How to get user SIDs from Local Group Sid in kernel

Hello, NTDEV!
I’m developing a kernel driver. I have the SID of some local group and the SID of some user, and I need to know whether this user is a member of this group.

I use this to get the user's SID:
PTOKEN_USER User = NULL;  // TokenUser yields the account SID; TokenOwner is the token's default owner SID for new objects, not necessarily the user
Status = SeQueryInformationToken(Token, TokenUser, &User);  // allocates the buffer from paged pool, must be called at PASSIVE_LEVEL
if (NT_SUCCESS(Status)) {
    Status = RtlConvertSidToUnicodeString(SidUniString, User->User.Sid, TRUE);  // AllocateDestinationString=TRUE: free later with RtlFreeUnicodeString
    ExFreePool(User);  // the caller owns the buffer returned by SeQueryInformationToken
}

That’s an unusual requirement. Usually, you would have a security principal, and a security descriptor that controls access to some resource, and you want to know if that security descriptor grants or denies access to that resource for that security principal. The security descriptor can reference a single group, or several (along with specific security principals) for both access control and access audit. In UM, this is typically done with the AccessCheck family of APIs. In KM, this kind of checking is usually done by the OS before your driver is invoked - at the time that the handle is opened.

In my opinion, it is always a misfeature to limit access to a certain resource to a specific single group. Microsoft have made this mistake with the SetPerTcpConnectionEStats family of APIs being limited to members of the builtin\administrators group - which makes it impossible to grant access to a user to perform this limited function without granting them full admin privileges to the machine.

Re your specific question, the SID of the security principal is irrelevant. What you need is the SID of the group, and the SIDs of the groups that this security principal is a member of - directly and indirectly via nested group membership (taking into account group membership loops, of course). The UM API CheckTokenMembership does this job, but I am not aware of a KM equivalent. Others may know more.
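Added example (not code from either poster): the membership test CheckTokenMembership performs is a scan of the token's group list, which LSA fills at logon with the nested memberships already resolved, so no recursion over groups is needed. In a driver that list comes from SeQueryInformationToken(Token, TokenGroups, ...); here the SID and SID_AND_ATTRIBUTES layouts are mirrored in plain C so the check compiles and runs outside a driver, and the token contents are constructed sample data.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Mirrors the ntifs.h SID / SID_AND_ATTRIBUTES layout so this builds without the WDK. */
#define MAX_SUB 15
typedef struct { uint8_t Revision, SubAuthorityCount, IdentifierAuthority[6];
                 uint32_t SubAuthority[MAX_SUB]; } SID;
typedef struct { const SID *Sid; uint32_t Attributes; } SID_AND_ATTRIBUTES;
#define SE_GROUP_ENABLED            0x00000004u  /* same values as ntifs.h */
#define SE_GROUP_USE_FOR_DENY_ONLY  0x00000010u

/* Equivalent of RtlEqualSid: revision, identifier authority and every sub-authority must match. */
static bool sid_equal(const SID *a, const SID *b) {
    if (a->Revision != b->Revision || a->SubAuthorityCount != b->SubAuthorityCount) return false;
    if (memcmp(a->IdentifierAuthority, b->IdentifierAuthority, 6) != 0) return false;
    return memcmp(a->SubAuthority, b->SubAuthority, a->SubAuthorityCount * sizeof(uint32_t)) == 0;
}

/* The check CheckTokenMembership makes: the group counts only if it is present in the token,
 * enabled, and not marked deny-only (UAC-filtered and restricted tokens keep Administrators
 * in the list with SE_GROUP_USE_FOR_DENY_ONLY so it can deny but never grant access).
 * In a driver, groups/count would be the Groups array and GroupCount of the TOKEN_GROUPS
 * buffer returned by SeQueryInformationToken(Token, TokenGroups, &buf). */
static bool token_has_group(const SID_AND_ATTRIBUTES *groups, uint32_t count, const SID *target) {
    for (uint32_t i = 0; i < count; i++) {
        if (!sid_equal(groups[i].Sid, target)) continue;
        if (groups[i].Attributes & SE_GROUP_USE_FOR_DENY_ONLY) return false;
        return (groups[i].Attributes & SE_GROUP_ENABLED) != 0;
    }
    return false;
}

/* Constructed sample SIDs: S-1-5-32-544 (BUILTIN\Administrators), S-1-5-32-545 (BUILTIN\Users)
 * and a made-up domain group S-1-5-21-1111-2222-3333-1001. */
static const SID kAdmins    = {1, 2, {0,0,0,0,0,5}, {32, 544}};
static const SID kUsers     = {1, 2, {0,0,0,0,0,5}, {32, 545}};
static const SID kDomainGrp = {1, 5, {0,0,0,0,0,5}, {21, 1111, 2222, 3333, 1001}};

/* Constructed tokens: a UAC-filtered admin token (Administrators deny-only) and the elevated one. */
static const SID_AND_ATTRIBUTES kFilteredToken[] = {
    { &kUsers,  SE_GROUP_ENABLED },
    { &kAdmins, SE_GROUP_USE_FOR_DENY_ONLY },
};
static const SID_AND_ATTRIBUTES kElevatedToken[] = {
    { &kUsers,  SE_GROUP_ENABLED },
    { &kAdmins, SE_GROUP_ENABLED },
};
static const uint32_t kTokenGroupCount = 2;
```

Whatever buffer SeQueryInformationToken hands back for TokenGroups must be freed with ExFreePool after the scan, exactly as for TokenUser.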
