fbreseal, sid, cloning

[Jeff]

From what I read in the documentation, fba has a phase which assigns the pc
name and generates a unique sid. It sounds to me like each PC that runs XP
is required to have a unique sid. Is this a technical requirement or a
license requirement?

If it is required by the licensing agreement, then I imagine that using
fbreseal is a requirement too. True?

-Jeff-

 

[Slobodan Brcin]

Jeff,

It is a technical requirement.

If you have devices that are connected in network it is a must to have
different SID's, otherwise all hell would get loose.
If your devices are stand alone then you don't have to bother with creating
unique SID.


Regards,
Slobodan

 

[KM]

Jeff,

You will need unique SIDs for devices running on domain-based network
environment.

Find more info here http://www.sysinternals.com/ntw2k/source/newsid.shtml
(read carefully "The SID Duplication Problem" section), or search google and
this NG archive.

KM

 

[Roy Hodgkinson]

Jeff,

Using fbreseal has significant technical merit in that it
also runs a Windows "mini-setup" that allows your XPE
image to load the drivers appropriate to any hardware
variations you may wish to support.

Also be aware that you can run fbreseal more than once.
When you have a "patched and perfect" XPE image running,
you can either incorporate the patches back into your TD
components or run fbreseal to create a "perfect" cloning
source image.

Roy

 

[Doug G]

Is there a limit to the number of times that fbreseal can be run? I use this
in my cloning process and I swear that, at least one time, I was
experimenting with changing configs and using fbreseal and all of a sudden
when I entered fbreseal I got an "'fbreseal' not recognized..." error.
Searching the disk, fbreseal.* was nowhere to be found, as if it had been
deleted somewhere along the line.

This actually seems like a good idea, as you would not want the customer to
be able to do his own cloning of the system that you sell him.

Doug G

 

[Stephen Woolhead]

Jeff,

You will need unique SIDs for devices running on domain-based network
environment.

Find more info here http://www.sysinternals.com/ntw2k/source/newsid.shtml
(read carefully "The SID Duplication Problem" section), or search google and
this NG archive.

Duplicate local SID's are not an issue in a domain based network, where
security uses the domain sid, but in a workgroup the computers SID is
important.

From your link above.

----------
Duplicate SIDs aren't an issue in a Domain-based environment since domain
accounts have SID's based on the Domain SID. But, according to Microsoft
Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of
Windows NT", in a Workgroup environment security is based on local account
SIDs. Thus, if two computers have users with the same SID, the Workgroup
will not be able to distinguish between the users. All resources, including
files and Registry keys, that one user has access to, the other will as
well.
----------

Either way it's good practice to fix the SID regardless if you are going to
participate on a windows network.

Stephen

 

[KM]

Stephen,

You are absolutely right. Workgroups are affected by the duplicated SIDs.
I should be more careful and read my posts before sending them out
Thanks for objective correcting me!

KM




SW> Duplicate local SID's are not an issue in a domain based network,
SW> where security uses the domain sid, but in a workgroup the computers
SW> SID is important.

SW> From your link above.

SW> ----------
SW> Duplicate SIDs aren't an issue in a Domain-based environment since
SW> domain accounts have SID's based on the Domain SID. But, according
SW> to Microsoft
SW> Knowledge Base article Q162001, "Do Not Disk Duplicate Installed
SW> Versions of
SW> Windows NT", in a Workgroup environment security is based on local
SW> account
SW> SIDs. Thus, if two computers have users with the same SID, the
SW> Workgroup will not be able to distinguish between the users. All
SW> resources, including files and Registry keys, that one user has
SW> access to, the other will as well.
SW> ----------

SW> Either way it's good practice to fix the SID regardless if you are
SW> going to participate on a windows network.

SW> Stephen


With best regards, KM. E-mail: (e-mail address removed)

 

[Doug Hoeffel]

Doug G:

MS deletes the fbreseal files after it is run. Win XP's sysprep works this
way as well. MS doesn't recomment to reseal more than once. Search old
posts about this. As I recall, someone from MS commented on why this is so.
I think the potential issues were with IIS.

HTH... Doug H.