A Security Identifier (SID) is a unique, variable-length value that Windows operating systems use to identify a security principal (such as a user or a security group). SIDs that identify generic users or groups are known as well-known SIDs; their values are constant across all Windows versions. This article explains why some SIDs do not resolve to friendly names, and then recommends what can be done to resolve a SID to a friendly name where that is possible.
This information is useful when troubleshooting security issues and when diagnosing display problems in the Windows Access Control List (ACL) editor. Windows tracks a security principal by its SID, not by its name. To display the principal in the ACL editor, Windows must resolve the SID to the name of the associated security principal; when that lookup fails, the raw SID is shown instead.
In some areas of the Windows user interface (as shown in the image above), you may see Windows account Security Identifiers (SIDs) that do not resolve into friendly names. These locations include:
- File Explorer (the Security tab of a file or folder)
- Security audit reports
- The Access Control List (ACL) editor in the Registry Editor
Most of these unresolved SIDs appear because Windows Server 2012 and Windows 8 introduced a new type of SID known as a capability SID. By design, a capability SID cannot be resolved to a friendly name: it does not represent a user or group, so there is no account name for the lookup to return.
The most commonly seen capability SID is:
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
Capability SIDs are issued under the application package identifier authority (15) with the base RID 3, so they begin with S-1-15-3-, as in the example above. Windows 10, version 1809 uses more than 300 capability SIDs.
SID is displayed instead of user name
When troubleshooting a SID that does not resolve to a friendly name, first make sure that it is not a capability SID.
Caution: Do NOT delete capability SIDs from registry or file system permissions. Removing a capability SID from file system or registry permissions can cause a Windows feature or an application to malfunction, because the component that "has" that capability loses its access to the resource. After you delete a capability SID, you cannot use the user interface to add it back, because the ACL editor cannot resolve the SID that you would need to enter.
To see the list of all capability SIDs that Windows has a record of on the local computer, follow these steps:
Press the Windows key + R.
In the Run dialog box, type regedit and press Enter to open the Registry Editor.
Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses
In the right pane, double-click the AllCachedCapabilities entry.
Copy all the data in the Value data box and paste it into a text editor of your choice, where you can search the data.
Note that this value may not include all capability SIDs that are used by third-party applications.
Search the pasted data for the SID that you are troubleshooting.
If you find the SID in the registry data, it is a capability SID. By design, it will not resolve to a friendly name. If you cannot find the SID in the registry data, it is not a known capability SID, and you can continue to troubleshoot it as a normal unresolved SID (for example, a deleted account or a SID from a domain that the computer can no longer contact). Keep in mind that there is a small chance that the SID is a third-party capability SID that is not in the cache; in that case it will also not resolve to a friendly name.
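The following PowerShell function automates the check above. It is an added example and is not part of the original article: it reads the same AllCachedCapabilities value from the registry, applies the S-1-15-3- structural check, and then attempts the normal SID-to-name translation that the ACL editor performs. It assumes Windows 8 / Windows Server 2012 or later with Windows PowerShell 5.1 or PowerShell 7; the function name is this example's own.

```powershell
# Added example, not code from the original article. Assumes Windows 8 / Server 2012 or
# later with Windows PowerShell 5.1 or PowerShell 7; the function name is this example's own.
function Resolve-SidOrCapability {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Sid
    )

    # The constructor throws on malformed input, so a bad SID string fails early
    # instead of being silently reported as "unresolvable".
    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    # Structural check: SIDs under the application package authority (15) with base RID 3
    # are capability SIDs (base RID 2 marks app container SIDs). Neither kind is a user
    # or group, so neither has a friendly name to resolve to.
    $isCapabilityShape = $sidObj.Value -match '^S-1-15-3-'

    # The registry cache described in the article. A REG_MULTI_SZ comes back as string[],
    # so the data is joined before the substring search; the match is case-insensitive.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses'
    $cached  = (Get-ItemProperty -Path $regPath -Name AllCachedCapabilities -ErrorAction SilentlyContinue).AllCachedCapabilities
    $inCache = $false
    if ($null -ne $cached) {
        $inCache = (($cached -join "`n") -match [regex]::Escape($sidObj.Value))
    }

    # Normal resolution path: an LSA lookup via NTAccount translation. An unknown SID
    # raises IdentityNotMappedException; that failure is what the ACL editor displays
    # as a raw SID.
    $friendlyName = $null
    try {
        $friendlyName = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $friendlyName = $null
    }

    $verdict = if ($inCache) {
        'Capability SID (listed in AllCachedCapabilities); will not resolve by design'
    } elseif ($isCapabilityShape) {
        'Capability-shaped SID not in the local cache; possibly a third-party capability'
    } elseif ($friendlyName) {
        'Resolved to a normal security principal'
    } else {
        'Not a known capability SID; troubleshoot as an ordinary unresolved SID'
    }

    [pscustomobject]@{
        Sid               = $sidObj.Value
        CapabilityShaped  = $isCapabilityShape
        InCapabilityCache = $inCache
        FriendlyName      = $friendlyName
        Verdict           = $verdict
    }
}

# Usage: the first SID is the commonly seen capability SID quoted in the article and is
# expected to be flagged as a capability; the second is the well-known SID for Everyone,
# which translates normally.
Resolve-SidOrCapability -Sid 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681'
Resolve-SidOrCapability -Sid 'S-1-1-0'
```

The structural check is deliberately reported separately from the registry lookup: a SID that starts with S-1-15-3- but is absent from AllCachedCapabilities is the third-party case the article warns about, and it should not be treated as a deleted account just because it fails to translate.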
Capability SID
Capability SIDs uniquely and immutably identify capabilities. In this context, a capability is an unforgeable token of authority that grants a Windows component or a Universal Windows app access to a resource such as documents, the camera, or location. An application that "has" a capability is granted access to the resource associated with that capability; an application that does not have the capability is denied access to that resource. Because the token is a SID, it can appear in ACLs on files and registry keys exactly like a user or group SID, which is why it shows up unresolved in the ACL editor.