Changing SID (with NEWSID or SYSPREP) for cloned computers

[subspace_1]

A collegue of mine insists that changing the sid on the cloned computers is not necessary before joining the domain as the computer account created in the AD is a different one each time.

In fact for the machines (XP laptops, all the same branded laptop model) are cloned without new SID!

What do you say about this?

Do the same things apply to win7 and win2008r2?

[s0nic69]

this should help you.

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

[sc302 Veteran]

what happens is the computer has a identifier (very long key), that identifier gets put into the dc when the pc is joined. if that identifier is duplicated amongst all or most or some of the computers and computer level securities (like group policies) will not get applied properly and you will have a ton of issues. To save from that headache of the domain seeing all of the same computer (even though you may change the name of the pc it does not change the identifiers in the registry or the identifiers in active directory) it is best to use some sort of sid regenerator (new sid, sysprep, ghost walker, etc).

You want a ton of random domain issues keep doing it the way he is without regenerating the sid at each deployment.

http://windowsitpro.com/article/articleid/14919/what-are-the-problems-with-workstations-having-the-same-sid.html

http://download.cnet.com/DSM-Duplicate-SID-Monitor/3000-2094_4-11011883.html

when you start dealing with this issue on a large scale (1000+ pc's) you start to see the reason behind newsid and sysprep.

[Owen W Veteran]

what happens is the computer has a identifier (very long key), that identifier gets put into the dc when the pc is joined. if that identifier is duplicated amongst all or most or some of the computers and computer level securities (like group policies) will not get applied properly and you will have a ton of issues. To save from that headache of the domain seeing all of the same computer (even though you may change the name of the pc it does not change the identifiers in the registry or the identifiers in active directory) it is best to use some sort of sid regenerator (new sid, sysprep, ghost walker, etc).

You want a ton of random domain issues keep doing it the way he is without regenerating the sid at each deployment.

http://windowsitpro.com/article/articleid/14919/what-are-the-problems-with-workstations-having-the-same-sid.html

http://download.cnet.com/DSM-Duplicate-SID-Monitor/3000-2094_4-11011883.html

when you start dealing with this issue on a large scale (1000+ pc's) you start to see the reason behind newsid and sysprep.

Windows 7 does not use SID's for computers, but rather, unique SID identifiers per user. SID changing is not compatible with Windows 7 or Windows Server 2008 R2.

As the link above suggests:

"In other words, it’s not the SID that ultimately gates access to a computer, but an account’s user name and password: simply knowing the SID of an account on a remote system doesn’t allow you access to the computer or any resources on it."

[Joel]

Windows 7 does not use SID's for computers, but rather, unique SID identifiers per user. SID changing is not compatible with Windows 7 or Windows Server 2008 R2.

As the link above suggests:

"In other words, it?s not the SID that ultimately gates access to a computer, but an account?s user name and password: simply knowing the SID of an account on a remote system doesn?t allow you access to the computer or any resources on it."

You're confusing user SIDs with machine SIDs. As sc02 said, if you clone a currently-joined computer and deploy that image throughout the domain, you WILL have issues. There is a reason that sysprep includes the option to change machine SIDs, and newsid just took it one step further for ease of use.

[Owen W Veteran]

You're confusing user SIDs with machine SIDs. As sc02 said, if you clone a currently-joined computer and deploy that image throughout the domain, you WILL have issues. There is a reason that sysprep includes the option to change machine SIDs, and newsid just took it one step further for ease of use.

OK, fair point, but you do know they removed SID changing from Windows 7's version of SYSPREP, right?

[sc302 Veteran]

I was just reading, the generalize option in windows 7 sysprep will regenerate the machine sid.

there are other docs/sites that go over this, but this covers it

http://www.brajkovic.info/windows-server-2008/windows-server-2008-r2/how-to-change-sid-on-windows-7-and-windows-server-2008-r2-using-sysprep/

Also within imaging utilities like acronis and ghost, they have options to regenerate the sid during imaging so that you don't have to run sysprep.

[subspace_1]

thanx guys for your massive response!

I 'm looking into the sources you gave, just one aspect that i didnt figured out: if i have a system image PRIOR to joining to the domain will joining it to the domain CHANGE the Computer SIDs anyway, so i wont have to bother at all?

[Joel]

OK, fair point, but you do know they removed SID changing from Windows 7's version of SYSPREP, right?

He said the machines are XP.

if i have a system image PRIOR to joining to the domain will joining it to the domain CHANGE the Computer SIDs anyway, so i wont have to bother at all?

Change it anyway. Run sysprep before taking your image and restore your machines using that image.

[sc302 Veteran]

The system identifier gets put on during the install process, not during a join of the domain. Sysprep it before you image it.