Solved

Safe to change SID while joined to domain?

Posted on 2008-06-25
Last Modified: 2012-05-05
Hello,

I was just wondering... is it safe to change the SID of a client PC while it is still joined to the domain?  Would there be any repercussions?

I have found duplicate SIDs on the domain (found out sysprep was not regenerating SIDs!!!  arg!!!)  and I was wondering if I need to dis-join them from the domain, change the SID, then re-join the domain... that option would suck.

thanks
Question by:fbrsupport

Expert Comment

by:Hypercat (Deb)
You definitely need to unjoin the workstation from the domain, delete the original workstation account, and then change the SID, and then re-joing the domain.  The SID is an essential part of the computer's trust relationship with the domain, so the computer account will no longer work if you change the SID while still joined to the domain.

Expert Comment

by:Hypercat (Deb)
Re-joing?  That makes a nasty sound... of course I meant re-join ;-)

Expert Comment

by:jkarnes12
I would recommend using NewSID to change the computer's SID.  You shouldn't have to rejoin the domain; however, a reboot will be required.

http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx


Author Comment

by:fbrsupport
Thanks jkarnes12 and hypercat... so I guess you guys agree to disagree? =P

Accepted Solution

by:
Hypercat (Deb) earned 500 total points
Well, OK I can agree to disagree.  I guess the point where it gets complicated is when you are giving domain user accounts rights to the local computer.  This is what we normally do, so the security of the local machine is tied to the SID because the domain accounts are using that SID to log on locally.  I think....anyway that's the assumption I always went by.  And I am willing to admit that I had never read that Nov. 2006 article before and it doesn't address that issue at all.  It clearly states that SIDs are not relevant in a domain environment, which I can't completely agree with even if it was written by Mark Russinovich (let no one accuse me of blindly accepting the opinion of anyone).   If that's the case, why does Microsoft make such a big deal about not supporting the changing of SIDs after the OS has been installed and the machine joined to a domain?
 

Author Comment

by:fbrsupport
Yup, I guess both of you could be right.  At the same time, the only surefire way of making sure that no problems come up in the future and bite me in the @55, I should take the safe way out and disjoin, change SID, and rejoin...

Thanks again guys for your help.