Significant sub-authorities in determining duplicate machine SIDs

Guest

We've been trying to troubleshoot some GPO problems lately and while doing so
determined that some of our computer labs had duplicate machine SIDs for our
XP clients. Some of the computers had exact duplicates of the SID. Others
had duplicate RIDs in the SID sub-authority components. Does it matter if
any portion of the SID is a duplicate of another? Or does the entire SID
have to be a duplicate for it to matter? What should I be looking for?
Thanks!
 
Phillip Windell

The only thing I can tell you is that the dupe SIDs come from creating
machines from images (like Ghost) and then not using a tool (like
GhostWalker) to create a fresh SID before the machine is put into service.
If you don't do that, every machine made from that image will have the same
SID.

1. Image a new machine with Ghost booted in "DOS"
2. While still in "DOS", alter the SID so it is unique using GhostWalker
3. Put the machine in service.

You can possibly correct the SID issue by making the machines "workgroup"
machines by removing them from the Domain (make sure the machine account
gets deleted), run GhostWalker to change the SID, then rejoin them to the
Domain. However, the more time passes and the more the machine is changed
from when it was originally "imaged", the greater the chance something will go
wrong if the SID is altered.
 
Torgeir Bakken (MVP)

David said:
We've been trying to troubleshoot some GPO problems lately and while doing so
determined that some of our computer labs had duplicate machine SIDs for our
XP clients. Some of the computers had exact duplicates of the SID. Others
had duplicate RIDs in the SID sub-authority components. Does it matter if
any portion of the SID is a duplicate of another? Or does the entire SID
have to be a duplicate for it to matter? What should I be looking for?
Thanks!

Hi

As far as I know, there is no big issue with having duplicate machine
SIDs in a domain-based environment.

From
http://www.sysinternals.com/ntw2k/source/newsid.shtml

<quote>
Duplicate SIDs aren't an issue in a Domain-based environment since
domain accounts have SID's based on the Domain SID.
</quote>


And from
http://www.winntmag.com/Windows/Articles/ArticleID/3469/pg/2/2.html

<quote>
There are two scenarios in which aliased SIDs confuse NT's
security mechanisms. The first scenario is a workgroup
environment. In a workgroup, a number of NT machines are connected
in a peer-based model, and they can share resources such as disks
and printers with one another through a network. When a user on a
workgroup member machine accesses a resource on another workgroup
member machine, the user's local SID (a workgroup has no domain
SIDs) identifies the user to the remote computer. Consider the
case Figure 2 shows, in which Mark on Computer1 accesses files on
a shared drive served off Computer2. If Computer1 and Computer2
are clones with the same computer SID, and if the Fred account on
Computer2 has the same RID as the Mark account, Mark will look
exactly like Fred to Computer2. Mark can therefore view all the
files Fred can view, including Fred's private files, and vice
versa.

The second scenario in which SID duplication causes security
confusion concerns removable media, such as Jaz drives, which can
include security information when their formatting includes NTFS.
In the example in Figure 2, Fred can view any files on removable
media that Mark can view, because neither Computer1 nor Computer2
can distinguish between the two users with respect to the security
permissions assigned to files on the removable drive.

Contrary to common belief, these two scenarios are the only known
situations where duplicate computer SIDs cause problems. Duplicate
computer SIDs will not cause networks to fail, nor will they cause
other problems in an upgrade from NT 4.0 to 5.0.
</quote>
 
Guest

Yes, I read that too while researching this issue. I also read the following:

from http://www.winnetmag.com/Article/ArticleID/14919/14919.html#
<quote>
What are the problems with workstations having the same SID?

John Savill
InstantDoc #14919
John Savill's FAQ for Windows

A. At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a workstation
each installation would have the same machine SID. This is not a problem in a
Windows NT 4.0 domain as users have a SID generated by the domain controller
and do not use the local workstation SID for security. It IS a problem in a
Windows 2000 domain as the local machine SID is used in nearly all aspects of
security and before migrating to 2000 you should resolve any duplicate SID
issues which may have been caused by cloning installations.
</quote>

So there seems to be conflicting information with regard to how serious this
problem is in a domain environment.

Dave
 
Guest

Thanks. I did know how duplicate SIDs are created. We hired a contractor to
help us roll out over 2000 computers to our middle schools and have just
discovered that there may have been some problems during the imaging process.
However, this doesn't help me understand what constitutes a duplicate SID.
Here's an example of what I've found:

Computer    SID                                        Note
LABF14-04   S-1-5-21-2326369520-3253555194-74049757    exact dupe
LABC16-07   S-1-5-21-2326369520-3253555194-74049757    exact dupe
LABC16-02   S-1-5-21-3042452539-622697513-334337264
LABF14-10   S-1-5-21-596957751-3725260815-359561344    exact dupe
LABF14-12   S-1-5-21-596957751-3725260815-359561344    exact dupe
LABC16-05   S-1-5-21-48506347-3646499915-426764551
LABF14-15   S-1-5-21-2796713857-2210005112-502944281   dupe last RID
LABC16-17   S-1-5-21-3689853989-2888764536-502944281   dupe last RID
LABF14-02   S-1-5-21-1449542653-3364022493-502944281   dupe last RID
LABC16-23   S-1-5-21-3978503659-1809067083-516276246
LABF14-16   S-1-5-21-290470409-3091673561-677485609    dupe last 2 RIDs
LABF14-20   S-1-5-21-1608279117-3091673561-677485609   dupe last 2 RIDs

So when I scan my domain for duplicate machine SIDs I need to know whether
to look for exact dupes only or if I should include partial dupes. This will
help me provide specific information to our site support staff when I ask
them to re-image the machines that have dupes. Thanks.

Dave


Phillip Windell said:
The only thing I can tell you is that the dupe SIDs come from creating
machines from images (like Ghost) and then not using a tool (like
GhostWalker) to create a fresh SID before the machine is put into service.
If you don't do that, every machine made from that image will have the same
SID.

1. Image a new machine with Ghost booted in "DOS"
2. While still in "DOS", alter the SID so it is unique using GhostWalker
3. Put the machine in service.

You can possibly correct the SID issue by making the machines "workgroup"
machines by removing them from the Domain (make sure the machine account
gets deleted), run GhostWalker to change the SID, then rejoin them to the
Domain. However, the more time passes and the more the machine is changed
from when it was originally "imaged", the greater the chance something will go
wrong if the SID is altered.
 
Phillip Windell

David Shriner said:
Thanks. I did know how duplicate SIDs are created. We hired a contractor to
help us roll out over 2000 computers to our middle schools and have just
discovered that there may have been some problems during the imaging process.
However, this doesn't help me understand what constitutes a duplicate
SID.

If you want to find out just for curiosity's sake, that is fine. But for
practicality's sake it just isn't important. If you correct the dupe SIDs
like I outlined, you wouldn't have the problem any more to begin with.
 
Roger Abell

. . . by removing them from the Domain (make sure the machine
account gets deleted), . . .

but recognize that this will impact all machines that share that SID.

--
Roger Abell

Phillip Windell said:
The only thing I can tell you is that the dupe SIDs come from creating
machines from images (like Ghost) and then not using a tool (like
GhostWalker) to create a fresh SID before the machine is put into service.
If you don't do that, every machine made from that image will have the same
SID.

1. Image a new machine with Ghost booted in "DOS"
2. While still in "DOS", alter the SID so it is unique using GhostWalker
3. Put the machine in service.

You can possibly correct the SID issue by making the machines "workgroup"
machines by removing them from the Domain (make sure the machine account
gets deleted), run GhostWalker to change the SID, then rejoin them to the
Domain. However, the more time passes and the more the machine is changed
from when it was originally "imaged", the greater the chance something will go
wrong if the SID is altered.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


David Shriner said:
We've been trying to troubleshoot some GPO problems lately and while
doing
 
Roger Abell

Identical SIDs are exact matches, in total.
LABF14-04 S-1-5-21-2326369520-3253555194-74049757 exact dupe
LABC16-07 S-1-5-21-2326369520-3253555194-74049757 exact dupe

Non-identical SIDs differing in RIDs other than the last are
from different machines and/or domains
LABF14-15 S-1-5-21-2796713857-2210005112-502944281 dupe last RID
LABC16-17 S-1-5-21-3689853989-2888764536-502944281 dupe last RID
and in the above example these accidentally received the same unique
serialization RID (last RID) from their machines/domains (well, so it would
be interpreted if it were not known this is a duplication artifact).

The Microsoft Policy Concerning Disk Duplication of Windows XP Installations
http://support.microsoft.com/default.aspx?scid=kb;en-us;314828
indicates one example issue, with ACL'd removable media, that results
(or can result) from having identical SIDs.
Since in a domain multiple physical machines would be sharing account
objects when looked up via SID, you have the possibility of one of the
physical machines being forced out of sync with its domain membership
by actions of the other machine.


FYI, although likely not applicable in your situation:
http://www.microsoft.com/resources/.../2003/all/techref/en-us/w2k3tr_sids_tools.asp
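Roger's distinction (identical means the whole SID matches; a shared trailing sub-authority alone is not a duplicate) can be applied mechanically to an inventory before asking site staff to re-image. The following Python is an added example, not code from this thread; it assumes every entry is an XP-style machine SID of the form S-1-5-21-X-Y-Z and uses a few of the SIDs Dave listed as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed inventory: machine name + machine SID, copied from a few rows of the
# list posted in the thread, not collected from a live domain.
SAMPLE_INVENTORY = """\
LABF14-04 S-1-5-21-2326369520-3253555194-74049757
LABC16-07 S-1-5-21-2326369520-3253555194-74049757
LABC16-02 S-1-5-21-3042452539-622697513-334337264
LABF14-15 S-1-5-21-2796713857-2210005112-502944281
LABC16-17 S-1-5-21-3689853989-2888764536-502944281
LABF14-16 S-1-5-21-290470409-3091673561-677485609
LABF14-20 S-1-5-21-1608279117-3091673561-677485609
"""

# Textual SID: S-<revision>-<identifier authority>-<sub-authority>-...  Machine SIDs
# on XP are S-1-5-21-X-Y-Z: NT authority (5) and a 21 prefix (assumed for every row).
SID_RE = re.compile(r"^S-1-(\d+)-(\d+(?:-\d+)*)$")

def parse_sid(sid):
    """Split a textual SID into (identifier_authority, tuple_of_sub_authorities)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    return int(m.group(1)), tuple(int(x) for x in m.group(2).split("-"))

def classify(inventory):
    """Return (exact_dupes, last_rid_collisions): exact_dupes maps a full SID string to
    the machines sharing it (clones to re-image); last_rid_collisions maps a final
    sub-authority to machines whose full SIDs differ but end in it (informational)."""
    by_sid = defaultdict(list)
    for line in inventory.splitlines():
        name, sid = line.split()
        auth, subs = parse_sid(sid)
        if auth != 5 or subs[0] != 21:
            raise ValueError(f"{name}: {sid} is not a machine SID")
        by_sid[subs].append(name)
    exact = {"S-1-5-" + "-".join(map(str, subs)): sorted(names)
             for subs, names in by_sid.items() if len(names) > 1}
    by_last = defaultdict(list)
    for subs in by_sid:
        by_last[subs[-1]].append(subs)
    partial = {rid: sorted(n for s in sids for n in by_sid[s])
               for rid, sids in by_last.items() if len(sids) > 1}
    return exact, partial
```

Only the machines returned in the first dictionary are clones; the second dictionary lists machines that would be mistaken for duplicates by a scan that compares just the last RID.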