The more I thought about it, the more I became convinced that machine SID duplication – having multiple computers with the same machine SID – doesn’t pose any problem, security or otherwise.

I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue.

You can use the Sysinternals PsGetSid tool to view a machine’s SID by running it with no command-line arguments:

Here, the revision number is 1, the authority is 5, and there are four subauthority values.

Instead of generating new random SIDs for these accounts, Windows ensures their uniqueness by simply appending a per-account unique number, called a relative identifier (RID), to the machine SID. The RIDs for these initial accounts are predefined, so the Administrator user always has a RID of 500:

After installation, Windows assigns new local user and group accounts RIDs starting at 1000. You can use PsGetSid to view the name of the account for a specified SID, and here you can see that the local SID that has a RID of 1000 is for the Abby account, the name of the administrator account Windows prompted me to name during setup:

In addition to these dynamically created SIDs, Windows defines a number of accounts that always have predefined SIDs, not just RIDs. One example is the Everyone group, which has the SID S-1-1-0 on every Windows system:

Another example is the Local System account (System), which is the account in which several system processes like Session Manager (Smss.exe), the Service Control Manager (Services.exe) and Winlogon (Winlogon.exe) run:

When an account logs on to a Windows system, the Local Security Authority Subsystem (LSASS, Lsass.exe) creates a logon session and a token for the session. A token is a data structure the Windows kernel defines to represent the account; it contains the account’s SID, the SIDs of the groups the account belonged to at the time it authenticated, and the security privileges assigned to the account and those groups.

Here you can see my interactive logon session, displayed with the Sysinternals LogonSessions utility:

And here you can see a token Lsass has created for the session in Process Explorer’s handle view:

When the last token that references a logon session is deleted, LSASS deletes the logon session and the user is considered logged off. A similar check happens for remote logon sessions, which are the kind created by a “net use” of a remote computer’s share. To successfully connect to a share you must authenticate to the remote system with an account known to that system.
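The SID anatomy the post walks through (revision, authority, subauthority values, machine SID plus RID, and well-known SIDs such as S-1-1-0) as an added Python example; this is not code from the original post or from Sysinternals. The machine SID value is constructed, and S-1-5-18 for Local System is a documented constant the page itself does not show.

```python
import re
from typing import NamedTuple, Optional, Tuple

MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed sample, not a real machine's value
# Well-known SIDs are identical on every system. S-1-1-0 is from the text;
# S-1-5-18 (Local System) is a documented constant the page does not show.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-18": "Local System"}
ADMIN_RID = 500        # the built-in Administrator always has this RID
FIRST_USER_RID = 1000  # accounts created after setup get RIDs from here up

class Sid(NamedTuple):
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def text(self) -> str:
        return "S-" + "-".join(map(str, (self.revision, self.authority) + self.subauthorities))

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(text: str) -> Sid:
    """Split S-<revision>-<authority>-<sub>-...-<sub> into its numeric fields."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    return Sid(int(m.group(1)), int(m.group(2)), tuple(int(x) for x in m.group(3).split("-")[1:]))

def split_machine_sid(sid: Sid) -> Tuple[Optional[Sid], Optional[int]]:
    """(machine SID, RID) for S-1-5-21-a-b-c[-RID]; RID is None for a bare machine SID, both None otherwise."""
    subs = sid.subauthorities
    if sid.authority != 5 or subs[:1] != (21,) or len(subs) not in (4, 5):
        return None, None
    return Sid(sid.revision, sid.authority, subs[:4]), (subs[4] if len(subs) == 5 else None)

def describe(text: str) -> str:
    """Classify a SID the way the text does: well-known, machine SID, or machine SID + RID."""
    sid = parse_sid(text)
    if sid.text() in WELL_KNOWN:
        return WELL_KNOWN[sid.text()] + " (well-known)"
    machine, rid = split_machine_sid(sid)
    if machine is None:
        return "other SID"
    if rid is None:
        return "machine SID"
    kind = ("built-in Administrator" if rid == ADMIN_RID
            else "post-setup" if rid >= FIRST_USER_RID else "predefined")
    return f"{kind} account (RID {rid}) of machine {machine.text()}"

def same_machine(a: str, b: str) -> bool:
    """True when both account SIDs were issued under one machine SID (as on duplicate-SID clones)."""
    ma, mb = (split_machine_sid(parse_sid(s))[0] for s in (a, b))
    return ma is not None and ma == mb
```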