Everhart,Glenn

From: Evgenii Borisovich Rudnyi [rudnyi@MCH1.CHEM.MSU.SU]
Sent: Sunday, April 05, 1998 12:44 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: SIDs of local groups

The Knowledge Base article Q163846 of 12-05-1997 "SID Values For Default Windows NT Installations" states that SID values for local groups are as follows:

BUILTIN\ADMINISTRATORS     S-1-2-32-544
BUILTIN\USERS              S-1-2-32-545
BUILTIN\GUESTS             S-1-2-32-546
BUILTIN\ACCOUNT OPERATORS  S-1-2-32-548
BUILTIN\SERVER OPERATORS   S-1-2-32-549
BUILTIN\PRINT OPERATORS    S-1-2-32-550
BUILTIN\BACKUP OPERATORS   S-1-2-32-551
BUILTIN\REPLICATOR         S-1-2-32-552

Interestingly enough, GETSID from the NT Resource Kit confirms this on several NT boxes I have tried it on. However, I could not reproduce this with the WIN32 function LookupAccountName. The latter shows that the SIDs above are erroneous and that they should look like

BUILTIN\ADMINISTRATORS     S-1-5-32-544
BUILTIN\USERS              S-1-5-32-545
...

This can also be confirmed by watching the binary values in the SAM and by employing the WIN32 functions AllocateAndInitializeSid and LookupAccountSid. If SID S-1-5-32-544 is generated, then LookupAccountSid tells us that it belongs to BUILTIN\ADMINISTRATORS. However, if SID S-1-2-32-544 is put in, then the answer is that the account for this SID does not exist.

The question is whether this is an error in the documentation (and in GETSID; it looks like its authors did not employ the WIN32 API), or whether there are some sophisticated security implications.

Evgenii Rudnyi
--
Chemistry Department      rudnyi@comp.chem.msu.su
Moscow State University   http://www.chem.msu.su/~rudnyi/welcome.html
119899 Moscow             +(095)939 5452, fax+(095)932 8846, +(095)939 1205
Russia
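Added example, not part of the original message: a decoder for the binary SID layout (revision byte, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities), which makes it possible to check a value read from the SAM against both string forms quoted above. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Identifier-authority values as defined in winnt.h.
AUTHORITIES = {0: "Null Authority", 1: "World Authority", 2: "Local Authority",
               3: "Creator Authority", 5: "NT Authority"}

def sid_to_string(raw: bytes) -> str:
    """Render a binary SID as S-<revision>-<authority>-<sub-authorities...>."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    # The authority is big-endian; values >= 2**32 are conventionally
    # written in hex and are not handled by this example.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def string_to_sid(text: str) -> bytes:
    """Encode a string SID into the binary layout decoded above."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a string SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def authority_name(raw: bytes) -> str:
    """Name the identifier authority stored in bytes 2..7 of a binary SID."""
    return AUTHORITIES.get(int.from_bytes(raw[2:8], "big"), "unknown")

# Constructed sample: 16 bytes encoding authority 5, sub-authorities 32 and 544.
SAMPLE = bytes.fromhex("01020000000000052000000020020000")

if __name__ == "__main__":
    print(sid_to_string(SAMPLE), "->", authority_name(SAMPLE))
    kb_form = string_to_sid("S-1-2-32-544")   # the form printed in Q163846
    print(kb_form.hex(), "->", authority_name(kb_form))
    # The two encodings differ in exactly one byte: offset 7, the low
    # byte of the identifier authority (0x05 versus 0x02).
    print([i for i in range(16) if SAMPLE[i] != kb_form[i]])
```
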