For a client/server application I need to centrally store parts of the configuration information that usually goes into the users profile directory.

The client application would on first use write a file or registry entry with a GUID into the current profile. This GUID would subsequently be used as a key in the configuration database on the server.

Now I'm wondering if Windows user profiles already have unique identifiers I could use instead of generating my own GUIDs.

The username won't work because users might have multiple profiles. Combining it with the computer name won't work because there might be roaming profiles.


Update:

I just looked at the SIDs in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList on two computers in the same domain. Roaming is not enabled, so my user account has a separate profile on each machine. Both profiles are listed with the same SID. This means I have to keep generating my own GUIDs.

+3  A: 

Windows users and groups use security identifiers (SIDs).

A security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems.

There is a list of predefined SIDs that Windows has built-in. Other SIDs are generated by combining the current computer's (randomly generated, 96-bit) SID with an incremented number.

SIDs of users that have accounts on a computer are stored in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.

Sample SIDs (taken from The Microsoft policy concerning disk duplication of Windows XP installations):

The following example displays the SIDs for four local user accounts. Note that only the last four digits are incremented as new accounts are added.

  • S-1-5-21-191058668-193157475-1542849698-500 Administrator
  • S-1-5-21-191058668-193157475-1542849698-1000 User 1
  • S-1-5-21-191058668-193157475-1542849698-1001 User 2
  • S-1-5-21-191058668-193157475-1542849698-1002 User 3

Because of how SIDs are generated, they should be unique. Since they are part of the Windows profile system, roaming profiles should have the same SID on every system.

R. Bemrose
+2  A: 

You could use the user profile's security identifier (SID).

The LookupAccountName() Win32 API takes a user name and computer name as input and gives you back the associated SID.

snowcrash09
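The two answers above describe the SID in its two forms: the string form (`S-1-5-21-...-500`) that appears as key names under ProfileList, and the binary form that Win32 calls such as LookupAccountName() return. The following is an added example, not code from the question or either answer, that parses both forms, converts between them, and classifies a ProfileList entry as a local account, a domain account or a well-known system SID by comparing the issuing machine/domain part with a given machine SID. It uses the sample SIDs from the answer above; the machine SID, the domain account SID and the S-1-5-18 (LocalSystem) entry in the sample ProfileList are constructed for the example, and the RID-to-name table only covers the built-in Administrator and Guest RIDs.

```python
"""Parse, encode and classify Windows security identifiers (SIDs)."""
import struct
from dataclasses import dataclass

# Well-known relative identifiers (RIDs): 500 is the built-in Administrator
# (as in the sample SIDs above) and 501 the built-in Guest. Ordinary accounts
# are numbered from 1000 upwards as they are created.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse the string form 'S-<revision>-<authority>-<sub>-...-<rid>'."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > 15:  # the binary format stores the count in one byte
            raise ValueError(f"too many sub-authorities: {text!r}")
        return cls(int(parts[1]), int(parts[2]), subs)

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.identifier_authority),
                         *map(str, self.sub_authorities)])

    def to_bytes(self):
        """Binary layout used by Win32 APIs such as LookupAccountName():
        revision (1 byte), sub-authority count (1 byte), identifier
        authority (6 bytes, big-endian), then each sub-authority as a
        32-bit little-endian integer."""
        header = struct.pack("<BB", self.revision, len(self.sub_authorities))
        authority = self.identifier_authority.to_bytes(6, "big")
        subs = b"".join(struct.pack("<I", s) for s in self.sub_authorities)
        return header + authority + subs

    @classmethod
    def from_bytes(cls, data):
        """Decode the binary form; rejects truncated or over-long buffers."""
        if len(data) < 8:
            raise ValueError("SID buffer too short")
        revision, count = struct.unpack_from("<BB", data, 0)
        if len(data) != 8 + 4 * count:
            raise ValueError("SID buffer length does not match sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from(f"<{count}I", data, 8)
        return cls(revision, authority, tuple(subs))

    @property
    def is_account_sid(self):
        """True for SIDs issued by a machine or domain: NT authority (5),
        first sub-authority 21, three 32-bit values that make up the machine
        or domain SID (the 96-bit part the answer mentions), then the RID."""
        return (self.identifier_authority == 5
                and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def issuer(self):
        """The machine or domain SID, i.e. the account SID without its RID."""
        if not self.is_account_sid:
            return None
        return Sid(self.revision, self.identifier_authority, self.sub_authorities[:-1])

    @property
    def rid(self):
        return self.sub_authorities[-1] if self.sub_authorities else None


def classify_profiles(profile_sids, machine_sid):
    """Map each ProfileList key (a string SID) to (kind, account label).

    kind is 'local' when the issuer matches this machine's SID, 'domain' for
    any other issuer, and 'well-known' for built-in SIDs such as S-1-5-18.
    A domain account's SID has the same issuer and RID on every machine,
    which is why the question's update saw one SID on two computers."""
    machine = Sid.parse(machine_sid)
    result = {}
    for text in profile_sids:
        sid = Sid.parse(text)
        if not sid.is_account_sid:
            kind = "well-known"
        elif sid.issuer == machine:
            kind = "local"
        else:
            kind = "domain"
        result[text] = (kind, WELL_KNOWN_RIDS.get(sid.rid, f"RID {sid.rid}"))
    return result


# Constructed sample: the machine SID is the prefix of the answer's sample
# accounts; the S-1-5-21-...-1105 entry stands in for a domain account.
SAMPLE_MACHINE_SID = "S-1-5-21-191058668-193157475-1542849698"
SAMPLE_PROFILE_LIST = [
    "S-1-5-18",                                          # LocalSystem (well-known)
    "S-1-5-21-191058668-193157475-1542849698-500",       # Administrator (from the answer)
    "S-1-5-21-191058668-193157475-1542849698-1000",      # User 1 (from the answer)
    "S-1-5-21-3623811015-3361044348-30300820-1105",      # constructed domain account
]

if __name__ == "__main__":
    for key, (kind, label) in classify_profiles(SAMPLE_PROFILE_LIST, SAMPLE_MACHINE_SID).items():
        print(f"{key:50} {kind:10} {label}")
```

On a real machine the `SAMPLE_PROFILE_LIST` would be replaced by the key names read from the ProfileList registry path quoted above, and `SAMPLE_MACHINE_SID` by the local machine's own SID; the classification then shows directly whether a profile belongs to a local or a domain account, which is the distinction behind the question's update.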
A: 

R. Bemrose and snowcrash09 are correct; the account SID is precisely what you have requested. You are correct that in order for this solution to work you must enable roaming profiles; that's why they're called roaming profiles.

If you don't want to use domain authentication to identify users then your other option is WAS (Windows Authentication Services). This is typically but not necessarily implemented atop Microsoft SQL Server in the ubiquitous ASPNETDB database.

WAS is a dotnet solution, with elaborate support for ASP.NET that is also available for desktop software. If you don't like that either, you can roll your own but this seems to me a suboptimal application of resources. If you aren't building dotnet software you could still exploit WAS but it won't be quite so convenient.

Peter Wone
A: 

I might use a more LDAP-centric solution to this problem, but it might be a lot more work for your app.

There are a few unique fields in AD for a user. You could use the whole DN of a User record (i.e. DC=com,DC=example,CN=Users,DN=bob smith). That's what uniquely identifies a record in AD. However, MS also has a field called UPN, which looks like an email address (sometimes it is) and takes the form user@domain.

Of course, this information requires read access to AD and that may not be practical for your app.

jjohn