Significant sub-authorities in determining duplicate machi..

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windowsxp.security_admin (More info?)

We've been trying to troubleshoot some GPO problems lately and while doing so
determined that some of our computer labs had duplicate machine SIDs for our
XP clients. Some of the computers had exact duplicates of the SID. Others
had duplicate RIDs in the SID sub-authority components. Does it matter if
any portion of the SID is a duplicate of another? Or does the entire SID
have to be a duplicate for it to matter? What should I be looking for?
Thanks!

--
David Shriner
Systems Administrator
Newport News Public Schools
  1.

    The only thing I can tell you is that the dupe SIDs come from creating
    machines from images (like Ghost) and then not using a tool (like
    GhostWalker) to create a fresh SID before the machine is put into service.
    If you don't do that, every machine made from that image will have the same
    SID.

    1. Image a new machine with Ghost booted in "DOS"
    2. While still in "DOS", alter the SID so it is unique using GhostWalker
    3. Put the machine in service.

    You can possibly correct the SID issue by making the machines "workgroup"
    machines by removing them from the Domain (make sure the machine account
    gets deleted), run GhostWalker to change the SID, then rejoin them to the
    Domain. However, the more time passes and the more the machine is changed
    from when it was originally "imaged", the greater the chance something will go
    wrong if the SID is altered.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com


    "David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
    news:FC14550F-6110-4DC0-ACE1-B70CBC9B5962@microsoft.com...
    > We've been trying to troubleshoot some GPO problems lately and while doing so
    > determined that some of our computer labs had duplicate machine SIDs for our
    > XP clients. Some of the computers had exact duplicates of the SID. Others
    > had duplicate RIDs in the SID sub-authority components. Does it matter if
    > any portion of the SID is a duplicate of another? Or does the entire SID
    > have to be a duplicate for it to matter? What should I be looking for?
    > Thanks!
    >
    > --
    > David Shriner
    > Systems Administrator
    > Newport News Public Schools
  2.

    Thanks. I did know how duplicate SIDs are created. We hired a contractor to
    help us roll out over 2000 computers to our middle schools and have just
    discovered that there may have been some problems during the imaging process.
    However, this doesn't help me understand what constitutes a duplicate SID.
    Here's an example of what I've found:

    Computer    SID                                        Note
    LABF14-04   S-1-5-21-2326369520-3253555194-74049757    exact dupe
    LABC16-07   S-1-5-21-2326369520-3253555194-74049757    exact dupe
    LABC16-02   S-1-5-21-3042452539-622697513-334337264
    LABF14-10   S-1-5-21-596957751-3725260815-359561344    exact dupe
    LABF14-12   S-1-5-21-596957751-3725260815-359561344    exact dupe
    LABC16-05   S-1-5-21-48506347-3646499915-426764551
    LABF14-15   S-1-5-21-2796713857-2210005112-502944281   dupe last RID
    LABC16-17   S-1-5-21-3689853989-2888764536-502944281   dupe last RID
    LABF14-02   S-1-5-21-1449542653-3364022493-502944281   dupe last RID
    LABC16-23   S-1-5-21-3978503659-1809067083-516276246
    LABF14-16   S-1-5-21-290470409-3091673561-677485609    dupe last 2 RIDs
    LABF14-20   S-1-5-21-1608279117-3091673561-677485609   dupe last 2 RIDs

    So when I scan my domain for duplicate machine SIDs I need to know whether
    to look for exact dupes only or if I should include partial dupes. This will
    help me provide specific information to our site support staff when I ask
    them to re-image the machines that have dupes. Thanks.

    Dave


    "Phillip Windell" wrote:

    > The only thing I can tell you is that the dupe SIDs come from creating
    > machines from images (like Ghost) and then not using a tool (like
    > GhostWalker) to create a fresh SID before the machine is put into service.
    > If you don't do that, every machine made from that image will have the same
    > SID.
    >
    > 1. Image a new machine with Ghost booted in "DOS"
    > 2. While still in "DOS", alter the SID so it is unique using GhostWalker
    > 3. Put the machine in service.
    >
    > You can possibly correct the SID issue by making the machines "workgroup"
    > machines by removing them from the Domain (make sure the machine account
    > gets deleted), run GhostWalker to change the SID, then rejoin them to the
    > Domain. However, the more time passes and the more the machine is changed
    > from when it was originally "imaged", the greater the chance something will go
    > wrong if the SID is altered.
    >
    > --
    >
    > Phillip Windell [MCP, MVP, CCNA]
    > www.wandtv.com
    >
    >
    > "David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
    > news:FC14550F-6110-4DC0-ACE1-B70CBC9B5962@microsoft.com...
    > > We've been trying to troubleshoot some GPO problems lately and while doing so
    > > determined that some of our computer labs had duplicate machine SIDs for our
    > > XP clients. Some of the computers had exact duplicates of the SID. Others
    > > had duplicate RIDs in the SID sub-authority components. Does it matter if
    > > any portion of the SID is a duplicate of another? Or does the entire SID
    > > have to be a duplicate for it to matter? What should I be looking for?
    > > Thanks!
    > >
    > > --
    > > David Shriner
    > > Systems Administrator
    > > Newport News Public Schools
    >
    >
    >
  3.

    David Shriner wrote:

    > We've been trying to troubleshoot some GPO problems lately and while doing so
    > determined that some of our computer labs had duplicate machine SIDs for our
    > XP clients. Some of the computers had exact duplicates of the SID. Others
    > had duplicate RIDs in the SID sub-authority components. Does it matter if
    > any portion of the SID is a duplicate of another? Or does the entire SID
    > have to be a duplicate for it to matter? What should I be looking for?
    > Thanks!
    Hi

    As far as I know, there is no big issue if you have duplicate machine
    SIDs in a domain-based environment.

    From
    http://www.sysinternals.com/ntw2k/source/newsid.shtml

    <quote>
    Duplicate SIDs aren't an issue in a Domain-based environment since
    domain accounts have SID's based on the Domain SID.
    </quote>


    And from
    http://www.winntmag.com/Windows/Articles/ArticleID/3469/pg/2/2.html

    <quote>
    There are two scenarios in which aliased SIDs confuse NT's
    security mechanisms. The first scenario is a workgroup
    environment. In a workgroup, a number of NT machines are connected
    in a peer-based model, and they can share resources such as disks
    and printers with one another through a network. When a user on a
    workgroup member machine accesses a resource on another workgroup
    member machine, the user's local SID (a workgroup has no domain
    SIDs) identifies the user to the remote computer. Consider the
    case Figure 2 shows, in which Mark on Computer1 accesses files on
    a shared drive served off Computer2. If Computer1 and Computer2
    are clones with the same computer SID, and if the Fred account on
    Computer2 has the same RID as the Mark account, Mark will look
    exactly like Fred to Computer2. Mark can therefore view all the
    files Fred can view, including Fred's private files, and vice
    versa.

    The second scenario in which SID duplication causes security
    confusion concerns removable media, such as Jaz drives, which can
    include security information when their formatting includes NTFS.
    In the example in Figure 2, Fred can view any files on removable
    media that Mark can view, because neither Computer1 nor Computer2
    can distinguish between the two users with respect to the security
    permissions assigned to files on the removable drive.

    Contrary to common belief, these two scenarios are the only known
    situations where duplicate computer SIDs cause problems. Duplicate
    computer SIDs will not cause networks to fail, nor will they cause
    other problems in an upgrade from NT 4.0 to 5.0.
    </quote>


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  4.

    Yes, I read that too while researching this issue. I also read the following:

    from http://www.winnetmag.com/Article/ArticleID/14919/14919.html#
    <quote>
    What are the problems with workstations having the same SID?

    John Savill
    InstantDoc #14919
    John Savill's FAQ for Windows

    A. At the start of the GUI phase of installation each NT/2000 installation
    generates a unique Security IDentifier (SID). If you then clone a workstation each
    installation would have the same machine SID. This is not a problem in a
    Windows NT 4.0 domain as users have a SID generated by the domain controller
    and do not use the local workstation SID for security. It IS a problem in a
    Windows 2000 domain as the local machine SID is used in nearly all aspects of
    security and before migrating to 2000 you should resolve any duplicate SID
    issues which may have been caused by cloning installations.
    </quote>

    So there seems to be conflicting information with regard to how serious this
    problem is in a domain environment.

    Dave

    "Torgeir Bakken (MVP)" wrote:

    > David Shriner wrote:
    >
    > > We've been trying to troubleshoot some GPO problems lately and while doing so
    > > determined that some of our computer labs had duplicate machine SIDs for our
    > > XP clients. Some of the computers had exact duplicates of the SID. Others
    > > had duplicate RIDs in the SID sub-authority components. Does it matter if
    > > any portion of the SID is a duplicate of another? Or does the entire SID
    > > have to be a duplicate for it to matter? What should I be looking for?
    > > Thanks!
    > Hi
    >
    > As far as I know, there is no big issue if you have duplicate machine
    > SIDs in a domain-based environment.
    >
    > From
    > http://www.sysinternals.com/ntw2k/source/newsid.shtml
    >
    > <quote>
    > Duplicate SIDs aren't an issue in a Domain-based environment since
    > domain accounts have SID's based on the Domain SID.
    > </quote>
    >
    >
    > And from
    > http://www.winntmag.com/Windows/Articles/ArticleID/3469/pg/2/2.html
    >
    > <quote>
    > There are two scenarios in which aliased SIDs confuse NT's
    > security mechanisms. The first scenario is a workgroup
    > environment. In a workgroup, a number of NT machines are connected
    > in a peer-based model, and they can share resources such as disks
    > and printers with one another through a network. When a user on a
    > workgroup member machine accesses a resource on another workgroup
    > member machine, the user's local SID (a workgroup has no domain
    > SIDs) identifies the user to the remote computer. Consider the
    > case Figure 2 shows, in which Mark on Computer1 accesses files on
    > a shared drive served off Computer2. If Computer1 and Computer2
    > are clones with the same computer SID, and if the Fred account on
    > Computer2 has the same RID as the Mark account, Mark will look
    > exactly like Fred to Computer2. Mark can therefore view all the
    > files Fred can view, including Fred's private files, and vice
    > versa.
    >
    > The second scenario in which SID duplication causes security
    > confusion concerns removable media, such as Jaz drives, which can
    > include security information when their formatting includes NTFS.
    > In the example in Figure 2, Fred can view any files on removable
    > media that Mark can view, because neither Computer1 nor Computer2
    > can distinguish between the two users with respect to the security
    > permissions assigned to files on the removable drive.
    >
    > Contrary to common belief, these two scenarios are the only known
    > situations where duplicate computer SIDs cause problems. Duplicate
    > computer SIDs will not cause networks to fail, nor will they cause
    > other problems in an upgrade from NT 4.0 to 5.0.
    > </quote>
    >
    >
    > --
    > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    > Administration scripting examples and an ONLINE version of
    > the 1328 page Scripting Guide:
    > http://www.microsoft.com/technet/scriptcenter/default.mspx
    >
  5.

    "David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
    news:4E6779FA-1759-4CCB-868A-F31C30F57BCC@microsoft.com...
    > Thanks. I did know how duplicate SIDs are created. We hired a contractor to
    > help us roll out over 2000 computers to our middle schools and have just
    > discovered that there may have been some problems during the imaging process.
    > However, this doesn't help me understand what constitutes a duplicate SID.

    If you want to find out just for curiosity's sake, that is fine. But for
    practicality's sake it just isn't important. If you correct the dupe SIDs
    like I outlined, you wouldn't have the problem any more to begin with.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
  6.

    > . . . by removing them from the Domain (make sure the machine
    > account gets deleted), . . .

    But recognize that this will impact all machines that share that SID.

    --
    Roger Abell

    "Phillip Windell" <@.> wrote in message
    news:%232ngQ6UCFHA.868@TK2MSFTNGP10.phx.gbl...
    > The only thing I can tell you is that the dupe SIDs come from creating
    > machines from images (like Ghost) and then not using a tool (like
    > GhostWalker) to create a fresh SID before the machine is put into service.
    > If you don't do that, every machine made from that image will have the same
    > SID.
    >
    > 1. Image a new machine with Ghost booted in "DOS"
    > 2. While still in "DOS", alter the SID so it is unique using GhostWalker
    > 3. Put the machine in service.
    >
    > You can possibly correct the SID issue by making the machines "workgroup"
    > machines by removing them from the Domain (make sure the machine account
    > gets deleted), run GhostWalker to change the SID, then rejoin them to the
    > Domain. However, the more time passes and the more the machine is changed
    > from when it was originally "imaged", the greater the chance something will go
    > wrong if the SID is altered.
    >
    > --
    >
    > Phillip Windell [MCP, MVP, CCNA]
    > www.wandtv.com
    >
    >
    > "David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
    > news:FC14550F-6110-4DC0-ACE1-B70CBC9B5962@microsoft.com...
    > > We've been trying to troubleshoot some GPO problems lately and while doing so
    > > determined that some of our computer labs had duplicate machine SIDs for our
    > > XP clients. Some of the computers had exact duplicates of the SID. Others
    > > had duplicate RIDs in the SID sub-authority components. Does it matter if
    > > any portion of the SID is a duplicate of another? Or does the entire SID
    > > have to be a duplicate for it to matter? What should I be looking for?
    > > Thanks!
    > >
    > > --
    > > David Shriner
    > > Systems Administrator
    > > Newport News Public Schools
    >
    >
  7.

    Identical SIDs are exact matches, in total.
    LABF14-04 S-1-5-21-2326369520-3253555194-74049757 exact dupe
    LABC16-07 S-1-5-21-2326369520-3253555194-74049757 exact dupe

    Non-identical SIDs differing in RIDs other than the last are
    from different machines and/or domains
    LABF14-15 S-1-5-21-2796713857-2210005112-502944281 dupe last RID
    LABC16-17 S-1-5-21-3689853989-2888764536-502944281 dupe last RID
    and in the above example these accidentally received the same unique
    serialization RID (last RID) from their machines/domains (well, so it would
    be interpreted if it were not known this is a duplication artifact).

    The Microsoft Policy Concerning Disk Duplication of Windows XP Installations
    http://support.microsoft.com/default.aspx?scid=kb;en-us;314828
    indicates one example issue, with ACL'd removable media, that results
    (or can) from having identical SIDs.
    Since in a domain multiple physical machines would be sharing account
    objects when looked up via SID, you have the possibility of one of the
    physical machines being forced out of sync with its domain membership
    by actions of the other machine.


    FYI, although likely not applicable in your situation:
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_sids_tools.asp
    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
    news:FC14550F-6110-4DC0-ACE1-B70CBC9B5962@microsoft.com...
    > We've been trying to troubleshoot some GPO problems lately and while doing so
    > determined that some of our computer labs had duplicate machine SIDs for our
    > XP clients. Some of the computers had exact duplicates of the SID. Others
    > had duplicate RIDs in the SID sub-authority components. Does it matter if
    > any portion of the SID is a duplicate of another? Or does the entire SID
    > have to be a duplicate for it to matter? What should I be looking for?
    > Thanks!
    >
    > --
    > David Shriner
    > Systems Administrator
    > Newport News Public Schools
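The classification Roger describes (only a full three-sub-authority match is a clone; a shared last RID is a coincidence) and the account aliasing in the workgroup scenario Torgeir quotes, worked through on Dave's table as an added example that is not from the thread. Python, the inventory text format and the RID 1001 used for the aliasing check are assumptions.

```python
import re
from collections import defaultdict
from itertools import combinations

# Machine SID: S-1-5-21-<sub1>-<sub2>-<sub3>; a local account's SID appends its RID.
MACHINE_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Inventory taken from Dave's table in this thread: "<computer> <machine SID>".
INVENTORY = """\
LABF14-04 S-1-5-21-2326369520-3253555194-74049757
LABC16-07 S-1-5-21-2326369520-3253555194-74049757
LABC16-02 S-1-5-21-3042452539-622697513-334337264
LABF14-10 S-1-5-21-596957751-3725260815-359561344
LABF14-12 S-1-5-21-596957751-3725260815-359561344
LABC16-05 S-1-5-21-48506347-3646499915-426764551
LABF14-15 S-1-5-21-2796713857-2210005112-502944281
LABC16-17 S-1-5-21-3689853989-2888764536-502944281
LABF14-02 S-1-5-21-1449542653-3364022493-502944281
LABC16-23 S-1-5-21-3978503659-1809067083-516276246
LABF14-16 S-1-5-21-290470409-3091673561-677485609
LABF14-20 S-1-5-21-1608279117-3091673561-677485609
"""

def parse_inventory(text):
    """Return [(computer, sid)], rejecting anything that is not a machine SID."""
    rows = []
    for line in text.splitlines():
        computer, sid = line.split()
        if not MACHINE_SID_RE.match(sid):
            raise ValueError(f"{computer}: not a machine SID: {sid}")
        rows.append((computer, sid))
    return rows

def shared_trailing_subauthorities(sid_a, sid_b):
    """How many trailing sub-authorities two machine SIDs share (3 = identical)."""
    a, b = sid_a.split("-")[4:], sid_b.split("-")[4:]
    return next((i for i in range(3) if a[2 - i] != b[2 - i]), 3)

def exact_duplicates(rows):
    """{sid: [computers]} for SIDs held by more than one machine: these are clones."""
    by_sid = defaultdict(list)
    for computer, sid in rows:
        by_sid[sid].append(computer)
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}

def partial_matches(rows):
    """Pairs sharing only 1 or 2 trailing sub-authorities: coincidences, not clones."""
    pairs = []
    for (a, sid_a), (b, sid_b) in combinations(rows, 2):
        n = shared_trailing_subauthorities(sid_a, sid_b)
        if 0 < n < 3:
            pairs.append((a, b, n))
    return pairs

def local_account_sid(machine_sid, rid):
    """Account SID = machine SID + RID, so two clones alias each other's local users."""
    return f"{machine_sid}-{rid}"
```

Only the machines returned by `exact_duplicates` need re-imaging; the pairs from `partial_matches` have different machine SIDs and so different local account SIDs even for the same RID.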