Concrete Examples of Duplicate SID problems--Do y'all have any?

Guest

Hi,

We are running Windows XP clients in a Server 2003 environment with AD. We
use Ghost to image machines. I have been reading everything I can concerning
issues with duplicate SIDs being created if you use Ghost without running
sysprep or some other 3rd party SID changer. (Although I know 3rd party
products are not supported by MS)

The majority of the documentation seems to indicate that you will have major
problems if you have duplicate SIDs in a workgroup setting, but you should
not have such problems in a network setting. (Something to do with the RIDs?)
I have not seen anyone post concrete examples of how duplicate SIDs cause
problems on a network. (I have read about the removable media security
issue) Can anyone offer some concrete examples of how duplicate SIDs can
negatively impact a network?
 
Carey Frisch [MVP]

Do not disk duplicate installed versions of Windows
http://support.microsoft.com/kb/162001/en-us

How to change the SID on a Windows XP, Windows 2000, or Windows NT computer
http://service1.symantec.com/SUPPORT/ghost.nsf/docid/1999050308324125

The Microsoft Policy Concerning Disk Duplication of Windows XP Installations
http://support.microsoft.com/default.aspx?scid=kb;en-us;314828&Product=winxp

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

-------------------------------------------------------------------------------------------

| Hi,
|
| We are running Windows XP clients in a Server 2003 environment with AD. We
| use Ghost to image machines. I have been reading everything I can concerning
| issues with duplicate SIDs being created if you use Ghost without running
| sysprep or some other 3rd party SID changer. (Although I know 3rd party
| products are not supported by MS)
|
| The majority of the documentation seems to indicate that you will have major
| problems if you have duplicate SIDs in a workgroup setting, but you should
| not have such problems in a network setting. (Something to do with the RIDs?)
| I have not seen anyone post concrete examples of how duplicate SIDs cause
| problems on a network. (I have read about the removable media security
| issue) Can anyone offer some concrete examples of how duplicate SIDs can
| negatively impact a network?
| --
| You want me to do what?!?!
 
Guest

I have read all of these, but perhaps you could explain the significance. I
feel thick-headed, but can you give a real-life example of the concepts they
are talking about?
 
Jean-Philippe Breton

Computer acting weird:

- Unable to sync time with DC
- Unable to join domain
- Error message in Event Viewer

Any reason why you don't want to use sysprep?
 
Guest

Thank you! That is exactly what I needed!!! Let me put it this way--there is
no reason I did not want to use sysprep but the image creators did not like
the fact that they had to go through the mini setup. My inability to give
some concrete examples of why we should use sysprep other than "Everybody
says it should be done this way" did not further my cause in convincing them.
You pointed out some inexplicable issues we have had that will go a long way
towards convincing them of the need.
 
Hunter01

Jean-Philippe Breton said:
| Computer acting weird:
|
| - Unable to sync time with DC


Not true, despite the fact we enforce SID changing (to be on the safe
side) we've had a few occasions where people have decided to short-cut
(and been summarily executed for doing so) and that was never a result
from that, in one case with over 60 machines going out with the same SID.

| - Unable to join domain


As above, very notably so, or not one of them would've gone out.

| - Error message in Event Viewer


Being? I'm curious now, does anyone have any real real-world examples of
duplicate SID problems?? We've always just played safe where I work, but
has anyone really seen that big bad bugbear Microsoft tells us to fear
with duplicate machine SIDs in a domain environment?

| Any reason why you don't want to use sysprep?


Actually you'd be a fool to use Sysprep merely to change a SID when
there are much better tools around which aren't remotely as intrusive,
don't take a fraction of the time and don't mangle things. Sysprep's
main realistic purpose is to make an image as hardware independent as
possible, and if I could find a third party tool that did the same job
without the Microsoft enforced mangle-ation of customisations I'd bin
Sysprep in a second, I really hope Altiris get around to it, as they've
covered pretty much every other base and now acquired WISE for package
development, so that's all that is missing for a complete desktop
management solution. But this is starting to feel like going over old
and obvious ground over and over, so I won't bother going into any more
detail.
 
Hunter01

Tech_in_the_woods said:
| Thank you! That is exactly what I needed!!! Let me put it this way--there is
| no reason I did not want to use sysprep but the image creators did not like
| the fact that they had to go through the mini setup. My inability to give
| some concrete examples of why we should use sysprep other than "Everybody
| says it should be done this way" did not further my cause in convincing them.
| You pointed out some inexplicable issues we have had that will go a long way
| towards convincing them of the need.


Except they're all wrong, at least we've never experienced any of them
in our domain environment (hence they are not results of not changing
the SID in a domain environment, unless possibly mixed with other
pre-existing situations which we obviously do not have) when we've had
PCs deployed with duplicate SIDs. And again... Why knock down walls
when all you need is a paint job?

Sysinternals have a much better tool for changing the SID if you're not
looking for "one image fits all" and aren't willing to spend money.

Perhaps you should hear your image creators out... The only reason we
bother to change the SID is we don't want to take any risks and it ain't
a big drama anyway. And even then we only now use Sysprep to gain that
"one image fits all", prior to that we happily operated under a Ghost
license using Ghostwalk for a longggg time. What propelled us into
change was an amalgamation that near doubled our size, which led us into
the land of Altiris, and the sudden onslaught of new hardware types led
us into Sysprep.

Prior to that situation we would've summarily executed anyone that used
Sysprep to change the SID on a dedicated platform image, due to the
incredibly large waste of time post-image, and the severe mangalation of
customisations.
 
Shenan Stanley

Hunter01 said:
| Except they're all wrong, at least we've never experienced any of
| them in our domain environment (hence they are not results of not
| changing the SID in a domain environment, unless possibly mixed
| with other pre-existing situations which we obviously do not have)
| when we've had PCs deployed with duplicate SIDs. And again... Why
| knock down walls when all you need is a paint job?
|
| Sysinternals have a much better tool for changing the SID if you're
| not looking for "one image fits all" and aren't willing to spend
| money.
|
| Perhaps you should hear your image creators out... The only reason
| we bother to change the SID is we don't want to take any risks and
| it ain't a big drama anyway. And even then we only now use Sysprep
| to gain that "one image fits all", prior to that we happily
| operated under a Ghost license using Ghostwalk for a longggg time.
| What propelled us into change was an amalgamation that near doubled
| our size, which led us into the land of Altiris, and the sudden
| onslaught of new hardware types led us into Sysprep.
|
| Prior to that situation we would've summarily executed anyone that
| used Sysprep to change the SID on a dedicated platform image, due
| to the incredibly large waste of time post-image, and the severe
| mangalation of customisations.

Using GhostWalker or NewSID or some other tool after imaging a machine
always worked great for me - and didn't have the weird feeling that SysPrep
gave some people.

It can CAUSE all the problems listed above as well as other weirdness - not
changing the SID.. And when you consider it is (at most) 60 seconds to add
that to an after-script <- I say why not change the SID and avoid the
possibilities.. It certainly does not harm and gets rid of one more suspect
when trying to track down issues in the future.
 
Hunter01

Shenan said:
| Using GhostWalker or NewSID or some other tool after imaging a machine
| always worked great for me - and didn't have the weird feeling that SysPrep
| gave some people.


Nor the driver excision (which is exactly what you want if you are using
a multiple platform image) or the mutilation of customisations (which is
not something that anyone wants, but for some bizarre reason Microsoft
do it anyway). Sysprep simply isn't a valid tool for SID changing, it's
a valid tool for hardware independence.

| It can CAUSE all the problems listed above as well as other weirdness - not
| changing the SID..

I have yet to actually meet anyone that has experienced any of this
though, and know of other sites that don't change their SIDs at all.
Regardless of having never met anyone that's had any problems I sort of
consider that insanity to be honest, a proper SID tool will only take a
couple of minutes to run, but if something ever raises its ugly head as
a problem, and you haven't been doing it, it's way too late 2000 PCs
later. Although thinking on that, Altiris could fix the SIDs on those
2000 PCs in no time I suppose if that site had Altiris...

| And when you consider it is (at most) 60 seconds to add
| that to an after-script <- I say why not change the SID and avoid the
| possibilities.. It certainly does not harm and gets rid of one more suspect
| when trying to track down issues in the future.


I agree entirely, I'm more curious than anything else if anyone has ever
really encountered any problems first hand. In fact to be honest the
pedant in me would probably force me to do it even if Microsoft didn't
claim problems with not doing it. It gives me a bad feeling having
something that is supposed to be a unique ID for the PC the same on all
PCs, even if the domain does take care of that with its own
identifier, something about the whole concept of leaving the SIDs the
same makes me shudder.
 
Guest

Did some fairly extensive benchtests on this, and AFAICS in the situation
where two computers have an identical user-account/password pair it makes no
odds whether SIDs of the accounts are identical or not. Microsoft seem to
indicate that having differing SIDs should provide security between the two
computers.. but it doesn't, as is easily demonstrated.

Over the course of my career I've imaged numerous 2000/XP computers, and
never seen these purported problems 'in the wild.' I use NewSID, but I'm
unsure whether it makes any measurable difference.

I don't regard sysprep as being a usable tool, mainly because it loses the
default userprofile setup. What is the point of sysprepping, if the settings,
so painstakingly done, are lost? You might as well start from scratch in that
case.

Usual policy these days for new computers is to image from a stock copy for
that model, then change the serial and re-activate.

As far as I can tell from the write-ups, the SID question does not apply to
domain accounts either, only to local accounts.
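
The local-versus-domain distinction discussed above, as an added example that is not part of the original thread: a local account SID is the machine SID plus a RID, so machines cloned from one image issue identical SIDs for their local accounts, while domain account SIDs are issued from the domain SID. The inventory rows, host names and SID values are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed inventory of (host, account, SID) rows, such as could be gathered
# with "wmic useraccount get name,sid" on each client. Every value is made up.
INVENTORY = [
    ("PC-001", "PC-001\\Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("PC-002", "PC-002\\Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("PC-002", "PC-002\\helpdesk", "S-1-5-21-1004336348-1177238915-682003330-1003"),
    ("PC-003", "PC-003\\Administrator", "S-1-5-21-2025429265-492894223-1708537768-500"),
    ("PC-001", "CORP\\alice", "S-1-5-21-3623811015-3361044348-30300820-1113"),
    ("PC-002", "CORP\\alice", "S-1-5-21-3623811015-3361044348-30300820-1113"),
]

def split_sid(sid):
    """Split an S-1-5-21-<a>-<b>-<c>-<rid> account SID into (issuer SID, RID)."""
    parts = sid.strip().upper().split("-")
    if (len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]
            or not all(p.isdigit() for p in parts[4:])):
        raise ValueError("not a machine- or domain-issued account SID: %r" % sid)
    return "-".join(parts[:7]), int(parts[7])

def is_local(host, account):
    """A local account is qualified by the host's own name, not a domain name."""
    return account.split("\\", 1)[0].upper() == host.upper()

def duplicate_machine_sids(inventory):
    """Map each machine SID seen on more than one host to the sorted host list."""
    hosts = defaultdict(set)
    for host, account, sid in inventory:
        if is_local(host, account):
            hosts[split_sid(sid)[0]].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}

def colliding_local_accounts(inventory):
    """Map each local account SID that exists on several hosts to those accounts."""
    owners = defaultdict(set)
    for host, account, sid in inventory:
        if is_local(host, account):
            owners[sid].add(account)
    return {s: sorted(a) for s, a in owners.items() if len(a) > 1}

if __name__ == "__main__":
    for machine_sid, hosts in duplicate_machine_sids(INVENTORY).items():
        print("machine SID %s shared by %s" % (machine_sid, ", ".join(hosts)))
    for sid, accounts in colliding_local_accounts(INVENTORY).items():
        print("%s names %s" % (sid, " and ".join(accounts)))
```

The `CORP\alice` rows are not flagged: a domain account is expected to carry the same SID on every member machine, whereas an NTFS ACL entry holding a cloned local SID resolves to a different machine's account wherever the volume is mounted.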
 
Shenan Stanley

Ian said:
| Did some fairly extensive benchtests on this, and AFAICS in the
| situation where two computers have an identical
| user-account/password pair it makes no odds whether SIDs of the
| accounts are identical or not. Microsoft seem to indicate that
| having differing SIDs should provide security between the two
| computers.. but it doesn't, as is easily demonstrated.
|
| Over the course of my career I've imaged numerous 2000/XP
| computers, and never seen these purported problems 'in the wild.' I
| use NewSID, but I'm unsure whether it makes any measurable
| difference.
|
| I don't regard sysprep as being a usable tool, mainly because it
| loses the default userprofile setup. What is the point of
| sysprepping, if the settings, so painstakingly done, are lost? You
| might as well start from scratch in that case.
|
| Usual policy these days for new computers is to image from a stock
| copy for that model, then change the serial and re-activate.
|
| As far as I can tell from the write-ups, the SID question does not
| apply to domain accounts either, only to local accounts.

Haven't researched sysprep in a while, eh?
http://support.microsoft.com/kb/887816

As far as the SID - again - 60 seconds of automated time vs potential issues
(even if no one has actually seen them in years.. - although that could be
because most change the SID and/or join domains now..) leads me to the
decision to continue changing the SIDs on newly imaged systems..
 
Hunter01

Shenan said:
| Haven't researched sysprep in a while, eh?
| http://support.microsoft.com/kb/887816


I have, I use it daily, and I agree with everything he said. All that
article points out is that Microsoft no longer think we have the
intelligence to set up our own "default user" profiles and decided to
use the local administrator profile to rebuild the "default user"
profile in effect. Easily worked around by using the local admin profile
to set up your default user profile.

That doesn't address the rest of the mangleations that you don't
encounter if you don't use Sysprep. Firewall being turned back on for
instance, the security database being randomly mangled as well. A few
other things, all of which we've managed to work around with a
post-image job using Altiris, but not everyone has Altiris or a
comparable desktop management environment.

| As far as the SID - again - 60 seconds of automated time vs potential issues
| (even if no one has actually seen them in years.. - although that could be
| because most change the SID and/or join domains now..) leads me to the
| decision to continue changing the SIDs on newly imaged systems..


Agree with you entirely. Use sysprep if you want a one image fits all
model and are willing to work around the mangleations, or if you have
only a few hardware platforms use a dedicated image for each, use a
proper SID changing tool, and steer well-clear of Sysprep. Best advice I
can think to give in the real world environments we all work in.
 
Guest

We have run into some issues with WSUS and duplicate SIDs. Not quite sure
why, but running a script to change the SID at startup seemed to work.
 
