I'm trying to edit a particular section inside the Local Security Policy snap-in, and I'm wondering if I really need to give all of these groups (I think they're groups) permissions. Based on this information I may remove the same groups from other parts of the snap-in, but these look strange, particularly the number ones and possibly Classic .NET AppPool. I do development in Visual Studio, but I don't do development in ASP.NET, or at least haven't in a number of years. I'm wondering if it's safe to remove them without causing future headaches. It may be that the only way to know for sure is to remove them and then do things that I normally do to see if they work properly, but maybe someone else has already been through this experience. Here's a screenshot of the particular section I'm looking at, but the same user groups will be in other places to remove.
1 Answer
What you are looking at is called an SID (Security Identifier). It is a unique and immutable value used to identify a security principal (includes machines, domain computer accounts, users) and security group in Windows OSs.
Below is the structure of an SID:
Common SID’s
MS Developer Page lists these SIDs as non-unique. From your example, it looks like it's listed under the NT authority; 21 signifies that the remaining subauthorities identify a domain, and the RID signifies that it was not created by default (has an RID > 1000) (@Iszi & src).
Use the PowerShell function to match the number to the {name} of the domain member:
get-sid "{name}$" (src)
To aid you in your search, you could also use the PsGetSid tool from the Windows Sysinternals Suite.
Classic .NET AppPool is a synthesized account related to a mode of the Internet Information Server (IIS) 7.0 system. When an application pool is in Classic mode, IIS 7 and above handles requests in the same way as in IIS 6.0 worker process isolation mode. ASP.NET requests first go through native processing steps in IIS and are then routed to Aspnet_isapi.dll for processing of managed code in the managed runtime. Finally, the request is routed back through IIS to send the response. (z) If you delete this, it will be gone. I would suggest running Task Manager to see if any applications are running under this pool before doing that. Also, ensure that you are not using an older web application built on IIS 6.x and older.
wmic useraccount get name,sid
from a CMD prompt. However, troubleshooting for your case may be different if those SIDs point to domain accounts. – Iszi Oct 15 '13 at 06:57
wmic group get name,sid – Iszi Oct 15 '13 at 07:03
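To go in the other direction from the lookups above (from a raw SID shown in the policy editor back to an account name), here is an added example that is not part of the original answer or comments. The function name `Resolve-SidInfo` is hypothetical, the sample SIDs are constructed, and it assumes PowerShell 5 or later; it also labels `S-1-5-82-...` values, the form IIS uses for application pool identities such as Classic .NET AppPool.

```powershell
# Added example: classify SID strings by structure and try to resolve each to a name.
# Resolve-SidInfo is a hypothetical helper name; the sample SIDs below are constructed.
function Resolve-SidInfo {
    param([Parameter(Mandatory)][string[]]$Sid)

    foreach ($s in $Sid) {
        # Reject strings that are not syntactically valid SIDs.
        try { $obj = [System.Security.Principal.SecurityIdentifier]::new($s) }
        catch {
            [pscustomobject]@{ Sid = $s; Kind = 'not a valid SID'; Name = $null }
            continue
        }

        # Layout: S-<revision>-<identifier authority>-<subauthority>...-<RID>
        $parts = $obj.Value.Split('-')
        $sub   = $parts[3]               # first subauthority
        $rid   = [uint32]$parts[-1]      # last subauthority (relative identifier)

        $kind = if ($parts[2] -ne '5') { 'not under NT Authority (5)' }
        elseif ($sub -eq '21' -and $rid -ge 1000) { 'domain/machine account, not created by default' }
        elseif ($sub -eq '21') { 'domain/machine account, default RID' }
        elseif ($sub -eq '32') { 'BUILTIN alias' }
        elseif ($sub -eq '82') { 'IIS application pool identity' }
        else { 'other NT Authority SID' }

        # Translate fails when the account was deleted or its domain cannot be reached;
        # that is the usual reason a policy entry shows a bare number instead of a name.
        try   { $name = $obj.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }

        [pscustomobject]@{ Sid = $obj.Value; Kind = $kind; Name = $name }
    }
}

# Constructed sample input: a well-known alias, a made-up account SID,
# a made-up app pool SID, and a malformed string.
Resolve-SidInfo -Sid @(
    'S-1-5-32-544',
    'S-1-5-21-1111111111-2222222222-3333333333-1001',
    'S-1-5-82-1000000001-1000000002-1000000003-1000000004-1000000005',
    'S-1-5-not-a-sid'
) | Format-Table -AutoSize -Wrap
```

An entry that stays `<unresolved>` with a `21` subauthority is a candidate for an orphaned account, but confirm the owning domain is reachable from the machine before removing it from a policy.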