Duplicate windows 7 user (6/7/2023)

First published on TechNet on Nov 03, 2009

I wrote NewSID in 1997 (its original name was NTSID) because the only tool available at the time for changing machine SIDs was the Microsoft Sysprep tool, and Sysprep doesn't support changing the SIDs of computers that have applications installed. A machine SID is a unique identifier generated by Windows Setup that Windows uses as the basis for the SIDs for administrator-defined local accounts and groups. After a user logs on to a system, they are represented by their account and group SIDs with respect to object authorization (permissions checks). If two machines have the same machine SID, then accounts or groups on those systems might have the same SID. It's therefore obvious that having multiple computers with the same machine SID on a network poses a security risk, right? At least that's been the conventional wisdom.

The reason that I began considering NewSID for retirement is that, although people generally reported success with it on Windows Vista, I hadn't fully tested it myself and I got occasional reports that some Windows component would fail after NewSID was used. When I set out to look into the reports I took a step back to understand how duplicate SIDs could cause problems, a belief that I had taken on faith like everyone else. The more I thought about it, the more I became convinced that machine SID duplication (having multiple computers with the same machine SID) doesn't pose any problem, security or otherwise. I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. At that point the decision to retire NewSID became obvious.

I realize that the news that it's okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT's inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that, with one exception, Windows never exposes a machine SID outside its computer, proving that it's okay to have systems with the same machine SID. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft's support policy will still require cloned systems to be made unique with Sysprep.

Windows uses SIDs to represent not just machines, but all security principals. Security principals include machines, domain computer accounts, users and security groups. Names are simply user-friendly representations for SIDs, allowing you to rename an account and not have to update access control lists (ACLs) that reference the account to reflect the change. A SID is a variable-length numeric value that consists of a structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or relative identifier (RID) values. The authority value identifies the agent that issued the SID, and this agent is typically a Windows local system or a domain. Subauthority values identify trustees relative to the issuing authority, and RIDs are simply a way for Windows to create unique SIDs based on a common base SID.

A SID-viewing tool, run with no command-line arguments, displays the machine's SID. In that output the revision number is 1, the authority is 5, and there are four subauthority values. At one point during the design of Windows NT, the machine SID might have been used for network identification, so in order to assure uniqueness, the SID that Setup generates has one fixed subauthority value (21) and three randomly-generated subauthority values (the numbers following "S-1-5-21" in the output).

Even before you create the first user account on a system, Windows defines several built-in users and groups, including the Administrator and Guest accounts. Instead of generating new random SIDs for these accounts, Windows ensures their uniqueness by simply appending a per-account unique number, called a relative identifier (RID), to the machine SID. The RIDs for these initial accounts are predefined, so the Administrator user always has a RID of 500. After installation, Windows assigns new local user and group accounts with RIDs starting at 1000.
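As an added example (not code from the original post), here is a Python parser for the SID layout described above: it reads the textual S-revision-authority-subauthority form, recognises a Setup-generated machine SID by the fixed subauthority 21 followed by three more values, and derives local account SIDs by appending a RID, which makes concrete why two machines sharing a machine SID also share account SIDs. It also reads the binary form (revision byte, subauthority-count byte, 6-byte big-endian authority, little-endian 32-bit subauthorities); that layout and the limit of 15 subauthorities are Windows facts the post does not state.

```python
import re
import struct

ADMINISTRATOR_RID = 500     # predefined built-in RID (from the post)
FIRST_ASSIGNED_RID = 1000   # post-install accounts get RIDs from here (from the post)
MAX_SUBAUTHORITIES = 15     # Windows' fixed upper limit of subauthorities per SID

class Sid:
    """Revision, 48-bit identifier authority, and 1..15 32-bit subauthorities."""

    def __init__(self, revision, authority, subauthorities):
        subs = tuple(subauthorities)
        if revision != 1 or not 0 <= authority < 1 << 48:
            raise ValueError("bad revision or authority")
        if not 1 <= len(subs) <= MAX_SUBAUTHORITIES or any(not 0 <= s < 1 << 32 for s in subs):
            raise ValueError("bad subauthority count or value")
        self.revision, self.authority, self.subauthorities = revision, authority, subs

    @classmethod
    def parse(cls, text):
        """Textual form S-<revision>-<authority>-<sub1>-...-<subN>."""
        m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)+)", text)
        if not m:
            raise ValueError(f"not a SID string: {text!r}")
        return cls(int(m[1]), int(m[2]), (int(x) for x in m[3].split("-")[1:]))

    @classmethod
    def from_bytes(cls, data):
        """Binary form: revision byte, count byte, 6-byte big-endian authority, then count uint32 little-endian."""
        if len(data) < 8 or len(data) != 8 + 4 * data[1]:
            raise ValueError("length does not match the subauthority count byte")
        return cls(data[0], int.from_bytes(data[2:8], "big"), struct.unpack(f"<{data[1]}I", data[8:]))

    def __str__(self):
        return "S-" + "-".join(str(v) for v in (self.revision, self.authority, *self.subauthorities))

    def is_machine_sid(self):
        """Setup-generated machine SIDs: authority 5, fixed subauthority 21, then three random ones."""
        return self.authority == 5 and len(self.subauthorities) == 4 and self.subauthorities[0] == 21

    def account(self, rid):
        """A local account SID is the machine SID with the account's RID appended."""
        if not self.is_machine_sid():
            raise ValueError("accounts are derived from a machine SID")
        return Sid(self.revision, self.authority, self.subauthorities + (rid,))

    def split(self):
        """(base SID, RID): the RID is the last subauthority; a lone subauthority has no RID to split."""
        return Sid(self.revision, self.authority, self.subauthorities[:-1]), self.subauthorities[-1]
```

The sample SIDs used in the test are constructed values, not captured from a real machine.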