Eyes of the World SID

How to find the Everyone group where you might not think to look.

Bill: I installed Microsoft Exchange 2003 on a Windows 2000 server; Exchange 2000 was already installed on the same server but not in use. We upgraded to Exchange 2003 over the top of Exchange 2000, then migrated mailboxes, etc., over to the new server. Mail works fine, and other groups are visible and work fine. But I cannot, for the life of me, find the "Everyone" group! If I try to create it, it says it already exists. I can't see it in Active Directory either. Any ideas? I searched briefly in my Exchange 2003 Admin guide, but no luck.
—James

James: The "Everyone" group is not so much a group as it is a label, like Deadheads. You don't need ever to have seen Jerry Garcia in concert to belong to the Deadheads. All you need to do is put a Deadhead sticker on the primer covering the trunk of your Pontiac Bonneville and you're in.

The Everyone group belongs to a set of special accounts called Well-Known SIDs. The Everyone group SID is S-1-1-0, also known as the World SID. So, automatically consider yourself a member of that account.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at boswell@101com.com; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

When you log onto a Windows 2000, Windows 2003 or Windows machine, the Local Security Authority Subsystem (LSASS) puts any Well-Known SIDs that apply to your logon situation into your access token. If you make a network connection to a server, then your local access token would contain the Network SID S-1-1-20 along with the Everyone SID and a few other well-known SIDs. If you were to log onto the console of the server instead, you'd get the Interactive SID in your access token and not the Network SID.

You can find the well-known SIDs in Active Directory in a container called WellKnown Security Principals. To see this container, launch Adsiedit.msc or Ldp from the Windows Server 2003 Support Tools and use it to view the top-level containers inside the Configuration naming context. Here's a list of the well-known SIDs and their friendly names:

Friendly Name                    Well-Known SID
Anonymous Logon                  S-1-5-7
Authenticated Users              S-1-5-11
Batch                            S-1-5-3
Creator Group                    S-1-3-0
Creator Owner                    S-1-3-1
Dialup                           S-1-5-1
Digest Authentication            S-1-5-64-21
Enterprise Domain Controllers    S-1-1-9
Everyone                         S-1-1-0
Interactive                      S-1-5-4
Local Service                    S-1-15-19
Network                          S-1-5-2
Network Service                  S-1-1-20
NTLM Authentication              S-1-5-64-10
Other Organization               S-1-5-1000
Proxy                            S-1-5-8
Remote Interactive Logon         S-1-5-14
Restricted                       S-1-5-12
SChannel Authentication          S-1-5-64-14
Self                             S-1-5-10
Service                          S-1-5-6
Terminal Server User             S-1-5-13
This Organization                S-1-5-15
Well-Known-Security-Id-System    S-1-5-18

The Everyone group takes on a new significance in Windows Server 2003 because, for the first time in a Windows operating system, the Everyone group does not get added to the access token of a null session. In other words, if a process makes an anonymous network connection to a Windows 2003 server, the process does not get the Everyone SID. It only gets the Anonymous Logon SID, which has virtually no privileges in the operating system.

Hope this helps.
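The null-session change described in the answer above, as an added example that is not part of the original column: a simplified Python model of which well-known SIDs land in a token and how an ordered DACL check treats them. The SID values come from the table above; the function names, access bits, user SID and sample DACL are constructed for illustration.

```python
# Added illustration: simplified model of token contents and DACL evaluation.
EVERYONE, NETWORK, INTERACTIVE = "S-1-1-0", "S-1-5-2", "S-1-5-4"
ANONYMOUS, AUTH_USERS = "S-1-5-7", "S-1-5-11"
READ, WRITE = 0x1, 0x2  # constructed access bits, not real Windows masks
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID


def build_token(logon, user_sid=USER, legacy_null_session=False):
    """Return the SIDs in a token for the given logon type.
    legacy_null_session=True models pre-2003 null sessions, which also got Everyone."""
    if logon == "anonymous":
        return {ANONYMOUS, EVERYONE} if legacy_null_session else {ANONYMOUS}
    if logon == "network":
        return {user_sid, EVERYONE, AUTH_USERS, NETWORK}
    if logon == "interactive":
        return {user_sid, EVERYONE, AUTH_USERS, INTERACTIVE}
    raise ValueError(f"unknown logon type: {logon!r}")


def access_check(token, dacl, desired):
    """Walk ACEs in order: a matching deny on a still-needed bit fails the
    request; matching allows accumulate until every desired bit is granted."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue  # ACE names a SID this caller does not hold
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


# Constructed DACL for a shared folder, deny ACE first (canonical order).
SHARE_DACL = [
    ("deny", NETWORK, WRITE),
    ("allow", EVERYONE, READ),
    ("allow", AUTH_USERS, READ | WRITE),
]

if __name__ == "__main__":
    for logon, legacy in [("network", False), ("anonymous", False), ("anonymous", True)]:
        token = build_token(logon, legacy_null_session=legacy)
        print(logon, legacy, access_check(token, SHARE_DACL, READ))
```

The same Everyone ACE that admits a null session under the older behaviour grants it nothing once the Everyone SID is left out of the anonymous token.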

Clearing the Air on Antivirus
After last week's column concerning cleaning out Norton Antivirus (NAV) entries from the Registry, a few readers wrote in with the names of Symantec tools that specialize in this work so you can avoid digging around in the Registry yourself. (Sort of a digital drain cleaner, I guess.)

For the personal edition of NAV, Phillip recommends using the RNAV utility. Download it from http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606?Open&src=sg&docid=1999092715593506&nsf=nav.nsf&view=df0a595864594c86852567ac0063608c&dtype=&prod=&ver=&osv=&osv_lvl= .

For the corporate edition of NAV, Gabriele recommends the NoNAV utility, which can be obtained by calling Symantec technical support.


Reader Comments:

Wed, Jan 11, 2006 Anonymous Anonymous

good

Fri, Jan 21, 2005 Anonymous Anonymous

very good article

Mon, Mar 8, 2004 Anonymous Anonymous

Good, could have used even more detail
