Table 2: Well-Known Security Principal Groups Introduced in Windows 2003

| Well-Known Security Principal (Corresponding SID) | Membership and Meaning |
|---|---|
| Restricted Code (S-1-5-12) | Added to the user's access token when using RunAs with the "Run this program with restricted access" option in Windows 2003 or the "Protect my computer and data from unauthorized program activity" option in XP |
| Remote Interactive Logon (S-1-5-14) | Added to the user's access token when the user is logged on using Terminal Services or RDP; lets you assign permissions to users logged on via Terminal Services or RDP |
| This Organization (S-1-5-15) | Used for forest trust and external trust selective authentication; selective authentication lets administrators distinguish users from the trusted forest/domain and users from the trusting forest/domain when dealing with access control settings; added to the access tokens in the trusting forest/domain of users who are defined in the trusting forest/domain (see Other Organization) |
| Local Service (S-1-5-19) | Least-privilege service account for services that need access only to local data, not to other computers on the network |
| Network Service (S-1-5-20) | Least-privilege service account for services that need access to other computers on the network |
| NTLM Authentication (S-1-5-64-10) | Lets you set special permissions for down-level clients authenticating by the less-secure NTLM protocol; added to the user's access token when the user logs on to a DC using NTLM; can be used in a deny access control entry (ACE) to restrict access to resources |
| SChannel Authentication (S-1-5-64-14) | Lets you set special permissions for clients authenticating via a secure channel (e.g., HTTP Secure (HTTPS) authentication to a Microsoft IIS server, LDAP authentication to a Windows DC) |
| Digest Authentication (S-1-5-64-21) | Authentication package that enables HTTP digest authentication on an IIS server; lets you specify who can log on using digest authentication |
| Other Organization (S-1-5-1000) | Used for forest trust and external trust selective authentication; lets you distinguish users from the trusted forest/domain and users from the trusting forest/domain when dealing with access control settings; added to the access tokens in the trusting forest/domain of users who are defined in the trusted forest/domain (see This Organization) |