Hi Alex,
IMO RtlEqualPrefixSid has been designed (by Microsoft) in a very
short-sighted way because the number of sub-authorities must be the same
for both SIDs.
Quote from
http://msdn.microsoft.com/en-us/library/windows/hardware/ff552256%28v=vs.85…
(Remarks section):
It is advisable to modify the SID for a domain before comparing it with
a group or user SID. If the SID for RemoteDomain is S-1-1234-8, each
group or user SID for that domain will have S-1-1234-8 as its prefix. To
compare the SIDs by using RtlEqualPrefixSid, the caller copies the
domain SID and adds any subauthority relative identifier value to the
copy, thereby creating an SID in the form S-1-1234-8-0. (The relative
identifier, or RID, is the portion of a SID that identifies a user or
group in relation to the authority that issued the SID.) The caller then
uses the modified domain SID as a template against which the group and
user SIDs are compared.
My comment: BULLSHIT!
My implementation, which is BTW based on your implementation, handles
shorter prefix SIDs. Comparing S-1-5-5 and S-1-5-5-xx-yy works without
the need to extend the prefix SID.
That is the reason why I am using LsapIsPrefixSid instead of
RtlEqualPrefixSid.
Regards,
Eric
On 07.10.2012 21:47, Alex Ionescu wrote:
Eric, with my rewrite, you can call RtlEqualPrefixSid instead of using
LsapIsPrefixSid. The code should be the same.
Best regards,
Alex Ionescu
On Sun, Oct 7, 2012 at 7:33 PM, <ekohl(a)svn.reactos.org> wrote:
LsapIsPrefixSid
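
The two comparison semantics discussed in this thread, side by side, as an added example that is not ReactOS or Microsoft code: `sid_t`, `equal_prefix_sid` and `is_prefix_sid` are hypothetical names on a simplified SID layout, and the sample SIDs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUBAUTH 15

/* Simplified SID for illustration (hypothetical type, not the Windows SID struct). */
typedef struct {
    uint8_t  revision;
    uint8_t  sub_count;
    uint8_t  authority[6];      /* 48-bit identifier authority, big-endian */
    uint32_t sub[MAX_SUBAUTH];
} sid_t;

/* Revision and authority must match, and counts must be sane before any memcmp. */
static bool same_header(const sid_t *a, const sid_t *b)
{
    return a->sub_count <= MAX_SUBAUTH && b->sub_count <= MAX_SUBAUTH &&
           a->revision == b->revision &&
           memcmp(a->authority, b->authority, sizeof a->authority) == 0;
}

/* Equal-prefix semantics from the quoted remarks: same count, last value (RID) ignored. */
bool equal_prefix_sid(const sid_t *a, const sid_t *b)
{
    if (!same_header(a, b) || a->sub_count != b->sub_count) return false;
    if (a->sub_count == 0) return true;
    return memcmp(a->sub, b->sub, (size_t)(a->sub_count - 1) * sizeof a->sub[0]) == 0;
}

/* Is-prefix semantics: the prefix may be shorter; all of its values must match. */
bool is_prefix_sid(const sid_t *prefix, const sid_t *sid)
{
    if (!same_header(prefix, sid) || prefix->sub_count > sid->sub_count) return false;
    return memcmp(prefix->sub, sid->sub, prefix->sub_count * sizeof prefix->sub[0]) == 0;
}

/* Constructed sample SIDs. */
const sid_t LOGON_PREFIX   = {1, 1, {0,0,0,0,0,5}, {5}};           /* S-1-5-5 */
const sid_t LOGON_SID      = {1, 3, {0,0,0,0,0,5}, {5, 0, 1234}};  /* S-1-5-5-0-1234 */
const sid_t LOGON_TEMPLATE = {1, 3, {0,0,0,0,0,5}, {5, 0, 0}};     /* S-1-5-5-0-0 */
const sid_t DOMAIN_SID     = {1, 3, {0,0,0,0,0,5}, {21, 0, 1234}}; /* S-1-5-21-0-1234 */

int main(void)
{
    printf("equal_prefix(S-1-5-5, logon) = %d\n", equal_prefix_sid(&LOGON_PREFIX, &LOGON_SID));
    printf("is_prefix(S-1-5-5, logon)    = %d\n", is_prefix_sid(&LOGON_PREFIX, &LOGON_SID));
    return 0;
}
```
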