
The Problems With Duplicate SIDs

The "SID issue" isn't as critical a problem as many people believe; how big a deal it is depends on your point of view. Here are some details on what the problem actually means to you and some tools for resolving it.

Microsoft's Stance on Cloning

"Microsoft supports the use of disk-image copying as a method of deployment for Windows NT® operating system version 4.0 if the disk is copied at the point in setup after the second reboot and before the graphical mode portion. 

Microsoft also supports the use of disk-image copying of fully installed, fully configured copies of Windows NT 4.0 under the following conditions:

  • You must use the Microsoft Windows NT System Preparation tool to prepare the master disk image.
  • The "master" computer and the "target computer" must have identical hardware configurations.
  • If disk-image copying has been used to deploy Windows NT Server, the server must be a stand-alone server. It cannot be part of a Windows NT domain. Neither primary domain controllers nor backup domain controllers can be deployed using disk-image copying.

If Microsoft product support determines that the disk image–copying installation method is not the cause for the instability, Microsoft product support will work to resolve an issue on a system that was installed using disk-image copying until:

  • It becomes apparent that the method of installation is the cause of the problem.
  • The issue cannot be reproduced in any way except on a system installed using disk-image copying.
  • Reinstallation of the OS with the Microsoft Windows NT Setup program, Winnt.exe or Winnt32.exe, resolves the issue.

Microsoft recommends that you install the base OS and any applications using the conventional Setup program prior to calling Microsoft product support to resolve any installation challenges."

The above is from Microsoft's paper, Disk-Image Copying of Microsoft Windows Operating Systems.

What is a SID?

SID stands for "Security Identifier" and is used within NT/2000 to uniquely identify an object such as a user, group or computer. The SID assigned to a user becomes part of the access token and is attached to any action or process attempted by that user. Because users, groups and computers are seen by the system as SIDs and not as usernames, group names or computer names, duplicate SIDs on a network can prevent the system from differentiating between these objects.

What's the real problem anyway?

Duplicate SIDs are not a problem at all in a domain-based NT network, because domain accounts have SIDs based on the domain SID. For most networks where security is an issue, a domain-based configuration is standard. However, in a workgroup environment, security is based on local account SIDs. This means that if two computers have users with the same SID, the workgroup will not be able to distinguish between the users: all resources that one user has access to, the other will also have access to. So if security is a concern and you are in a workgroup environment, duplicate SIDs will cause you concern.

Duplicate SIDs can also cause problems for removable media formatted with NTFS when local account security attributes are applied to files and/or directories. If this removable media is moved to a different computer that has the same machine SID, local accounts that otherwise would not be able to access the files might be able to, because their SIDs happen to match those stored in the security attributes.
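To make the workgroup and removable-media cases concrete, here is an added Python example that is not part of the article or of any Microsoft tool. The machine SIDs and the user RID 1001 are constructed sample values, and the code models only the SID comparison the article describes, not NT's full ACL evaluation.

```python
from typing import Dict, List, Tuple

# Fixed RIDs present on every NT/2000 installation; a cloned machine SID
# therefore yields an identical Administrator SID on every clone.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def parse_sid(text: str) -> Tuple[int, ...]:
    """Split 'S-1-5-21-A-B-C-RID' into (revision, authority, subauthorities..., RID)."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {text}")
    return tuple(int(p) for p in parts[1:])


def machine_sid(text: str) -> str:
    """The machine (or domain) SID is the account SID minus its last subauthority, the RID."""
    return text.rsplit("-", 1)[0]


def rid(text: str) -> int:
    return parse_sid(text)[-1]


def duplicate_machine_sids(machines: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map every machine SID found on more than one computer to the computers sharing it."""
    owners: Dict[str, List[str]] = {}
    for name, sids in machines.items():
        for account in sids:
            seen = owners.setdefault(machine_sid(account), [])
            if name not in seen:
                seen.append(name)
    return {msid: names for msid, names in owners.items() if len(names) > 1}


def accounts_granted(acl: List[str], machines: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Simulate NTFS media carried between computers: any (computer, account) whose SID
    matches an ACE on the media is granted access, whichever computer wrote the ACE."""
    return [(name, s) for name, sids in machines.items() for s in sids if s in acl]


# Constructed sample: PC1 and PC2 were imaged from one master (same machine SID),
# PC3 was installed with Setup and received its own machine SID.
CLONE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
FRESH_SID = "S-1-5-21-4444444444-5555555555-6666666666"
MACHINES = {
    "PC1": [f"{CLONE_SID}-500", f"{CLONE_SID}-1001"],
    "PC2": [f"{CLONE_SID}-500", f"{CLONE_SID}-1001"],
    "PC3": [f"{FRESH_SID}-500", f"{FRESH_SID}-1001"],
}
# ACE written on a removable NTFS volume by PC1 for its local user with RID 1001.
MEDIA_ACL = [f"{CLONE_SID}-1001"]
```

Running `duplicate_machine_sids(MACHINES)` flags PC1 and PC2, and `accounts_granted(MEDIA_ACL, MACHINES)` shows that PC2's local user 1001 is admitted by an ACE PC1 intended only for its own user.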

Tools

  • SysPrep (Microsoft)
  • NewSID (Sysinternals; freeware with source code)

All of the imaging tools on the market today come with some kind of solution for handling this issue.

Other Resources

Bob Kelly
AppDeploy.com
