6,849
社区成员
发帖
与我相关
我的任务
分享请问:哪位知道在注册表里HEKY_USERS中的类似S-1-5-21-8429....的一常串编号和什么有关?
这个是在什么时候产生的,是和你的电脑硬件有关还是只是和你的用户名,计算机名有关。
还是压根就是随机产生的。
还是压根就是随机产生的。
...全文
请发表友善的回复…
发表回复
Alan_lz 2005-01-28
- 打赏
- 举报
是挺详细,不过我的问题还是没有解决。
but,anyway,thank you all。
but,anyway,thank you all。
jimmyge 2005-01-27
- 打赏
- 举报
很詳細了!^_^
scz123 2005-01-26
- 打赏
- 举报
这串号码是表示SID(Using Security Identifier)
计算机里所有用户的SID的前面一串都是固定的,如S-1-5-21,不同用户/计算机接下来的都是不同的
可以参考:
http://search.microsoft.com/search/results.aspx?st=b&na=80&qu=sid&View=zh-cn
http://msdn.microsoft.com/library/en-us/secauthz/security/sid_components.asp
计算机里所有用户的SID的前面一串都是固定的,如S-1-5-21,不同用户/计算机接下来的都是不同的
可以参考:
http://search.microsoft.com/search/results.aspx?st=b&na=80&qu=sid&View=zh-cn
http://msdn.microsoft.com/library/en-us/secauthz/security/sid_components.asp
funsuzhou 2005-01-26
- 打赏
- 举报
续上面:
SID: S-1-5-domain-514
Name: Domain Guests
Description: A global group that, by default, has only one member, the domain's built-in Guest account.
SID: S-1-5-domain-515
Name: Domain Computers
Description: A global group that includes all clients and servers that have joined the domain.
SID: S-1-5-domain-516
Name: Domain Controllers
Description: A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.
SID: S-1-5-domain-517
Name: Cert Publishers
Description: A global group that includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
SID: S-1-5-root domain-518
Name: Schema Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
SID: S-1-5-root domain-519
Name: Enterprise Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
SID: S-1-5-domain-520
Name: Group Policy Creator Owners
Description: A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
SID: S-1-5-domain-533
Name: RAS and IAS Servers
Description: A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in Active Directory.
SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
SID: S-1-5-32-546
Name: Guests
Description: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
SID: S-1-5-32-547
Name: Power Users
Description: A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.
SID: S-1-5-32-548
Name: Account Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
SID: S-1-5-32-549
Name: Server Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
SID: S-1-5-32-550
Name: Print Operators
Description: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
SID: S-1-5-32-551
Name: Backup Operators
Description: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
SID: S-1-5-32-552
Name: Replicators
Description: A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.
SID: S-1-5-domain-514
Name: Domain Guests
Description: A global group that, by default, has only one member, the domain's built-in Guest account.
SID: S-1-5-domain-515
Name: Domain Computers
Description: A global group that includes all clients and servers that have joined the domain.
SID: S-1-5-domain-516
Name: Domain Controllers
Description: A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.
SID: S-1-5-domain-517
Name: Cert Publishers
Description: A global group that includes all computers that are running an enterprise certificate authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
SID: S-1-5-root domain-518
Name: Schema Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
SID: S-1-5-root domain-519
Name: Enterprise Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
SID: S-1-5-domain-520
Name: Group Policy Creator Owners
Description: A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
SID: S-1-5-domain-533
Name: RAS and IAS Servers
Description: A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in Active Directory.
SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
SID: S-1-5-32-546
Name: Guests
Description: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
SID: S-1-5-32-547
Name: Power Users
Description: A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.
SID: S-1-5-32-548
Name: Account Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units (OUs) of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
SID: S-1-5-32-549
Name: Server Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
SID: S-1-5-32-550
Name: Print Operators
Description: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
SID: S-1-5-32-551
Name: Backup Operators
Description: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
SID: S-1-5-32-552
Name: Replicators
Description: A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.
funsuzhou 2005-01-26
- 打赏
- 举报
【ZT】Windows2000通用SID列表
SID: S-1-0
Name: Null Authority
Description: An identifier authority.
SID: S-1-0-0
Name: Nobody
Description: No security principal.
SID: S-1-1
Name: World Authority
Description: An identifier authority.
SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.
SID: S-1-2
Name: Local Authority
Description: An identifier authority.
SID: S-1-3
Name: Creator Authority
Description: An identifier authority.
SID: S-1-3-0
Name: Creator Owner
Description: A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.
SID: S-1-3-1
Name: Creator Group
Description: A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem.
SID: S-1-3-2
Name: Creator Owner Server
Description: This SID is not used in Windows 2000.
SID: S-1-3-3
Name: Creator Group Server
Description: This SID is not used in Windows 2000.
SID: S-1-4
Name: Non-unique Authority
Description: An identifier authority.
SID: S-1-5
Name: NT Authority
Description: An identifier authority.
SID: S-1-5-1
Name: Dialup
Description: A group that includes all users that have logged on through a dial-up connection. Membership is controlled by the operating system.
SID: S-1-5-2
Name: Network
Description: A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.
SID: S-1-5-3
Name: Batch
Description: A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.
SID: S-1-5-4
Name: Interactive
Description: A group that includes all users that have logged on interactively. Membership is controlled by the operating system.
SID: S-1-5-5-X-Y
Name: Logon Session
Description: A logon session. The X and Y values for these SIDs are different for each session.
SID: S-1-5-6
Name: Service
Description: A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
SID: S-1-5-7
Name: Anonymous
Description: A group that includes all users that have logged on anonymously. Membership is controlled by the operating system.
SID: S-1-5-8
Name: Proxy
Description: This SID is not used in Windows 2000.
SID: S-1-5-9
Name: Enterprise Controllers
Description: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.
SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.
SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
SID: S-1-5-12
Name: Restricted Code
Description: This SID is reserved for future use.
SID: S-1-5-13
Name: Terminal Server Users
Description: A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.
SID: S-1-5-domain-500
Name: Administrator
Description: A user account for the system administrator. It is the only user account that is given full control over the system by default.
SID: S-1-5-domain-501
Name: Guest
Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
SID: S-1-5-domain-502
Name: KRBTGT
Description: A service account that is used by the Key Distribution Center (KDC) service.
SID: S-1-5-domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
SID: S-1-5-domain-513
Name: Domain Users
Description: A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
SID: S-1-0
Name: Null Authority
Description: An identifier authority.
SID: S-1-0-0
Name: Nobody
Description: No security principal.
SID: S-1-1
Name: World Authority
Description: An identifier authority.
SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.
SID: S-1-2
Name: Local Authority
Description: An identifier authority.
SID: S-1-3
Name: Creator Authority
Description: An identifier authority.
SID: S-1-3-0
Name: Creator Owner
Description: A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.
SID: S-1-3-1
Name: Creator Group
Description: A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem.
SID: S-1-3-2
Name: Creator Owner Server
Description: This SID is not used in Windows 2000.
SID: S-1-3-3
Name: Creator Group Server
Description: This SID is not used in Windows 2000.
SID: S-1-4
Name: Non-unique Authority
Description: An identifier authority.
SID: S-1-5
Name: NT Authority
Description: An identifier authority.
SID: S-1-5-1
Name: Dialup
Description: A group that includes all users that have logged on through a dial-up connection. Membership is controlled by the operating system.
SID: S-1-5-2
Name: Network
Description: A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.
SID: S-1-5-3
Name: Batch
Description: A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.
SID: S-1-5-4
Name: Interactive
Description: A group that includes all users that have logged on interactively. Membership is controlled by the operating system.
SID: S-1-5-5-X-Y
Name: Logon Session
Description: A logon session. The X and Y values for these SIDs are different for each session.
SID: S-1-5-6
Name: Service
Description: A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
SID: S-1-5-7
Name: Anonymous
Description: A group that includes all users that have logged on anonymously. Membership is controlled by the operating system.
SID: S-1-5-8
Name: Proxy
Description: This SID is not used in Windows 2000.
SID: S-1-5-9
Name: Enterprise Controllers
Description: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.
SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.
SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
SID: S-1-5-12
Name: Restricted Code
Description: This SID is reserved for future use.
SID: S-1-5-13
Name: Terminal Server Users
Description: A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.
SID: S-1-5-domain-500
Name: Administrator
Description: A user account for the system administrator. It is the only user account that is given full control over the system by default.
SID: S-1-5-domain-501
Name: Guest
Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
SID: S-1-5-domain-502
Name: KRBTGT
Description: A service account that is used by the Key Distribution Center (KDC) service.
SID: S-1-5-domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
SID: S-1-5-domain-513
Name: Domain Users
Description: A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
funsuzhou 2005-01-26
- 打赏
- 举报
【ZT】SID详解
前言
SID也就是安全标识符(Security Identifiers),是标识用户、组和计算机帐户的唯一的号码。在第一次创建该帐户时,将给网络上的每一个帐户发布一个唯一的 SID。Windows 2000 中的内部进程将引用帐户的 SID 而不是帐户的用户或组名。如果创建帐户,再删除帐户,然后使用相同的用户名创建另一个帐户,则新帐户将不具有授权给前一个帐户的权力或权限,原因是该帐户具有不同的 SID 号。安全标识符也被称为安全 ID 或 SID。
SID的作用
用户通过验证后,登陆进程会给用户一个访问令牌,该令牌相当于用户访问系统资源的票证,当用户试图访问系统资源时,将访问令牌提供给 Windows NT,然后 Windows NT 检查用户试图访问对象上的访问控制列表。如果用户被允许访问该对象,Windows NT将会分配给用户适当的访问权限。
访问令牌是用户在通过验证的时候有登陆进程所提供的,所以改变用户的权限需要注销后重新登陆,重新获取访问令牌。
SID号码的组成
如果存在两个同样SID的用户,这两个帐户将被鉴别为同一个帐户,原理上如果帐户无限制增加的时候,会产生同样的SID,在通常的情况下SID是唯一的,他由计算机名、当前时间、当前用户态线程的CPU耗费时间的总和三个参数决定以保证它的唯一性。
一个完整的SID包括:
• 用户和组的安全描述
• 48-bit的ID authority
• 修订版本
• 可变的验证值Variable sub-authority values
例:S-1-5-21-310440588-250036847-580389505-500
我们来先分析这个重要的SID。第一项S表示该字符串是SID;第二项是SID的版本号,对于2000来说,这个就是1;然后是标志符的颁发机构(identifier authority),对于2000内的帐户,颁发机构就是NT,值是5。然后表示一系列的子颁发机构,前面几项是标志域的,最后一个标志着域内的帐户和组。
SID的获得
开始-运行-regedt32-HKEY_LOCAL_MACHINESAMSAMDomainsBuiltinAliasesMembers,找到本地的域的代码,展开后,得到的就是本地帐号的所有SID列表。
其中很多值都是固定的,比如第一个000001F4(16进制),换算成十进制是500,说明是系统建立的内置管理员帐号administrator,000001F5换算成10进制是501,也就是GUEST帐号了,详细的参照后面的列表。
这一项默认是system可以完全控制,这也就是为什么要获得这个需要一个System的Cmd的Shell的原因了,当然如果权限足够的话你可以把你要添加的帐号添加进去。
或者使用Support Tools的Reg工具:
reg query "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProfileList
还有一种方法可以获得SID和用户名称的对应关系:
1. Regedt32:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion ProfileList
2. 这个时候可以在左侧的窗口看到SID的值,可以在右侧的窗口中ProfileImagePath看到不同的SID关联的用户名,
比如%SystemDrive%Documents and SettingsAdministrator.momo这个对应的就是本地机器的管理员SID
%SystemDrive%Documents and SettingsAdministrator.domain这个就是对应域的管理员的帐户
另外微软的ResourceKit里面也提供了工具getsid,sysinternals的工具包里面也有Psgetsid,其实感觉原理都是读取注册表的值罢了,就是省了一些事情。
SID重复问题的产生
安装NT/2000系统的时候,产生了一个唯一的SID,但是当你使用类似Ghost的软件克隆机器的时候,就会产生不同的机器使用一个SID的问题。产生了很严重的安全问题。
同样,如果是重复的SID对于对等网来说也会产生很多安全方面的问题。在对等网中帐号的基础是SID加上一个相关的标识符(RID),如果所有的工作站都拥有一样的SID,每个工作站上产生的第一个帐号都是一样的,这样就对用户本身的文件夹和文件的安全产生了隐患。
这个时候某个人在自己的NTFS分区建立了共享,并且设置了自己可以访问,但是实际上另外一台机器的SID号码和这个一样的用户此时也是可以访问这个共享的。
下面是SID末尾RID值的列表,括号内为16进制:
Built-In Users
DOMAINNAMEADMINISTRATOR
S-1-5-21-917267712-1342860078-1792151419-500 (=0x1F4)
DOMAINNAMEGUEST
S-1-5-21-917267712-1342860078-1792151419-501 (=0x1F5)
Built-In Global Groups
DOMAINNAMEDOMAIN ADMINS
S-1-5-21-917267712-1342860078-1792151419-512 (=0x200)
DOMAINNAMEDOMAIN USERS
S-1-5-21-917267712-1342860078-1792151419-513 (=0x201)
DOMAINNAMEDOMAIN GUESTS
S-1-5-21-917267712-1342860078-1792151419-514 (=0x202)
Built-In Local Groups
BUILTINADMINISTRATORS S-1-5-32-544 (=0x220)
BUILTINUSERS S-1-5-32-545 (=0x221)
BUILTINGUESTS S-1-5-32-546 (=0x222)
BUILTINACCOUNT OPERATORS S-1-5-32-548 (=0x224)
BUILTINSERVER OPERATORS S-1-5-32-549 (=0x225)
BUILTINPRINT OPERATORS S-1-5-32-550 (=0x226)
BUILTINBACKUP OPERATORS S-1-5-32-551 (=0x227)
BUILTINREPLICATOR S-1-5-32-552 (=0x228)
Special Groups
CREATOR OWNER S-1-3-0
EVERYONE S-1-1-0
NT AUTHORITYNETWORK S-1-5-2
NT AUTHORITYINTERACTIVE S-1-5-4
NT AUTHORITYSYSTEM S-1-5-18
NT AUTHORITYauthenticated users S-1-5-11 *.(over)
前言
SID也就是安全标识符(Security Identifiers),是标识用户、组和计算机帐户的唯一的号码。在第一次创建该帐户时,将给网络上的每一个帐户发布一个唯一的 SID。Windows 2000 中的内部进程将引用帐户的 SID 而不是帐户的用户或组名。如果创建帐户,再删除帐户,然后使用相同的用户名创建另一个帐户,则新帐户将不具有授权给前一个帐户的权力或权限,原因是该帐户具有不同的 SID 号。安全标识符也被称为安全 ID 或 SID。
SID的作用
用户通过验证后,登陆进程会给用户一个访问令牌,该令牌相当于用户访问系统资源的票证,当用户试图访问系统资源时,将访问令牌提供给 Windows NT,然后 Windows NT 检查用户试图访问对象上的访问控制列表。如果用户被允许访问该对象,Windows NT将会分配给用户适当的访问权限。
访问令牌是用户在通过验证的时候有登陆进程所提供的,所以改变用户的权限需要注销后重新登陆,重新获取访问令牌。
SID号码的组成
如果存在两个同样SID的用户,这两个帐户将被鉴别为同一个帐户,原理上如果帐户无限制增加的时候,会产生同样的SID,在通常的情况下SID是唯一的,他由计算机名、当前时间、当前用户态线程的CPU耗费时间的总和三个参数决定以保证它的唯一性。
一个完整的SID包括:
• 用户和组的安全描述
• 48-bit的ID authority
• 修订版本
• 可变的验证值Variable sub-authority values
例:S-1-5-21-310440588-250036847-580389505-500
我们来先分析这个重要的SID。第一项S表示该字符串是SID;第二项是SID的版本号,对于2000来说,这个就是1;然后是标志符的颁发机构(identifier authority),对于2000内的帐户,颁发机构就是NT,值是5。然后表示一系列的子颁发机构,前面几项是标志域的,最后一个标志着域内的帐户和组。
SID的获得
开始-运行-regedt32-HKEY_LOCAL_MACHINESAMSAMDomainsBuiltinAliasesMembers,找到本地的域的代码,展开后,得到的就是本地帐号的所有SID列表。
其中很多值都是固定的,比如第一个000001F4(16进制),换算成十进制是500,说明是系统建立的内置管理员帐号administrator,000001F5换算成10进制是501,也就是GUEST帐号了,详细的参照后面的列表。
这一项默认是system可以完全控制,这也就是为什么要获得这个需要一个System的Cmd的Shell的原因了,当然如果权限足够的话你可以把你要添加的帐号添加进去。
或者使用Support Tools的Reg工具:
reg query "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProfileList
还有一种方法可以获得SID和用户名称的对应关系:
1. Regedt32:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion ProfileList
2. 这个时候可以在左侧的窗口看到SID的值,可以在右侧的窗口中ProfileImagePath看到不同的SID关联的用户名,
比如%SystemDrive%Documents and SettingsAdministrator.momo这个对应的就是本地机器的管理员SID
%SystemDrive%Documents and SettingsAdministrator.domain这个就是对应域的管理员的帐户
另外微软的ResourceKit里面也提供了工具getsid,sysinternals的工具包里面也有Psgetsid,其实感觉原理都是读取注册表的值罢了,就是省了一些事情。
SID重复问题的产生
安装NT/2000系统的时候,产生了一个唯一的SID,但是当你使用类似Ghost的软件克隆机器的时候,就会产生不同的机器使用一个SID的问题。产生了很严重的安全问题。
同样,如果是重复的SID对于对等网来说也会产生很多安全方面的问题。在对等网中帐号的基础是SID加上一个相关的标识符(RID),如果所有的工作站都拥有一样的SID,每个工作站上产生的第一个帐号都是一样的,这样就对用户本身的文件夹和文件的安全产生了隐患。
这个时候某个人在自己的NTFS分区建立了共享,并且设置了自己可以访问,但是实际上另外一台机器的SID号码和这个一样的用户此时也是可以访问这个共享的。
下面是SID末尾RID值的列表,括号内为16进制:
Built-In Users
DOMAINNAMEADMINISTRATOR
S-1-5-21-917267712-1342860078-1792151419-500 (=0x1F4)
DOMAINNAMEGUEST
S-1-5-21-917267712-1342860078-1792151419-501 (=0x1F5)
Built-In Global Groups
DOMAINNAMEDOMAIN ADMINS
S-1-5-21-917267712-1342860078-1792151419-512 (=0x200)
DOMAINNAMEDOMAIN USERS
S-1-5-21-917267712-1342860078-1792151419-513 (=0x201)
DOMAINNAMEDOMAIN GUESTS
S-1-5-21-917267712-1342860078-1792151419-514 (=0x202)
Built-In Local Groups
BUILTINADMINISTRATORS S-1-5-32-544 (=0x220)
BUILTINUSERS S-1-5-32-545 (=0x221)
BUILTINGUESTS S-1-5-32-546 (=0x222)
BUILTINACCOUNT OPERATORS S-1-5-32-548 (=0x224)
BUILTINSERVER OPERATORS S-1-5-32-549 (=0x225)
BUILTINPRINT OPERATORS S-1-5-32-550 (=0x226)
BUILTINBACKUP OPERATORS S-1-5-32-551 (=0x227)
BUILTINREPLICATOR S-1-5-32-552 (=0x228)
Special Groups
CREATOR OWNER S-1-3-0
EVERYONE S-1-1-0
NT AUTHORITYNETWORK S-1-5-2
NT AUTHORITYINTERACTIVE S-1-5-4
NT AUTHORITYSYSTEM S-1-5-18
NT AUTHORITYauthenticated users S-1-5-11 *.(over)
liuyong82 2005-01-26
- 打赏
- 举报
是的,但是管理员有权限take ownership
Alan_lz 2005-01-26
- 打赏
- 举报
不错不错,有了解了些新知识。
不过还是有个疑惑。
问题产生于:我是使用了NTFS权限使我的移动硬盘的某些分区在其他人的电脑里没有权限访问,具体是把Owner改为了我自己,而不是管理员。但我担心如果我的系统某天突然崩溃,即便我重新再装系统,仍然使用相同的用户名和计算机名,是不是我自己都没有办法再访问移动硬盘了???
所以再次问::重装系统后即便使用完全一致的用户/计算机 SID标记也无法恢复?
不过还是有个疑惑。
问题产生于:我是使用了NTFS权限使我的移动硬盘的某些分区在其他人的电脑里没有权限访问,具体是把Owner改为了我自己,而不是管理员。但我担心如果我的系统某天突然崩溃,即便我重新再装系统,仍然使用相同的用户名和计算机名,是不是我自己都没有办法再访问移动硬盘了???
所以再次问::重装系统后即便使用完全一致的用户/计算机 SID标记也无法恢复?
