0

I have been parsing through the logs and found a random SID doing authentications against AD. It is as follows: "s-1-5-21-xxxxx-xxxxx-xxxxx-0". It can't be found in the domain or forest. I want to know if there is anything special about the "-0" at the end?

Darktux

1 Answer

3

It sounds like it's the domain SID. Essentially the SID of the domain itself.

https://msdn.microsoft.com/en-au/library/cc228090.aspx

domain security identifier (domain SID): The SID of the root object of a domain NC. The relative identifier (RID) portion of the domain SID is always zero. Every security principal object in a domain NC has an objectSid attribute equal to the domain SID except for the RID portion.

Taz
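The following is an added example, not part of the answer above: a small Python triage helper that splits a logged SID into its domain identifier and RID, so that entries whose RID is 0 (the domain SID per the quoted definition) can be told apart from real principals. It goes slightly beyond the thread by also decoding the binary form in which AD stores `objectSid`; the function names and the sample domain values are constructed for illustration.

```python
import struct

# Constructed sample domain identifier (not taken from the question).
SAMPLE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"

def parse_sid(sid):
    """Parse 'S-R-A-s1-s2-...' into (revision, authority, [sub-authorities])."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of 32-bit range: %r" % sid)
    return revision, authority, subs

def sid_from_bytes(raw):
    """Decode a binary SID (as stored in objectSid) to its string form."""
    if len(raw) < 8:
        raise ValueError("binary SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def classify(sid, domain_prefix=SAMPLE_DOMAIN):
    """Relate a logged SID to a domain identifier of the form S-1-5-21-a-b-c."""
    _, auth, subs = parse_sid(sid)
    _, d_auth, d_subs = parse_sid(domain_prefix)
    if auth != d_auth or subs[:len(d_subs)] != d_subs:
        return "other domain or well-known SID"
    rest = subs[len(d_subs):]
    if not rest:
        return "domain identifier without RID"
    if rest == [0]:
        return "domain SID (RID 0)"
    if len(rest) == 1:
        return "principal in domain, RID %d" % rest[0]
    return "unexpected extra sub-authorities"

if __name__ == "__main__":
    for entry in (SAMPLE_DOMAIN + "-0", SAMPLE_DOMAIN + "-500", "S-1-5-18"):
        print(entry, "->", classify(entry))
```
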