Question on SIDs and Computer Accounts

[Bobby]

I have a quick question on the relationship of SIDs and computer accounts.
This much I understand:
If I have a computer account named WILLIAM on my Windows 2000 domain,
Windows 2000 automatically gives it a SID.
This much I don't understan:
What if I change the name of the account from WILLIAM to ROBERT and add it
back to the domain? Does the SID change? Or does it keep the original SID?

Basically do SIDs change when you change the name of the computer account?

We're using Ghost to image our workstations and the question arose about
SIDs. If we use the same image for 30 new workstations, are all 30
workstations going to have the same SID? I'm thinking "no", but I'm probably
wrong.

Thanks in advance for your thoughts.


Regards,


BT

 

[Miha Pihler]

Hi Bobby,

Changing computer name does not change SID. If you need to change SID you
can use "NewSID" tool from www.sysinternals.com (it's free download) or you
could use SysPrep from Windows 2000 CD (it is inside deploy.cab file).

I hope this helps,

Mike

 

[Bobby]

Thanks a ton. That answers my question. I have one more in relation to this:
Is there a way for me to view SIDs out on our network? A utility that would
allow me to compare the SIDs on several different machines to verify that
they are unique?

Thanks again...

 

[Miha Pihler]

Hi,

SID information is stored in AD so you can do LDAP query against it. If you
have any Windows 2003 DC in your domain then you can use DSGet Computer
command.

http://www.microsoft.com/windowsxp/...P/home/using/productdoc/en/dsget_computer.asp

Get Security ID
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/getsid-o.asp

Mike

 

[Torgeir Bakken \(MVP\)]

I have a quick question on the relationship of SIDs and computer accounts.
This much I understand:
If I have a computer account named WILLIAM on my Windows 2000 domain,
Windows 2000 automatically gives it a SID.
This much I don't understan:
What if I change the name of the account from WILLIAM to ROBERT and add it
back to the domain? Does the SID change? Or does it keep the original SID?

Basically do SIDs change when you change the name of the computer account?

Yes, the Domain SID will change if you remove the computer from the
domain, change the computer name, and then join the computer to the
domain again.

We're using Ghost to image our workstations and the question arose about
SIDs. If we use the same image for 30 new workstations, are all 30
workstations going to have the same SID? I'm thinking "no", but I'm probably
wrong.

The computer SID will be the same, but the domain SID for the
computers will be different, and that is what is important.

From
http://www.sysinternals.com/ntw2k/source/newsid.shtml

<quote>
Duplicate SIDs aren't an issue in a Domain-based environment since
domain accounts have SID's based on the Domain SID.
</quote>