Solved

what's the difference between computer account and computer SID?

Posted on 2009-04-07
11
684 Views
Last Modified: 2012-05-06
Question by:bubuko
11 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 24089833

The term 'Computer Account' is just a generic term which refers to the account created for a computer object in Active Directory. It encompasses everything to do with (all the parameters) of a particular computer.

The Computer SID is one of the parameters of a computer account. SID stands for Security IDentifier. It is essentially a string of characters which is the unique, internal reference to a computer account in Active Directory. Active Directory contains a reference to the SID, and each computer will know its own SID; using this and the Computer Account's password, every computer is able to log in to and authenticate with Active Directory.

-Matt
0
 

Expert Comment

by:1781
ID: 24090361
hello,
Every computer running Microsoft Windows NT, 2000, XP or Server 2003 that joins a domain has a computer account. Computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources.
A SID is an alphanumeric structure that is issued when an account is created and that uniquely identifies a security principal (a security principal is an account that can be authenticated).
Every account has its own SID; if you delete an account and add a new one with the same name as the one that you deleted, the new account will have a different SID.
0
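To make the distinction in the two answers above concrete (the account is the whole AD object, the SID is one attribute of it, and a deleted-and-recreated account gets a new SID), here is an added, read-only PowerShell example. It is not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, and the computer name `WS-EXAMPLE01` and the recorded SID value are placeholders.

```powershell
# Added example (not from the thread). Read-only: inspects a computer account
# and its SID. ASSUMPTIONS: RSAT ActiveDirectory module installed, run as a
# domain user on a domain-joined machine; 'WS-EXAMPLE01' is a placeholder name.
Import-Module ActiveDirectory

function Get-ComputerAccountSummary {
    param([Parameter(Mandatory)][string]$ComputerName)

    # The computer ACCOUNT is the whole directory object: name, DN, GUID,
    # OS, password age, group memberships and so on.
    $acct = Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet, OperatingSystem, whenCreated

    # The SID is one attribute of that object: the domain SID plus a
    # relative identifier (RID) that is never reused inside the domain.
    $sid       = $acct.SID                 # System.Security.Principal.SecurityIdentifier
    $domainSid = $sid.AccountDomainSid

    [pscustomobject]@{
        Name              = $acct.Name
        SamAccountName    = $acct.SamAccountName      # computer accounts end in '$'
        DistinguishedName = $acct.DistinguishedName
        ObjectGUID        = $acct.ObjectGUID
        SID               = $sid.Value
        DomainSID         = $domainSid.Value
        RID               = $sid.Value.Substring($domainSid.Value.Length + 1)
        PasswordLastSet   = $acct.PasswordLastSet
        Created           = $acct.whenCreated
        OperatingSystem   = $acct.OperatingSystem
    }
}

# Resolve a SID back to the account it names. A SID whose account was deleted
# no longer resolves, which is why ACLs show orphaned SIDs after a
# delete-and-recreate: the new account has a new SID and inherits nothing.
function Resolve-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        "<unresolved: $Sid>"
    }
}

# Compare a SID recorded by an earlier inventory run with the live one.
# Same name but different SID means the object was deleted and re-created.
function Test-AccountRecreated {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$RecordedSid   # value from an earlier inventory (constructed below)
    )
    $live = (Get-ADComputer -Identity $ComputerName).SID.Value
    [pscustomobject]@{
        ComputerName = $ComputerName
        RecordedSID  = $RecordedSid
        LiveSID      = $live
        Recreated    = ($live -ne $RecordedSid)
    }
}

# Usage (placeholder name and a constructed, clearly fictitious recorded SID):
Get-ComputerAccountSummary -ComputerName 'WS-EXAMPLE01' | Format-List
Test-AccountRecreated -ComputerName 'WS-EXAMPLE01' `
    -RecordedSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
```

`Get-ComputerAccountSummary` shows that everything except the `SID` and `RID` fields can change (rename, move to another OU, OS upgrade) while the SID stays fixed for the life of the object; `Test-AccountRecreated` is the check an inventory or audit script would run to notice that a "same-named" computer is actually a new security principal.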
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 24094745
Your Name Is to Your Social Security Number as a Computer Account is to a Computer Security ID (SID).
0

 

Author Comment

by:bubuko
ID: 24107436
Hi leew. This is a good analogy! But I think in an AD environment we are not allowed to have the same computer name, right? But we can have the same name but a different Social Security Number......

And let's say I make an image without sysprep. Even if I rename the computer, if I am still in the same AD environment there will be a problem, right? The same SID is not allowed?
And if I did sysprep but didn't rename the computer, what message will I see?
0
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 50 total points
ID: 24111806
True - it doesn't hold up on DEEP scrutiny, but it's similar.  Every computer must have a name and a SID, similarly, every citizen must have a name and a social security number.

When it comes to duplication, you are correct - you cannot have two computers with the same name - for that matter, you cannot have two accounts with the same name - including users - you cannot (without causing issues) have a computer called "bubuko" and a user called "bubuko" - you CAN have a computer named "bubukopc" and a user called "bubuko".  And this includes domain names - you cannot call your domain name "bubuko" or "bubukopc".

Exactly what happens - to be honest, I don't remember.  I know I've seen this stuff (and the consequences) years ago, but I just know not to do it and the reasoning has somewhat left my memory.

Sysprep, as I recall, will FORCE you to rename the computer - it should prompt you to enter a new computer name when the sysprep'd image is first booted next time.
0
 

Author Comment

by:bubuko
ID: 24122588
Thank you. And why does the computer account change every 30 days by default? For what kind of security reason? Is that really necessary?

And what should be the correct steps to repair a computer account that is out of sync? I think the Microsoft way is to reset the computer in AD and then rejoin the domain.... but usually what I do is just delete the computer object and rejoin the domain....

But I also heard that if I just rejoin a PC to a domain (no reset or delete of the computer object), the computer account and computer SID will be reset/updated.. Which one is true?
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 24122955
The computer account isn't changing - the computer account password is being reset.  Yes, for security.  And if you don't like the frequency, you should be able to change the default time to something much longer or disable entirely.  I wouldn't do that, so I can't be sure it's still possible in XP, but here's the link to documentation for NT/2000 - http://support.microsoft.com/kb/154501

Either way is fine and essentially has the same effect.

If this was true it would be a potential security risk because anyone could rejoin their PC as someone else's and get access to the network.
0
 

Author Comment

by:bubuko
ID: 24123421
Sorry, it was a typo. I meant "computer account password"..... For what kind of security? Why, just by changing the password, do we think it's safe?

>>If this was true it would be a potential security risk because anyone could rejoin their PC as someone elses and get access to the network.

Because in my company we replace defective PCs very often. What we do is just send back the defective one and hook up the replacement imaged one, using the same name as the defective one, and then join it to the domain.

We never touch its computer object in AD, and I don't see any problem there....
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24124963

Hooking up a new PC using the same name as the old one won't affect anything on a standard network. It has implications on an SBS domain, but not on a standard network.

As I understand it, rejoining a PC to the network will cause a new SID and computer account password to be negotiated between Active Directory and the computer, and that will be stored in its computer account. In essence, the computer account in Active Directory is being updated to match the newly imaged PC joining the network.

I re-install PCs all the time and then simply join them back to the network with the same name, and never have any issues.

-Matt
0
 

Author Comment

by:bubuko
ID: 24126694
Thanks Matt! What do you mean by "standard network"?? Windows 2003 Standard version?

So when the PC is out of sync, and if I don't reset the computer account or delete it in AD, it will still work if I just re-join the PC to the domain, right?
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 24128339
>> What do you mean "standard network"?? windows 2003 standard version?

Any vanilla Active Directory environment running on Server 2003/2008 Standard/Enterprise edition.

>> so when the pc is out of sync, and if I don't reset computer account or delete it in AD, it still will work if I just re-join pc to the domain right?

As I understand it, yes. Dropping the PC back to a workgroup and then re-joining it to the domain will re-establish communications with the domain by renegotiating a computer account SID and computer account password, for establishing communications with the domain.

-Matt
0
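The later part of the thread (the 30-day machine password rotation that Lee W's KB link describes, and Matt's advice on getting an out-of-sync PC talking to the domain again) is a procedure an administrator would want as a script rather than as a rejoin. The following is an added PowerShell example, not code from the thread or from Microsoft's KB: it reads the Netlogon rotation settings, lists accounts whose password is far older than the policy, and repairs the secure channel in place so the computer keeps its existing SID and group memberships. It assumes an elevated session on a domain-joined Windows client with RSAT; `DC01` and the credential prompt are placeholders.

```powershell
# Added example (not from the thread). ASSUMPTIONS: elevated PowerShell on a
# domain-joined Windows client with the RSAT ActiveDirectory module; 'DC01' is a
# placeholder domain controller name; you are prompted for domain admin creds.
Import-Module ActiveDirectory

# 1. The machine account password is a shared secret between the client and the
#    DCs. Netlogon rotates it (default every 30 days) so that a copied disk image
#    or leaked secret stops working after a bounded time. These Netlogon values
#    are the ones KB 154501 documents; absent values mean the defaults apply.
function Get-MachinePasswordPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $disabled = if ($null -eq $p.DisablePasswordChange) { 0 } else { [int]$p.DisablePasswordChange }
    $maxAge   = if ($null -eq $p.MaximumPasswordAge)    { 30 } else { [int]$p.MaximumPasswordAge }
    [pscustomobject]@{
        RotationDisabled       = ($disabled -eq 1)   # 1 = rotation off (weak setting)
        MaximumPasswordAgeDays = $maxAge              # 30 = default
    }
}

# 2. Detection, from the directory side: enabled computer accounts whose password
#    has not changed for much longer than the rotation interval are either stale
#    (hardware long gone) or out of sync and worth investigating before anyone
#    "just rejoins" them.
function Get-StaleComputerAccounts {
    param([int]$OlderThanDays = 90)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet, @{ n = 'SID'; e = { $_.SID.Value } } |
        Sort-Object PasswordLastSet
}

# 3. Repair the local computer's secure channel WITHOUT deleting the AD object.
#    The object (and therefore its SID, group memberships and any ACL entries
#    that reference it) is kept; only the shared password is renegotiated.
#    Before/after snapshots show what the repair actually changed.
function Repair-MachineSecureChannel {
    param(
        [string]$Server = 'DC01',                                   # placeholder
        [pscredential]$Credential = (Get-Credential -Message 'Domain admin account')
    )
    $snapshot = {
        Get-ADComputer -Identity $env:COMPUTERNAME -Server $Server -Credential $Credential `
            -Properties PasswordLastSet | Select-Object @{ n = 'SID'; e = { $_.SID.Value } }, PasswordLastSet
    }
    $before = & $snapshot

    if (Test-ComputerSecureChannel) {
        $action = 'Secure channel healthy; no change made'
    } else {
        # Renegotiates a fresh machine password with the named DC, in place.
        # Test-ComputerSecureChannel -Repair -Credential $Credential does the same.
        Reset-ComputerMachinePassword -Server $Server -Credential $Credential
        $action = 'Machine password reset; secure channel re-established'
    }
    $after = & $snapshot

    [pscustomobject]@{
        Action                = $action
        SIDBefore             = $before.SID
        SIDAfter              = $after.SID          # expected: unchanged
        PasswordLastSetBefore = $before.PasswordLastSet
        PasswordLastSetAfter  = $after.PasswordLastSet
        HealthyNow            = Test-ComputerSecureChannel
    }
}

# Usage:
Get-MachinePasswordPolicy
Get-StaleComputerAccounts -OlderThanDays 90 | Format-Table -AutoSize
Repair-MachineSecureChannel -Server 'DC01' | Format-List
```

`Repair-MachineSecureChannel` is the scripted form of the "reset the account, don't delete it" option discussed above: the `SIDBefore`/`SIDAfter` fields let the administrator confirm that the object's identity survived, which is exactly what a delete-and-rejoin would not preserve. `Get-StaleComputerAccounts` is the check to run periodically so that out-of-sync or abandoned accounts are found and cleaned up deliberately rather than discovered when a user cannot log on.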
