
Do we have a SID duplicate issue because computer SID last 4 digits are unique?

Hello everyone, and as always a big thanks to everyone for their time and expert insights.
Kind of a silly question, as it never came up until Windows 10 and the need for WSUS.
We did not traditionally sysprep desktops, since unique identifiers changed enough when joining the domain, and we did not use WSUS, so the SID issue was not really applicable.
Never had any problems with W7, but now need to use WSUS (2016) for W10 and am aware of SID problems with it.
I ran a few queries ( ) out of curiosity against W7 computer SIDs and some DCs (both 2016, installed from the ground up, i.e. not a template or clone image) and the SIDs are all different, but only in the last two digits, and that makes me wonder and worry a bit. Is that normal?
Ran
Get-WmiObject -class Win32_UserAccount | Select AccountType, Caption, Domain, SID, FullName, Name | Export-CSV C:\exports\Computerlist.csv -NoTypeInformation
and
dsquery computer -name "is004109" | dsget computer -SID

Examples in the image include 4 x W7 desktops from the same image, 4 x W10 desktops from the same image and a variety of physical and virtual servers with various roles. Note the last 4 digits are different.
So does that mean that we do not have a SID duplication issue?
The SIDs I am displaying were queried from domain-bound machines that are in AD!
We generally do not promote machines into a domain before we make an image of them. Servers tend to have sysprep run with OOBE, or are one-off servers built from the ground up without an image.
[Attached image: SID.jpg]

David Johnson, CD (Simple Geek from the '70s), Certified Expert, Distinguished Expert 2019

Commented:
Since the complete SID is not duplicated, you are fine.
Adam Brown, Senior Systems Admin, Certified Expert, Top Expert 2010

Commented:
"I ran a few queries ( ) out of curiosity against W7 computer SIDs and some DCs (both 2016, installed from the ground up, i.e. not a template or clone image) and the SIDs are all different, but only in the last two digits, and that makes me wonder and worry a bit. Is that normal?"

Yes, that's normal. https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers has some good info on how the SIDs work and what they mean. SIDs won't get duplicated in AD. You can have two computers with the exact same image on them and AD will only allow one of them to connect to the domain.
Certified Expert, Distinguished Expert 2018

Commented:
To be clear, the local SID is different from the domain SID. And yes, there are instances where a duplicate local SID can be a problem.

Instead of the queries you have run, I recommend using PsGetSid (a Sysinternals tool) to get the *local* SID and ensure they aren't duplicates.
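As an added example (not code from the thread or from any of the commenters), the check recommended above done in PowerShell without PsGetSid. The local machine SID has the form S-1-5-21-A-B-C, every local account is that SID plus a RID, and the built-in Administrator always has RID 500 even when renamed, so stripping the trailing -500 from that account's SID yields the machine SID. The same Win32_UserAccount class the question used is queried, but restricted to local accounts: the domain accounts it also returns carry the domain SID plus a RID from the domain's RID pool, which is why only the last digits differ between them and why they say nothing about whether the local SIDs are duplicated. The host names are assumptions; the script needs WMI/DCOM access to the listed machines.

```powershell
# Added example: derive each machine's local SID and flag duplicates across a list of hosts.
# Assumes WMI/DCOM access to the hosts; the host names below are made up.

function Get-LocalMachineSid {
    param([Parameter(Mandatory)][string]$ComputerName)
    # LocalAccount=True excludes the domain accounts that also appear on a domain-joined box.
    # The built-in Administrator is found by its RID (500) rather than by name, since it may be renamed.
    $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '-500$' } |
        Select-Object -First 1
    if (-not $admin) { throw "No RID-500 local account found on $ComputerName" }
    # S-1-5-21-A-B-C-500  ->  S-1-5-21-A-B-C  (the machine SID)
    $admin.SID -replace '-500$', ''
}

$hosts = 'is004109', 'is004110', 'is004111'   # assumed names

$results = foreach ($h in $hosts) {
    try {
        [pscustomobject]@{ Computer = $h; MachineSid = Get-LocalMachineSid -ComputerName $h }
    } catch {
        [pscustomobject]@{ Computer = $h; MachineSid = "ERROR: $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize

# A machine SID shared by more than one host means those hosts came from an un-generalized image.
$dupes = $results | Where-Object { $_.MachineSid -notlike 'ERROR*' } |
    Group-Object MachineSid | Where-Object Count -gt 1

if ($dupes) {
    foreach ($g in $dupes) {
        Write-Warning "Duplicate local machine SID $($g.Name) on: $($g.Group.Computer -join ', ')"
    }
} else {
    Write-Host "No duplicate local machine SIDs found."
}
```

The domain SID reported by dsget computer -SID is the domain's SID plus the computer account's RID, so it is unique per AD object by construction; only the value this script returns tells you whether the local SAM SIDs collide.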
Senior Consultant, Certified Expert, Awarded 2017, Distinguished Expert 2019
Commented:
"Never had any problems with W7, but now need to use WSUS (2016) for W10 and am aware of SID problems with it."
This is not a problem with the local computer SID; this is an issue with the SusClientId.

Run this on clients
@Echo off
REM Stop the Windows Update service so the registry values can be removed cleanly
net stop wuauserv
REM Remove the client identity that WSUS uses; a fresh SusClientId is generated on the next check-in
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
net start wuauserv
REM Re-register the client with WSUS and trigger a detection cycle
wuauclt /resetauthorization /detectnow

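The same reset as an added PowerShell example (not code from the thread or from the commenter), extended to first find which clients actually share a SusClientId and to reset only those, since clients with a unique ID do not need to be touched. Cloning a machine after its Windows Update client has already generated a SusClientId is what produces duplicates, and WSUS then shows only one of the affected computers at a time. WinRM access to the clients and the host names are assumptions.

```powershell
# Added example: audit SusClientId across clients over WinRM and reset only the duplicates.
# Assumes Invoke-Command works against the hosts; the host names below are made up.

$wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$hosts = 'is004109', 'is004110', 'is004111'   # assumed names

# 1. Collect the SusClientId from every client (missing value = never contacted WSUS yet).
$ids = Invoke-Command -ComputerName $hosts -ErrorAction Continue -ScriptBlock {
    $p = Get-ItemProperty -Path $using:wuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        SusClientId = $p.SusClientId
    }
}
$ids | Format-Table Computer, SusClientId -AutoSize

# 2. Only hosts that share an ID need a reset.
$dupeHosts = $ids | Where-Object SusClientId | Group-Object SusClientId |
    Where-Object Count -gt 1 | ForEach-Object { $_.Group.Computer }

if (-not $dupeHosts) {
    Write-Host 'No duplicate SusClientId values found.'
    return
}
Write-Warning "Duplicate SusClientId on: $($dupeHosts -join ', ')"

# 3. Same steps as the batch file above, run remotely and only where needed.
Invoke-Command -ComputerName $dupeHosts -ScriptBlock {
    Stop-Service -Name wuauserv -Force
    foreach ($v in 'AccountDomainSid', 'PingID', 'SusClientId') {
        Remove-ItemProperty -Path $using:wuKey -Name $v -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv
    wuauclt /resetauthorization /detectnow
    # wuauclt /detectnow is ignored on Windows 10, so also request a detection
    # through the documented Windows Update Agent COM interface.
    (New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
}
```

Run the audit again after the clients have checked in; each reset host should now report a SusClientId of its own, and the missing machines reappear in the WSUS console.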

Author

Commented:
Thanks everyone.
Shaun, cheers for that very much.