David said:
We've been trying to troubleshoot some GPO problems lately and while doing so
determined that some of our computer labs had duplicate machine SIDs for our
XP clients. Some of the computers had exact duplicates of the SID. Others
had duplicate RIDs in the SID sub-authority components. Does it matter if
any portion of the SID is a duplicate of another? Or does the entire SID
have to be a duplicate for it to matter? What should I be looking for?
Thanks!
Hi,
As far as I know, there is no big issue if you have duplicate machine
SIDs in a domain-based environment.
From http://www.sysinternals.com/ntw2k/source/newsid.shtml
<quote>
Duplicate SIDs aren't an issue in a Domain-based environment since
domain accounts have SIDs based on the Domain SID.
</quote>
And from http://www.winntmag.com/Windows/Articles/ArticleID/3469/pg/2/2.html
<quote>
There are two scenarios in which aliased SIDs confuse NT's
security mechanisms. The first scenario is a workgroup
environment. In a workgroup, a number of NT machines are connected
in a peer-based model, and they can share resources such as disks
and printers with one another through a network. When a user on a
workgroup member machine accesses a resource on another workgroup
member machine, the user's local SID (a workgroup has no domain
SIDs) identifies the user to the remote computer. Consider the
case Figure 2 shows, in which Mark on Computer1 accesses files on
a shared drive served off Computer2. If Computer1 and Computer2
are clones with the same computer SID, and if the Fred account on
Computer2 has the same RID as the Mark account, Mark will look
exactly like Fred to Computer2. Mark can therefore view all the
files Fred can view, including Fred's private files, and vice
versa.
The second scenario in which SID duplication causes security
confusion concerns removable media, such as Jaz drives, which can
include security information when their formatting includes NTFS.
In the example in Figure 2, Fred can view any files on removable
media that Mark can view, because neither Computer1 nor Computer2
can distinguish between the two users with respect to the security
permissions assigned to files on the removable drive.
Contrary to common belief, these two scenarios are the only known
situations where duplicate computer SIDs cause problems. Duplicate
computer SIDs will not cause networks to fail, nor will they cause
other problems in an upgrade from NT 4.0 to 5.0.
</quote>
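To put the two quotes against David's question ("does any portion of the SID have to match, or the whole thing?"), here is an added example that is not part of the original thread. It splits S-1-5-21 account SIDs into the machine-or-domain part and the trailing RID, reports which hosts in an inventory genuinely share a machine SID, and classifies pairs of account SIDs the way Windows would: only a complete match (same base SID and same RID) is the aliasing the article describes. The host names, machine SIDs and domain SID are constructed values; the inventory is assumed to have been collected from each lab PC (Sysinternals' PsGetSid prints a machine's SID).

```python
"""Decompose Windows SIDs and tell a real duplicate (a cloned machine SID)
from a harmless shared RID.  Added example; all SID values are constructed."""
from collections import defaultdict


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (revision, identifier authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    return int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:])


def split_account_sid(sid):
    """Return (machine_or_domain_sid, rid) for an NT-authority account SID.

    Local and domain accounts both look like S-1-5-21-x-y-z-RID: the first four
    sub-authorities (21 plus three generated values) identify the machine or the
    domain, and only the trailing sub-authority is the per-account RID.
    Well-known SIDs such as S-1-5-18 have no RID and are rejected.
    """
    rev, auth, subs = parse_sid(sid)
    if auth != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not an S-1-5-21 account SID: {sid!r}")
    base = f"S-{rev}-{auth}-" + "-".join(str(s) for s in subs[:-1])
    return base, subs[-1]


def find_cloned_machines(inventory):
    """inventory: {hostname: machine SID}.  Returns {sid: [hosts]} for every
    machine SID reported by more than one host; those hosts are true clones."""
    hosts_by_sid = defaultdict(list)
    for host, sid in inventory.items():
        hosts_by_sid[sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in hosts_by_sid.items() if len(hosts) > 1}


def compare_principals(sid_a, sid_b):
    """Classify how two account SIDs relate.  Only an identical SID (same base
    and same RID) makes Windows treat them as the same principal."""
    base_a, rid_a = split_account_sid(sid_a)
    base_b, rid_b = split_account_sid(sid_b)
    if base_a == base_b and rid_a == rid_b:
        return "same principal"          # the Mark/Fred case from the article
    if base_a == base_b:
        return "same machine/domain, different account"
    if rid_a == rid_b:
        return "same RID only"           # expected: RIDs are per-machine counters
    return "unrelated"


# Constructed sample inventory (not real machines): PC02 was imaged from PC01
# without regenerating the SID, PC03 was installed separately.
LAB_MACHINE_SIDS = {
    "LAB-PC01": "S-1-5-21-1111111111-2222222222-3333333333",
    "LAB-PC02": "S-1-5-21-1111111111-2222222222-3333333333",
    "LAB-PC03": "S-1-5-21-4444444444-5555555555-6666666666",
}
DOMAIN_SID = "S-1-5-21-7777777777-8888888888-9999999999"  # constructed


def account_sid(base_sid, rid):
    """Build an account SID from a machine/domain SID and a RID."""
    return f"{base_sid}-{rid}"


if __name__ == "__main__":
    for sid, hosts in find_cloned_machines(LAB_MACHINE_SIDS).items():
        print(f"cloned machine SID {sid}: {', '.join(hosts)}")
    pc01 = LAB_MACHINE_SIDS["LAB-PC01"]
    pc02 = LAB_MACHINE_SIDS["LAB-PC02"]
    pc03 = LAB_MACHINE_SIDS["LAB-PC03"]
    # A local account with RID 1001 on each box, and a domain account with the same RID.
    print("PC01/1001 vs PC02/1001:", compare_principals(account_sid(pc01, 1001), account_sid(pc02, 1001)))
    print("PC01/1001 vs PC03/1001:", compare_principals(account_sid(pc01, 1001), account_sid(pc03, 1001)))
    print("PC01/1001 vs DOMAIN/1001:", compare_principals(account_sid(pc01, 1001), account_sid(DOMAIN_SID, 1001)))
```

Only the "same principal" result across two different hosts is the situation the WinNT Magazine article warns about, and only where those hosts authenticate each other's users with local accounts (workgroup shares, NTFS-formatted removable media). Matching RIDs on machines with different machine SIDs are just two counters that happened to reach the same value, and domain accounts carry the domain SID, so cloned machine SIDs never make two domain users look alike.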