Stable SIDs for "None"+'"Administrator" ?
Brian Inglis
Brian.Inglis@SystematicSW.ab.ca
Sat Nov 9 18:59:29 GMT 2024
Attached a list of stable and local passwd and group sids that might be of use.
Note the digit groups after -21- and -80- ids are variable.
No idea what some of the numbers are!
--
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry
On 2024-11-09 11:25, Christian Franke via Cygwin wrote:
> Roland Mainz via Cygwin wrote:
>> On Sat, Nov 9, 2024 at 6:00 PM Corinna Vinschen via Cygwin wrote:
>>> On Nov 9 17:31, Roland Mainz via Cygwin wrote:
>>>> Does anyone know a list of SIDs which can be used to get the
>>>> user+group accounts for passwd entry "Administrator" and group entry
>>>> "None" ?
>>>>
>>>> Our problem is that the actual account names vary with the system
>>>> locale, e.g. group entry "None" is "Kein" in "de_DE", "Aucun" in
>>>> fr_FR etc. ...
>>>> ... so far we thought we fixed this by doing a lookup via SID, and
>>>> then remembering the localised name.
>>>>
>>>> But: The SIDs are apparently not stable between Windows versions.
>>>> For example:
>>>> ---- snip ----
>>>> # Windows Server 2022/en
>>>> $ getent group None
>>>> None:S-1-5-21-168624908-967194555-3343779530-513:197121:
>>>> # Windows Server 2019
>>>> $ getent group None
>>>> None:S-1-5-21-3286904461-661230000-4220857270-513:197121
>>>> ---- snip ----
>>> They *are* stable in that they are
>>>
>>> ${Machine-SID}-513
>>>
>>>> And if there is no such list, would $ mkgroup | egrep
>>>> ':S-1-5-21-.+-513:' # be a suitable workaround ?
>>> No.
>>>
>>> ${AD-SID}-513 == "Domain Users"
>>>
>>> I have not the faintest idea what the MS guys were thinking at the time,
>>> calling the group "None". This is basically the equivalent of "Domain
>>> Users" for local accounts on machines not being domain controllers. A
>>> useful name would have been "Local Users" or "Machine Users", but,
>>> well, it is what it is.
>>>
>>> The safe way to check the SID is to fetch the machine SID, attach the RID
>>> 513, and check for equality.
>> How can I get the "machine SID", preferably using /usr/bin/getent,
>> /usr/bin/getconf or /proc ?
>
> If domain info is excluded from mkgroup output, the one and only S-*-513 group
> should contain the machine SID:
>
> $ sid=$(mkgroup -l | sed -n 's/[^:]*:\(S-[-0-9]*\)-513:.*$/\1/p')
>
> $ test $(wc -l <<<"$sid") = 1 || echo 'My assumption was wrong :-)'
-------------- next part --------------
Passwd Sids
System Independent Passwd Sids
SYSTEM:*:18:18:U-NT AUTHORITY/SYSTEM,S-1-5-18:/home/SYSTEM:/bin/bash
LOCAL SERVICE:*:19:19:U-NT AUTHORITY/LOCAL SERVICE,S-1-5-19:/:/sbin/nologin
NETWORK SERVICE:*:20:20:U-NT AUTHORITY/NETWORK SERVICE,S-1-5-20:/:/sbin/nologin
Administrators:*:544:544:U-BUILTIN/Administrators,S-1-5-32-544:/:/sbin/nologin
System Dependent S-1-5-21-...-500 Passwd Sids
Administrator:*:$GROUPS:$GROUPS:U-$HOSTNAME/Administrator,S-1-5-21-????????-????????-????????-500:/home/Administrator:/bin/bash
DefaultAccount:*:$GROUPS:$GROUPS:U-$HOSTNAME/DefaultAccount,S-1-5-21-????????-????????-????????-503:/home/DefaultAccount:/bin/bash
Guest:*:$GROUPS:$GROUPS:U-$HOSTNAME/Guest,S-1-5-21-????????-????????-????????-501:/home/Guest:/bin/bash
WDAGUtilityAccount:*:$GROUPS:$GROUPS:U-$HOSTNAME/WDAGUtilityAccount,S-1-5-21-????????-????????-????????-504:/home/WDAGUtilityAccount:/bin/bash
Other
NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-????????-????????-????????-????????-2271478464:/:/sbin/nologin
Group Sids
System Independent Group Sids
Authenticated Users:S-1-5-11:11:
RESTRICTED:S-1-5-12:12:
SYSTEM:S-1-5-18:18:
Administrators:S-1-5-32-544:544:
Users:S-1-5-32-545:545:
Guests:S-1-5-32-546:546:
Performance Monitor Users:S-1-5-32-558:558:
Performance Log Users:S-1-5-32-559:559:
Distributed COM Users:S-1-5-32-562:562:
IIS_IUSRS:S-1-5-32-568:568:
Event Log Readers:S-1-5-32-573:573:
Hyper-V Administrators:S-1-5-32-578:578:
Remote Management Users:S-1-5-32-580:580:
System Managed Accounts Group:S-1-5-32-581:581:
Device Owners:S-1-5-32-583:583:
ALL APPLICATION PACKAGES:S-1-15-2-1:69409:
ALL RESTRICTED APP PACKAGES:S-1-15-2-2:69410:
System Dependent S-1-5-21-...-500 Group Sids
None:S-1-5-21-????????-????????-????????-513:$GROUPS:
Other
NT SERVICE+TrustedInstaller:S-1-5-80-????????-????????-????????-????????-2271478464:328384:
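Added example, not part of the original message or of Cygwin's own code: the check described in the thread (take the machine SID, append the RID, compare for equality) applied to `mkgroup -l`-style text, so the lookup does not depend on the localized group name. The function names and the sample listing with its digit groups are constructed for illustration.

```shell
#!/bin/sh
# Input format assumed throughout: name:SID:gid: lines as printed by `mkgroup -l`.

# Constructed sample for a German-locale machine; the S-1-5-21 digits are made up.
sample_groups() {
cat <<'EOF'
Administratoren:S-1-5-32-544:544:
Benutzer:S-1-5-32-545:545:
Kein:S-1-5-21-1111111111-2222222222-3333333333-513:197121:
EOF
}

# Read a listing on stdin and print the machine SID, i.e. the prefix of the
# one and only S-1-5-21-x-y-z-513 entry. Returns 1 when there is no such
# entry or more than one distinct prefix (e.g. domain groups were included).
machine_sid() {
    _sids=$(sed -n 's/^[^:]*:\(S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*\)-513:.*$/\1/p' | sort -u)
    [ -n "$_sids" ] || return 1
    [ "$(printf '%s\n' "$_sids" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$_sids"
}

# Read a listing on stdin and print the (localized) name of the entry whose
# SID equals "<machine SID>-<RID>" exactly. $1 = machine SID, $2 = RID.
# Returns 1 when no entry matches.
name_for_rid() {
    awk -F: -v want="$1-$2" '$2 == want { print $1; found = 1 } END { exit !found }'
}

# Demo on the constructed sample.
if m=$(sample_groups | machine_sid); then
    echo "machine SID: $m"
    echo "name for RID 513: $(sample_groups | name_for_rid "$m" 513)"
fi
```

On a real system, pipe `mkgroup -l` into the two functions instead of `sample_groups`.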