Solved

Safe to change SID while joined to domain?

Posted on 2008-06-25
Last Modified: 2012-05-05
Hello,

I was just wondering... is it safe to change the SID of a client PC while it is still joined to the domain?  Would there be any repercussions?

I have found duplicate SIDs on the domain (found out sysprep was not regenerating SIDs!!!  arg!!!)  and I was wondering if I need to dis-join them from the domain, change the SID, then re-join the domain... that option would suck.

thanks
Question by:fbrsupport
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21869017
You definitely need to unjoin the workstation from the domain, delete the original workstation account, and then change the SID, and then re-joing the domain.  The SID is an essential part of the computer's trust relationship with the domain, so the computer account will no longer work if you change the SID while still joined to the domain.
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21869026
Re-joing?  That makes a nasty sound... of course I meant re-join ;-)
 
LVL 11

Expert Comment

by:jkarnes12
ID: 21869037
I would recommend using NewSID to change the computer's SID.  You shouldn't have to rejoin the domain, however a reboot will be required.

http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx


 

Author Comment

by:fbrsupport
ID: 21869069
Thanks jkarnes12 and hypercat... so I guess you guys agree to disagree? =P
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 2000 total points
ID: 21869216
Well, OK I can agree to disagree.  I guess the point where it gets complicated is when you are giving domain user accounts rights to the local computer.  This is what we normally do, so the security of the local machine is tied to the SID because the domain accounts are using that SID to log on locally.  I think....anyway that's the assumption I always went by.  And I am willing to admit that I had never read that Nov. 2006 article before and it doesn't address that issue at all.  It clearly states that SIDs are not relevant in a domain environment, which I can't completely agree with even if it was written by Mark Russinovich (let no one accuse me of blindly accepting the opinion of anyone).   If that's the case, why does Microsoft make such a big deal about not supporting the changing of SIDs after the OS has been installed and the machine joined to a domain?
 

Author Comment

by:fbrsupport
ID: 21869351
Yup, I guess both of you could be right.  At the same time, the only sure-fire way of making sure that no problems come up in the future and bite me in the @55, I should take the safe way out and disjoin, change SID, and rejoin...

Thanks again guys for your help.
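
Added example (not part of the original thread): one way to work out which cloned clients actually share a machine SID before remediating them. A local account SID is the machine SID followed by a RID, so stripping the last component and grouping by the result exposes the clones. The function names, inventory shape, hostnames and SID values are constructed for illustration.

```powershell
# Added example: group clients by machine SID to find clones whose SID was never regenerated.
# A local account SID has the form <machine SID>-<RID>; dropping the RID leaves the machine SID.

function Get-MachineSidFromAccountSid {
    param([string]$AccountSid)
    # Accounts issued by a machine (or domain) look like S-1-5-21-<a>-<b>-<c>-<RID>.
    # Well-known SIDs such as S-1-5-32-544 carry no machine identifier, so reject them.
    if ($AccountSid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        return $null
    }
    return $AccountSid.Substring(0, $AccountSid.LastIndexOf('-'))
}

function Find-DuplicateMachineSid {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory |
        ForEach-Object {
            $sid = Get-MachineSidFromAccountSid -AccountSid $_.AccountSid
            if ($sid) {
                [pscustomobject]@{ Computer = $_.Computer; MachineSid = $sid }
            } else {
                Write-Warning "Skipping $($_.Computer): unexpected SID '$($_.AccountSid)'"
            }
        } |
        Sort-Object Computer, MachineSid -Unique |   # several accounts per host count once
        Group-Object MachineSid |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Computers  = ($_.Group.Computer -join ', ')
            }
        }
}

# Constructed sample inventory (hypothetical hosts and SIDs). On a live client the
# AccountSid value could be collected with:
#   Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" | Select-Object Name, SID
$inventory = @(
    [pscustomobject]@{ Computer = 'PC-01'; AccountSid = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Computer = 'PC-02'; AccountSid = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
    [pscustomobject]@{ Computer = 'PC-03'; AccountSid = 'S-1-5-21-4444444444-5555555555-6666666666-500' }
    [pscustomobject]@{ Computer = 'PC-04'; AccountSid = 'S-1-5-32-544' }   # malformed entry, skipped
)

Find-DuplicateMachineSid -Inventory $inventory | Format-Table -AutoSize
```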