Duplicate user account SID

Guys,
May I know if anyone here has a good explanation of user SIDs in Windows? For example, when we create a new user account on the server (a local account), will this SID be unique across the network/world, or is there some possibility that it duplicates another account within the same organization's network?
motioneye asked:
Thomas U commented:
It will be Unique, no matter what.

cheers Thomas
motioneye (author) commented:
Hi,
I find it strange: I'm seeing the same SID twice on multiple servers, and I'm puzzled how this could happen.
Thomas U commented:
Servers cloned? With an image tool maybe? If it's a local account...
John (Business Consultant, Owner) commented:
Microsoft has made it clear in the past that making a new account with the same name (delete and recreate) will result in a new SID.

So cloning is the only possible way you could get a duplicate. Delete the account and re-create the same account.
Thomas U commented:
I think the possibility of having the same SID for a local user is the same as your server will be hit by a meteor twice ;)

If you create a local user with the same name and everything else the same, try it. Use https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid

Then create LOCAL users on your servers, all with the same name, from the command line:
net user ABTESTBA somepassword /add
then
psgetsid ABTESTBA

Then you'll see they're all different. The only thing I can think of was that the servers were cloned (without Sysprep and such).
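The same check as the net user / psgetsid steps above, done with the built-in LocalAccounts cmdlets, as an added example that is not part of the thread. It assumes Windows 10 / Server 2016 or later, an elevated PowerShell session and the Microsoft.PowerShell.LocalAccounts module; the account name ABTESTBA is the throw-away name the thread uses and Split-Sid is a helper written for this example. Besides showing the SID, it splits it into the machine SID (S-1-5-21-x-y-z) and the RID, so you can see that every local account on one box shares the machine SID and that only the RID distinguishes them.

```powershell
# Added example (not from the thread): a local user's SID is the machine SID plus a RID.
# Assumes: Windows 10 / Server 2016+, elevated session, Microsoft.PowerShell.LocalAccounts.
#Requires -RunAsAdministrator
$testUser = 'ABTESTBA'   # same throw-away account name the thread uses (constructed test value)

function Split-Sid {
    # Helper for this example: decompose a SID string into machine SID and RID.
    param([Parameter(Mandatory)][string]$SidString)
    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidString)
    [pscustomobject]@{
        Sid        = $sid.Value
        MachineSid = $sid.AccountDomainSid.Value       # S-1-5-21-x-y-z, same for every local account on this box
        Rid        = [int]($sid.Value.Split('-')[-1])  # 500 = built-in Administrator, 1000+ = accounts you create
    }
}

# The built-in Administrator (RID 500) always exists, even if renamed, so its SID
# reveals the machine SID without creating anything.
$admin = Split-Sid (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value

# Equivalent of "net user ABTESTBA somepassword /add" followed by "psgetsid ABTESTBA".
# A random GUID is used as the throw-away password so nothing guessable is left behind.
$password = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
$null = New-LocalUser -Name $testUser -Password $password -Description 'SID test, delete me'
try {
    $user = Split-Sid (Get-LocalUser -Name $testUser).SID.Value
    $admin, $user | Format-Table -AutoSize

    if ($user.MachineSid -eq $admin.MachineSid) {
        "Both accounts share machine SID $($user.MachineSid); only the RID differs ($($admin.Rid) vs $($user.Rid))."
    }
}
finally {
    Remove-LocalUser -Name $testUser   # clean up the throw-away account
}
```

Run it on two independently installed servers and the MachineSid column differs, so ABTESTBA gets a different SID on each; run it on two machines cloned from one image without Sysprep and the MachineSid column is identical, which is exactly why the RID 500 account (and the first created user, RID 1000) ends up with the same SID on every clone.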
Shaun Vermaak (Technical Specialist) commented:
[quote]May I know if anyone here has a good explanation of user SIDs in Windows?[/quote]
In a workgroup environment, security is based on local account SIDs. Thus, if two computers have users with the same SID, the workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.

Another instance where duplicate SIDs can cause problems is where there is removable media formatted with NTFS, and local account security attributes are applied to files and directories. If such media is moved to a different computer that has the same SID, then local accounts that otherwise would not be able to access the files might be able to if their account IDs happened to match those in the security attributes. This is not possible if the computers have different SIDs.

https://docs.microsoft.com/en-us/sysinternals/downloads/newsid

[quote]is there some possibility that it duplicates another account within the same organization's network.[/quote]
Funny how the conversation goes from "unique no matter what" to "yes, when the computer is cloned". This is not an issue if the image uses Sysprep, the only Microsoft-supported generalization process.
Thomas U commented:
(Don't confuse Machine SID and User SID.)

@shaun
Initial statement:
If you have 2 computers and create a user with the same username on each computer -> not possible to have the same SID. That's what his question was. So statement = $true

If you have a computer with a user account and clone the machine, then you will have the same user SID on the second computer "on the local account".

@motioneye
Don't worry. You will not have problems. You will not have access to a remote computer if it has an account with the same SID... you need to authenticate every time.

If you really want to read through -> https://blogs.technet.microsoft.com/markrussinovich/2009/11/03/the-machine-sid-duplication-myth-and-why-sysprep-matters/
Mark Russinovich is the guy. He knows...!
Shaun Vermaak (Technical Specialist) commented:
[quote]If you have 2 computers and create a user with the same username on each computer -> not possible to have the same SID. That's what his question was.[/quote]
No, it was not. Go read it again.

The local user account SID is derived from the local computer SID. Users such as Administrator are pre-created, so without adding a user you will have duplicate user SIDs on cloned computers.

And you will have issues. First, Microsoft won't support your installation; secondly, some systems still use the local computer SID. One of these is SEP11 when it is not synced to AD.

You will find one of my comments on Mark's blog from 8 years ago. I don't know why you are repeating my comment.
Thomas U commented:
I think he asked this question on purpose; whether a duplicate machine SID is a problem or not is a question that has been going on for years.
A good article as well: https://en.wikipedia.org/wiki/Security_Identifier#Duplicated_SIDs

I say no: if you join the computer to a domain afterwards, there is no problem if you clone without Sysprep (but I recommend it any time you are able to Sysprep -> do so).
If you clone a computer that is already joined, you will instantly have problems, so that will not go unnoticed.
If your cloned computers are in a workgroup -> who cares, everything is local. Even MS says "may... could... can..." etc.

Your link does point to the NewSID tool.
My link points to the question of why NewSID, do we need it, is it a problem? The full explanation.
I can't find your post on "Mark's" blog; I don't know what you mean by repeating your comment.

Just to mention, we use Citrix Provisioning Services to stream Windows to clients (approx. 5x20 different images); the 20 machines in a group all have the same machine SID and even use the same user account. For years now, we have never experienced any problem with those machines. There may be some 3rd-party software that relies ONLY on the machine SID... but you know what, I don't care.

Shaun Vermaak (Technical Specialist) commented:
[quote]Your link does point to the NewSID tool.
My link points to the question of why NewSID, do we need it, is it a problem? The full explanation.
I can't find your post on "Mark's" blog; I don't know what you mean by repeating your comment.[/quote]
How can you not find it? It is at the very top of the page titled Machine SID Duplication Myth.

[quote]Who cares, everything is local. Even MS says "may... could... can..." etc.[/quote]
Like I said in my comment, the local admin SID of all the computers is the same. If you have the password for one of these computers, you can access all of them.

[quote]I say no: if you join the computer to a domain afterwards, there is no problem[/quote]
Yes, it is a problem. The above still applies.

[quote]There may be some 3rd-party software that relies ONLY on the machine SID... but you know what, I don't care.[/quote]
Yes, ignorance is bliss until you have to fix 50k workstations because of 3rd-party software working with only the SID.
Read through the comments on his blog and see how many people disagree with him. Remember that Sysinternals was not Microsoft-owned at that time.

[quote]I don't know what you mean by repeating your comment.[/quote]
Read my comment, then read yours, then tell me it is not the same.
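The thread's practical takeaway (Shaun's point that pre-created accounts such as Administrator get identical SIDs on clones, and Thomas's description of a fleet of streamed images sharing one machine SID) reduces to one question a defender can answer from inventory: which machines share a machine SID? The following is an added example, not code from the thread or from any participant. The host names and SIDs are constructed sample data, Find-DuplicateMachineSid is a helper written here, and the commented-out Invoke-Command line assumes WinRM access and admin rights on the targets.

```powershell
# Added example (not from the thread): flag machines that share a machine SID, i.e. clones that
# were never generalised with Sysprep. On such machines every local account (Administrator = RID 500,
# first created user = RID 1000, ...) carries an identical SID on every clone.
# Constructed sample inventory: the RID 500 SID as seen on each host (not real data).
$inventory = @(
    [pscustomobject]@{ Host = 'WS01'; AdminSid = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Host = 'WS02'; AdminSid = 'S-1-5-21-1111111111-2222222222-3333333333-500' }  # clone of WS01
    [pscustomobject]@{ Host = 'WS03'; AdminSid = 'S-1-5-21-4444444444-5555555555-6666666666-500' }  # properly sysprepped
    [pscustomobject]@{ Host = 'WS04'; AdminSid = 'S-1-5-21-1111111111-2222222222-3333333333-500' }  # another clone
)

# Live collection would look like this (assumes WinRM enabled and admin rights on $hosts):
# $inventory = Invoke-Command -ComputerName $hosts -ScriptBlock {
#     [pscustomobject]@{ Host     = $env:COMPUTERNAME
#                        AdminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value }
# }

function Find-DuplicateMachineSid {
    # Helper for this example: group hosts by the machine-SID part of their Administrator SID
    # and return only the groups that contain more than one host.
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory |
        ForEach-Object {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($_.AdminSid)
            [pscustomobject]@{ Host = $_.Host; MachineSid = $sid.AccountDomainSid.Value }  # strips the RID
        } |
        Group-Object -Property MachineSid |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Count      = $_.Count
                Hosts      = ($_.Group.Host -join ', ')
            }
        }
}

$dupes = Find-DuplicateMachineSid -Inventory $inventory
if ($dupes) {
    'Machines sharing a machine SID (cloned without Sysprep):'
    $dupes | Format-Table -AutoSize     # sample data yields one group: WS01, WS02, WS04
} else {
    'No duplicate machine SIDs found.'
}
```

Any group this reports is a set of machines whose local accounts are indistinguishable by SID, which is the condition both the NewSID documentation quoted above and Shaun's "one password, access all" remark describe; the supported fix is to re-image those hosts from a generalised (Sysprep) image rather than patching SIDs in place.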