Is a SID with zero subauthorities a valid SID? It depends whom you ask

Here's an interesting table.

Function Is Sub­Authority­Count=0 valid?
IsValidSid Yes
Convert­Sid­To­String­Sid Yes
ConvertString­­Sid­To­Sid No

That last entry creates the unfortunate situation where a SID with no subauthorities can be converted to a string, but cannot be converted back.

If it's any consolation, SIDs with no subauthorities aren't encountered in normal usage, so if you ever accidentally reject one of these, it's not going to inconvenience anyone.

Oh, and the answer to the question at the top: Yes, a SID with zero subauthorities is technically valid. It's a degenerate case that's not very interesting, but it is technically valid.

Comments (6)
  1. anonymouscommenter says:

    Yeah but what does it mean? Everybody?

  2. Dan Bugglin says:…/cc246018.aspx…/243330

    It looks like a lot of the built in SIDs have no subauthority.

  3. Dan Bugglin says:

    Actually on closer inspection, it looks like they DO have a single subauthority, just no relative ID.

  4. anonymouscommenter says:


    I guess it would be the SID for the authority itself (similar to how a domain sid with no rid is the sid for the domain itself).

  5. Henri Hein says:


    Ha, it looks like both "Everyone" and "Nobody" has no sub-authorities.

  6. anonymouscommenter says:

    Well, a sub-authority of Nobody would be … Nobody?

    A sub authority of Everyone would be … Somebody (or, Somebodies).

    So a lack of sub-authorities for those two makes perfect sense ;)

Comments are closed.

Skip to main content