Duplicate SID report issues

Thank you for the time and energy spent on this 😃 Will definitely look into those missing use cases, but not sure we will purchase. Their support really leaves a lot to be desired.

Right I think i said that above in some convoluted way.

I think it may play a role in non-domain machines, but I haven't researched it enough.


Plus, on a side note but kind of related, reports in general such as 'missing X' or 'missing Y' cannot be fully trusted either, unless you join to the error table to make sure that SOFTWARE was successfully scanned, or REGISTRY was successfully scanned - just as examples.

Doesn't really happen in smaller environments, but you get some of those in larger ones.

You are correct in you assertion that it is essentialy ./administratorSIDs, which is useless.

The articles I linked show why its a useless report, because SIDs never leave the local computer. You dont auth with a sid against another computer ever, you only auth with THAT computers sid.

Annoying oversight on part of LS team.

lol man you confused me now.

the -500 in Lansweeper report is for a local administrator like ./administrator or whatever you named it to.


so the tool psgetsid64.exe localadminname and you get the SID.

I don't see that in your output in the image - as it will have the -500 in it.


I'll have to run that tool on the computers that say their dupe in my report... but that's what I call "Friday Work" hehe so I'll have to wait until then.

But, I did confirm for my local admin named 'localadmin' for example.. that it was the same on two of the machines.

Am i making sense? You might be getting the domain machine SID, not the local machine SID (the original SID pre-domain).

If you query for the local administrator account on the machine in question, and compare with another one on the report, if it's the same (which it will be unless WMI is lying - it pulls from WMI), you will know that the *local* machine SID is the same as well, as that's how the local users and groups are formed (machine SID plus -500 for local administrator account)

Am I making sense? The report is basically ./administrator SIDs.

So I guess my point is that when I look at the SID in lansweeper, its incorrect. I check it with PSgetSID and the sids dont match.

https://imgur.com/a/YAcbfg6

The top rows are my checks, and then the bottom are the same computers and the info that lansweeper is putting out.

Something is not matching up.

so for my environment, my duplicate SID report shows me about 5% of my windows machines weren't deployed properly (where it generates a new machine SID and thus new SID's for local administrator acct)


To recap, if local administrator SID is the same on two machines, then the two machines' local SID is the same... which means they weren't sysprepped properly.

The local 'administrator' SID is based off of the machine SID + 500


i verified via psgetsid64



also in that first URL:

Even before you create the first user account on a system, Windows defines several built-in users and groups, including the Administrator and Guest accounts. Instead of generating new random SIDs for these accounts, Windows ensures their uniqueness by simply appending a per-account unique number, called a Relative Identifier (RID), to the machine SID. The RIDs for these initial accounts are predefined, so the Administrator user always has a RID of 500:

As far as I know, the administrator account is always the same across all windows installations. It is always denoted by the "-500" at the end of the SID.

I am also referencing these articles:

https://blogs.technet.microsoft.com/markrussinovich/2009/11/03/the-machine-sid-duplication-myth-and-why-sysprep-matters/

https://blogs.msdn.microsoft.com/aaron_margosis/2009/11/05/machine-sids-and-domain-sids/