SID is a term related to Windows security. SID refers to security identifier or security ID. Whenever you create a new object or an item like a user or a group, its unique security ID is created. Before understanding the SID fully, we have to know the basics of security Principal, Access control entry(ACE) and Access control List (ACL).
In simple terms, the security principal is an object that needs authentication to access a file or a folder on a system. The most common examples of a security principal are a user, a computer or a process. A user or computer, when added to a network asks for an access to files. Similarly, a process or a service running on a Windows computer might need an access to files on a system.
So a security principal is applied to all the entities that need access to files. Furthermore, any object that is created in Active Directory in windows server will have a security principal applied to it. So basically windows OS assigns some identification name to the object. But what happens if the two or more objects have the same name. Here comes the role of SID.
To understand SID better, take an example of a manufacturing unit that manufactures some equipment or a gadget. So every gadget has its own unique serial number and helps in many attributes associated with it. So in a similar way, SID is a unique number that is applied to any new entity created in a windows system. So now even if the two objects have the same name, windows can easily identify the different objects via its SID.
Examples of SID
Here, in the examples of SID above, you can see the shorter as well as longer security identifier numbers. The other thing to note is that all SIDs start with the letter S. The shorter Security IDs are generated for objects in a local computer while longer SIDs are for entities created in a domain.
To bring more clarity on SID, you can have a look at a real example of SID. So open windows registry by typing regedit in run window
Now Navigate to Hkey-Local-Machine>Software>Microsoft>WindowsNT>Current Version>Profile list
The profile list contains all the users who log in to Windows OS. Here is the image, and you can see that there are five profiles created automatically. And once you click on the Sid number, in the profile image path you can see the name of the user.
How SIDs are beneficial
To explain the usage of the SID, let’s take a case scenario where multiple users work in an organization. Say a user is created in the name of James Ashley and his SID is created say “S-1-5-21-1129136414-3157084160-1998405333-1001“.
Now let’s assume that the James Ashley left the company and his user account is deleted. Now a new person with the same name joins the company. So a new user account with same name Pablo is created.
Now you can see that although the name of the employee is same, the SID is different from the earlier SID created for Pablo.
If another user with the same name is created in a domain, the windows will still assign a different SID to it.
So we see that whether on a local computer or a domain, the users with the same name will have different security IDs altogether.
When a user is created, its SID is assigned to files or folders as per the group policy. Now when you delete a user, the SID is also deleted and so are the permissions linked with that SID.
So the best way to manage the network users is to disable the user rather than deleting it. So when a new employee joins in place of the user who has left, you just need to enable the user and rename it. This way all the permissions and access to files and folders to this user account remains intact.
How SID works
Every document in a file server has an access control list (ACE) associated with it. The ACE has Access control entries which define which user has the access to this file. Normally or by default, you can say that ACE consists of an Administrator and System user accounts added to the ACL. In case you need to add a different or additional entity or a user with permissions you need to add its ACE to the ACL. The access is determined by the SID of a user in the access control entry. The access to the file is allowed only If the SID of a user matches with the SID in the access control List (ACL).