are you referring? Ownership? Security ACLs? Is this something in the files?


   
Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

> There is quite a bit about SIDs on the Microsoft Support page.
>
> http://support.microsoft.com/kb/243330
>
> Hope this helps.

That is a super-useful link. Bookmarked! :D


   
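Added example, not part of the original thread or any poster's code: a small Python parser that splits the two SIDs from the question into the segments discussed above (segments 5-7 as one identifier, segment 8 as the RID) and compares them. It goes slightly beyond the thread by also handling the binary layout in which SIDs are stored; the names `Sid`, `parse_sid`, `parse_binary_sid` and `compare` are this example's own.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int      # 5 = NT Authority
    subauths: tuple     # 32-bit sub-authorities, in order

    @property
    def issuer(self):
        """Segments 5-7 of S-1-5-21-a-b-c-RID as one tuple, else None."""
        s = self.subauths
        return s[1:4] if self.authority == 5 and len(s) == 5 and s[0] == 21 else None

    @property
    def rid(self):
        return self.subauths[-1] if self.issuer else None

    def to_bytes(self):
        # Binary layout: revision, count, 6-byte big-endian authority,
        # then each sub-authority as a little-endian 32-bit integer.
        head = bytes([self.revision, len(self.subauths)]) + self.authority.to_bytes(6, "big")
        return head + struct.pack(f"<{len(self.subauths)}I", *self.subauths)

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.subauths)])

def parse_sid(text):
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    rev, auth, *subs = (int(p) for p in parts[1:])
    if not all(0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority outside 32-bit range")
    return Sid(rev, auth, tuple(subs))

def parse_binary_sid(raw):
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    return Sid(raw[0], int.from_bytes(raw[2:8], "big"), struct.unpack(f"<{raw[1]}I", raw[8:]))

def compare(a, b):
    # Segment numbers follow the thread's counting, where "S" is segment 1.
    pairs = zip(a.issuer or (), b.issuer or ())
    return {"same_issuer": a.issuer is not None and a.issuer == b.issuer,
            "matching_segments": [i + 5 for i, (x, y) in enumerate(pairs) if x == y],
            "same_rid": a.rid is not None and a.rid == b.rid}

if __name__ == "__main__":
    a = parse_sid("S-1-5-21-2052111302-287218729-682003330-1003")
    b = parse_sid("S-1-5-21-602162358-1202660629-682003330-1003")
    print(compare(a, b))
    print(parse_binary_sid(a.to_bytes()) == a)
```

For the two SIDs in the question it reports that only segment 7 and the RID coincide, so the three-value identifiers differ when compared as a whole; the code draws no conclusion from the partial match.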