SIDs of local groups (fwd)

Luke Kenneth Casson Leighton (lkcl@switchboard.net)
Mon, 6 Apr 1998 14:06:16 +0100 (BST)

Date:	Mon, 6 Apr 1998 14:06:16 +0100 (BST)
From:	Luke Kenneth Casson Leighton <lkcl@switchboard.net>
To:	Samba Technical List <samba-technical@samba.anu.edu.au>
Subject: SIDs of local groups (fwd)

ah - this just came in on ntbugtraq!

Luke Kenneth Casson Leighton <lkcl@samba.anu.edu.au>
Samba and Network Development   http://mailhost.cb1.com/~lkcl
Samba and Network Consultancy   http://www.samba.co.uk

---------- Forwarded message ----------
Date: Sun, 5 Apr 1998 20:44:23 +0400
From: Evgenii Borisovich Rudnyi <rudnyi@MCH1.CHEM.MSU.SU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: SIDs of local groups

The Knowledge Base article Q163846 of 12-05-1997 "SID Values For Default
Windows NT Installations" states that SID values for local groups are as
follows

BUILTIN\ADMINISTRATORS S-1-2-32-544
BUILTIN\USERS S-1-2-32-545
BUILTIN\GUESTS S-1-2-32-546
BUILTIN\ACCOUNT OPERATORS S-1-2-32-548
BUILTIN\SERVER OPERATORS S-1-2-32-549
BUILTIN\PRINT OPERATORS S-1-2-32-550
BUILTIN\BACKUP OPERATORS S-1-2-32-551
BUILTIN\REPLICATOR S-1-2-32-552

Interestingly enough, GETSID from the NT Resource Kit confirms this on
several NT boxes I have tried it on.

However, I could not reproduce this with the WIN32 function
LookupAccountName. The latter shows that the SIDs above are erroneous and
that they should look like

BUILTIN\ADMINISTRATORS S-1-5-32-544
BUILTIN\USERS S-1-5-32-545
...

This can also be confirmed by watching the binary values in the SAM and by
employing the WIN32 functions AllocateAndInitializeSid and LookupAccountSid.
If SID S-1-5-32-544 is generated then LookupAccountSid tells us that
it belongs to BUILTIN\ADMINISTRATORS. However, if SID S-1-2-32-544 is
put in, then the answer is that the account for this SID does not exist.

The question is whether this is an error in the documentation (and in
GETSID; it looks like its authors did not employ the WIN32 API), or
whether there are some sophisticated security implications.

Evgenii Rudnyi

--
Chemistry Department       rudnyi@comp.chem.msu.su
Moscow State University    http://www.chem.msu.su/~rudnyi/welcome.html
119899 Moscow              +(095)939 5452, fax+(095)932 8846, +(095)939 1205
Russia
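The check the forwarded post describes (build a SID, look at its binary form, ask whether it resolves to a BUILTIN account) as an added, portable example that is not code from either poster or from Samba. It makes no Win32 calls: it parses the "S-R-A-S1-S2" string form, serializes it to the layout that sits in the SAM and in security descriptors (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities), and resolves the page's own list of BUILTIN RIDs only under S-1-5-32, which is why S-1-5-32-544 names BUILTIN\Administrators while S-1-2-32-544 does not exist. The function names, the `sid_t` struct and the `lookup_builtin` table are this example's own; only the RIDs and names come from the post.

```c
/* Added example (not the posters' code): NT SID string <-> binary layout,
 * plus a BUILTIN lookup that answers the way the post reports
 * LookupAccountSid answering. Portable C, no Win32 dependencies. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB 15                 /* SID_MAX_SUB_AUTHORITIES on Windows */

typedef struct {
    uint8_t  revision;                 /* 1 for every SID in current use */
    uint8_t  sub_count;
    uint8_t  authority[6];             /* 48-bit identifier authority, big-endian */
    uint32_t sub[SID_MAX_SUB];         /* sub-authorities; little-endian on the wire */
} sid_t;

static uint64_t sid_authority(const sid_t *sid) {
    uint64_t a = 0;
    for (int i = 0; i < 6; i++) a = (a << 8) | sid->authority[i];
    return a;                          /* 5 = NT authority, 2 = local authority */
}

/* Parse "S-1-5-32-544". Returns 0 on success, -1 on malformed input. */
int sid_parse(const char *s, sid_t *out) {
    char *end;
    const char *p = s;
    memset(out, 0, sizeof *out);
    if (strncmp(p, "S-", 2) != 0) return -1;
    p += 2;
    if (*p < '0' || *p > '9') return -1;
    unsigned long rev = strtoul(p, &end, 10);
    if (*end != '-' || rev > 255) return -1;
    out->revision = (uint8_t)rev;
    p = end + 1;
    if (*p < '0' || *p > '9') return -1;
    unsigned long long auth = strtoull(p, &end, 10);
    if (auth > 0xFFFFFFFFFFFFULL) return -1;          /* must fit in 48 bits */
    for (int i = 0; i < 6; i++) out->authority[i] = (uint8_t)(auth >> (8 * (5 - i)));
    while (*end == '-') {                             /* each remaining "-N" */
        p = end + 1;
        if (*p < '0' || *p > '9' || out->sub_count == SID_MAX_SUB) return -1;
        unsigned long long v = strtoull(p, &end, 10);
        if (v > 0xFFFFFFFFULL) return -1;
        out->sub[out->sub_count++] = (uint32_t)v;
    }
    return *end == '\0' ? 0 : -1;
}

/* Serialize to the binary layout. Returns 8 + 4*count, or 0 if buf is too small. */
size_t sid_to_bytes(const sid_t *sid, uint8_t *buf, size_t cap) {
    size_t need = 8 + 4 * (size_t)sid->sub_count;
    if (cap < need) return 0;
    buf[0] = sid->revision;
    buf[1] = sid->sub_count;
    memcpy(buf + 2, sid->authority, 6);               /* big-endian authority */
    for (int i = 0; i < sid->sub_count; i++)          /* little-endian subs */
        for (int b = 0; b < 4; b++) buf[8 + 4 * i + b] = (uint8_t)(sid->sub[i] >> (8 * b));
    return need;
}

/* Format back to the string form; returns the number of characters written. */
int sid_to_string(const sid_t *sid, char *out, size_t cap) {
    int n = snprintf(out, cap, "S-%u-%llu", sid->revision,
                     (unsigned long long)sid_authority(sid));
    for (int i = 0; i < sid->sub_count && (size_t)n < cap; i++)
        n += snprintf(out + n, cap - (size_t)n, "-%u", (unsigned)sid->sub[i]);
    return n;
}

/* The post's BUILTIN aliases (RID -> name), all living in the domain S-1-5-32. */
static const struct { uint32_t rid; const char *name; } builtin_aliases[] = {
    {544, "BUILTIN\\Administrators"},   {545, "BUILTIN\\Users"},
    {546, "BUILTIN\\Guests"},           {548, "BUILTIN\\Account Operators"},
    {549, "BUILTIN\\Server Operators"}, {550, "BUILTIN\\Print Operators"},
    {551, "BUILTIN\\Backup Operators"}, {552, "BUILTIN\\Replicator"},
};

/* Resolve a SID string to a BUILTIN name, or NULL for "account does not exist"
 * (malformed, authority other than 5, not under sub-authority 32, unknown RID). */
const char *lookup_builtin(const char *s) {
    sid_t sid;
    if (sid_parse(s, &sid) != 0) return NULL;
    if (sid.revision != 1 || sid_authority(&sid) != 5 || sid.sub_count != 2 || sid.sub[0] != 32)
        return NULL;
    for (size_t i = 0; i < sizeof builtin_aliases / sizeof builtin_aliases[0]; i++)
        if (builtin_aliases[i].rid == sid.sub[1]) return builtin_aliases[i].name;
    return NULL;
}

int main(void) {
    const char *probes[] = { "S-1-5-32-544", "S-1-2-32-544", "S-1-5-32-545" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        sid_t sid; uint8_t raw[8 + 4 * SID_MAX_SUB];
        if (sid_parse(probes[i], &sid) != 0) { printf("%s: malformed\n", probes[i]); continue; }
        size_t n = sid_to_bytes(&sid, raw, sizeof raw);
        printf("%-14s", probes[i]);
        for (size_t b = 0; b < n; b++) printf(" %02x", raw[b]);   /* byte 7 is the authority */
        const char *name = lookup_builtin(probes[i]);
        printf("  -> %s\n", name ? name : "(account does not exist)");
    }
    return 0;
}
```

Byte 7 of the serialized form is where the two spellings differ: 0x05 for S-1-5-32-544 and 0x02 for S-1-2-32-544. Any ACL-handling or SAM-parsing code that compares SIDs structurally, Samba's included, must compare the whole identifier authority, not just the trailing RID, or it will accept the documented-but-wrong value.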