How to change the SID on a Windows XP, Windows 2000, or Windows NT computer...


-|Tree=Bonz|-

How to change the SID on a Windows XP, Windows 2000, or Windows NT computer

Situation:
You are copying a Windows XP, Windows 2000, or Windows NT computer to another computer, and you want to know how to change the Security Identifier (SID) afterward.

Solution:
Need to change the SID
When you clone a Windows NT/2000/XP installation to many computers, the destination computers have the same SID and computer name as the source Windows installation. Because Windows NT/2000/XP networks use each computer's SID and computer name to uniquely identify the computer on the network, you must change the SID and computer name on each destination (client) computer after cloning.

Overview of ways to change the SID after cloning

* Ghost Walker
Ghost Walker is a Ghost utility included in the corporate Ghost versions and Norton Ghost 2003. Ghost Walker is a DOS program that allows you to change the SID and computer name at each client computer after cloning, that is, before restarting the computer into Windows.
* Ghost Console
The option SID Change is available on the Task you create in Ghost Console. When you use this option, Ghost remotely runs Ghost Walker at each client computer. That is, Ghost does not require that you visit each client computer to change the SID.
* Microsoft's System Preparation Tool (SysPrep)
Microsoft provides the SysPrep utility for preparing a source computer before creating an image of that computer. SysPrep allows you to change the SID, computer name, and other configuration information. When used on a Windows 2000/XP installation, SysPrep also prompts the client computers to rebuild their Plug and Play driver database.
* Third party utilities



Problems with changing SIDs
When the SID changer cannot locate and change all of the files that it needs to change, some applications or Windows features may not work on the destination computer.

Example of need to remove features before creating an image file
For instance, Windows 2000 NTFS File Encryption and Windows NT and Windows 2000 Protected Storage use a SID as a unique token. When you change the SID, Windows can no longer access encrypted files or Protected Storage media. To prevent the problem, these features must be removed before creating the image file.

Test the image file before rolling it out
For these reasons we advise that you prepare for mass rollouts or upgrades by first testing the image file on the various computer environments that you will roll out the image to, including testing the applications after cloning to a new computer.

Which SID changer to use
Each method for changing the SID has its own advantages and disadvantages. Use the SID changer recommended for the operating system being cloned:

Note: Because Microsoft support varies depending upon the operating system, method of cloning, and method of changing the SID, refer to the Microsoft document Do Not Disk Duplicate Installed Versions of Windows (Article ID 162001) for more detailed information.

* Windows 2000 or Windows XP installation: Use Microsoft's System Preparation (SysPrep) tool.

Although Ghost Walker successfully changes the SID on Windows 2000/XP computers, Microsoft's System Preparation (SysPrep) tool changes the SID and prompts Windows 2000/XP to rebuild its Plug-and-Play driver database.

Alternatively, instead of using SysPrep for all configuration changes, you can use SysPrep to rebuild the driver database and use Ghost to change the SID and computer name. Here are the general steps:
1. Disable the SysPrep feature that changes the SID.
2. Run SysPrep at the source Windows 2000 computer immediately before cloning.
3. Use Ghost to create an image file of the source computer.
4. Check the SID Change option on the Task that you create in Ghost Console.
5. Run the Task to roll out the image.
* Windows NT installation: Use Ghost Walker or the SID Change option in Ghost Console.

Because Ghost Walker is more thorough than SysPrep at changing all instances of the SID, and Windows NT does not have a Plug and Play driver database for the Windows NT SysPrep utility to rebuild, Ghost Walker is a better choice for changing the SID and computer name on Windows NT installations.
* Other Windows installations, such as Windows 95/98/Me: Use Ghost Walker or the SID Change option in Ghost Console. Use the SID Change option when running a Task in Ghost Enterprise Console and use Ghost Walker when cloning with Ghost Multicast Server.

If you use a third party SID changer, make sure that the SID changer changes all instances of the old SID where the SID is used to control access to files, registry settings, and so on. If the SID changer does not update old instances of the SID, some application programs may not work. In addition, Windows will no longer recognize the security settings, resulting in either no access to selected system resources or global access to system resources, increasing security risks on the system.


Ghost Walker
Run Ghstwalk.exe at the target computer after you write the disk or partition image to the computer. Ghost Walker changes the SID for all user profiles on the computer to a statistically-unique, randomly-generated value. Because both Ghost.exe and Ghost Walker run in DOS, changing the SID with Ghost Walker does not require an additional restart.

Number of characters in the new name
The new name must contain the same number of characters as the computer name of the source computer. Ghost Walker can change the computer name on all supported Windows operating systems.

Available in these Ghost versions

* Symantec Ghost 7.0
* Symantec Ghost 7.5
* Symantec Ghost 8.x
* Norton Ghost 2003


SID Change option on Ghost Console
This option is available in all Ghost versions that include the feature Ghost Console.

Use this option

* For cloning Windows NT installations when you want Ghost to remotely change the SID on the client computers. To change the SID automatically, check the "SID Change" option on the Clone tab in the Task. To change other configuration items, check the Configuration option on the General tab in the Task, and then choose an option in the Configuration tab.
* If you decide to use the SID Change option for cloning a Windows 2000/XP installation, use either the SysPrep option that changes the SID or the Ghost Console SID Change option, but not both options.


SysPrep
Although Ghost successfully changes the SID on Windows 2000/XP computers, Microsoft's System Preparation (SysPrep) tool changes the SID and prompts Windows 2000/XP to rebuild its Plug-and-Play driver database.
Advantages to using SysPrep

* Rebuilding the driver database is a significant advantage because the rebuild decreases the amount of user intervention required at the client computers when the source computer and client computers do not have exactly the same hardware.
* It invokes the Windows 2000/XP Setup Wizard, which is normally only seen during installation. The Wizard enables you to enter details regarding new users, licensing information, and other identification information.
* It allows you to install different drivers for the hard disk controller on the first startup after cloning. When the client computer requires different hard drive controller drivers than the source computer, the new drivers are loaded before the Plug and Play detection begins.
* It can be configured to have Windows 2000/XP rebuild its Plug-and-Play driver database on the first startup after cloning. The rebuild process removes drivers for devices that are not on the client computer and adds Windows drivers for devices that are on the client computer but were not on the source computer.
* It supports most of the unattended installation parameters, including computer name, domain, and network settings. These parameters are command-line arguments for the Windows installation command.
* It can be configured to run automatically, without having to visit the client computers.


No Symantec technical support for SysPrep
Symantec does not provide technical support for SysPrep. SysPrep is written, maintained, and supported by Microsoft.

To use SysPrep
See the document How to use SysPrep with Ghost. Note that SysPrep requires an additional restart after cloning.


Technical Information:
SIDs, workgroups, and domains
For more information on why you must change the SID for workgroups and domains, see the section "Security identifier (SID) for workstations participating in a domain" in the document Introduction to cloning a Windows NT, Windows 2000, or Windows XP computer.
SIDs and security
Many programs, including Windows itself, base security features on the SID and the computer name.
The parts the SID changer needs to change
When the SID changer cannot locate and change all instances of the SID and computer name, or locate and change proprietary calculated values that are based on the SID and computer name, some applications or Windows features may not work on the destination computer after changing the SID.



References:
GhostWalker
Introduction to Ghost Walker
How to run Ghost Walker from a command line.

Cloning Windows servers
Cloning a Windows NT or Windows 2000/2003 Server

Translations of this Document:
Given the time needed to translate documents into other languages, the
translated versions of this document may vary in content if the English
document was updated with new information during the translation process.
The English document always contains the most up-to-date information.
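
The post's requirement that a SID changer update every instance of the old SID can be checked offline on a test image. The following Python is an added example, not part of the original post or of any Ghost or SysPrep tooling: it scans a raw byte blob (for instance an exported registry hive or security descriptor) for the old machine SID in binary and string form. The SID values and the sample buffer are constructed for illustration.

```python
import re
import struct

def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' in the binary layout stored in ACLs and hives."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), authority (6 bytes,
    # big-endian), then each sub-authority as a 32-bit little-endian integer
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(buf, offset=0):
    """Decode the binary SID that starts at buf[offset]."""
    revision, count = buf[offset], buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def find_stale_sids(blob, old_machine_sid):
    """Return sorted (offset, encoding, sid) for each leftover old SID in blob."""
    hits = []
    machine = sid_to_bytes(old_machine_sid)
    body = machine[2:]  # authority + sub-authorities, shared with account SIDs
    pos = blob.find(body)
    while pos != -1:
        start = pos - 2
        if start >= 0 and blob[start] == machine[0]:
            count = blob[start + 1]
            # accept the machine SID itself or an account SID (one extra RID)
            if (count in (machine[1], machine[1] + 1)
                    and start + 8 + 4 * count <= len(blob)):
                hits.append((start, "binary", bytes_to_sid(blob, start)))
        pos = blob.find(body, pos + 1)
    # String forms (e.g. key names); the lookahead stops "...-333" from
    # matching inside a different SID such as "...-3331"
    ascii_pat = (re.escape(old_machine_sid.encode("ascii"))
                 + rb"(?![0-9])(?:-[0-9]+)?")
    wide_pat = (re.escape(old_machine_sid.encode("utf-16-le"))
                + rb"(?![0-9]\x00)(?:-\x00(?:[0-9]\x00)+)?")
    for m in re.finditer(ascii_pat, blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(wide_pat, blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)

# Constructed values: the source image's machine SID and the SID assigned
# to the clone by the SID changer.
OLD = "S-1-5-21-1111111111-2222222222-3333333333"
NEW = "S-1-5-21-4000000001-1234567890-987654321"

# Constructed sample standing in for data read from a cloned disk.
SAMPLE = (
    b"\x00" * 16
    + sid_to_bytes(OLD + "-500")            # stale account SID left in an ACL
    + b"\xff" * 4
    + sid_to_bytes("S-1-5-32-544")          # well-known SID, must not be flagged
    + sid_to_bytes(NEW + "-500")            # correctly rewritten account SID
    + (OLD + "-1003").encode("utf-16-le")   # stale SID left as a wide string
)

if __name__ == "__main__":
    for offset, encoding, sid in find_stale_sids(SAMPLE, OLD):
        print("offset %d (%s): %s" % (offset, encoding, sid))
```

An empty result for the old SID across the hives and descriptors you export from a test clone is the condition the post describes; any hit is an access-control entry or key that still refers to the source machine.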
 
Jason Tan

Hello,

Thank you for your information sharing here. However, to make our newsgroup
more clear, I would like to suggest you do not cross-post the same
information in multiple newsgroups in the future. Your understanding and
cooperation is appreciated.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Bruce Chambers

-|Tree=Bonz|- said:
How to change the SID on a Windows XP, Windows 2000, or Windows NT computer



Very old information snipped. Was there a question there? If so, I
certainly couldn't find it.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Curtis Smallboner

Why would anyone go to the trouble of changing the SID? I've been
ghosting systems on my network for years, without ghostwalker, sysprep,
or nothing. It hasn't caused any problems that I can see.
 
