DGoodwin
Engaged Sweeper
Add WMI scanning of duplicate Machine SIDs and a report to show them.

I am sure there are a lot of people cloning images and this would help to eliminate the errors of security identifiers. Even though we here are in a domain that assigns a domain SID, the local machine SID could still be the same. We are using a SID-changing utility to make sure this is not an issue just in case.

"When Windows XP is installed, a machine SID is configured to contain a statistically unique 96-bit number. The machine SID prefixes the SIDs of user accounts and group accounts that are created on the computer. The machine SID is concatenated with the relative ID (RID) of the account to create the account's unique identifier."


It would be really helpful to find the SIDs and verify that they are not the same.

Microsoft write up: http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx
8 REPLIES
Hemoco
Lansweeper Alumni
I've already read the article some days ago.
While Mark Russinovich is probably one of the best known technical Microsoft gurus, I think he is wrong with this.
Windows might not have a problem with the duplicate SID but a lot of third party applications use the SID in one way or another.

I remember from some years ago that SMS 2.0 client simply didn't work with duplicate SIDs.
DGoodwin
Engaged Sweeper
Interesting follow up, SIDs are no longer going to need to be changed. NewSID will not run on Win7 and has been retired. It also breaks the local Admin accounts. The following explains it a little better than I can: SID Myth
We are looking at the possibility of not changing them anymore.

ps. Ghost Walker will work. (ghstwalk)
Hemoco
Lansweeper Alumni
I see that you can already create a report to find duplicate SIDs.
The -500 account at the end means that this is the local administrator account.

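-- Count the rows for each local Administrator SID (ends in -500);
-- a Total above 1 means the same SID appears more than once.
Select Top 100 Percent tblUsers.SID, Count(tblUsers.UserID) As Total
From dbo.tblComputers
  Inner Join tblUsers On dbo.tblComputers.Computername = tblUsers.Computername
Group By tblUsers.SID
Having tblUsers.SID Like '%-500'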


You can create reports based on this.
DGoodwin
Engaged Sweeper
Found this which does work and have tested it on multiple machines (using newsid as a backup check)

' Query the local user accounts through WMI on this computer.
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colAccounts = objWMIService.ExecQuery _
    ("Select * From Win32_UserAccount Where LocalAccount=True")

Result = ""
For Each objAccount In colAccounts
    ' The built-in Administrator account has RID 500; dropping the
    ' trailing "-500" from its SID leaves the machine SID.
    If Left(objAccount.SID, 6) = "S-1-5-" And Right(objAccount.SID, 4) = "-500" Then
        CompSID = Left(objAccount.SID, Len(objAccount.SID) - 4)
        Result = CompSID
    End If
Next
MsgBox "SID is: " & Result


I found it Here

Modify it as you see fit.
DGoodwin
Engaged Sweeper
A computer's SID is stored in the Registry's SECURITY hive under SECURITY\SAM\Domains\Account. This key has a value named F and a value named V. The V value is a binary value that has the computer SID embedded within it at the end of its data.

As far as I can tell, you have to grant rights to the admins to access this registry key. If not, then only the "system" account has access to it.

example:
"V"=hex:00,00,00,00,e0,00,00,00,02,00,01,00,e0,00,00,00,18,00,00,00,00,00,00,\
00,f8,00,00,00,00,00,00,00,00,00,00,00,f8,00,00,00,00,00,00,00,00,00,00,00,\
01,00,14,80,c0,00,00,00,d0,00,00,00,14,00,00,00,44,00,00,00,02,00,30,00,02,\
00,00,00,02,c0,14,00,7a,04,05,01,01,01,00,00,00,00,00,01,00,00,00,00,02,c0,\
14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,00,7c,00,05,00,00,\
00,00,00,14,00,85,03,02,00,01,01,00,00,00,00,00,01,00,00,00,00,00,00,18,00,\
85,03,02,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,00,00,18,00,df,\
07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,d5,03,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,00,00,18,00,d5,03,02,\
00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,\
04,00,00,00,00,00,05,15,00,00,00,21,58,8a,12,2c,2b,74,58,27,30,c9,dc

The SID I'm searching in this now is:
S-1-5-21-311056417-1484008236-3704172583
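
The layout of the SID at the end of the V value described above, as an added Python example that is not part of any post in this thread: it decodes the binary SID structure (revision, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) from the last 24 bytes of the quoted data. The function names are hypothetical, and it assumes the V data has already been exported as .reg-style hex.

```python
import struct

def reg_hex_to_bytes(text):
    """Convert the comma-separated hex of a .reg export (with '\\' line
    continuations) into bytes."""
    cleaned = text.replace("\\", "").replace("\n", "").replace(" ", "")
    return bytes(int(b, 16) for b in cleaned.split(",") if b)

def parse_sid(blob):
    """Decode one binary SID: revision, sub-authority count, 6-byte
    big-endian authority, then little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("too short for a SID header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unexpected SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def machine_sid_from_v(v_data):
    """Return the machine SID found at the tail of the V value.
    Assumes the S-1-5-21-x-y-z form: 8-byte header + 4 sub-authorities."""
    sid = parse_sid(v_data[-24:])
    if not sid.startswith("S-1-5-21-"):
        raise ValueError("tail of V is not a machine SID: " + sid)
    return sid

# Last 24 bytes of the V value quoted in the post above.
V_TAIL = "01,04,00,00,00,00,00,05,15,00,00,00,21,58,8a,12,2c,2b,74,58,\\\n  27,30,c9,dc"

if __name__ == "__main__":
    print(machine_sid_from_v(reg_hex_to_bytes(V_TAIL)))
```

The three trailing 4-byte groups are read least-significant byte first, which is why `21,58,8a,12` becomes 311056417.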
Hemoco
Lansweeper Alumni
Lansweeper uses only WMI and registry to get its information.
Anonymous
Not applicable
Maybe using the same API as for any account? I've tested here for my hostname account and I could read it right using LookupAccountName function from AdvAPI32.dll
Hemoco
Lansweeper Alumni
Any idea how to get the computer SID out of the registry?