what's the difference between computer account and computer SID?
bubuko asked:

tigermatt commented:

The term 'Computer Account' is just a generic term which refers to the account created for a computer object in Active Directory. It encompasses everything to do with (all the parameters of) a particular computer.

The Computer SID is one of the parameters of a computer account. SID stands for Security IDentifier. It is essentially a string of characters which is the unique, internal reference to a computer account in Active Directory. Active Directory contains a reference to the SID, and each computer will know its own SID; using this and the Computer Account's password, every computer is able to log in to and authenticate with Active Directory.

-Matt
 
1781 commented:
Hello,
every computer running Microsoft Windows NT, 2000, XP or Server 2003 that joins a domain has a computer account. Computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources.
A SID is an alphanumeric structure that is issued when an account is created and that uniquely identifies a security principal (a security principal is an account that can be authenticated).
Every account has its own SID; if you delete an account and add a new one with the same name as the one that you deleted, the new account will have a different SID.
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Your Name Is to Your Social Security Number as a Computer Account is to a Computer Security ID (SID).
 
bubuko (author) commented:
Hi leew, this is a good analogy! But I think in an AD environment we are not allowed to have the same computer name, right? But we can have the same name but different Social Security Numbers......

And let's say I make an image without sysprep. Even if I rename the computer, if I am in the same AD environment there will still be a problem, right? Same SID not allowed?
And if I did sysprep but didn't rename the computer, what message will I see?

 
Lee W, MVP (Technology and Business Process Advisor) commented:
True - it doesn't hold up on DEEP scrutiny, but it's similar.  Every computer must have a name and a SID, similarly, every citizen must have a name and a social security number.

When it comes to duplication, you are correct - you cannot have two computers with the same name - for that matter, you cannot have two accounts with the same name - including users - you cannot (without causing issues) have a computer called "bubuko" and a user called "bubuko" - you CAN have a computer named "bubukopc" and a user called "bubuko".  And this includes domain names - you cannot call your domain name "bubuko" or "bubukopc"

Exactly what happens - to be honest, I don't remember.  I know I've seen this stuff (and the consequences) years ago, but I just know not to do it and the reasoning has somewhat left my memory.

Sysprep, as I recall, will FORCE you to rename the computer - it should prompt you to enter a new computer name when the sysprep'd image is first booted next time.
 
bubuko (author) commented:
Thank you. And why is the computer account by default changing every 30 days? For what kind of security reason? Is that really necessary?

And what should be the correct steps to repair an out-of-sync computer account? I think the Microsoft way is to reset the computer in AD and then rejoin the domain.... but usually what I do is just delete the computer object and rejoin the domain....

But I also heard that if I just rejoin a PC to a domain (no reset or delete of the computer object), the computer account and computer SID will be reset/updated.. which one is true?
 
Lee W, MVP (Technology and Business Process Advisor) commented:
The computer account isn't changing - the computer account password is being reset.  Yes, for security.  And if you don't like the frequency, you should be able to change the default time to something much longer or disable it entirely.  I wouldn't do that, so I can't be sure it's still possible in XP, but here's the link to documentation for NT/2000 - http://support.microsoft.com/kb/154501

Either way is fine and essentially has the same effect.

If this was true it would be a potential security risk because anyone could rejoin their PC as someone else's and get access to the network.
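The reply above points at KB154501 for the machine password age and says "either way is fine" for repairing an out-of-sync account. Two facts behind that, for the author's question of why rotating the password helps: the machine account password is a long random secret that the client itself regenerates (every 30 days by default; the domain controller never expires it, the workstation initiates the change), so a copy of it sitting in an old image, a backup or a restored VM snapshot stops working at the next rotation, and a machine restored from a snapshot older than that is exactly how a "trust relationship" failure appears. The following is an added example, not code from the thread or from Microsoft's article. It reads the two Netlogon registry values KB154501 describes (the same values that the Group Policy settings "Domain member: Maximum machine account password age" and "Domain member: Disable machine account password changes" write), checks the secure channel from the client side, and repairs it in place with Test-ComputerSecureChannel -Repair, which resets the password on both sides without deleting the AD object. It assumes a domain-joined Windows PowerShell 5.1+ host with the RSAT ActiveDirectory module, an elevated prompt, and domain credentials allowed to reset the computer's account password; 'CONTOSO\helpdesk' is a hypothetical account.

```powershell
# Added example, not code from the original thread. Assumes a domain-joined
# Windows PowerShell 5.1+ host with the RSAT ActiveDirectory module, run from
# an elevated prompt; Repair-MachineAccount also needs domain credentials
# allowed to reset this computer's account password.
Import-Module ActiveDirectory

function Get-MachinePasswordPolicy {
    # The Netlogon values that KB154501 describes. The Group Policy settings
    # "Domain member: Maximum machine account password age" and
    # "Domain member: Disable machine account password changes" write the
    # same two values.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        # An absent value means the built-in default of 30 days
        MaximumPasswordAgeDays = $(if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 })
        PasswordChangeDisabled = [bool]$p.DisablePasswordChange
    }
}

function Test-MachineAccount {
    param([string]$Server)
    # Test-ComputerSecureChannel checks that the password this computer holds
    # (the $MACHINE.ACC LSA secret) still matches the one on its AD account.
    $ok = if ($Server) { Test-ComputerSecureChannel -Server $Server } else { Test-ComputerSecureChannel }
    $acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        SecureChannelOK = $ok
        PasswordLastSet = $acct.PasswordLastSet
        PasswordAgeDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    }
}

function Repair-MachineAccount {
    param([Parameter(Mandatory)][pscredential]$Credential, [string]$Server)
    # Resets the password on both sides in place. Unlike delete-and-rejoin this
    # keeps the existing AD object, so its SID, group memberships and OU
    # placement are unchanged.
    if ($Server) { Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential }
    else         { Test-ComputerSecureChannel -Repair -Credential $Credential }
}

Get-MachinePasswordPolicy
Test-MachineAccount
# If SecureChannelOK is False (for example after restoring an old VM snapshot):
# Repair-MachineAccount -Credential (Get-Credential 'CONTOSO\helpdesk')   # hypothetical account
```

Run the first two calls on the affected workstation; only run the repair when the secure channel test fails, and prefer it over deleting the object, since a deleted and recreated computer object gets a new SID and drops out of every group it was a member of.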
 
bubuko (author) commented:
Sorry, it was a typo. I meant "computer account password"..... For what kind of security? Why, just by changing the password, do we think it's safe?

>>If this was true it would be a potential security risk because anyone could rejoin their PC as someone elses and get access to the network.

Because in my company we replace defective PCs very often. What we do is just send back the defective one and hook up the replacement imaged one, using the same name as the defective one, and then join it to the domain.

We never touch its computer object in AD. And I don't see any problem there....
 
tigermatt commented:

Hooking up a new PC using the same name as the old one won't affect anything on a standard network. It has implications on an SBS domain, but not on a standard network.

As I understand it, rejoining a PC to the network will cause a new SID and computer account password to be negotiated between Active Directory and the computer, and that will be stored in its computer account. In essence, the computer account in Active Directory is being updated to match the newly imaged PC joining the network.

I re-install PCs all the time and then simply join them back to the network with the same name, and never have any issues.

-Matt
 
bubuko (author) commented:
Thanks Matt!  What do you mean by "standard network"? Windows 2003 Standard edition?

So when the PC is out of sync, and if I don't reset the computer account or delete it in AD, it will still work if I just re-join the PC to the domain, right?
 
tigermatt commented:
>> What do you mean "standard network"?? windows 2003 standard version?

Any vanilla Active Directory environment running on Server 2003/2008 Standard/Enterprise edition.

>> so when the pc is out of sync, and if I don't reset computer account or delete it in AD, it still will work if I just re-join pc to the domain right?

As I understand it, yes. Dropping the PC back to a workgroup and then re-joining it to the domain will re-establish communications with the domain by renegotiating a computer account SID and computer account password, for establishing communications with the domain.

-Matt
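The first answer in this thread describes the computer account SID as the account's unique reference in Active Directory, and the last two answers describe what a rejoin does to it. The quickest way to settle both from your own domain is to look at the identifiers directly and snapshot the computer object before and after a rejoin. The following is an added example, not code from the thread. It reads two different SIDs that the thread's "same SID" question runs together: the local machine SID, which lives in the workstation's own SAM (every local account SID is the machine SID plus a RID, and the built-in Administrator always has RID 500, so stripping that RID recovers it; this is the SID sysprep regenerates), and the AD computer account SID, which is the domain SID plus a RID issued by the domain. It then records the object's ObjectGUID, SID, sAMAccountName (the NetBIOS name plus '$'), PasswordLastSet and whenCreated, so that comparing two snapshots shows whether a reset or rejoin reused the existing object (same GUID and SID, group memberships kept) or the object was deleted and recreated (new GUID and SID). It assumes the RSAT ActiveDirectory module and Windows PowerShell 5.1+ (for Get-LocalUser); 'WS01' is a hypothetical computer name.

```powershell
# Added example, not code from the original thread. Assumes the RSAT
# ActiveDirectory module and Windows PowerShell 5.1+ (for Get-LocalUser);
# 'WS01' is a hypothetical computer name.
Import-Module ActiveDirectory

function Get-LocalMachineSid {
    # The machine SID is held in the local SAM. Every local account SID is
    # <machine SID>-<RID>, and the built-in Administrator always has RID 500,
    # so strip that RID to recover the machine SID. This is the SID that
    # sysprep regenerates; it is not the AD computer account SID.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    return $admin.SID.AccountDomainSid.Value
}

function Get-ComputerAccountSnapshot {
    param([Parameter(Mandatory)][string]$Name)
    $c = Get-ADComputer -Identity $Name -Properties SamAccountName, PasswordLastSet, whenCreated
    [pscustomobject]@{
        Name              = $c.Name
        SamAccountName    = $c.SamAccountName          # NetBIOS name plus '$'
        DistinguishedName = $c.DistinguishedName
        ObjectGUID        = $c.ObjectGUID              # identity of the object itself
        SID               = $c.SID.Value               # <domain SID>-<RID>
        DomainSidMatches  = ($c.SID.AccountDomainSid.Value -eq (Get-ADDomain).DomainSID.Value)
        PasswordLastSet   = $c.PasswordLastSet
        WhenCreated       = $c.whenCreated
    }
}

function Compare-ComputerAccountSnapshot {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    # Same ObjectGUID: the existing object was reused and its SID, group
    # memberships and OU placement survived. Different ObjectGUID: the object
    # was deleted and recreated, so it has a new SID and lost those attributes.
    [pscustomobject]@{
        SameObject       = ($Before.ObjectGUID -eq $After.ObjectGUID)
        SameSid          = ($Before.SID -eq $After.SID)
        PasswordWasReset = ($After.PasswordLastSet -gt $Before.PasswordLastSet)
        Recreated        = ($After.WhenCreated -gt $Before.WhenCreated)
    }
}

"Local machine SID: $(Get-LocalMachineSid)"
$before = Get-ComputerAccountSnapshot -Name 'WS01'
# ... reset the account, or drop WS01 to a workgroup and rejoin it, or delete the object and rejoin ...
$after = Get-ComputerAccountSnapshot -Name 'WS01'
Compare-ComputerAccountSnapshot -Before $before -After $after
```

Run Get-LocalMachineSid on two PCs built from the same image to see whether they share a machine SID; run the snapshot pair from any machine with RSAT, before and after whichever repair method you use, and the SameObject and SameSid fields tell you what that method actually did to the account.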