Solved

what's the difference between computer account and computer SID?

Posted on 2009-04-07
633 Views
Last Modified: 2012-05-06

Question by: bubuko

11 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 24089833

The term 'Computer Account' is just a generic term which refers to the account created for a computer object in Active Directory. It encompasses everything to do with (all the parameters) of a particular computer.

The Computer SID is one of the parameters of a computer account. SID stands for Security IDentifier. It is essentially a string of characters which is the unique, internal reference to a computer account in Active Directory. Active Directory contains a reference to the SID, and each computer will know its own SID; using this and the Computer Account's password, every computer is able to log in to and authenticate with Active Directory.

-Matt
Expert Comment by 1781, ID: 24090361

Hello,
every computer running Microsoft Windows NT, 2000, XP or Server 2003 that joins a domain has a computer account. Computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources.
An SID is an alphanumeric structure that is issued when an account is created and that uniquely identifies a security principal (a security principal is an account that can be authenticated).
Every account has its own SID; if you delete an account and add a new one with the same name as the one that you deleted, the account will have a different SID.
Expert Comment by Lee W, MVP (LVL 95), ID: 24094745

Your Name Is to Your Social Security Number as a Computer Account is to a Computer Security ID (SID).
Author Comment by bubuko, ID: 24107436

Hi leew, this is a good analogy! But I think in an AD environment we are not allowed to have the same computer name, right? But we can have the same name but a different Social Security Number......

And let's say I make an image without sysprep. Even if I rename the computer name, if I am in the same AD environment there will still be a problem, right? Same SID not allowed?
And if I did sysprep but didn't rename the computer name, what message will I see?
Assisted Solution by Lee W, MVP (LVL 95, earned 50 total points), ID: 24111806

True - it doesn't hold up on DEEP scrutiny, but it's similar.  Every computer must have a name and a SID, similarly, every citizen must have a name and a social security number.

When it comes to duplication, you are correct - you cannot have two computers with the same name - for that matter, you cannot have two accounts with the same name - including users - you cannot (without causing issues) have a computer called "bubuko" and a user called "bubuko" - you CAN have a computer named "bubukopc" and a user called "bubuko".  And this includes domain names - you cannot call your domain name "bubuko" or "bubukopc"

Exactly what happens - to be honest, I don't remember.  I know I've seen this stuff (and the consequences) years ago, but I just know not to do it and the reasoning has somewhat left my memory.

Sysprep, as I recall, will FORCE you to rename the computer - it should prompt you to enter a new computer name when the sysprep'd image is first booted next time.
Author Comment by bubuko, ID: 24122588

Thank you. And why is the computer account by default changing every 30 days? For what kind of security reason? Is that really necessary?

And what should be the correct steps to repair an out-of-sync computer account? I think the Microsoft way is to reset the computer in AD and then rejoin the domain.... but usually what I do is just delete the computer object and rejoin the domain....

But I also heard that if I just rejoin a PC to a domain (no reset or delete of the computer object), the computer account and computer SID will be reset/updated.. which one is true?
Expert Comment by Lee W, MVP (LVL 95), ID: 24122955

The computer account isn't changing - the computer account password is being reset.  Yes, for security.  And if you don't like the frequency, you should be able to change the default time to something much longer or disable entirely.  I wouldn't do that, so I can't be sure it's still possible in XP, but here's the link to documentation for NT/2000 - http://support.microsoft.com/kb/154501

Either way is fine and essentially has the same effect.

If this was true it would be a potential security risk because anyone could rejoin their PC as someone else's and get access to the network.
Author Comment by bubuko, ID: 24123421

Sorry, it was a typo. I meant "computer account password"..... For what kind of security? Why, just by changing the password, do we think it's safe?

>>If this was true it would be a potential security risk because anyone could rejoin their PC as someone elses and get access to the network.

Because in my company we replace defective PCs very often. What we do is just send back the defective one and hook up the replacement imaged one, using the same name as the defective one, and then join it to the domain.

We never touch its computer object in AD, and I don't see any problem there....
Assisted Solution by tigermatt (LVL 58, earned 250 total points), ID: 24124963

Hooking up a new PC using the same name as the old one won't affect anything on a standard network. It has implications on an SBS domain, but not on a standard network.

As I understand it, rejoining a PC to the network will cause a new SID and computer account password to be negotiated between Active Directory and the computer, and that will be stored in its computer account. In essence, the computer account in Active Directory is being updated to match the newly imaged PC joining the network.

I re-install PCs all the time and then simply join them back to the network with the same name, and never have any issues.

-Matt
Author Comment by bubuko, ID: 24126694

Thanks Matt! What do you mean by "standard network"?? Windows 2003 Standard version?

So when the PC is out of sync, and I don't reset the computer account or delete it in AD, it will still work if I just re-join the PC to the domain, right?
Assisted Solution by tigermatt (LVL 58, earned 250 total points), ID: 24128339

>> What do you mean "standard network"?? windows 2003 standard version?

Any vanilla Active Directory environment running on Server 2003/2008 Standard/Enterprise edition.

>> so when the pc is out of sync, and if I don't reset computer account or delete it in AD, it still will work if I just re-join pc to the domain right?

As I understand it, yes. Dropping the PC back to a workgroup and then re-joining it to the domain will re-establish communications with the domain by renegotiating a computer account SID and computer account password, for establishing communications with the domain.

-Matt
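An added example, not code from the thread, that inspects what the answers above describe: the computer account versus its SID attribute, the age of the machine account password behind the 30-day rotation Lee links to, and an in-place secure channel repair as an alternative to deleting the object or rejoining the domain. It assumes Windows PowerShell on a domain-joined host with the RSAT ActiveDirectory module; the function name is mine.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell on a
# domain-joined host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

# Helper name is mine. Returns the account-level facts the answers above
# distinguish: the account object (name, DN, creation time) versus its SID
# attribute, plus the age of the machine account password Netlogon rotates.
function Get-ComputerAccountInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties PasswordLastSet, whenCreated
    [pscustomobject]@{
        Name              = $c.Name
        DistinguishedName = $c.DistinguishedName
        SID               = $c.SID.Value   # unique; a deleted and recreated account gets a new one
        Created           = $c.whenCreated
        PasswordLastSet   = $c.PasswordLastSet
        PasswordAgeDays   = [int]((Get-Date) - $c.PasswordLastSet).TotalDays
    }
}

# Netlogon values behind the 30-day rotation (the setting the KB link covers).
# Absent values mean the defaults: rotate every 30 days, rotation enabled.
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge   = if ($nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }
$disabled = [bool]$nl.DisablePasswordChange

$info = Get-ComputerAccountInfo -ComputerName $env:COMPUTERNAME
$info | Format-List

if ($disabled) {
    Write-Warning 'Machine account password rotation is disabled on this host.'
} elseif ($info.PasswordAgeDays -gt $maxAge) {
    # The client initiates the change, so a machine that stays offline falls behind
    # and its account shows up as stale when you audit PasswordLastSet across AD.
    Write-Warning "Password is $($info.PasswordAgeDays) days old; max age is $maxAge days."
}

# "Out of sync" in the thread means the secure channel (trust) is broken.
# Repairing it in place keeps the existing object and SID; no delete or rejoin.
if (Test-ComputerSecureChannel) {
    'Secure channel to the domain is healthy.'
} else {
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential) -Verbose
}
```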