SID looks like this: S-1-5-21-1683771067-1221355100-624655392-1001. The format follows
this pattern: S-R-IA-SA-SA-RID. Here are the terms and their functions:
S represents a SID identifier. This flags the number as a SID rather than some other kind
of long, obscure number.
R represents the Revision. All SIDs generated by Windows use a revision level of 1.
IA represents the issuing authority. Nearly all SIDs in Windows specify the NT Authority,
ID number 5, as the issuing authority. Exceptions include SIDs that represent well-known
groups and accounts.
SA represents a sub-authority. The SA designates special groups or functions. For example,
21 indicates that the SID was issued by a domain controller or standalone machine. The
long number, 1683771067-1221355100-624655392, is the SA for the issuing domain or machine.
RID is the Relative ID, a unique, sequential number assigned by the issuing SA to
represent a security principal such as a user, computer, or group.
Functions of SIDs
If you're new to Windows system administration, this business of SIDs and RIDs might seem
like geek-level stuff that no one really cares about. Nothing could be further from the
truth. Understanding how SIDs are generated, stored, and manipulated is absolutely vital
to managing a Windows system.
For instance, after you know that the system relies on the SID to uniquely identify a
user, you won't be surprised that you can change a user's name without affecting the
user's access permissions. You can take advantage of this in situations where a new user
joins the company to replace a user who has left. You can simply rename the old user's
account to the new user's name and retain the old account's access permissions and group
memberships.
Knowing how the system uses SIDs also helps you to plan for moving accounts from one
domain to another when you migrate an NT or Windows 2000 domain to a Windows Server 2003
domain. For example, when you copy a user account from one domain to another using the
Active Directory Migration Tool (or a third-party equivalent), the user's SID in the
classic NT domain is retained in a special SID History attribute so that the user can
still access resources in the old domain when logged on to the new domain.