Solved

Safe to change SID while joined to domain?

Posted on 2008-06-25
6
1,937 Views
Last Modified: 2012-05-05
Hello,

I was just wondering... is it safe to change the SID of a client PC while it is still joined to the domain?  Would there be any repercussions?

I have found duplicate SIDs on the domain (found out sysprep was not regenerating SIDs!!!  arg!!!)  and I was wondering if I need to dis-join them from the domain, change the SID, the re-join the domain... that option would suck.

thanks
0
Comment
Question by:fbrsupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21869017
You definitely need to unjoin the workstation from the domain, delete the original workstation account, and then change the SID, and the re-joing the domain.  The SID is an essential part of the computer's trust relationship with the domain, so the computer account will no longer work if you change the SID while still joined to the domain.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 21869026
Re-joing?  That makes a nasty sound... of course I meant re-join ;-)
0
 
LVL 11

Expert Comment

by:jkarnes12
ID: 21869037
I would recommend using NewSID to change the computer's SID.  You shouldn't have to rejoin the domain, however a reboot will be required.

http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:fbrsupport
ID: 21869069
Thanks jkarnes12 and hypercat... so I guess you guys agree to disagree? =P
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 500 total points
ID: 21869216
Well, OK I can agree to disagree.  I guess the point where it gets complicated is when you are giving domain user accounts rights to the local computer.  This is what we normally do, so the security of the local machine is tied to the SID because the domain accounts are using that SID to log on locally.  I think....anyway that's the assumption I always went by.  And I am willing to admit that I had never read that Nov. 2006 article before and it doesn't address that issue at all.  It clearly states that SIDs are not relevant in a domain environment, which I can't completely agree with even if it was written by Mark Russinovich (let no one accuse me of blindly accepting the opinion of anyone).   If that's the case, why does Microsoft make such a big deal about not supporting the changing of SIDs after the OS has been installed and the machine joined to a domain?
0
 

Author Comment

by:fbrsupport
ID: 21869351
Yup, I guess both of you could be right.  At the same time, the only sure fire way of making sure that no problems come up in the future and bite me in the @55, I should take the safe way out an disjoin, change SID, and rejoin...

Thanks again guys for your help.
0

Featured Post

Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
Know what services you can and cannot, should and should not combine on your server.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question