dharris_jbs
Engaged Sweeper
Hey all,

So as we are getting LS stood up, we noticed that around 80% of our computers are coming back as having duplicate SIDs. Upon investigation, it seems that this is not the case. When I check machine SIDs manually, they are not coming back with the same SID that Lansweeper is reporting. I took a look at the SQL and it looks like it's just checking the administrator account, denoted by the "'%-500'" listed in the report.

Does this report need to be customized? If so, how do I see duplicate machine SIDs in the environment? If not, what is the point of checking the admin account SID? It's always the same across Windows computers.

Could definitely use some clarification on this as it caused quite a stir only to be shown as false upon further investigation. Not a great impression for LS.

Thanks!
JacobH
Champion Sweeper III
I've been using LS for years... with 40,000+ assets with global scan servers... it's a really great product if you know SQL and use your imagination... the built-in reports are just the tip of the iceberg.

Support is great - the forum is, well... kinda sparse.

Email support@lansweeper.com. They are super helpful and in my experience respond within 24 hours (they are in Europe).

I even talk to a few engineers online...


I have outshone many programs that cost 13k/month with LS...

dharris_jbs
Engaged Sweeper
Thank you for the time and energy spent on this 😃 Will definitely look into those missing use cases, but not sure we will purchase. Their support really leaves a lot to be desired.

JacobH
Champion Sweeper III
Right, I think I said that above in some convoluted way.

I think it may play a role in non-domain machines, but I haven't researched it enough.


Plus, on a side note but kind of related, reports in general such as 'missing X' or 'missing Y' cannot be fully trusted either, unless you join to the error table to make sure that SOFTWARE was successfully scanned, or REGISTRY was successfully scanned - just as examples.

Doesn't really happen in smaller environments, but you get some of those in larger ones.
dharris_jbs
Engaged Sweeper
You are correct in your assertion that it is essentially ./administrator SIDs, which is useless.

The articles I linked show why it's a useless report, because SIDs never leave the local computer. You don't auth with a SID against another computer ever, you only auth with THAT computer's SID.

Annoying oversight on part of LS team.
JacobH
Champion Sweeper III
lol, man, you confused me now.

The -500 in the Lansweeper report is for a local administrator like ./administrator or whatever you named it to.


So run the tool psgetsid64.exe localadminname and you get the SID.

I don't see that in your output in the image - as it will have the -500 in it.


I'll have to run that tool on the computers that say they're dupes in my report... but that's what I call "Friday Work" hehe so I'll have to wait until then.

But I did confirm for my local admin named 'localadmin', for example, that it was the same on two of the machines.

Am I making sense? You might be getting the domain machine SID, not the local machine SID (the original SID pre-domain).

If you query for the local administrator account on the machine in question and compare with another one on the report, and it's the same (which it will be unless WMI is lying - it pulls from WMI), you will know that the *local* machine SID is the same as well, as that's how the local users and groups are formed (machine SID plus -500 for the local administrator account).

Am I making sense? The report is basically ./administrator SIDs.
dharris_jbs
Engaged Sweeper
So I guess my point is that when I look at the SID in Lansweeper, it's incorrect. I check it with PsGetSid and the SIDs don't match.

https://imgur.com/a/YAcbfg6

The top rows are my checks, and then the bottom are the same computers and the info that lansweeper is putting out.

Something is not matching up.
JacobH
Champion Sweeper III
So for my environment, my duplicate SID report shows me about 5% of my Windows machines weren't deployed properly (where it generates a new machine SID and thus new SIDs for the local administrator acct).


To recap, if local administrator SID is the same on two machines, then the two machines' local SID is the same... which means they weren't sysprepped properly.

JacobH
Champion Sweeper III
The local 'administrator' SID is based off of the machine SID + 500


I verified via psgetsid64.



Also, in that first URL:

Even before you create the first user account on a system, Windows defines several built-in users and groups, including the Administrator and Guest accounts. Instead of generating new random SIDs for these accounts, Windows ensures their uniqueness by simply appending a per-account unique number, called a Relative Identifier (RID), to the machine SID. The RIDs for these initial accounts are predefined, so the Administrator user always has a RID of 500:


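The relationship the two posts above describe (local Administrator SID = machine SID + RID 500) as an added PowerShell example. This is not code from the thread or from Lansweeper: it strips the RID from a RID-500 SID to recover the machine SID, reads the local Administrator SID from the same WMI class Lansweeper pulls from, and groups a constructed set of report rows to find machines that share a machine SID. The function names and the sample SIDs are my own.

```powershell
# Added example, not from the thread or from Lansweeper.
# Derives the machine SID from the built-in Administrator SID (RID 500) and
# flags computers whose machine SID is shared, i.e. likely cloned without sysprep.

function Get-MachineSidFromAdminSid {
    param([Parameter(Mandatory)][string]$AdminSid)
    # An account SID looks like S-1-5-21-<d1>-<d2>-<d3>-<RID>. The machine SID is
    # everything before the final "-<RID>"; the built-in Administrator always has
    # RID 500, so anything else is rejected rather than silently mis-parsed.
    if ($AdminSid -notmatch '^(S-1-5-21-\d+-\d+-\d+)-500$') {
        throw "Not a local Administrator (RID 500) SID: $AdminSid"
    }
    return $Matches[1]
}

function Get-LocalAdminSid {
    # Reads the built-in Administrator SID of the machine this runs on via CIM/WMI.
    # LocalAccount = TRUE matters: on a domain-joined machine the *domain*
    # Administrator also ends in -500, and that is the mix-up discussed in the thread.
    # Filtering on the RID instead of the name also survives a renamed account.
    $acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE AND SID LIKE '%-500'"
    return $acct.SID
}

function Find-DuplicateMachineSids {
    # Input: hashtable of ComputerName -> local Administrator SID (e.g. from the
    # Lansweeper report or from psgetsid64 output). Output: one row per shared machine SID.
    param([Parameter(Mandatory)][hashtable]$AdminSidByComputer)
    $AdminSidByComputer.GetEnumerator() |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $_.Key
                MachineSid = Get-MachineSidFromAdminSid $_.Value
            }
        } |
        Group-Object MachineSid |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Computers  = ($_.Group.Computer | Sort-Object) -join ', '
            }
        }
}

# Constructed sample rows standing in for the report; the SIDs are made up.
$sample = @{
    'PC-A' = 'S-1-5-21-1111111111-2222222222-3333333333-500'
    'PC-B' = 'S-1-5-21-1111111111-2222222222-3333333333-500'   # same machine SID as PC-A
    'PC-C' = 'S-1-5-21-4444444444-5555555555-6666666666-500'
}
Find-DuplicateMachineSids $sample | Format-Table -AutoSize
# Reports one group: machine SID S-1-5-21-1111111111-2222222222-3333333333 on PC-A, PC-B
```

To cross-check a single machine against the report, run Get-LocalAdminSid on it and feed the result through Get-MachineSidFromAdminSid; if that value differs from what the report shows for the same host, the report row was most likely a domain SID rather than the local one, which is the mismatch raised earlier in the thread.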
dharris_jbs
Engaged Sweeper
As far as I know, the administrator account is always the same across all Windows installations. It is always denoted by the "-500" at the end of the SID.

I am also referencing these articles:

https://blogs.technet.microsoft.com/markrussinovich/2009/11/03/the-machine-sid-duplication-myth-and-why-sysprep-matters/

https://blogs.msdn.microsoft.com/aaron_margosis/2009/11/05/machine-sids-and-domain-sids/