Computer SID question

Guest

I have a question regarding a computer's SID within Active Directory.
Whenever I join a computer to our Active Directory I just right-click on My
Computer, computer name and select Change, type in the domain name, etc.
Someone I work with stated that that is not the correct way to join the
domain, in order for Active Directory to have the SID for the computer the
wizard needs to be run. I just wonder if I've been doing this wrong the whole
time but it does not make sense to me that it would not have a SID from
"manually" joining the computer to the domain.
Also, we have images for computers that we use, the standard image is not
joined to the domain, once we image the computer, rename it, then it is
joined to the domain. Could this also affect the SID information?
Hope this makes sense.
Thanks
 
Brandon McCombs

John said:
> I have a question regarding a computer's SID within Active Directory.
> Whenever I join a computer to our Active Directory I just right-click on My
> Computer, computer name and select Change, type in the domain name, etc.
> Someone I work with stated that that is not the correct way to join the
> domain, in order for Active Directory to have the SID for the computer the
> wizard needs to be run. I just wonder if I've been doing this wrong the whole
> time but it does not make sense to me that it would not have a SID from
> "manually" joining the computer to the domain.

That's what wizards do to people: dumb them down. I never go through the wizard
and join the machine to the domain in exactly the way you described and never
have trouble. I personally didn't even know there was a wizard available for
that. Also, what I consider manual is manually creating the machine account
first in ADS and then joining the machine to the domain.

> Also, we have images for computers that we use, the standard image is not
> joined to the domain, once we image the computer, rename it, then it is
> joined to the domain. Could this also affect the SID information?

It could for the accounts on the machine but not the machine itself. If you don't
run a tool like Ghostwalker to change the SID for administrator on each of those
machines then every admin account on all those machines would be the same. I've
never seen any problems arise from this but it is best to make/keep them all
unique. As for affecting the machine's SID, beyond the imaging part you are
using the same method as you mentioned above for adding the machine to the domain
and since the image is 1) of the machine and not the domain controller you aren't
duplicating them and 2) the image was made prior to the machine being on the
domain and thus doesn't even have a SID on the DC yet.

> Hope this makes sense.
> Thanks

hope this helps ;)
 
Cary Shultz

John,

As Brandon stated, you are not doing things incorrectly. The process that
you describe is exactly the way that I have been doing it since 1999! So, I
believe that it is safe to say that all of the computer accounts and
computer account objects that I have created in those six / seven years have
not had a correct SID!

And, if you first install the OS and simply join the computer to a
workgroup - which is the way that a lot of people do this - then you have
two choices as to joining it to the domain. Clicking on the Change...
button ( as you do ) or clicking on the Network ID button ( as your
colleague does ). Either way accomplishes the same thing.

As a side-note: I just used the Network ID button about two months ago in a
WIN2003 AD environment ( with WINXP Pro SP2 systems in a school lab ). It
is quite nice! But, I repeat: it is simply another way to reach the same
place.

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
 
Joe Richards [MVP]

You just tell it to join and enter the proper password and it is joined. The SID
for the computer in AD and the SID of the machine itself are completely
different and not at all connected. The SID on the machine will not change to
reflect SID from AD.

With your images, you should be using some form of sid changer software like
newsid or something like that after copying the image when you rename the
machine. You definitely don't want to image joined machines as you would have to
rejoin them anyway.
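
The distinction Joe describes can be checked on a domain-joined machine. The PowerShell below is an added example, not part of the original thread; it assumes PowerShell 5.1 or later (for `Get-LocalUser`), a domain member that is not a domain controller, and a logged-on account that can query AD.

```powershell
# Added example: show that the local machine SID and the SID of this
# computer's account in Active Directory are two unrelated values.

# Every local account SID is <machine SID>-<RID>, so the machine SID is the
# "domain" part of any local account's SID (built-in Administrator is RID 500).
$localUser  = Get-LocalUser | Select-Object -First 1
$machineSid = $localUser.SID.AccountDomainSid.Value

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    "Local machine SID : $machineSid"
    "Not joined to a domain, so there is no computer account in AD to compare."
    return
}

# The computer account's sAMAccountName is the NetBIOS name followed by '$'.
$sam      = '{0}$' -f $env:COMPUTERNAME
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$sam))"
$result   = $searcher.FindOne()
if (-not $result) { throw "No computer account named $sam found in AD." }

# objectSid is stored as a byte array; convert it to the S-1-5-21-... form.
$bytes = $result.Properties['objectsid'][0]
$adSid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    LocalMachineSid  = $machineSid                     # created at OS install, copied by imaging
    AdComputerSid    = $adSid.Value                    # assigned by the DC at join time
    AdDomainSid      = $adSid.AccountDomainSid.Value   # the domain's SID, shared by all domain accounts
    LocalPartMatches = ($machineSid -eq $adSid.AccountDomainSid.Value)  # expected: False
}
```

Run on two machines cloned from the same image without a SID change, `LocalMachineSid` is identical on both while `AdComputerSid` differs.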
 
Paul Bergson

Use the SID walker, I have seen problems with printing back in NT.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
