What is the difference between a 'Built-in' account and a 'Well-known' account? (NETIQKB1468)

  • 7701468
  • 02-Feb-2007
  • 24-Aug-2007



Built-in accounts are part of a special container called 'BUILTIN'. This includes the local groups that exist on a default NT installation, such as Administrators (SID: S-1-5-32-544), Print Operators (SID: S-1-5-32-550), etc. These groups have a special SID that is the same on every machine (therefore they don't need to be migrated).

Well-known accounts have SIDs that identify generic users or generic groups. Such would include the global groups (Domain Admins (SID: S-1-5-domain-512), Domain Users (SID: S-1-5-domain-513), Domain Guests SID: S-1-5-domain-514, Administrator (SID: S-1-5-domain-500), and Guest (SID: S-1-5-domain-501). They have a Well-known RID (last part of the SID), but their SID also contains domain-specific information.

Based on the definitions of 'Well-known' and 'Built-in' accounts, we can see how it looks below:

  • 'Domain1\Administrators' and 'Domain2\Administrators' will always have the same SID (S-1-5-32-544 is the SID for BUILTIN\Administrators).
  • 'Domain1\Domain Admins' and 'Domain2\Domain Admins' will have different SIDs, although both will end with the same RID (512).

Microsoft defines 'Well-known' accounts and lists them in the Knowledge Base article Q243330.

Additional Information

Formerly known as NETIQKB1468