Security Principal Format

When working with Transparent Lock Screen settings at a low level, such as the registry, AD group policies, or directly with RFID card data files, you may need to specify Windows security principals (users, groups, or computers) in a format specific to Transparent Lock Screen. The format is designed to work both with and without Active Directory.

Security principals can be specified in one of the following formats:

sid:<PrincipalSID>

Example
sid:S-1-5-32-544

user:<UserName>

Examples
user:Contoso\JohnSmith
user:.\john
user:john

group:<GroupName>

Examples
group:Contoso\Domain Users
group:.\Sunday Workers
group:Administrators

computer:<ComputerName>

Example
computer:WORKSTATION-01
Use the plain NetBIOS computer name.

Notes

  • If you are specifying multiple security principals, use one per line.
  • The principal type prefix (sid:, user:, group:, or computer:) is mandatory.
  • When specifying by name, both domain and local accounts are supported.
  • Using SIDs is strongly recommended in Active Directory environments to avoid issues if a user, group, or computer is renamed.
    In environments without Active Directory, SIDs can be used only if settings are not distributed between multiple machines.
  • In these examples, Contoso represents the Active Directory domain name. Use . to specify a local user or group.
    If no domain or . is specified, the system will check both local and domain accounts.
    Using . allows settings to be distributed across multiple machines in a workgroup environment.
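
The following linter is an added example, not part of Transparent Lock Screen or its documentation. It checks a one-per-line principal list against the rules above before the list is placed in the registry or a group policy. The function name, the sample list, the SID pattern (the common decimal form), the 15-character NetBIOS limit, exact lowercase prefixes, and the skipping of blank lines are assumptions of this example.

```python
import re

# Common decimal SID form: S-1-<authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
PREFIXES = ("sid", "user", "group", "computer")  # assumption: matched exactly as written on the page

def lint_principals(text):
    """Return (line_no, level, message) findings for a one-per-line principal list."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are ignored
        kind, sep, value = line.partition(":")
        if not sep or kind not in PREFIXES or not value:
            findings.append((no, "error", "missing or unknown type prefix"))
        elif kind == "sid":
            if not SID_RE.match(value):
                findings.append((no, "error", "malformed SID"))
        elif kind == "computer":
            # Plain NetBIOS name: no domain part, no DNS suffix, at most 15 characters
            if "\\" in value or "." in value or len(value) > 15:
                findings.append((no, "error", "not a plain NetBIOS computer name"))
        else:  # user: or group:, matched by name
            domain, bs, name = value.rpartition("\\")
            if not name:
                findings.append((no, "error", "empty account name"))
            elif not bs:
                findings.append((no, "warn", "unqualified name: local and domain accounts are both checked"))
            elif domain != ".":
                findings.append((no, "warn", "domain account by name: breaks on rename, prefer sid:"))
    return findings

# Constructed sample list (not taken from a real deployment)
SAMPLE = r"""sid:S-1-5-32-544
user:Contoso\JohnSmith
user:.\john
group:Administrators
computer:workstation-01.contoso.local
Contoso\Domain Users
"""

if __name__ == "__main__":
    for no, level, msg in lint_principals(SAMPLE):
        print(f"line {no}: {level}: {msg}")
```

Warnings mark entries that are valid but depend on name resolution; errors mark entries that do not follow the format described on this page.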