Laszlo Denes (Canada) asked:
Do we have a SID duplicate issue because computer SID last 4 digits are unique!

Hello Everyone and as always a big thanks to everyone for their time and expert insights.
Kind of a silly question as it has never come up before until Windows 10 and the need for WSUS.
We did not traditionally sysprep desktops since unique identifiers changed enough when joining the domain, and we did not use WSUS, so the SID issue was not really applicable.
Never had any problems with W7, but now need to use WSUS (2016) for W10 and am aware of SID problems with it.
I ran a few queries ( ) out of curiosity against W7 computer SIDs and some DCs (both 2016 installs from the ground up, i.e. not a template or clone image) and the SIDs are all different, but only in the last two digits, and that makes me wonder and worry a bit. Is that normal?
Ran
Get-WmiObject -class Win32_UserAccount | Select AccountType, Caption, Domain, SID, FullName, Name | Export-CSV C:\exports\Computerlist.csv -NoTypeInformation
and
dsquery computer -name "is004109" | dsget computer -SID

Examples in the image include 4 x W7 desktops from the same image, 4 x W10 desktops from the same image and a variety of physical and virtual servers with various roles. Note the last 4 digits are different.
So does that mean that we do not have a SID duplication issue?
The SIDs I am displaying were queried from domain-bound machines that are in AD!
We generally do not promote machines into a domain before we make an image of them. Servers tend to have sysprep run with OOBE or are one-off servers built from the ground up without an image.
[Attached image: SID.jpg]
David Johnson, CD (Canada) replied:
Since the complete SID is not duplicated, you are fine.
"I ran a few queries ( ) out of curiosity against W7 computer SIDs and some DCs (both 2016 installs from the ground up, i.e. not a template or clone image) and the SIDs are all different, but only in the last two digits, and that makes me wonder and worry a bit. Is that normal?"

Yes, that's normal. https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers has some good info on how the SIDs work and what they mean. SIDs won't get duplicated in AD. You can have two computers with the exact same image on them and AD will only allow one of them to connect to the domain.
To be clear, the local SID is different from the domain SID. And yes, there are instances where a duplicate local SID can be a problem.

Instead of the queries you have run, I recommend using PsGetSid (a Sysinternals tool) to get the *local* SID and ensure they aren't duplicates.
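The distinction the reply draws (domain SID versus local machine SID) is what decides whether "differs only in the last digits" is a problem. Both queries in the question return account SIDs issued by the AD domain: every one of them is the domain's S-1-5-21-a-b-c identifier followed by a per-account RID, so they are expected to share everything but the tail. A duplicate that matters is two hosts reporting the same local machine SID, which is what PsGetSid shows when run with no account name. The script below is an added example, not code from the thread; it parses SIDs into issuer and RID, groups the domain-issued ones, and flags only genuinely identical machine SIDs. The domain identifier, the hostnames other than is004109, and all SID values are constructed for illustration.

```python
"""Tell 'same issuer, different RID' apart from a genuinely duplicated SID.

Added example, not from the original thread. All SIDs and hostnames below
(except is004109, which the asker mentioned) are constructed.
"""
import re
from collections import defaultdict

# Shape check only: S-1-<identifier authority>-<sub-authority>...
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_account_sid(sid):
    """Split a domain or local account SID into (issuer, rid).

    issuer is the S-1-5-21-a-b-c prefix that names the issuing domain (for AD
    accounts) or the local machine (for SAM accounts); rid is the trailing
    relative identifier handed out per account by that issuer."""
    if not _SID_RE.match(sid):
        raise ValueError("not a well-formed SID: %r" % sid)
    head, _, rid = sid.rpartition("-")
    # A domain/machine identifier is S-1-5-21 plus exactly three sub-authorities.
    if not head.startswith("S-1-5-21-") or head.count("-") != 6:
        raise ValueError("not a domain/machine account SID: %r" % sid)
    return head, int(rid)


def group_by_issuer(account_sids):
    """Map issuer prefix -> sorted list of RIDs.

    SIDs queried from one AD domain all land under a single issuer and differ
    only in the RID, which is the pattern the asker observed."""
    groups = defaultdict(list)
    for sid in account_sids:
        issuer, rid = parse_account_sid(sid)
        groups[issuer].append(rid)
    return {issuer: sorted(rids) for issuer, rids in groups.items()}


def duplicate_machine_sids(machine_sids):
    """machine_sids: {hostname: local machine SID as PsGetSid reports it}.

    Returns {sid: [hosts...]} for SIDs shared by more than one host, which is
    the condition sysprep /generalize exists to prevent."""
    hosts_by_sid = defaultdict(list)
    for host, sid in machine_sids.items():
        if not _SID_RE.match(sid):
            raise ValueError("not a well-formed SID: %r" % sid)
        hosts_by_sid[sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in hosts_by_sid.items()
            if len(hosts) > 1}


# Constructed data: computer account SIDs as dsget computer -SID would show
# them, all issued by one invented domain.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
AD_COMPUTER_SIDS = {
    "is004109": DOMAIN + "-1105",
    "is004110": DOMAIN + "-1106",
    "dc01":     DOMAIN + "-1000",
    "srv-file": DOMAIN + "-1187",
}

# Constructed data: local machine SIDs (PsGetSid \\host, no account name).
# w7-01 and w7-02 were imaged without sysprep and so share a machine SID.
LOCAL_MACHINE_SIDS = {
    "w7-01":  "S-1-5-21-4444444444-555555555-666666666",
    "w7-02":  "S-1-5-21-4444444444-555555555-666666666",
    "w10-01": "S-1-5-21-7777777777-888888888-999999999",
}

if __name__ == "__main__":
    for issuer, rids in group_by_issuer(AD_COMPUTER_SIDS.values()).items():
        print("domain", issuer, "issued RIDs", rids)
    print("duplicate machine SIDs:", duplicate_machine_sids(LOCAL_MACHINE_SIDS) or "none")
```

Feed `duplicate_machine_sids` the per-host output of PsGetSid from the imaged desktops; an empty result means the clones carry distinct machine SIDs, while the AD-side query will always look like `group_by_issuer` output regardless of how the machines were imaged.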
ASKER CERTIFIED SOLUTION
Shaun Vermaak (Australia)

(Solution text not shown: it is available only to Experts Exchange members.)
Laszlo Denes (asker) replied:

Thanks everyone.
Shaun, cheers for that very much.