Is it possible to specify the SID when creating a new local group account?
I’ve successfully created a new group using the NetLocalGroupAdd function by specifying information level 1 (LOCALGROUP_INFO_1), but this creates the group with a different SID each time. This behaviour I expected.
What I would like to do is to specify the SID when creating the group account. It isn’t possible to use NetLocalGroupAdd with level 3. So I moved to look at NetGroupAdd. But this function creates a global group rather than a local one.
Is there a way to do this, either during the creation of the group or by updating the SID with the desired one after the group has been created?
You can’t do that. Any SID generated on your particular machine is issued by that machine’s local security authority. (Okay, or the domain security authority if you’re talking about a domain controller.) That means it will always have the form S-1-5-21<the machine LSA SID>-<random local identifier of the user/group>. This is because the structure of a SID is hierarchical. For instance, all SIDs under NT AUTHORITY have the prefix S-1-5, because that is NT AUTHORITY’s SID. (e.g. NT AUTHORITY\SYSTEM is S-1-5-18.) Your machine’s LSA isn’t allowed to issue a SID that doesn’t belong under its authority, which is going to be the S-1-5-21<random number generated when Windows is installed> SID.
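Worked example, added here and not part of the question or answer above: a small parser for the textual SID form the answer describes (S-1-<authority>-<sub-authorities>...) that splits a SID into the hierarchy the answer explains, so you can see that two local groups created by the same LSA share the whole S-1-5-21-X-Y-Z prefix and differ only in the final relative identifier. The `Sid` class, `can_local_lsa_issue` and all sample SID values are constructed for this example, not real machine identifiers.

```python
import re
from dataclasses import dataclass

# S-<revision>-<identifier authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)?$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int          # identifier authority; 5 is NT AUTHORITY
    sub_authorities: tuple  # e.g. (21, X, Y, Z, RID) for a machine-local account

    @classmethod
    def parse(cls, text: str) -> "Sid":
        m = _SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID string: {text!r}")
        subs = tuple(int(s) for s in m.group(3).split("-")[1:]) if m.group(3) else ()
        return cls(int(m.group(1)), int(m.group(2)), subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.sub_authorities)])

    def is_under(self, parent: "Sid") -> bool:
        """Hierarchy check: the parent's components are a prefix of ours (S-1-5-18 is under S-1-5)."""
        return (self.revision, self.authority) == (parent.revision, parent.authority) and \
            self.sub_authorities[:len(parent.sub_authorities)] == parent.sub_authorities

    @property
    def account_domain_sid(self):
        """The S-1-5-21-X-Y-Z prefix identifying the issuing machine/domain LSA, or None for well-known SIDs."""
        if self.authority == 5 and self.sub_authorities[:1] == (21,) and len(self.sub_authorities) >= 4:
            return Sid(self.revision, self.authority, self.sub_authorities[:4])
        return None

    @property
    def rid(self) -> int:
        """Relative identifier: the only component the LSA picks per account."""
        return self.sub_authorities[-1]

    def same_issuer_as(self, other: "Sid") -> bool:
        a, b = self.account_domain_sid, other.account_domain_sid
        return a is not None and a == b


def can_local_lsa_issue(requested: Sid, machine: Sid) -> bool:
    """The answer's rule: an LSA only issues SIDs one level directly below its own S-1-5-21-X-Y-Z."""
    return requested.account_domain_sid == machine and len(requested.sub_authorities) == 5


# Constructed sample values: two groups from one machine, one group from another machine.
GROUP_A = Sid.parse("S-1-5-21-1004336348-1177238915-682003330-1005")
GROUP_B = Sid.parse("S-1-5-21-1004336348-1177238915-682003330-1006")
FOREIGN = Sid.parse("S-1-5-21-3623811015-3361044348-30300820-1005")
NT_AUTHORITY, SYSTEM = Sid.parse("S-1-5"), Sid.parse("S-1-5-18")
```

Running `can_local_lsa_issue(FOREIGN, GROUP_A.account_domain_sid)` returns False: the requested SID sits under another machine's authority, which is exactly why NetLocalGroupAdd offers no way to hand it one.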