Windows Server 2003

Change SID in a Domain Environment

Naj Saqi (ASKER)
Scenario: We have 500 machines on the domain. We use imaging semester-wise in a university environment. Labs are imaged every semester, but staff desktops are imaged on request.

Problem: We are getting problems with WSUS and Symantec AV client updates. If we take WSUS as an example, some PCs are not shown in the list, and many desktops are not getting updates. When we view the SIDs of the computers, some have the same one and some are different. We have many series which are the same, but not all desktops have the same SID; we have different series.

Requirement: Kindly suggest how I could change the SIDs of all systems in the domain without disjoining them?

Thanks.

Noam_Kuilboer


Naj Saqi (ASKER)

Thanks Noam for the prompt response. I have seen this tool, but I read somewhere that you should never use it when the system is on a domain: first disjoin from the domain, then run this tool, and then rejoin the domain, which is not possible for sure.

Najam


LongtimeMCSE

The machine SID consists of the Domain SID + the local SID. To the best of my knowledge, you cannot change the local SID while joined to the domain, because your machine would then not be recognized.
Therefore, the process is to disjoin the domain (join a workgroup), change the PC SID, then rejoin the domain.
Consider the consequences of what you're asking to do:
You have some groups of machines with the same SID for that group.
If there were a tool that would change the local machine and the domain SID to match, you would immediately remove rights from all of the other PCs that shared the SID, because their local SID was NOT changed. This is a MUCH more significant impact than the following:
You have some groups of machines with the same SID for that group.
You disjoin the first PC from the domain (making sure you have the local admin password set FIRST!), reboot, change the local SID, reboot, rejoin the domain (to get the new machine SID). The rest of the machines in the group are unaffected :) Repeat on each one.
I don't understand why the domain disjoin is an issue?

Naj Saqi (ASKER)

Because repeating this procedure on 500 machines is not an easy task and is time consuming as well, I am hesitant about disjoining from the domain.

Does NewSID change the Domain SID only?

Toni Uranjek

NewSID only changes the computer SID. The domain SID of the computer account has nothing to do with the computer SID.

younghv

My understanding is that the new SID is created at the time of adding a machine to the Domain - whether it is a clone or not.
In the (bad old) NT days, adding cloned boxes required something like 'NewSID' from Sysinternals (now MS) - but no longer.

LongtimeMCSE

Take a look at PsGetSid (free Sysinternals tool). At domain join, the domain SID is prepended to the local SID.

Noam_Kuilboer

From what I read, you can use NewSID v4.10 on joined clients. I would test this in a test environment, though, before full deployment.

Naj Saqi (ASKER)

Then what is the recommendation in the case of 500+ machines on the network?

Moreover, when we run the tool PsGetSid, or when we view the SID through ADSIEdit, which SID is shown to us?

Toni Uranjek

If the computer was cloned without sysprepping it first, the computer SID will be the same.

We had a long discussion about SIDs about a year ago, can you please check the following link: https://www.experts-exchange.com/questions/23252623/SID-discovery.html

It contains a detailed explanation; the behaviour was tested in a virtual environment.

younghv

I would be more inclined to try to identify the specific problem before taking any further action.

If memory serves, you should be seeing Event Viewer errors for Event ID 40961 or 9 - or anything else that relates to 'authentication errors'.

If you can check for errors on any of the affected workstations, I'll dig out some old notes on how I used to solve this.

tigermatt

My understanding is the same as younghv's understanding of this. The act of joining a domain is enough to generate a new Domain SID for that computer object. That is because that is a value formed from the Domain SID + an ID from the RID pool, which is managed by the DC holding the RID Master FSMO role.

If it is an issue with the domain identifiers that you are having, then the act of disjoining and rejoining the domain should generate a new SID. I would look at disjoining, removing the computer account and then rejoining to be absolutely sure.

However, in the event you have imaged some systems, it is possible the local SID is the same. In this case you may need the NewSID tool. In this case, since it is domain-related tasks which are causing issues, I would suggest that this is not the case.

-Matt

tigermatt

Again, agreed with younghv here. You need to isolate the fact that it is duplicate SIDs causing these issues.

Do you clone your workstations?

-Matt

Naj Saqi (ASKER)

Yeah, as I told you, we clone our systems. It means there is no way to change the computer SID. Therefore, as I asked before, when I run NewSID, what will be changed?

We have no problems, but the WSUS server could update many machines. When I run PsGetSid, it shows the same SID (don't know which one) for many computers.

Naj Saqi (ASKER)

Sorry, typo: I meant to say that the WSUS server couldn't update many machines.

Toni Uranjek

It will change the computer SID, then you have to rejoin the domain, but users will not be affected. WSUS is a completely different story, because the WSUS Client ID is stored in the registry; you will need a script, which you can find here:
http://msmvps.com/blogs/athif/pages/66376.aspx

I don't have an answer for Symantec.

Noam_Kuilboer

I am a little intimidated by all the Sages and Wizards here, but here goes.
There are numerous articles about both Symantec AV and WSUS and issues with imaged computers that were not prepared with Sysprep or WSUS.
I have had these issues within my own organization in the past as well.
I think trying the NewSID approach in a test environment is the easiest and fastest way to either fix this issue or rule it out.
A1opus: NewSID will change the Computer SID, not the Domain SID.
Quote from the NewSID web site:
"NewSID starts by reading the existing computer SID. A computer's SID is stored in the Registry's SECURITY hive under SECURITY\SAM\Domains\Account. This key has a value named F and a value named V. The V value is a binary value that has the computer SID embedded within it at the end of its data. NewSID ensures that this SID is in a standard format (3 32-bit subauthorities preceded by three 32-bit authority fields).
Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID."
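The quoted passage describes the on-disk layout NewSID works with: a standard machine SID (S-1-5-21-a-b-c) is 24 bytes at the very end of the SAM\Domains\Account V value, with the three sub-authority words being the part a clone shares with its siblings. The following PowerShell is an added example written for this thread (it is not Sysinternals' code or the thread's script): it decodes a SID from that layout, and reads the live machine SID without touching the SECURITY hive, which is readable only as SYSTEM. The V bytes are constructed here; the functions, the assumption of Windows PowerShell 5.1 or later with CIM available, and the RID-stripping approach via .NET's AccountDomainSid are mine. The same AccountDomainSid call, applied to a domain computer account's SID, returns the domain SID, which is the "Domain SID + RID" structure tigermatt and Toni describe for the computer object.

```powershell
# Added example (not from the thread or from Sysinternals): decode a binary machine
# SID of the form NewSID describes, and read the live machine SID as a normal user.

function ConvertFrom-BinarySid {
    # Windows binary SID layout: revision (1 byte), sub-authority count (1 byte),
    # 48-bit identifier authority (big-endian), then 32-bit little-endian
    # sub-authorities. .NET does the parsing; this only selects the offset.
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$Offset = 0
    )
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, $Offset)).Value
}

function Get-MachineSidFromSamV {
    # A four-sub-authority machine SID is 24 bytes and sits at the end of the
    # SAM\Domains\Account V value, which is where NewSID reads it.
    param([Parameter(Mandatory)][byte[]]$VValue)
    if ($VValue.Length -lt 24) { throw 'V value too short to contain a machine SID' }
    ConvertFrom-BinarySid -Bytes $VValue -Offset ($VValue.Length - 24)
}

function Get-LocalMachineSid {
    # Every local account SID is <machine SID>-<RID>; AccountDomainSid strips the
    # RID, so any local account gives the machine SID without SYSTEM privileges.
    $acct = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
        Select-Object -First 1
    (New-Object System.Security.Principal.SecurityIdentifier($acct.SID)).AccountDomainSid.Value
}

# Constructed sample: two bytes of unrelated V data followed by the 24-byte SID
# S-1-5-21-0x11111111-0x22222222-0x33333333 (word values chosen for readability).
$constructedV = [byte[]]@(
    0xAA, 0xBB,                         # arbitrary leading data
    0x01, 0x04,                         # revision 1, four sub-authorities
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05, # identifier authority 5 (NT Authority)
    0x15, 0x00, 0x00, 0x00,             # sub-authority 21
    0x11, 0x11, 0x11, 0x11,             # the three 32-bit words that make up the
    0x22, 0x22, 0x22, 0x22,             #   96 bits NewSID replaces; clones share
    0x33, 0x33, 0x33, 0x33              #   exactly these
)

Get-MachineSidFromSamV -VValue $constructedV
Get-LocalMachineSid
```

Run Get-LocalMachineSid on two suspected clones and compare the strings; identical output is the condition PsGetSid reports and NewSID changes, and it is separate from both the computer account's SID in AD and the WSUS SusClientId discussed later in the thread. The constructed sample decodes to S-1-5-21-286331153-572662306-858993459, the decimal form of the three readable words.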

Toni Uranjek

@Noam don't be intimidated by anyone who has a higher rank. :D It doesn't mean that a higher-ranking expert is smarter or more experienced; a higher-ranking expert only has more points and T-shirts. ;) A Question Alert was sent out and I guess too many "Qualified experts" have responded.
I hope this post does not offend anyone. :D

Noam_Kuilboer

;-) I know ... I was just kidding ... Didn't sign up till last month ....
It was just fun to see the big influx of people.
Thanks for the kind words though.

SOLUTION
Netman66

Americom

Yeah, this issue was addressed many times; won't hurt to do it again :)
As some of you already addressed, but to make it more clear on WSUS and the SID (local or domain):
Not sure about Symantec, but for WSUS, yes, WSUS clients will not show up in the WSUS console, and this is a known problem due to identical local computer SIDs. This has nothing to do with the domain computer object SID, as each time you join the domain you will get a new SID. The problem is the local computer SID, and changing it should not affect users and does not need a disjoin and rejoin of the domain.

Here's the tool (mentioned above) you can use to troubleshoot your PCs and see if you have the same SID on many machines. If so, you need to get rid of it, as WSUS will not be able to communicate with multiple machines with the same local SID; unfortunately, it's a known issue.

http://technet.microsoft.com/en-us/sysinternals/default.aspx

Look for PSTools > psgetsid.exe to report the local SID of your machines.
Look for NewSID to change your machine SID.

For test purposes, after you have changed the SID of a PC, run the command wuauclt /detectnow on the PC to force it to talk to the WSUS server. After a few minutes or less, the computer should appear in your WSUS console.

Naj Saqi (ASKER)

Wow guys! You are all great and provided such good information. Now, what I got from your conversation:

1. Computer SID is different
2. Domain SID is different
3. WSUS Client ID is different.

I think our computer SIDs are same because of imaging and cloning hard disks.

So now the final question is this: should I run NewSID on domain-joined systems? If yes, would there be any issue after running it?

Someone posted the script as well for WSUS clients. Should I run it on client or WSUS server?

Naj Saqi (ASKER)

In fact, here is what is happening with me: I created a new computer group for testing and added two machines to it, for example WACO1.abc.com and WACO2.abc.com. Now, after some time, I noticed that WACO2.abc.com had disappeared and there was another machine, burgundy.abc.com. And moreover, after some time, burgundy.abc.com disappeared again and a new machine appeared instead of it.

I am really confused. Is this a case of the same computer SID?

Netman66

Yes, what you are seeing is the effect of the WSUS Client ID.

Run the script I posted on each workstation - not the server.

You can test it on the two workstations you just posted about, and they should then show up and stay visible. It may take a little while for them to show up after the script is run.


Americom

You only need to change the local computer SID. No need to make any change to the Domain SID, as all computers in the domain have a unique SID; otherwise you can't join the domain.

So, to solve your WSUS problem, you need to make sure the local computer SID is unique in order for the client to appear in your WSUS console.

Netman66

SUSClientID - once populated, it needs to be changed in order for it to be unique within WSUS. SUSClientID is not related to the computer SID.


Naj Saqi (ASKER)

Thanks guys. It means that when we clone or image the system, the SUSClientID will be the same, and we have to make them unique by running that script?

Americom

You are right about the current computer status.
But to clarify, each computer has a unique SID.
The WSUS ID is a unique identifier found in the registry of every computer on your network; these WSUS IDs are generated based upon the SID of a computer. If you configured your image so that it would generate a new SID upon pasting, then you likely won't have this problem, but this step is commonly forgotten. The WSUS ID is stored in these three registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PingID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SusClientId

In order to generate a new WSUS ID, you will need to delete these values on the client machine in question. After doing this, restart the Automatic Updates service and run the command wuauclt.exe /resetauthorization /detectnow. You should see the computer in the WSUS console shortly after that.
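The symptom the asker reports (one machine appears in the console, then is replaced by another, then another) is what a shared SusClientId looks like from the server side, and the reset above is run per client. The PowerShell below is an added example for this thread, not the script Netman66 posted and not Microsoft's code: it collects the three WindowsUpdate values named in the post from a list of clients so duplicates can be found first, and then resets them only on the machines that actually collide. It assumes PowerShell remoting (WinRM) is enabled on the clients and that the caller is a local administrator there; the function names and the sample report are mine, and the value names are the ones quoted in the post. The thread disagrees about how the SusClientId is derived; the reset does not depend on that, only on the value being deleted and regenerated.

```powershell
# Added example (not the thread's script): find WSUS clients that share a SusClientId
# and reset the WSUS client identity on them. Assumes WinRM to the clients and local
# administrator rights there. The value names are the three quoted in the thread.

function Get-WsusClientIdentity {
    # Collects the identity values from each client so duplicates can be spotted
    # before anything is changed. Unreachable hosts produce an error, not a row.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            SusClientId      = $wu.SusClientId
            PingID           = $wu.PingID
            AccountDomainSid = $wu.AccountDomainSid
        }
    } | Select-Object ComputerName, SusClientId, PingID, AccountDomainSid
}

function Find-DuplicateSusClientId {
    # Groups the report by SusClientId; any group with more than one member is a set
    # of clones that WSUS keeps treating as a single computer.
    param([Parameter(Mandatory)][object[]]$Report)
    $Report | Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Count       = $_.Count
                Computers   = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

function Reset-WsusClientIdentity {
    # Runs on each client, not on the WSUS server: stop Automatic Updates, delete
    # the three identity values, restart the service, and force a fresh
    # registration so the client re-appears under a new SusClientId.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($computer, 'Reset WSUS client identity')) {
            Invoke-Command -ComputerName $computer -ScriptBlock {
                $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
                Stop-Service -Name wuauserv -Force
                foreach ($name in 'AccountDomainSid', 'PingID', 'SusClientId') {
                    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                }
                Start-Service -Name wuauserv
                & wuauclt.exe /resetauthorization /detectnow
            }
        }
    }
}

# Constructed sample report (the shape Get-WsusClientIdentity returns) for a lab
# imaged without sysprep: two clones share one id, a third machine is unique.
$sampleReport = @(
    [pscustomobject]@{ ComputerName = 'WACO1';    SusClientId = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ ComputerName = 'WACO2';    SusClientId = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ ComputerName = 'BURGUNDY'; SusClientId = '00000000-0000-0000-0000-000000000002' }
)
Find-DuplicateSusClientId -Report $sampleReport

# Live use against real clients (hypothetical file name):
#   $report = Get-WsusClientIdentity -ComputerName (Get-Content .\lab-computers.txt)
#   $dupes  = Find-DuplicateSusClientId -Report $report
#   Reset-WsusClientIdentity -ComputerName ($dupes.Computers -split ', ') -WhatIf
```

Running the report first matters on a fleet of 500: it separates the machines that truly collide from those that are simply offline or not yet detected, and it leaves a record of which SusClientId each clone set carried. Drop -WhatIf only once the duplicate list looks right; Reset-WsusClientIdentity is safe to repeat, since the client regenerates the values on the next detection cycle.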


Naj Saqi (ASKER)

I think now EE should allot me more numbers so that I can distribute them to you guys.... :) You guys did a perfect job..... I appreciate it.

Netman66

@Americom - you really should read an entire thread before adding input. I have already posted a script that does everything you posted in your last post.

SUSClientID has nothing to do with the OS SID. It is built using a Hardware Validation Routine, and from version 7 of the AU client onwards, when connecting to a WSUS 3 server, it should recreate the SUSClientID value automatically.


Naj Saqi (ASKER)

Netman,

I was asking why it happened, because we do cloning and imaging.

What Americom said seems logical.

SOLUTION
Netman66

ASKER CERTIFIED SOLUTION
jimmymcp02

Naj Saqi (ASKER)

There were two parts to the question, i.e. the WSUS client update issue and the Symantec AV client update issue, so the points should be allotted equally.

In this thread, it was very difficult for me to assign points, because all the guys suggested the best of their knowledge. Toniur suggested the script first, but he stated that it would reset your computer SID, whereas it resets the SUS client ID, so the right answer came from NetMan then. Jimmymcp02 was the only guy who suggested anything about the Symantec AV issue, so he got half the points.

jimmymcp02

Glad I could help :o)

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).