The Problems With
The "SID issue" isn't as critical a problem as many people believe; how big a deal it is depends on your point of view. Here are some details on what the problem actually means to you, and some tools for resolving it.
Microsoft's Stance on Cloning
"Microsoft supports the use of disk-image
copying as a method of deployment for Windows NT® operating system version 4.0
if the disk is copied at the point in setup after the second reboot and before
the graphical mode portion.
Microsoft also supports the use of disk-image
copying of fully installed, fully configured copies of Windows NT 4.0 under the
- You must use the Microsoft
Windows NT System Preparation tool to prepare the master disk image.
- The "master"
computer and the "target computer" must have identical hardware
- If disk-image copying has
been used to deploy Windows NT Server, the server must be a stand-alone
server. It cannot be part of a Windows NT domain. Neither primary domain
controllers nor backup domain controllers can be deployed using disk-image
If Microsoft product support determines that the
disk image–copying installation method is not the cause for the instability,
Microsoft product support will work to resolve an issue on a system that was
installed using disk-image copying until:
- It becomes apparent that the
method of installation is the cause of the problem.
- The issue cannot be
reproduced in any way except on a system installed using disk-image copying.
- Reinstallation of the OS
with the Microsoft Windows NT Setup program, Winnt.exe or Winnt32.exe,
resolves the issue.
Microsoft recommends that you install the base OS
and any applications using the conventional Setup program prior to calling
Microsoft product support to resolve any installation challenges."
The above is from Microsoft's paper, Disk-Image
Copying of Microsoft Windows Operating Systems.
What is a SID?
SID stands for "Security Identifier". It is the value NT/2000 uses internally to uniquely identify a security principal such as a user, group or computer. Each computer gets its own SID when the operating system is installed, and every local account and group it creates is identified by that machine SID plus a relative identifier (RID) for the individual account; domain accounts are built the same way from the domain SID. The SIDs of a user and of the groups the user belongs to make up the user's access token, which is attached to every process the user runs and is compared against the SIDs in an object's access control list. Because the system sees users, groups and computers as SIDs rather than as user names, group names or computer names, duplicate SIDs on a network can leave the system unable to tell these objects apart.
What's the real problem anyway?
Duplicate machine SIDs are not a problem at all in a domain-based NT network, because domain accounts have SIDs based on the domain SID, not on the SID of any individual workstation. (The exception is the domain controllers themselves: the domain SID is the SID the domain controllers share, which is why Microsoft's statement above excludes primary and backup domain controllers from disk-image deployment.) For most networks where security is an issue, a domain-based configuration is standard. In a workgroup, however, there is no shared authority, and security is based on each machine's local account SIDs. If two computers share a machine SID, a local account on one has exactly the same SID as the account with the same RID on the other, and access checks cannot distinguish between them: an access control entry that grants one of those accounts access grants the other as well. So if security is a concern and you are in a workgroup environment, duplicate SIDs should concern you.
Duplicate SIDs can also cause problems for removable media formatted with NTFS when local account security attributes are applied to its files and directories. If that media is moved to a different computer that has the same machine SID, local accounts on the second computer that otherwise would have no access to the files may be able to access them, because their SIDs (the same machine SID plus the same RIDs) match the SIDs recorded in the files' security attributes.
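To make the mechanism behind both of the scenarios above concrete, here is an added example (not code from the original article, from Microsoft or from any imaging vendor) that models SIDs in Python: it parses the S-1-5-21-A-B-C-RID text form, converts to and from the binary layout used in security descriptors, recovers the machine SID from an account SID, flags hosts in an inventory that share a machine SID, and runs a minimal access check showing that an entry written for one machine's account also matches the same-RID account on an unmodified clone. The hostnames, account SIDs and access control list are constructed for the demonstration.

```python
"""Added example: model Windows SIDs to show why cloning a machine without
regenerating its SID matters.

Facts used: a SID is S-<revision>-<identifier authority>-<sub-authorities...>;
local account and group SIDs are the machine SID (S-1-5-21-A-B-C, three 32-bit
values chosen at install) followed by a relative identifier (RID). Hostnames,
account names and the sample SIDs below are constructed for the demo.
"""
import struct
from collections import defaultdict


def parse_sid(text):
    """'S-1-5-21-1-2-3-1001' -> (revision, authority, (sub-authorities...))."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_to_bytes(text):
    """Binary form as stored in security descriptors: revision (1 byte),
    sub-authority count (1 byte), 48-bit identifier authority big-endian,
    then each sub-authority as a 32-bit little-endian integer."""
    revision, authority, subs = parse_sid(text)
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    head = struct.pack(">BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw):
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<" + "I" * count, raw[8:8 + 4 * count])
    return format_sid(revision, authority, subs)


def machine_sid(account_sid):
    """Machine (or domain) SID an account SID was issued from, or None for
    well-known SIDs such as S-1-5-32-544 (BUILTIN\\Administrators)."""
    revision, authority, subs = parse_sid(account_sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        return None
    return format_sid(revision, authority, subs[:-1])


def rid(account_sid):
    return parse_sid(account_sid)[2][-1]


def find_duplicate_machine_sids(inventory):
    """inventory: {hostname: [local account SIDs]} -> {machine SID: [hosts]}
    for every machine SID seen on more than one host."""
    hosts_by_sid = defaultdict(set)
    for host, sids in inventory.items():
        for s in sids:
            m = machine_sid(s)
            if m:
                hosts_by_sid[m].add(host)
    return {m: sorted(h) for m, h in hosts_by_sid.items() if len(h) > 1}


def access_allowed(dacl, token_sids):
    """Minimal DACL evaluation: the first entry whose SID is in the token
    decides; no entry matching means no access. Only SIDs are compared,
    never account names, which is the whole point."""
    for kind, sid in dacl:
        if sid in token_sids:
            return kind == "allow"
    return False


# Constructed inventory: WS02 was cloned from WS01 without a SID changer, so
# WS02\bob (RID 1001) carries the same SID as WS01\alice (RID 1001).
INVENTORY = {
    "WS01": ["S-1-5-21-1004336348-1177238915-682003330-500",
             "S-1-5-21-1004336348-1177238915-682003330-1001"],   # alice
    "WS02": ["S-1-5-21-1004336348-1177238915-682003330-500",
             "S-1-5-21-1004336348-1177238915-682003330-1001"],   # bob
    "WS03": ["S-1-5-21-3623811015-3361044348-30300820-500",
             "S-1-5-21-3623811015-3361044348-30300820-1001"],    # carol
}

# Constructed DACL set on a removable NTFS volume while it was attached to
# WS01: grant access only to WS01\alice.
REMOVABLE_DACL = [("allow", "S-1-5-21-1004336348-1177238915-682003330-1001")]


def demo():
    dupes = find_duplicate_machine_sids(INVENTORY)
    bob_can_read = access_allowed(REMOVABLE_DACL, set(INVENTORY["WS02"][1:]))
    carol_can_read = access_allowed(REMOVABLE_DACL, set(INVENTORY["WS03"][1:]))
    return dupes, bob_can_read, carol_can_read


if __name__ == "__main__":
    print(demo())
```

Running the block reports WS01 and WS02 as sharing a machine SID and shows that bob on the clone passes the access check written for alice, while carol on a machine with its own SID does not. The same `find_duplicate_machine_sids` check can be fed real data by collecting each host's local account SIDs and works whether the duplicate came from a cloned disk image or any other cause.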
(Sysinternals- freeware with source code)
All of the imaging tools
on the market today come with some kind of solution for handling this issue: