LEX Online Manual Content

Editor for Microsoft SID Attributes

This editor is used to show, edit or create Microsoft security identifier (SID) attributes.
Such LDAP attributes are used quite exclusively in Microsoft Active Directory environments.

Editor for Microsoft Security Identifier

In the top area of this dialog, you see the distinguished name and type icon for the object whose attribute your are editing. In the line beneath, the attribute name is shown.

One of the most important LDAP attribute for Active Directory objects that are security principals (=> that can get permissions on other objects) is the attribute objectSid which has the Microsoft security identifier attribute syntax, another important attribute is the tokenGroups attribute, which shows the SIDs from all the groups where an object is member in (directly and nested).

The LDAP attribute syntax for SID attributes is described in the Microsoft Active Directory Technical Specification [MSADTS]. It is used quite exclusively by Microsoft in Active Directory environments.

The value contained in String(SID) attribute represents an Microsoft Security Identifier in binary form. The SID plays an important role when it comes to identify any kind of Microsoft Security Principals like users or groups, for example in access tokens, access control lists and so on.

The structure of a SID value is described in the Microsoft Data Type Reference [MSDTY]. It is a binary value, which consists of

1-Byte Revision: An 8-bit unsigned integer that specifies the revision level of the SID structure. This value MUST be set to 0x01.

1-Byte SubAuthority Count: An 8-bit unsigned integer that specifies the number of elements in the SubAuthority array. The maximum number of elements allowed is 15.

6-Byte IdentifierAuthority: A structure that contains information, which indicates the authority under which the SID was created. It describes the entity that created the SID and manages the account.

Variable-Length SubAuthority: A variable length array of unsigned 32-bit integers that uniquely identifies a principal relative to the IdentifierAuthority. Its length is determined by SubAuthorityCount.

Although SIDs are binary values with a variable length (normal Active Directory SIDs have a length from 12 to 48 byte), they are normally displayed as a string with a specific notation syntax, for example like these:

S-1-5-7 (Wellknown SID for 'Anonymous Logon')
S-1-5-21-1621763826-2590103247-2238570322-1113

This display form is called SDDL (Security Descriptor Definition Language). Every Active Directory Configuration Partition stores information about the wellknown standard SIDs which can be used by the regarding system. The according objects are in the CN=WellKnown Security Principals,CN=Configuration,DC=.... organizational unit.

Editing the SID values

Almost all attributes which are marked as SID in the directory schema are read-only system attributes.

Anyhow, if you want to edit a SID attribute, you can enter directly a SSDL string in the text box.

You could also choose one of the wellknown SIDs which are present in the current Active Directory system. Just use the pull down combo box for this:

Choosing a wellknown SID

The third way to set a SID is to use the Browse button. An LEX dialog which is suited for selecting objects is shown where you can choose your object whose SID is taken for the value in this editor:

Editing the raw SID data

If you opened a SID attribute with this editor dialog, you can also display and edit the SID data in it's binary form if you want: Just press on the Raw label in the bottom left corner of the dialog. The editor is switched to an binary editor then:

Editing the raw SID data

When will the Microsoft SID editor will be used?

The MS SID editor is used whenever LEX has valid schema information and detects the following official attribute syntax:

2.5.5.17

String(SID) {MS}