A security identifier (SID) is a variable-length, unchangeable identifier used to point to or identify a trustee (a user, user group, or security principal). The security principal can only have one security identification, which it keeps for the rest of its life and is linked to all of its properties, including its name. This configuration allows you to rename a principal without impacting the security properties of objects that refer to it.

An authority, such as the Windows Domain Controller, assigns a unique SID to each account on a Windows PC, which is subsequently kept in the security database. When a user logs on, the security database retrieves the SID assigned to that user and stores it in the access token for that user. For any subsequent interactions with Windows security, the system will utilize the SID in the access token to authenticate the user. A security identification can only be used as a unique identifier for one user or group at a time; once allocated, it cannot be reassigned to another user or user group.