Cloning

Amir M.

Hi,

I've read that "duplicate SIDs aren't an issue in a domain-
based environment since domain accounts have SIDs based
on the Domain SID". When they say duplicate SIDs, do they
mean computer SID or user account SID, or both? In a
domain-based environment, is it OK to have duplicate
computer SIDs?

Thanks

Shenan Stanley

Amir said:
I've read that "duplicate SIDs aren't an issue in a domain-
based environment since domain accounts have SIDs based
on the Domain SID". When they say duplicate SIDs, do they
mean computer SID or user account SID, or both? In a
domain-based environment, is it OK to have duplicate
computer SIDs?

In a domain environment, it won't happen to a computer. When you join the
computer to the domain, you get a unique SID assigned to you from the
Domain. (Theoretically, with SLOW networks, YOU COULD have a duplicate SID,
and that would be an issue, but an issue caused by another issue.)

Same thing with User SIDs. Having duplicate user SIDs would be difficult in
a DOMAIN environment, requiring something else to be wrong originally and
cause the duplication.

The computer itself can have the same original (non-domain assigned) SID as
its thousands of friends near it - when it is in the same workgroup - this
might be a security risk, but when it is joined to the domain and its
thousands of friends are joined to that same domain, they all obtain new
SIDs in the DOMAIN.

Travis

Shenan, I beg to differ. Each user account, group, and computer each have
their own SID. The computer SID is randomly generated at the time you
install the OS. Amir, I believe the duplicate SIDs you are referring to are
computer SIDs. Duplicate computer SIDs are of a concern when you clone an
image and do not use a SID regenerator like sysprep.

-Travis

Shenan Stanley

Travis said:
Shenan, I beg to differ. Each user account, group, and computer each
have their own SID. The computer SID is randomly generated at the
time you install the OS. Amir, I believe the duplicate SIDs you are
referring to are computer SIDs. Duplicate computer SIDs are of a
concern when you clone an image and do not use a SID regenerator like
sysprep.

Duplicate SIDs aren't an issue in a Domain-based environment since domain
accounts have SIDs based on the Domain SID. But, according to Microsoft
Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of
Windows NT", in a Workgroup environment security is based on local account
SIDs. Thus, if two computers have users with the same SID, the Workgroup
will not be able to distinguish between the users. All resources, including
files and Registry keys, that one user has access to, the other will as
well.

Another instance where duplicate SIDs can cause problems is where there is
removable media formatted with NTFS, and local account security attributes
are applied to files and directories. If such a media is moved to a
different computer that has the same SID, then local accounts that otherwise
would not be able to access the files might be able to if their account IDs
happened to match those in the security attributes. This would not be possible
if computers have different SIDs.

An article Mark has written, entitled "NT Rollout Options", was published in
the June issue of Windows NT Magazine. It discusses the duplicate SID issue
in more detail, and presents Microsoft's official stance on cloning. The
relevant section is near the middle:
http://www.winntmag.com/Articles/ArticleID/3469/pg/2/2.html
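To make the local-versus-domain distinction in the reply above concrete, here is an added Python model (not code from the thread or from any Microsoft tool) of how account SIDs are formed: a local account SID is the machine SID plus the account's RID, while a domain account SID is the domain SID plus a RID the domain issues. It shows why two cloned machines that share a machine SID also share every local account SID, why an NTFS ACE written on one of them matches the "same" local account on the other, and why the domain computer accounts for those same machines remain distinct. Every SID value, host name and RID below (other than the well-known Administrator RID 500) is a constructed placeholder.

```python
"""
Added example (not from the thread): models how Windows account SIDs are
formed so the local-versus-domain point can be checked concretely.
All SID values below are constructed placeholders, not real ones.

A SID string has the form  S-1-<authority>-<sub1>-...-<subN>[-<RID>].
Local account SID  = machine SID (S-1-5-21-a-b-c) + account RID.
Domain account SID = domain SID  (S-1-5-21-x-y-z) + RID issued by the domain.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: tuple  # tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
            raise ValueError(f"not a SID string: {text!r}")
        return cls(int(parts[2]), tuple(int(p) for p in parts[3:]))

    def with_rid(self, rid: int) -> "Sid":
        """Account SID = issuing authority's SID (machine or domain) + RID."""
        return Sid(self.authority, self.subauthorities + (rid,))

    def __str__(self) -> str:
        return "S-1-" + "-".join(str(x) for x in (self.authority, *self.subauthorities))


# Constructed fleet: CLONE-A and CLONE-B were imaged from the same disk without
# sysprep, so they carry the same machine SID; WS-C was installed separately.
MACHINE_SIDS = {
    "CLONE-A": Sid.parse("S-1-5-21-1111-2222-3333"),
    "CLONE-B": Sid.parse("S-1-5-21-1111-2222-3333"),
    "WS-C":    Sid.parse("S-1-5-21-4444-5555-6666"),
}
# 500 is the well-known RID of the built-in Administrator; 1001 is a constructed user RID.
LOCAL_RIDS = {"Administrator": 500, "alice": 1001}

# Constructed domain: each computer account gets DOMAIN_SID + a RID the domain
# hands out, independent of the machine's own SID.
DOMAIN_SID = Sid.parse("S-1-5-21-7777-8888-9999")
DOMAIN_COMPUTER_RIDS = {"CLONE-A": 1105, "CLONE-B": 1106, "WS-C": 1107}


def local_account_sids(machine_sids, rids):
    """Map (machine, account) -> local account SID for every machine/account pair."""
    return {(m, name): sid.with_rid(rid)
            for m, sid in machine_sids.items()
            for name, rid in rids.items()}


def find_duplicate_account_sids(account_sids):
    """Return {SID string: sorted (machine, account) pairs} for SIDs present on more than one machine."""
    seen = defaultdict(list)
    for key, sid in account_sids.items():
        seen[str(sid)].append(key)
    return {s: sorted(keys) for s, keys in seen.items() if len({m for m, _ in keys}) > 1}


def domain_computer_sids(domain_sid, computer_rids):
    """Domain computer account SIDs: derived from the domain SID, so unique per RID."""
    return {name: domain_sid.with_rid(rid) for name, rid in computer_rids.items()}


def ace_grants_access(ace_sids, account_sid):
    """NTFS-style check: access is decided by SID equality alone, not by account name or host."""
    return account_sid in ace_sids


if __name__ == "__main__":
    locals_ = local_account_sids(MACHINE_SIDS, LOCAL_RIDS)
    for sid, who in find_duplicate_account_sids(locals_).items():
        print(f"duplicate local SID {sid}: {who}")
    # An ACE written on CLONE-A for alice also matches alice on CLONE-B, but not on WS-C.
    ace = {locals_[("CLONE-A", "alice")]}
    print("alice@CLONE-B allowed:", ace_grants_access(ace, locals_[("CLONE-B", "alice")]))
    print("alice@WS-C allowed:", ace_grants_access(ace, locals_[("WS-C", "alice")]))
    for name, sid in domain_computer_sids(DOMAIN_SID, DOMAIN_COMPUTER_RIDS).items():
        print(f"{name} domain computer SID: {sid}")
```

Running it lists the two local SIDs (RID 500 and RID 1001) that CLONE-A and CLONE-B share, shows the ACE match crossing from one clone to the other while WS-C is rejected, and prints three distinct domain computer SIDs, which is the behaviour the KB article describes for workgroup versus domain accounts.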