What are the different object names in Windows?

When you right-click a file or folder in Windows > Properties > Advanced > Change Permissions > Add

Windows will prompt you to add specific object names. I've only known the following four so far from various videos and guides:

administrators
system
everyone
users

What does each of these object names (or groups) pertain to? Are there any more "special" object names? Also, are these object names only applicable to setting file permissions in Windows?


Solution 1:

There are many different types – they don't necessarily represent individual objects, but "security identifiers" (SIDs). Some types which you can enter in this dialog are:

  • User account names (either the username or the full name is accepted).
  • Group names (e.g. built-in groups such as "Administrators", "Users", "Backup Operators", but also custom groups created through lusrmgr.msc).
  • Computers (only in Active Directory networks). When a system service on computer A wants to access a resource on computer B, it doesn't have its own user account so it will use the computer's "machine account".
  • Special built-in users such as "SYSTEM" which represents system services (kinda similar to root on Linux).
  • Logon indicators such as "INTERACTIVE" (gained by all interactive sessions, i.e. when you log in via console or Remote Desktop), "NETWORK" (gained by all logons via File Sharing, or passwordless logons via WinRM/SSH), "BATCH" (Task Scheduler scheduled tasks).
  • Virtual "well-known groups" such as "Everyone" (this is mostly equal to "Authenticated Users" now), "Local Users" (i.e. not Active Directory users), and so on.
  • Template principals such as "CREATOR OWNER" which do nothing on their own, but are expanded into the actual user during inheritance. For example, if a folder grants Modify rights to "CREATOR OWNER", and you create a file inside, then your account is granted Modify rights.

If you click "Advanced" you get a search window which will list most of the above.

Windows will translate the input names into SIDs (security IDs), but there might even be some entities which have SIDs and show up in access control lists that you actually cannot enter in this window.

For example, each system service also has its own SID (separate from "SYSTEM"), and if I remember correctly each app installed through the Microsoft Store is given its own SID as well.

A process will be granted permissions through multiple SIDs at once – for example, if you run Notepad.exe it will have your "user" SID, of course, but it will also have group SIDs for all groups which you're a member of; it will also have the "INTERACTIVE" SID, the "Everyone" SID, and so on. (Programs such as whoami /groups, ProcExp, or Process Hacker can show this.)
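As an added illustration of the answer above (this is not code from the original post), the following PowerShell script resolves the principal names mentioned there to their SIDs and then reports which of the well-known ones the current process token actually carries. It assumes a local Windows session with .NET available (no Active Directory required); the list of names and the output layout are my own choices.

```powershell
# Added example: translate principal names to SIDs and inspect the current token.
# Names taken from the answer above; "Authenticated Users" is included so its SID
# can be compared with "Everyone".
$names = @('SYSTEM', 'Everyone', 'Authenticated Users', 'INTERACTIVE', 'NETWORK',
           'BATCH', 'CREATOR OWNER', 'Administrators', 'Users')

"== Name -> SID =="
foreach ($name in $names) {
    try {
        $account = New-Object System.Security.Principal.NTAccount($name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        '{0,-20} {1}' -f $name, $sid.Value
    } catch {
        '{0,-20} (not resolvable on this machine)' -f $name
    }
}

# The token of the current process: the user SID plus every group SID it holds.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"`n== Current token: user {0} ({1}) ==" -f $identity.Name, $identity.User.Value
foreach ($group in $identity.Groups) {
    try { $friendly = $group.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $friendly = '(no name)' }
    '{0,-45} {1}' -f $group.Value, $friendly
}

# Check specific well-known SIDs against the token. The logon-type SIDs show how
# the session was established (console/RDP vs. file sharing vs. scheduled task);
# Administrators differs between an elevated and a non-elevated (UAC-filtered) prompt.
$wellKnown = [ordered]@{
    'Everyone'       = [System.Security.Principal.WellKnownSidType]::WorldSid
    'INTERACTIVE'    = [System.Security.Principal.WellKnownSidType]::InteractiveSid
    'NETWORK'        = [System.Security.Principal.WellKnownSidType]::NetworkSid
    'BATCH'          = [System.Security.Principal.WellKnownSidType]::BatchSid
    'Administrators' = [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
}
"`n== Well-known SIDs present in this token =="
foreach ($entry in $wellKnown.GetEnumerator()) {
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Value, $null)
    $held = $identity.Groups.Contains($sid)
    '{0,-15} {1,-12} {2}' -f $entry.Key, $sid.Value, $(if ($held) { 'present' } else { 'absent' })
}
```

Running the same script from a console session, a scheduled task and a remote file-sharing connection shows the INTERACTIVE/BATCH/NETWORK SIDs swapping in and out, which is what makes them useful in ACLs.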