Windows Security Identifiers (SID)
S-1-1- ~ S-1-3-, S-1-5- (SECURITY_NT_AUTHORITY)
PS > Get-CimInstance -ClassName Win32_GroupUser
GroupComponent                                                        PartComponent                                                       PSComputerName
--------------                                                        -------------                                                       --------------
Win32_Group (Name = "Administrators", Domain = "CMON")                Win32_UserAccount (Name = "Administrator", Domain = "CMON")
Win32_Group (Name = "Administrators", Domain = "CMON")                Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
Win32_Group (Name = "Guests", Domain = "CMON")                        Win32_UserAccount (Name = "Guest", Domain = "CMON")
Win32_Group (Name = "IIS_IUSRS", Domain = "CMON")                     Win32_SystemAccount (Name = "IUSR", Domain = "CMON")
Win32_Group (Name = "Performance Log Users", Domain = "CMON")         Win32_SystemAccount (Name = "INTERACTIVE", Domain = "CMON")
Win32_Group (Name = "Performance Log Users", Domain = "CMON")         Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
Win32_Group (Name = "Remote Desktop Users", Domain = "CMON")          Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
Win32_Group (Name = "System Managed Accounts Group", Domain = "CMON") Win32_UserAccount (Name = "DefaultAccount", Domain = "CMON")
Win32_Group (Name = "Users", Domain = "CMON")                         Win32_SystemAccount (Name = "INTERACTIVE", Domain = "CMON")
Win32_Group (Name = "Users", Domain = "CMON")                         Win32_SystemAccount (Name = "Authenticated Users", Domain = "CMON")
Win32_Group (Name = "Users", Domain = "CMON")                         Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
Win32_Group (Name = "Debugger Users", Domain = "CMON")                Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
PS > Get-CimInstance -ClassName Win32_SystemAccount | ft Name, SID
Name                          SID
----                          ---
Everyone                      S-1-1-0
LOCAL                         S-1-2-0
CREATOR OWNER                 S-1-3-0
CREATOR GROUP                 S-1-3-1
CREATOR OWNER SERVER          S-1-3-2
CREATOR GROUP SERVER          S-1-3-3
OWNER RIGHTS                  S-1-3-4
DIALUP                        S-1-5-1
NETWORK                       S-1-5-2
BATCH                         S-1-5-3
INTERACTIVE                   S-1-5-4
SERVICE                       S-1-5-6
ANONYMOUS LOGON               S-1-5-7
PROXY                         S-1-5-8
SYSTEM                        S-1-5-18
ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
SELF                          S-1-5-10
Authenticated Users           S-1-5-11
RESTRICTED                    S-1-5-12
TERMINAL SERVER USER          S-1-5-13
REMOTE INTERACTIVE LOGON      S-1-5-14
IUSR                          S-1-5-17
LOCAL SERVICE                 S-1-5-19
NETWORK SERVICE               S-1-5-20
BUILTIN                       S-1-5-32
PS > Get-CimInstance -ClassName Win32_UserAccount | ft Name, SID
Name               SID
----               ---
Administrator      S-1-5-21-862093196-3552257265-3460289004-500
DefaultAccount     S-1-5-21-862093196-3552257265-3460289004-503
Guest              S-1-5-21-862093196-3552257265-3460289004-501
tomoyan            S-1-5-21-862093196-3552257265-3460289004-1001
WDAGUtilityAccount S-1-5-21-862093196-3552257265-3460289004-504
PS > Get-LocalGroup | ft Name, SID
Name                                SID
----                                ---
Debugger Users                      S-1-5-21-862093196-3552257265-3460289004-1002
Access Control Assistance Operators S-1-5-32-579
Administrators                      S-1-5-32-544
Backup Operators                    S-1-5-32-551
Cryptographic Operators             S-1-5-32-569
Device Owners                       S-1-5-32-583
Distributed COM Users               S-1-5-32-562
Event Log Readers                   S-1-5-32-573
Guests                              S-1-5-32-546
Hyper-V Administrators              S-1-5-32-578
IIS_IUSRS                           S-1-5-32-568
Network Configuration Operators     S-1-5-32-556
Performance Log Users               S-1-5-32-559
Performance Monitor Users           S-1-5-32-558
Power Users                         S-1-5-32-547
Remote Desktop Users                S-1-5-32-555
Remote Management Users             S-1-5-32-580
Replicator                          S-1-5-32-552
System Managed Accounts Group       S-1-5-32-581
Users                               S-1-5-32-545
S-1-15- (Capability SID)
PS > Get-ItemPropertyValue -Path HKLM:\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses -Name AllCachedCapabilities