Had a hard time finding this on the net:

new SDDL tokens introduced in XP/2003:

• AN - Anonymous Logon (SDDL_ANONYMOUS)
• LS - Local Service Account (SDDL_LOCAL_SERVICE)
• NS - Network Service Account (SDDL_NETWORK_SERVICE)
• RD - Remote Desktop Users (SDDL_REMOTE_DESKTOP)
• NO - Network Configuration Operators (SDDL_NETWORK_CONFIGURATION_OPS)
• MU - Performance Monitor Users (SDDL_PERFMON_USERS)
• LU - Performance Log Users (SDDL_PERFLOG_USERS)

ConvertStringSecurityDescriptorToSecurityDescriptor will fail with 0x00000539 - The security ID structure is invalid on win2k box with these...