Table 1: Windows 2003, XP SP2, and Win2K Well-Known Security Principals
Well-Known Security Principal (Corresponding SID)
Membership and Meaning
Everyone (S-1-1-0)
Included in the access token for all users, including the Guest account; included in the access token for anonymous users if the Network Access: Let Everyone permissions apply to anonymous users policy setting is enabled
Creator Owner(S-1-3-0)
Placeholder used for permission inheritance between parent and child objects; for child objects, Creator Owner permissions are replaced by permissions for the object's actual owner
Creator Group (S-1-3-1)
Placeholder used for permission inheritance between parent and child objects; for child objects, Creator Group permissions are replaced by permissions for the primary group of the object's actual owner
Dialup(S-1-5-1)
Included in the access token for all users logged on through a dial-up or VPN connection
Network (S-1-5-2)
Included in the access token for all users logged on through a network connection
Batch (S-1-5-3)
Included in the access token for all users logged on through a batch scheduler connection
Interactive (S-1-5-4)
Included in the access token for all users logged on interactively
Service(S-1-5-6)
Included in the access token for all principals logged on as a service
Anonymous(S-1-5-7)
Included in the access token for all users logged on anonymously
Enterprise Domain Controllers (S-1-5-9)
Included in the access token for all DCs in a Windows AD forest
Self (S-1-5-10)
Placeholder for the object itself; can be useful for permission inheritance between parent and child objects
Authenticated Users(S-1-5-11)
Included in the access token for all users authenticated to the OS; included in the access token for the Guest account in XP and Win2K; doesn't include the Guest account in Windows 2003 and XP SP2
Terminal Server User(S-1-5-13)
Included in the access token for all users logged on using Terminal Services 4.0 application compatibility mode