According to this article on Access Tokens, a token contains several pieces of information, including:
- The security identifier (SID) for the user’s account
- An owner SID
I would expect the owner SID and user account SID to be the same. In what example scenario would they be different?
Further documentation explains that the Login SID of an access token is sometimes used in a DACL. I’d like to know a security “pattern” where a DACL would be assigned an access or deny of a particular Login SID. At face value, it seems like a far-fetched case. About the only use I could imagine would be to deny one logged-in user from having visibility about what other users are also logged in. Is there more?
The owner SID represents the entity that should be designated as the owner of any objects created under the focal token. One of the key scenarios under which one expects the owner SID to differ from the login SID is when the “System objects: Default owner for objects created by members of the Administrators group” local security policy option is configured so that the Administrators group becomes the owner of objects created by a logged-in administrator.
The only really “typical” cases for using a logon SID in a DACL would be when controlling access to a process or a transient resource running under the current logon session. For details, see http://blogs.msdn.com/b/david_leblanc/archive/2007/07/29/logon-id-sids.aspx.
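As an added example (not code from the question or the answer), a PowerShell snippet that reads the user, owner and logon SIDs from the current token and then puts the logon SID into the DACL of a temporary file, the transient-resource pattern the answer describes. It assumes Windows PowerShell 5.1 or later on .NET 4.5+, where WindowsIdentity exposes the Owner property, and the file path under $env:TEMP is constructed for illustration.

```powershell
# Added example: inspect the current token's user, owner and logon SIDs, then
# scope a temporary file to this logon session via its DACL (constructed demo).
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# User SID and owner SID from the token. They usually match; they differ when the
# "System objects: Default owner for objects created by members of the
# Administrators group" policy makes Administrators the owner for admin logons.
$userSid  = $id.User
$ownerSid = $id.Owner
"User SID : $($userSid.Value)"
"Owner SID: $($ownerSid.Value)"
if ($userSid.Value -ne $ownerSid.Value) {
    "Owner SID differs from user SID (e.g. Administrators default-owner policy)."
}

# The logon SID is the token group with the S-1-5-5-X-Y form (SECURITY_LOGON_IDS_RID);
# it is unique to this logon session and is not present in other sessions' tokens.
$logonSid = $id.Groups | Where-Object { $_.Value -like 'S-1-5-5-*' } | Select-Object -First 1
"Logon SID: $($logonSid.Value)"

# Typical DACL use of a logon SID: a transient resource readable only from this
# session, even by the same account logged on elsewhere. Path is an assumption.
$path = Join-Path $env:TEMP 'logon-scoped-example.txt'
Set-Content -Path $path -Value 'session-scoped data'
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance, drop inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($logonSid, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)                     # only ACE left: Allow for the logon SID
Set-Acl -Path $path -AclObject $acl

# Review the resulting DACL: the IdentityReference of the single ACE is the logon SID.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Remove-Item -Path $path -Force
```

Because the logon SID is never reused after the session ends, an ACE that names it expires with the session, which is why it suits per-logon resources rather than persistent objects.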