Hi Jay,
The AD Lockdown policy is evaluated directly inside the AdMonitor library loaded into the LSASS process. So we can’t spend much time there to get any additional information (like CN, DN, and others); therefore, in this case we use what we have to make a blocking decision as fast as possible. We get the SID from the access token of the processing thread in the LSASS process and compare it with the SID in the filter.
Also, for the AD Lockdown policy in particular, you can see a nice “Rule Preview” tab which shows exactly what we will do. Here is an example:
- BlkUsers=S-1-5-21-1102125718-4133486684-1617187724-501
- BlkGroups=S-1-5-21-1102125718-4133486684-1617187724-512
- Operations=Add|Remove|Modify|Rename
So, as you can see from this, if you selected a group or account in AD Perpetrators for the AD Lockdown policy, then we will use SID values.
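An added example, not from the original post and not the product's own code: a small Python model of the rule preview above that parses the BlkUsers/BlkGroups/Operations lines and makes the block decision purely on the SIDs carried in the caller's token, as the reply describes. The function names, the rule semantics and the sample SIDs are assumptions for illustration.

```python
# Constructed sample: the "Rule Preview" text quoted in the reply above.
from dataclasses import dataclass, field

RULE_PREVIEW = """BlkUsers=S-1-5-21-1102125718-4133486684-1617187724-501
BlkGroups=S-1-5-21-1102125718-4133486684-1617187724-512
Operations=Add|Remove|Modify|Rename"""


@dataclass
class LockdownRule:
    """Hypothetical in-memory form of one AD Lockdown rule."""
    blocked_users: set = field(default_factory=set)
    blocked_groups: set = field(default_factory=set)
    operations: set = field(default_factory=set)


def parse_rule(text: str) -> LockdownRule:
    """Parse 'Key=Value' lines; '|' separates multiple values in one line."""
    rule = LockdownRule()
    for line in text.splitlines():
        line = line.strip().lstrip("- ").strip()   # tolerate the "- " bullets
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values = {v.strip() for v in value.split("|") if v.strip()}
        if key == "BlkUsers":
            rule.blocked_users |= values
        elif key == "BlkGroups":
            rule.blocked_groups |= values
        elif key == "Operations":
            rule.operations |= values
    return rule


def should_block(rule: LockdownRule, user_sid: str, group_sids: set, operation: str) -> bool:
    """Block/allow decision using only token SIDs (no CN/DN lookup), as described.

    user_sid / group_sids stand in for the user and group SIDs that would be
    read from the access token of the thread performing the operation.
    """
    if operation not in rule.operations:       # operation not covered by the rule
        return False
    if user_sid in rule.blocked_users:         # direct user SID match
        return True
    return not rule.blocked_groups.isdisjoint(group_sids)  # any blocked group SID
```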