Question

I am working with a Windows Active Directory environment. The SID is the combination of Domain ID and RID.

I found that there can be a maximum of 2^32 RIDs for a domain. However, the Domain ID can be even more than 32 bits. Also, it seems that the domain ID is unique only within the forest. I wonder why Microsoft allotted so many bits for the Domain ID. Is there any other significance to the Domain Identifier part?

To be precise, I have only 3 domains in my forest. Why does the server assign the following ID to the user object?

objectSid: S-1-5-21-2999047449-515994586-265227950-1125

In case this ID is Universally Unique then who assigns this Domain ID?


Solution

A SID is not a GUID. It is not intended to be a huge unique identifier with trillions of unique values; it is an arbitrary-length STRING containing various information, which includes the domain ID and the relative ID.

For example, S-1-5-7 is the SID for Anonymous users, S-1-5-32-545 is the SID for the local Users group and S-1-5-32-544 is the SID for the local Administrators group. These SIDs are common to all installations and therefore known as well-known SIDs. See: http://support.microsoft.com/kb/243330

As for who assigned your domain ID, it is randomly generated when the domain is created. It is only unique insofar as a new domain will not use an ID already in use within the Forest, but there could be hundreds of domains out there with the same ID.
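An added example, not part of the original answer and not Microsoft's own code, that takes the SID from the question apart the way the answer describes: revision, identifier authority, the S-1-5-21-A-B-C domain portion and the trailing RID. It also converts between the textual form and the binary layout in which objectSid is actually stored (revision byte, subauthority-count byte, 48-bit big-endian identifier authority, then 32-bit little-endian subauthorities), and checks the result against the three well-known SIDs quoted above. The WELL_KNOWN table, the Sid class and describe() are this example's own names; the table is deliberately limited to the three SIDs the answer mentions.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Only the three well-known SIDs quoted in the answer (KB 243330); the real
# list is much longer.
WELL_KNOWN = {
    "S-1-5-7": "NT AUTHORITY\\ANONYMOUS LOGON",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

NT_AUTHORITY = 5        # identifier authority used by Windows / Active Directory
DOMAIN_MARKER = 21      # first subauthority of every domain (or local SAM) SID
MAX_SUBAUTHORITIES = 15


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the textual S-R-A-S1-...-Sn form, e.g. S-1-5-32-544."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision = int(parts[1])
        authority = int(parts[2], 0)   # decimal, or 0x... when the authority >= 2**32
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > MAX_SUBAUTHORITIES or any(not 0 <= s < 2**32 for s in subs):
            raise ValueError("bad subauthority list")
        return cls(revision, authority, subs)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Parse the binary form that the objectSid attribute holds."""
        if len(data) < 8:
            raise ValueError("SID blob too short")
        revision, count = data[0], data[1]
        if count > MAX_SUBAUTHORITIES or len(data) != 8 + 4 * count:
            raise ValueError("SID blob length does not match subauthority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from(f"<{count}I", data, 8)
        return cls(revision, authority, tuple(subs))

    def to_bytes(self) -> bytes:
        """Serialize to the binary form: 1 + 1 + 6 bytes of header, then 4 bytes per subauthority."""
        n = len(self.subauthorities)
        return (bytes([self.revision, n])
                + self.authority.to_bytes(6, "big")
                + struct.pack(f"<{n}I", *self.subauthorities))

    def __str__(self) -> str:
        auth = (str(self.authority) if self.authority < 2**32
                else f"0x{self.authority:012X}")
        return "-".join(["S", str(self.revision), auth, *map(str, self.subauthorities)])

    @property
    def is_domain_relative(self) -> bool:
        """S-1-5-21-A-B-C-RID: a principal issued by a domain (or a local SAM database)."""
        return (self.authority == NT_AUTHORITY
                and len(self.subauthorities) == 5
                and self.subauthorities[0] == DOMAIN_MARKER)

    @property
    def domain_sid(self) -> Optional["Sid"]:
        """The S-1-5-21-A-B-C part shared by every principal in the same domain."""
        if not self.is_domain_relative:
            return None
        return Sid(self.revision, self.authority, self.subauthorities[:4])

    @property
    def rid(self) -> Optional[int]:
        """The relative identifier: the last subauthority, 32 bits wide."""
        return self.subauthorities[-1] if self.is_domain_relative else None


def describe(sid_text: str) -> dict:
    """Split a SID into the pieces discussed in the answer and report their widths."""
    sid = Sid.parse(sid_text)
    domain = sid.domain_sid
    return {
        "sid": str(sid),
        "well_known": WELL_KNOWN.get(str(sid)),
        "domain_sid": str(domain) if domain else None,
        # the domain identifier is three 32-bit subauthorities; the RID is one more
        "domain_id_bits": 96 if domain else None,
        "rid": sid.rid,
        "binary_length": len(sid.to_bytes()),
    }


if __name__ == "__main__":
    for text in ["S-1-5-21-2999047449-515994586-265227950-1125", "S-1-5-32-544", "S-1-5-7"]:
        print(describe(text))
```

Running describe() on the SID from the question shows why the domain portion is so wide: the domain identifier is the three 32-bit subauthorities after the 21 (96 bits), while the RID is a single 32-bit value, and the whole SID serializes to 28 bytes. A well-known SID such as S-1-5-32-544 has no domain portion at all, which is what makes it identical on every installation.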

OTHER TIPS

SID (Security Identifier): the SID is the primary key for any object in an Active Directory. SIDs are unique to a domain. In Active Directory, users refer to accounts by using the account name, but the operating system internally refers to accounts by their security identifiers (SIDs).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow