subspace_1 Posted February 2, 2010

A colleague of mine insists that changing the SID on the cloned computers is not necessary before joining the domain, as the computer account created in the AD is a different one each time. In fact the machines (XP laptops, all the same branded laptop model) are cloned without a new SID! What do you say about this? Do the same things apply to Win7 and Win2008R2?

s0nic69 Posted February 2, 2010

This should help you. http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

sc302 (Veteran) Posted February 2, 2010

What happens is the computer has an identifier (very long key); that identifier gets put into the DC when the PC is joined. If that identifier is duplicated amongst all or most or some of the computers, computer-level securities (like group policies) will not get applied properly and you will have a ton of issues. To save from that headache of the domain seeing all of the same computer (even though you may change the name of the PC, it does not change the identifiers in the registry or the identifiers in Active Directory), it is best to use some sort of SID regenerator (NewSID, sysprep, Ghost Walker, etc). You want a ton of random domain issues, keep doing it the way he is without regenerating the SID at each deployment.

http://windowsitpro.com/article/articleid/14919/what-are-the-problems-with-workstations-having-the-same-sid.html
http://download.cnet.com/DSM-Duplicate-SID-Monitor/3000-2094_4-11011883.html

When you start dealing with this issue on a large scale (1000+ PCs) you start to see the reason behind NewSID and sysprep.

Owen W (Veteran) Posted February 2, 2010

> On 02/02/2010 at 23:38, sc302 said:
> What happens is the computer has an identifier (very long key); that identifier gets put into the DC when the PC is joined. If that identifier is duplicated amongst all or most or some of the computers, computer-level securities (like group policies) will not get applied properly and you will have a ton of issues. To save from that headache of the domain seeing all of the same computer (even though you may change the name of the PC, it does not change the identifiers in the registry or the identifiers in Active Directory), it is best to use some sort of SID regenerator (NewSID, sysprep, Ghost Walker, etc). You want a ton of random domain issues, keep doing it the way he is without regenerating the SID at each deployment.
> http://windowsitpro.com/article/articleid/14919/what-are-the-problems-with-workstations-having-the-same-sid.html
> http://download.cnet.com/DSM-Duplicate-SID-Monitor/3000-2094_4-11011883.html
> When you start dealing with this issue on a large scale (1000+ PCs) you start to see the reason behind NewSID and sysprep.

Windows 7 does not use SIDs for computers, but rather, unique SID identifiers per user. SID changing is not compatible with Windows 7 or Windows Server 2008 R2.

As the link above suggests: "In other words, it's not the SID that ultimately gates access to a computer, but an account's user name and password: simply knowing the SID of an account on a remote system doesn't allow you access to the computer or any resources on it."

Joel Posted February 2, 2010

> On 02/02/2010 at 23:43, Owenw said:
> Windows 7 does not use SIDs for computers, but rather, unique SID identifiers per user. SID changing is not compatible with Windows 7 or Windows Server 2008 R2. As the link above suggests: "In other words, it's not the SID that ultimately gates access to a computer, but an account's user name and password: simply knowing the SID of an account on a remote system doesn't allow you access to the computer or any resources on it."

You're confusing user SIDs with machine SIDs. As sc302 said, if you clone a currently-joined computer and deploy that image throughout the domain, you WILL have issues. There is a reason that sysprep includes the option to change machine SIDs, and NewSID just took it one step further for ease of use.

Owen W (Veteran) Posted February 3, 2010

> On 02/02/2010 at 23:52, Joel said:
> You're confusing user SIDs with machine SIDs. As sc302 said, if you clone a currently-joined computer and deploy that image throughout the domain, you WILL have issues. There is a reason that sysprep includes the option to change machine SIDs, and NewSID just took it one step further for ease of use.

OK, fair point, but you do know they removed SID changing from Windows 7's version of SYSPREP, right?

sc302 (Veteran) Posted February 3, 2010

I was just reading: the generalize option in Windows 7 sysprep will regenerate the machine SID. There are other docs/sites that go over this, but this covers it: http://www.brajkovic.info/windows-server-2008/windows-server-2008-r2/how-to-change-sid-on-windows-7-and-windows-server-2008-r2-using-sysprep/

Also, within imaging utilities like Acronis and Ghost, they have options to regenerate the SID during imaging so that you don't have to run sysprep.

subspace_1 Posted February 3, 2010

Thanx guys for your massive response! I'm looking into the sources you gave, just one aspect that I didn't figure out: if I have a system image PRIOR to joining to the domain, will joining it to the domain CHANGE the computer SIDs anyway, so I won't have to bother at all?

Joel Posted February 3, 2010

> On 03/02/2010 at 00:12, Owenw said:
> OK, fair point, but you do know they removed SID changing from Windows 7's version of SYSPREP, right?

He said the machines are XP.

> On 03/02/2010 at 08:21, subspace_1 said:
> If I have a system image PRIOR to joining to the domain, will joining it to the domain CHANGE the computer SIDs anyway, so I won't have to bother at all?

Change it anyway. Run sysprep before taking your image and restore your machines using that image.

sc302 (Veteran) Posted February 3, 2010

The system identifier gets put on during the install process, not during a join of the domain. Sysprep it before you image it.
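
Added example, not part of any post in this thread: one way to check whether machines restored from the same image still share a machine SID. It assumes you have collected each host's local built-in Administrator SID (RID 500) into `host,SID` lines; a local account SID is the machine SID followed by the account's RID. The hostnames and SID values are constructed.

```python
import re
from collections import defaultdict

# S-1-5-21-<a>-<b>-<c>-<RID>: a local account SID is the machine SID plus a RID.
_ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
ADMIN_RID = 500  # well-known RID of the built-in Administrator account


def machine_sid(local_account_sid):
    """Return the machine SID embedded in a local account SID."""
    m = _ACCOUNT_SID.match(local_account_sid.strip().upper())
    if not m:
        raise ValueError("not an S-1-5-21 account SID: %r" % local_account_sid)
    return m.group(1)


def find_shared_machine_sids(inventory_lines):
    """Group hosts by machine SID; return only SIDs seen on more than one host."""
    hosts_by_sid = defaultdict(set)
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, sid = line.partition(",")
        m = _ACCOUNT_SID.match(sid.strip().upper())
        # Skip rows that are not a RID-500 account SID. The inventory is assumed
        # to hold each host's *local* Administrator; a domain account would carry
        # the domain SID as its prefix and must not be fed in here.
        if not m or int(m.group(2)) != ADMIN_RID:
            continue
        hosts_by_sid[m.group(1)].add(host.strip().upper())
    return {s: sorted(h) for s, h in hosts_by_sid.items() if len(h) > 1}


# Constructed inventory: LAPTOP-01 and LAPTOP-02 came from the same
# un-generalized image, LAPTOP-03 was generalized, LAPTOP-04's row is the wrong account.
SAMPLE = """\
# host,local Administrator SID
LAPTOP-01,S-1-5-21-1111111111-2222222222-3333333333-500
LAPTOP-02,S-1-5-21-1111111111-2222222222-3333333333-500
LAPTOP-03,S-1-5-21-3000000001-3000000002-3000000003-500
LAPTOP-04,S-1-5-21-1111111111-2222222222-3333333333-1001
""".splitlines()

if __name__ == "__main__":
    for sid, hosts in find_shared_machine_sids(SAMPLE).items():
        print("%s shared by: %s" % (sid, ", ".join(hosts)))
```
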