Saturday, January 12, 2013

WIN 7 SID: System Identifier

Source: http://www.neowin.net/forum/topic/871854-changing-sid-with-newsid-or-sysprep-for-cloned-computers/ (Neowin)

Changing SID (with NEWSID or SYSPREP) for cloned computers

subspace_1, 02 Feb 2010

A colleague of mine insists that changing the SID on the cloned computers is not necessary before joining the domain, as the computer account created in the AD is a different one each time. In fact the machines (XP laptops, all the same branded laptop model) are cloned without a new SID! What do you say about this? Do the same things apply to Win7 and Win2008R2?

s0nic69, 02 Feb 2010

This should help you. http://blogs.technet...03/3291024.aspx

sc302, 02 Feb 2010

What happens is the computer has an identifier (very long key); that identifier gets put into the DC when the PC is joined. If that identifier is duplicated amongst all or most or some of the computers, computer-level securities (like group policies) will not get applied properly and you will have a ton of issues. To save yourself the headache of the domain seeing all of the same computer (even though you may change the name of the PC, it does not change the identifiers in the registry or the identifiers in Active Directory) it is best to use some sort of SID regenerator (NewSID, sysprep, Ghost Walker, etc.). If you want a ton of random domain issues, keep doing it the way he is without regenerating the SID at each deployment.

http://windowsitpro....e-same-sid.html
http://download.cnet...4-11011883.html

When you start dealing with this issue on a large scale (1000+ PCs) you start to see the reason behind NewSID and sysprep.

Owen W, 02 Feb 2010

sc302, on 02 February 2010 - 23:38, said:

> What happens is the computer has an identifier (very long key); that identifier gets put into the DC when the PC is joined. If that identifier is duplicated amongst all or most or some of the computers, computer-level securities (like group policies) will not get applied properly and you will have a ton of issues. To save yourself the headache of the domain seeing all of the same computer (even though you may change the name of the PC, it does not change the identifiers in the registry or the identifiers in Active Directory) it is best to use some sort of SID regenerator (NewSID, sysprep, Ghost Walker, etc.). If you want a ton of random domain issues, keep doing it the way he is without regenerating the SID at each deployment.
> http://windowsitpro....e-same-sid.html
> http://download.cnet...4-11011883.html
> When you start dealing with this issue on a large scale (1000+ PCs) you start to see the reason behind NewSID and sysprep.

Windows 7 does not use SIDs for computers, but rather unique SID identifiers per user. SID changing is not compatible with Windows 7 or Windows Server 2008 R2. As the link above suggests:

"In other words, it's not the SID that ultimately gates access to a computer, but an account's user name and password: simply knowing the SID of an account on a remote system doesn't allow you access to the computer or any resources on it."

Joel, 02 Feb 2010

Owenw, on 02 February 2010 - 23:43, said:

> Windows 7 does not use SIDs for computers, but rather unique SID identifiers per user. SID changing is not compatible with Windows 7 or Windows Server 2008 R2. As the link above suggests:
> "In other words, it's not the SID that ultimately gates access to a computer, but an account's user name and password: simply knowing the SID of an account on a remote system doesn't allow you access to the computer or any resources on it."

You're confusing user SIDs with machine SIDs. As sc302 said, if you clone a currently-joined computer and deploy that image throughout the domain, you WILL have issues. There is a reason that sysprep includes the option to change machine SIDs, and NewSID just took it one step further for ease of use.

Owen W, 03 Feb 2010

Joel, on 02 February 2010 - 23:52, said:

> You're confusing user SIDs with machine SIDs. As sc302 said, if you clone a currently-joined computer and deploy that image throughout the domain, you WILL have issues. There is a reason that sysprep includes the option to change machine SIDs, and NewSID just took it one step further for ease of use.

OK, fair point, but you do know they removed SID changing from Windows 7's version of SYSPREP, right?

sc302, 03 Feb 2010

I was just reading: the generalize option in Windows 7 sysprep will regenerate the machine SID. There are other docs/sites that go over this, but this covers it:

http://www.brajkovic...-using-sysprep/

Also, within imaging utilities like Acronis and Ghost, they have options to regenerate the SID during imaging so that you don't have to run sysprep.

subspace_1, 03 Feb 2010

Thanks guys for your massive response! I'm looking into the sources you gave; just one aspect that I didn't figure out: if I have a system image PRIOR to joining the domain, will joining it to the domain CHANGE the computer SIDs anyway, so I won't have to bother at all?

Joel, 03 Feb 2010

Owenw, on 03 February 2010 - 00:12, said:

> OK, fair point, but you do know they removed SID changing from Windows 7's version of SYSPREP, right?

He said the machines are XP.

subspace_1, on 03 February 2010 - 08:21, said:

> if I have a system image PRIOR to joining the domain, will joining it to the domain CHANGE the computer SIDs anyway, so I won't have to bother at all?

Change it anyway. Run sysprep before taking your image and restore your machines using that image.

sc302, 03 Feb 2010

The system identifier gets put on during the install process, not during a join of the domain. Sysprep it before you image it.

1 comment:

  1. Microsoft policy for disk duplication of Windows

    Summary

    When you deploy a duplicated or imaged Windows installation, it is required that the System Preparation (Sysprep) tool is used before the capture of the image. Sysprep prepares an installation of Microsoft Windows for duplication, auditing, and customer delivery. For Microsoft Windows 2000, Windows XP, and Windows Server 2003, Sysprep is included with the latest service pack Deploy.cab. For later versions of Windows, Sysprep is included with the operating system, and Sysprep is located in the following folder:

    %windir%\system32\sysprep

    More information

    Sysprep is responsible for removing system-specific data from Windows, such as the computer SID. During installation of Windows, a computer SID is computed to contain a statistically unique 96-bit number. The computer SID is the prefix of the user account and group account SIDs that are created on the computer. The computer SID is concatenated together with the Relative ID (RID) of the account to create the account's unique identifier. The following example displays the SIDs for four local user accounts. Notice that only the last four digits are incremented as new accounts are added.

    HKEY_USERS on Local Machine
    S-1-5-21-191058668-193157475-1542849698-500  Administrator
    S-1-5-21-191058668-193157475-1542849698-1000 User 1
    S-1-5-21-191058668-193157475-1542849698-1001 User 2
    S-1-5-21-191058668-193157475-1542849698-1002 User 3

    Cloning or duplicating an installation without taking the recommended steps could lead to duplicate SIDs. For removable media, a duplicate SID might give an account access to files even though NTFS permissions for the account specifically deny access to those files. Because the SID identifies both the computer or domain and the user, unique SIDs are necessary to maintain support for current and future programs. For more information about issues that might occur if you clone an installation of Windows 8 or of Windows Server 2012, go to the "Windows 8 and Windows Server 2012 specific information" section.

    In addition to the computer SID, many other components and features must be cleaned up, generalized, or specialized in order to be imaged. Some examples include the following:

    Event logs
    Network settings
    Windows Media Player settings
    Shell settings
    Licensing

    Note: This is not a comprehensive list.
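The thread argues about whether cloned machines share a machine SID, and the Microsoft article quoted in the comment gives the concrete layout: the 96-bit computer SID S-1-5-21-A-B-C is the prefix of every local account SID, with the Relative ID (RID) appended. The script below is an added example, not code from the Neowin thread or from Microsoft. It parses SID strings into that structure and, given an inventory of hosts and one local account SID per host, reports which hosts still share a machine SID prefix, which is exactly the condition sc302 describes and the state an image cloned without Sysprep leaves behind. The hostnames and the second machine SID in the sample inventory are constructed; the first SID is the one printed in the Microsoft article.

```python
"""Parse Windows SID strings and report cloned hosts that still share a machine SID.

Added example, not code from the Neowin thread or the Microsoft article quoted
above. It follows the SID layout the article describes: the computer SID
S-1-5-21-A-B-C (three 32-bit sub-authorities, 96 bits) is the prefix of every
local account SID, and the trailing Relative ID (RID) names the account.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def is_machine_or_domain_account(self) -> bool:
        """True for S-1-5-21-A-B-C-RID, the shape of local and domain account SIDs."""
        return (self.authority == 5
                and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def machine_prefix(self) -> Optional[str]:
        """The S-1-5-21-A-B-C part, i.e. what Sysprep's generalize pass regenerates.
        None for well-known SIDs such as S-1-5-18 (LocalSystem) that have no machine part."""
        if not self.is_machine_or_domain_account:
            return None
        body = "-".join(str(x) for x in self.sub_authorities[:-1])
        return f"S-{self.revision}-{self.authority}-{body}"

    @property
    def rid(self) -> int:
        """Relative ID: 500 is the built-in Administrator, 1000 and up are created accounts."""
        return self.sub_authorities[-1]


def parse_sid(text: str) -> Sid:
    """Parse 'S-1-5-21-...' into its numeric fields; raise ValueError on anything else."""
    match = SID_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority, rest = match.groups()
    subs = tuple(int(part) for part in rest.split("-")[1:])
    return Sid(int(revision), int(authority), subs)


def find_duplicate_machine_sids(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by machine SID prefix and return the prefixes shared by more than one host.

    inventory maps hostname -> SID of a local account on that host. The RID does not
    matter; the built-in Administrator (RID 500) exists on every machine, so it is a
    convenient choice. A SID without a machine part is rejected rather than grouped.
    """
    by_prefix: Dict[str, List[str]] = defaultdict(list)
    for host, sid_text in inventory.items():
        prefix = parse_sid(sid_text).machine_prefix
        if prefix is None:
            raise ValueError(f"{host}: {sid_text} carries no machine SID")
        by_prefix[prefix].append(host)
    return {p: sorted(hosts) for p, hosts in by_prefix.items() if len(hosts) > 1}


# Constructed sample inventory: hostnames are invented, the first machine SID is the
# one shown in the Microsoft article, the second was made up for this example.
# LAPTOP-01 and LAPTOP-02 look like an image that was cloned without running Sysprep.
SAMPLE_INVENTORY = {
    "LAPTOP-01": "S-1-5-21-191058668-193157475-1542849698-500",
    "LAPTOP-02": "S-1-5-21-191058668-193157475-1542849698-500",
    "LAPTOP-03": "S-1-5-21-3623811015-3361044348-30300820-500",
}

if __name__ == "__main__":
    dupes = find_duplicate_machine_sids(SAMPLE_INVENTORY)
    if not dupes:
        print("all hosts have distinct machine SIDs")
    for prefix, hosts in dupes.items():
        print(f"machine SID {prefix} is shared by: {', '.join(hosts)}")
```

To feed it real data, collect one local account SID per host: `whoami /user` prints the SID of the account running it on any supported Windows version, and on Windows 10 or Server 2016 and later `(Get-LocalUser -Name Administrator).SID` in PowerShell gives the RID 500 account directly. Running the check against a freshly deployed batch before domain join is a cheap way to confirm that the imaging tool or Sysprep actually regenerated the machine SID.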