MS-DTYP - SDDL Section 2.5.1 - Difference Between RA and RS?

  • Question

  • I'm working on an SDDL parser and I'm using the MS-DTYP document as a guide for it. In section 2.5.1 there is a table that maps the SDDL short names for well-known SIDs. In that table there is an entry for "RA" (Remote Access Servers) and "RS" (RAS_SERVERS). Is this a mistake in the document? Or do they both alias the same well-known SID (i.e. S-1-5-21domain-553)?

    The only other possible situation it could be is that RS refers to S-1-5-21 domain-553 while RA refers to S-1-5-32-575 (which is an RDS Remote Access Server). Could someone please clarify what is correct here? If the situation is the latter, it would be helpful to add the RDS acronym to make it more apparent.

    • Edited by Chad Sikorra Saturday, November 19, 2016 7:31 PM
    Saturday, November 19, 2016 7:18 PM

All replies

  • Hello Chad Sikorra,

    Thank you for contacting the Microsoft Open specifications Support forum.  One of the Open Specifications support team members will respond soon to begin working with you. 


    Thank you,

    Support Escalation Manager, Microsoft Protocols support


    Saturday, November 19, 2016 11:39 PM
  • Hello Chad, I will be assisting you on this issue. I am currently researching the problem and will provide you with an update soon. Thank you for your patience.

    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Monday, November 21, 2016 7:17 PM
  • Hello Chad, below is the answer to your question. Let me know if you have any concerns.

        SID: S-1-5-21domain-553 maps to "RS" i.e. RAS_SERVERS
        Account Name: RAS and IAS Servers
        Type: domain local group.
        Description: By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.

        SID: S-1-5-32-575  maps to "RA" i.e. REMOTE ACCESS SERVERS
        Account Name: BUILTIN\RDS Remote Access Servers
        Type: Builtin Local group.
        Description: Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.

    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Wednesday, November 23, 2016 5:34 PM
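
For a parser, the practical consequence of the answer above is that "RA" always resolves to the same SID, while "RS" can only be resolved once the domain SID is known. The sketch below is an added example, not code from the thread or from Microsoft; the function names, the sample SDDL string and the sample domain SID are constructed, and it handles only the trustee field of simple (non-conditional) ACEs.

```python
import re

# Only the two aliases discussed in this thread; the full table is in MS-DTYP 2.5.1.
ABSOLUTE_ALIASES = {"RA": "S-1-5-32-575"}   # BUILTIN\RDS Remote Access Servers
DOMAIN_RID_ALIASES = {"RS": 553}            # RAS and IAS Servers, domain-relative

DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}")
ACE_RE = re.compile(r"\(([^()]*)\)")        # simple ACEs; conditional ACEs are not handled


def resolve_alias(alias, domain_sid=None):
    """Return the SID for RA or RS; any other trustee is returned unchanged."""
    if alias in ABSOLUTE_ALIASES:
        return ABSOLUTE_ALIASES[alias]
    if alias in DOMAIN_RID_ALIASES:
        # RS has no meaning without the domain it is evaluated in.
        if not domain_sid or not DOMAIN_SID_RE.fullmatch(domain_sid):
            raise ValueError(f"{alias} needs a domain SID (S-1-5-21-x-y-z)")
        return f"{domain_sid}-{DOMAIN_RID_ALIASES[alias]}"
    return alias


def expand_aliases(sddl, domain_sid=None):
    """Rewrite the trustee field (6th, ';'-separated) of every ACE in sddl."""
    def fix(match):
        fields = match.group(1).split(";")
        if len(fields) < 6:
            return match.group(0)           # not an ACE body, leave as is
        fields[5] = resolve_alias(fields[5], domain_sid)
        return "(" + ";".join(fields) + ")"
    return ACE_RE.sub(fix, sddl)


# Constructed sample input: a DACL granting READ_CONTROL to both groups.
SAMPLE_SDDL = "D:(A;;RC;;;RS)(A;;RC;;;RA)"
SAMPLE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"

if __name__ == "__main__":
    print(expand_aliases(SAMPLE_SDDL, SAMPLE_DOMAIN))
    print(expand_aliases("D:(A;;RC;;;RA)"))   # RA resolves without a domain
```

Failing on "RS" when no domain SID is supplied keeps two domains' RAS and IAS Servers groups from being treated as the same principal when ACLs are compared.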