Windows Fundamentals · beginner · ~11 min
Explain how Windows identifies accounts (SIDs), the key built-in groups, and local vs domain accounts.
Windows identifies every user/group/computer by a SID (names are labels). Built-in Administrator is RID 500; SYSTEM (S-1-5-18) outranks Administrator locally. Accounts are local (SAM) or domain (AD).
Enumerating Administrators and Domain Admins membership, and local vs domain accounts, is the start of Windows post-exploitation. Escalation targets are SYSTEM (local) and Domain Admin (domain). SIDs persist across renames, so they're what you track.
SID/RID. The real identity; Administrator = RID 500.
SYSTEM (S-1-5-18). The OS account, stronger than Administrator locally.
Local vs domain. SAM database vs Active Directory.
High-value groups. Administrators, Domain Admins.
Windows access control is built on security principals — users, groups, and computers — each identified by a SID.
A Security Identifier (SID) is the real identity, e.g. S-1-5-21-…-1001. Names are just labels; permissions are stored against SIDs. The last part (the RID) distinguishes accounts; the built-in Administrator is always RID 500.
SYSTEM (S-1-5-18) — the OS itself; more powerful than Administrator locally.
Enumerating who's in Administrators and Domain Admins, and which accounts are local vs domain, is step one of Windows post-exploitation. The goal of most escalation is to become SYSTEM locally or Domain Admin in the domain. SIDs (not names) are what you ultimately track, because renamed accounts keep their SID.
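As an added example (not part of this lesson), a small Python audit helper that parses SIDs, classifies the RID-500 Administrator, SYSTEM and Domain Admins regardless of the attached name, and spots a renamed built-in Administrator by keying two account snapshots on SID. The machine SID and account names are constructed; RID 512 (Domain Admins) and S-1-5-32-544 (BUILTIN\Administrators) are well-known values the lesson does not state.

```python
import re
# Assumed tiny well-known table, not a full one: the lesson's SYSTEM SID and RID-500
# Administrator, plus RID 512 (Domain Admins) and S-1-5-32-544 (BUILTIN\Administrators).
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-32-544": "BUILTIN\\Administrators"}
BUILTIN_ADMIN_RID = 500
DOMAIN_ADMINS_RID = 512
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split 'S-1-5-21-A-B-C-500' into authority, RID and the issuing SAM/AD domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).strip("-").split("-")]
    # S-1-5-21-<3 parts>-RID is an account issued by a SAM (local) or AD (domain) database.
    issuer = None
    if authority == 5 and subs[0] == 21 and len(subs) == 5:
        issuer = "S-1-5-" + "-".join(str(s) for s in subs[:-1])
    return {"authority": authority, "rid": subs[-1], "issuer": issuer}

def describe(sid):
    """Classify a SID the way the lesson does, ignoring whatever name is attached to it."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    p = parse_sid(sid)
    if p["issuer"] is None:
        return "other well-known principal"
    if p["rid"] == BUILTIN_ADMIN_RID:
        return "built-in Administrator (RID 500)"
    if p["rid"] == DOMAIN_ADMINS_RID:
        return "Domain Admins (RID 512)"
    return "ordinary account or group"

def renamed_principals(before, after):
    """Diff two name->SID snapshots keyed by SID: a rename changes the label, never the SID."""
    prev = {sid: name for name, sid in before.items()}
    return [(sid, prev[sid], name) for name, sid in after.items()
            if sid in prev and prev[sid] != name]

# Constructed sample snapshots; the machine SID S-1-5-21-111-222-333 is made up.
MACHINE = "S-1-5-21-111-222-333"
SNAPSHOT_BEFORE = {"Administrator": MACHINE + "-500", "alice": MACHINE + "-1001"}
SNAPSHOT_AFTER = {"svc_backup": MACHINE + "-500", "alice": MACHINE + "-1001"}
if __name__ == "__main__":
    for name, sid in SNAPSHOT_AFTER.items():
        print(f"{name:12} {sid:28} {describe(sid)}")
    for sid, old, new in renamed_principals(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"renamed {old} -> {new}, still {sid} = {describe(sid)}")
```

Run against real snapshots (for example the output of Get-LocalUser, which reports SIDs), the rename check surfaces the case the lesson warns about: an account called svc_backup that is still RID 500.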
Windows security principals are tracked by SID, with well-known accounts like RID-500 Administrator and SYSTEM. Knowing local vs domain scope and who holds Administrators/Domain Admins is the foundation of Windows escalation.