Solved

Safe to change SID while joined to domain?

Posted on 2008-06-25
6
1,936 Views
Last Modified: 2012-05-05
Hello,

I was just wondering... is it safe to change the SID of a client PC while it is still joined to the domain?  Would there be any repercussions?

I have found duplicate SIDs on the domain (found out sysprep was not regenerating SIDs!!!  arg!!!)  and I was wondering if I need to dis-join them from the domain, change the SID, the re-join the domain... that option would suck.

thanks
0
Comment
Question by:fbrsupport
  • 3
  • 2
6 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21869017
You definitely need to unjoin the workstation from the domain, delete the original workstation account, and then change the SID, and the re-joing the domain.  The SID is an essential part of the computer's trust relationship with the domain, so the computer account will no longer work if you change the SID while still joined to the domain.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21869026
Re-joing?  That makes a nasty sound... of course I meant re-join ;-)
0
 
LVL 11

Expert Comment

by:jkarnes12
ID: 21869037
I would recommend using NewSID to change the computer's SID.  You shouldn't have to rejoin the domain, however a reboot will be required.

http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:fbrsupport
ID: 21869069
Thanks jkarnes12 and hypercat... so I guess you guys agree to disagree? =P
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 500 total points
ID: 21869216
Well, OK I can agree to disagree.  I guess the point where it gets complicated is when you are giving domain user accounts rights to the local computer.  This is what we normally do, so the security of the local machine is tied to the SID because the domain accounts are using that SID to log on locally.  I think....anyway that's the assumption I always went by.  And I am willing to admit that I had never read that Nov. 2006 article before and it doesn't address that issue at all.  It clearly states that SIDs are not relevant in a domain environment, which I can't completely agree with even if it was written by Mark Russinovich (let no one accuse me of blindly accepting the opinion of anyone).   If that's the case, why does Microsoft make such a big deal about not supporting the changing of SIDs after the OS has been installed and the machine joined to a domain?
0
 

Author Comment

by:fbrsupport
ID: 21869351
Yup, I guess both of you could be right.  At the same time, the only sure fire way of making sure that no problems come up in the future and bite me in the @55, I should take the safe way out an disjoin, change SID, and rejoin...

Thanks again guys for your help.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Requesting private key file from web certificate 4 44
Connecting two servers 30 87
how to export this list 4 61
Troubleshooting Windows Server VM memory usage issue ? 4 50
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question