Safe to change SID while joined to domain?

Hello,

I was just wondering... is it safe to change the SID of a client PC while it is still joined to the domain?  Would there be any repercussions?

I have found duplicate SIDs on the domain (found out sysprep was not regenerating SIDs!!!  arg!!!)  and I was wondering if I need to dis-join them from the domain, change the SID, the re-join the domain... that option would suck.

thanks
fbrsupportAsked:
Who is Participating?
 
Hypercat (Deb)Connect With a Mentor Commented:
Well, OK I can agree to disagree.  I guess the point where it gets complicated is when you are giving domain user accounts rights to the local computer.  This is what we normally do, so the security of the local machine is tied to the SID because the domain accounts are using that SID to log on locally.  I think....anyway that's the assumption I always went by.  And I am willing to admit that I had never read that Nov. 2006 article before and it doesn't address that issue at all.  It clearly states that SIDs are not relevant in a domain environment, which I can't completely agree with even if it was written by Mark Russinovich (let no one accuse me of blindly accepting the opinion of anyone).   If that's the case, why does Microsoft make such a big deal about not supporting the changing of SIDs after the OS has been installed and the machine joined to a domain?
0
 
Hypercat (Deb)Commented:
You definitely need to unjoin the workstation from the domain, delete the original workstation account, and then change the SID, and the re-joing the domain.  The SID is an essential part of the computer's trust relationship with the domain, so the computer account will no longer work if you change the SID while still joined to the domain.
0
 
Hypercat (Deb)Commented:
Re-joing?  That makes a nasty sound... of course I meant re-join ;-)
0
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

 
jkarnes12Commented:
I would recommend using NewSID to change the computer's SID.  You shouldn't have to rejoin the domain, however a reboot will be required.

http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

0
 
fbrsupportAuthor Commented:
Thanks jkarnes12 and hypercat... so I guess you guys agree to disagree? =P
0
 
fbrsupportAuthor Commented:
Yup, I guess both of you could be right.  At the same time, the only sure fire way of making sure that no problems come up in the future and bite me in the @55, I should take the safe way out an disjoin, change SID, and rejoin...

Thanks again guys for your help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.