AD SID vs Local SID

Guest

Hi

I just need to have one thing explained to me.
The thing is that I am in a discussion with a colleague of mine and he claims that we need to change the SID with a third party software from Sysinternals called "NewSID" after we have cloned a system.

I claim that it is not necessary since the SID is automatically changed as soon as we make this client computer a member of our AD domain.

Which one is it?

Just to check I enumerated all the computer accounts' SIDs from AD and although all machines have been cloned there were no duplicates.
This I would say speaks in my favour.

However, just for fun I also checked the SID on my local computer in order to verify that it is the same as the computer account's SID in AD.
Surprisingly they are different!

I don't get it!

Can someone explain it?

Regards
Wayne
 
Nathan

He's familiar with an old problem, but there is no reason "not to" change the SID after a clone.

While you are right that the SIDs are CREATED (not exactly changed) when the computer comes into AD, the computer still has its own SID that was "created" (cloned) at installation time.

Just make this one step of hopefully many in the system creation process.
 
Guest

Hi Nathan

Thanks for your reply.
So in the end the computer object's SID in Active Directory and the local computer's SID are two unrelated things?

Cheers
Wayne
 
Nathan

So in the end the computer object's SID in Active Directory and the local computer's SID are two unrelated things?

Yeah, AD creates that SID at join time, so nothing to worry about. I would still change the SIDs at installation time if only for sanity reasons. You never know when some legacy problem will sneak up on you.
 
Lanwench [MVP - Exchange]

Absolutely. It takes only a few seconds to run ghostwalker, SIDWalker, IIRC.
 
Joe Richards [MVP]

Correct, those SIDs are completely unrelated. The AD SID is the SID for the computer object in relation to Active Directory. The SID on the computer is the computer's own SID.
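An added example (not posted in this thread) that shows the two SIDs side by side on a domain-joined machine: the local machine SID is recovered by stripping the RID from any local account's SID, while the computer object's SID comes from the domain via the RSAT ActiveDirectory module. It assumes the script runs with rights to query AD; the function names are my own.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.

# Every local account SID has the form <machine SID>-<RID>, so any local
# account gives us the machine SID once the RID is removed.
function Get-LocalMachineSid {
    $local = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" |
             Select-Object -First 1
    $sid = New-Object System.Security.Principal.SecurityIdentifier($local.SID)
    return $sid.AccountDomainSid.Value
}

# The computer object's SID is issued by the domain at join time and lives
# in the domain's SID space, not the machine's.
function Get-AdComputerSid {
    param([string]$Name = $env:COMPUTERNAME)
    Import-Module ActiveDirectory -ErrorAction Stop
    return (Get-ADComputer -Identity $Name).SID.Value
}

$machineSid = Get-LocalMachineSid
$adSid      = Get-AdComputerSid
$domainSid  = (New-Object System.Security.Principal.SecurityIdentifier($adSid)).AccountDomainSid.Value

"Local machine SID      : $machineSid"
"AD computer object SID : $adSid"
"Domain SID (AD prefix) : $domainSid"

# The AD SID is <domain SID>-<RID>; the local machine SID is a different
# authority entirely, so these two prefixes never match on a healthy join.
if ($machineSid -eq $domainSid) {
    Write-Warning "Machine SID equals the domain SID - this should not happen."
} else {
    "The local SID and the AD SID come from different SID spaces, as expected."
}
```

Running this on two machines cloned from the same image shows identical local machine SIDs but distinct AD computer object SIDs, which is exactly why an AD-side enumeration finds no duplicates even when the clones were never re-SIDed.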
 
ptwilliams

And you can still have local to local problems. After all, the LSA is still there and people have a nasty habit of using local users and groups from time to time...

I asked a question on the exact problems of not doing this not too long ago;
you may find the answer(s) interesting:
- http://x220.minasi.com/forum/topic.asp?TOPIC_ID=9536


--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________
