On the internal Directory Services mailing list, John Sanz (a Premier Field Engineer) posted this handy dissection of a user's SID. The original question was whether or not someone could determine whether or not a particular SID was created on an NT 4.0 domain -- and while you can't easily tell, if you have a reference SID, you could check the SIDs against each other to determine which domain it originated from.
With John's permission, I've re-posted it (and web-ified it) here for my/your reference:
The formula: "S"-R-I-S-S-S…
S: Identifies this is a SID
R: Revision level
I: Identifier Authority (see http://msdn2.microsoft.com/en-us/library/aa379649.aspx for values)
S: First subauthority
S: Second subauthority (typically the domain RID)
S: Third subauthority (typically the RID of the object within it’s domain)
Example:
S-1-5-21-1234567890-0987654321-4258828080-70640209
"S" - Identifies this string of characters as a SID
R = 1 Revision level of 1 I = 5 Identifier Authority is "SECURITY_NT_AUTHORITY" S = 21 First Subauthority is "SECURITY_NT_NON_UNIQUE" S = 1234567890-0987654321-4258828080 This is the RID of the domain S = 7064020 This is the RID of the group/user
R = 1 Revision level of 1
I = 5 Identifier Authority is "SECURITY_NT_AUTHORITY"
S = 21 First Subauthority is "SECURITY_NT_NON_UNIQUE"
S = 1234567890-0987654321-4258828080 This is the RID of the domain
S = 7064020 This is the RID of the group/user
(Any resemblance to any actual SIDs is unintended and coincidental in nature. I'll be interested to see a domain RID that matches the Microsoft Corporate Campus main telephone number (425-882-8080).)
Thanks John!
(Edited to remove the table that was getting eaten up by the blog style sheet.)