DavidShriner
Wed Feb 02 12:43:03 CST 2005
Yes, I read that too while researching this issue. I also read the following:
from
http://www.winnetmag.com/Article/ArticleID/14919/14919.html#
<quote>
What are the problems with workstations having the same SID?
John Savill
InstantDoc #14919
John Savill's FAQ for Windows
A. At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a workstation
each installation would have the same machine SID. This is not a problem in a
Windows NT 4.0 domain as users have a SID generated by the domain controller
and do not use the local workstation SID for security. It IS a problem in a
Windows 2000 domain as the local machine SID is used in nearly all aspects of
security and before migrating to 2000 you should resolve any duplicate SID
issues which may have been caused by cloning installations.
</quote>
So there seems to be conflicting information with regard to how serious this
problem is in a domain environment.
Dave
"Torgeir Bakken (MVP)" wrote:
> David Shriner wrote:
>
> > We've been trying to troubleshoot some GPO problems lately and while doing so
> > determined that some of our computer labs had duplicate machine SIDs for our
> > XP clients. Some of the computers had exact duplicates of the SID. Others
> > had duplicate RIDs in the SID sub-authority components. Does it matter if
> > any portion of the SID is a duplicate of another? Or does the entire SID
> > have to be a duplicate for it to matter? What should I be looking for?
> > Thanks!
> Hi
>
> As far as I know, there is no big issue that you have duplicate machine
> SIDs in a domain-based environment.
>
> From
>
> http://www.sysinternals.com/ntw2k/source/newsid.shtml
>
> <quote>
> Duplicate SIDs aren't an issue in a Domain-based environment since
> domain accounts have SID's based on the Domain SID.
> </quote>
>
>
> And from
>
> http://www.winntmag.com/Windows/Articles/ArticleID/3469/pg/2/2.html
>
> <quote>
> There are two scenarios in which aliased SIDs confuse NT's
> security mechanisms. The first scenario is a workgroup
> environment. In a workgroup, a number of NT machines are connected
> in a peer-based model, and they can share resources such as disks
> and printers with one another through a network. When a user on a
> workgroup member machine accesses a resource on another workgroup
> member machine, the user's local SID (a workgroup has no domain
> SIDs) identifies the user to the remote computer. Consider the
> case Figure 2 shows, in which Mark on Computer1 accesses files on
> a shared drive served off Computer2. If Computer1 and Computer2
> are clones with the same computer SID, and if the Fred account on
> Computer2 has the same RID as the Mark account, Mark will look
> exactly like Fred to Computer2. Mark can therefore view all the
> files Fred can view, including Fred's private files, and vice
> versa.
>
> The second scenario in which SID duplication causes security
> confusion concerns removable media, such as Jaz drives, which can
> include security information when their formatting includes NTFS.
> In the example in Figure 2, Fred can view any files on removable
> media that Mark can view, because neither Computer1 nor Computer2
> can distinguish between the two users with respect to the security
> permissions assigned to files on the removable drive.
>
> Contrary to common belief, these two scenarios are the only known
> situations where duplicate computer SIDs cause problems. Duplicate
> computer SIDs will not cause networks to fail, nor will they cause
> other problems in an upgrade from NT 4.0 to 5.0.
> </quote>
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
>
> http://www.microsoft.com/technet/scriptcenter/default.mspx
>
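The Mark/Fred scenario quoted above, worked through as an added example (this is not code from the thread or from any of the quoted articles). It shows what Dave should be looking for: an account SID is the machine SID plus a final sub-authority (the RID), so two local accounts on different computers collide only when the machine SIDs are equal AND the RIDs are equal, which makes the full SIDs identical. Accounts that share just a RID on machines with different machine SIDs have different SIDs and do not collide. The computer names and SID values are constructed; in practice the inventory would come from each machine's local accounts (for example WMI Win32_UserAccount with LocalAccount=True), and the built-in Administrator (RID 500) is included because it is present on every clone.

```python
"""Find duplicate machine SIDs and the resulting identical account SIDs
among cloned workstations (added example, constructed data)."""
from collections import defaultdict
from itertools import combinations

# Constructed inventory of LOCAL accounts: (computer, account name, SID).
# Computer1 and Computer2 are clones (same machine SID); Computer3 is not.
# Domain accounts are deliberately excluded: their SIDs are based on the
# domain SID, so they do not depend on the machine SID at all.
INVENTORY = [
    ("Computer1", "Administrator", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("Computer1", "Mark",          "S-1-5-21-1111111111-2222222222-3333333333-1001"),
    ("Computer2", "Administrator", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("Computer2", "Fred",          "S-1-5-21-1111111111-2222222222-3333333333-1001"),
    ("Computer3", "Administrator", "S-1-5-21-4444444444-5555555555-6666666666-500"),
    ("Computer3", "Alice",         "S-1-5-21-4444444444-5555555555-6666666666-1001"),
]


def parse_sid(sid):
    """Split an account SID such as S-1-5-21-a-b-c-1001 into
    (machine_sid, rid): the machine SID is everything before the last
    sub-authority, the RID is the last sub-authority."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not an account SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def find_collisions(inventory):
    """Return (dup_machines, identical, rid_only).

    dup_machines: {machine_sid: [computers]} for machine SIDs seen on more
                  than one computer (the cloning symptom).
    identical:    pairs of (computer, account) on different computers whose
                  full SIDs are equal; these are indistinguishable to NTFS
                  ACLs on a peer share or removable NTFS volume.
    rid_only:     pairs sharing only the RID, with different machine SIDs;
                  their SIDs differ, so no confusion results.
    """
    by_machine = defaultdict(set)
    for computer, _account, sid in inventory:
        machine_sid, _rid = parse_sid(sid)
        by_machine[machine_sid].add(computer)
    dup_machines = {m: sorted(c) for m, c in by_machine.items() if len(c) > 1}

    identical, rid_only = [], []
    for (c1, a1, s1), (c2, a2, s2) in combinations(inventory, 2):
        if c1 == c2:
            continue  # two accounts on one machine always have distinct RIDs
        m1, r1 = parse_sid(s1)
        m2, r2 = parse_sid(s2)
        if r1 != r2:
            continue
        pair = ((c1, a1), (c2, a2))
        if m1 == m2:
            identical.append(pair)   # full SID equal: Mark looks like Fred
        else:
            rid_only.append(pair)    # same RID, different machine SID: harmless
    return dup_machines, identical, rid_only


if __name__ == "__main__":
    dup, ident, harmless = find_collisions(INVENTORY)
    for machine_sid, computers in dup.items():
        print(f"machine SID {machine_sid} shared by: {', '.join(computers)}")
    for (c1, a1), (c2, a2) in ident:
        print(f"IDENTICAL SID: {c1}\\{a1} == {c2}\\{a2}")
    for (c1, a1), (c2, a2) in harmless:
        print(f"same RID only (different SIDs): {c1}\\{a1} vs {c2}\\{a2}")
```

Run against a real inventory, the `identical` list is the one that matters for workgroup shares and removable NTFS media; a non-empty `dup_machines` with an empty `identical` list means the clones exist but no two local accounts have lined up on the same RID yet.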