Eyes of the World SID

How to find the Everyone group where you might not think to look.

Bill: I installed Microsoft Exchange 2003 on a Windows 2000 server; Exchange 2000 was already installed on the same server but not in use. We upgraded to Exchange 2003 over the top of Exchange 2000, then migrated mail boxes, etc., over to the new server. Mail works fine, and other groups are visible and work fine. But, I can not, for the life of me, find the "Everyone" group! If I try to create it, it says it already exists. I can't see it in Active Directory either. Any ideas? I searched briefly in my Exchange 2003 Admin guide, but no luck.

James: The "Everyone" group is not so much a group as it is a label, like Deadheads. You don't need ever to have seen Jerry Garcia in concert to belong to the Deadheads. All you need to do is put a Deadhead sticker on the primer covering the trunk of your Pontiac Bonneville and you're in.

The Everyone group belongs to set of special accounts called Well-Known SIDs. The Everyone group SID is S-1-1-0, also known as the World SID. So, automatically consider yourself a member of that account.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

When you log onto a Windows 2000, Windows 2003 or Windows machine, the Local Security Authority Subsystem (LSASS) puts any Well-Known SIDs that apply to your logon situation into your access token. If you make a network connection to a server, then your local access token would contain the Network SID S-1-1-20 along with the Everyone SID and a few other well-known SIDs. If you were to log onto the console of the server instead, you'd get the Interactive SID in your access token and not the Network SID.

You can find the well-known SIDs in Active Directory in a container called WellKnown Security Principals. To see this container, launch Adsiedit.msc or Ldp from the Windows Server 2003 Support Tools and use it to view the top-level containers inside the Configuration naming context. Here's a list of the well-known SIDs and their friendly names:

Friendly Name Well-Known SID
Anonymous Logon S-1-5-7
Authenticated Users S-1-5-11
Batch S-1-5-3
Creator Group S-1-3-0
Creator Owner S-1-3-1
Dialup S-1-5-1
Digest Authentication S-1-5-64-21
Domain Controllers
Everyone S-1-1-0
Interactive S-1-5-4
Local Service S-1-15-19
Network S-1-5-2
Network Service S-1-1-20
NTLM Authentication S-1-5-64-10
Other Organization S-1-5-1000
Proxy S-1-5-8
Interactive Logon
Restricted S-1-5-12
SChannel Authentication S-1-5-64-14
Self S-1-5-10
Service S-1-5-6
Terminal Server User S-1-5-13
This Organization S-1-5-15

The Everyone group takes on a new significance in Windows Server 2003 because, for the first time in a Windows operating system, the Everyone group does not get added to the access token of a null session. In other words, if a process makes an anonymous network connection to a Windows 2003 server, the process does not get the Everyone SID. It only gets the Anonymous Logon SID, which has virtually no privileges in the operating system.

Hope this helps.

Clearing the Air on Antivirus
After last week's column concerning cleaning out Norton Antivirus (NAV) entries from the Registry, a few readers wrote in with the names of Symantec tools that specialize in this work so you can avoid digging around in the Registry yourself. (Sort of a digital drain cleaner, I guess.)

For the personal edition of NAV, Phillip recommends using the RNAV utility. Download it from http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606?

For the corporate edition of NAV, Gabriele recommends the NoNAV utility, which can be obtained by calling Symantec technical support.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.


  • Microsoft Starting To Roll Out New Excel Connected Data Types

    Microsoft on Thursday announced some Excel and Power BI enhancements that add "connected data types" on top of the standard strings and numbers options.

  • Windows 10 Users Getting New Process for Finding Optional Driver Updates

    Accessing Windows 10 drivers classified as "optional updates" will be more of a manual seek-and-install type of experience, starting on Nov. 5, 2020, Microsoft explained in a Wednesday announcement.

  • Microsoft Changes Privacy Platform Name to SmartNoise

    Microsoft Research has changed the name of its "differential privacy" platform from "WhiteNoise" to "SmartNoise," according to a Wednesday announcement.

  • Why Restarting a Failed SCVMM Job Might Be a Bad Idea

    Occasionally, restarting a failed System Center Virtual Machine Manager job can leave your virtualization infrastructure in an unknown state. Here's how to avoid that.

comments powered by Disqus