Significant sub-authorities in determining duplicate machi..

Anonymous
February 2, 2005 11:17:05 AM

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windowsxp.security_admin

We've been trying to troubleshoot some GPO problems lately and while doing so
determined that some of our computer labs had duplicate machine SIDs for our
XP clients. Some of the computers had exact duplicates of the SID. Others
had duplicate RIDs in the SID sub-authority components. Does it matter if
any portion of the SID is a duplicate of another? Or does the entire SID
have to be a duplicate for it to matter? What should I be looking for?
Thanks!

--
David Shriner
Systems Administrator
Newport News Public Schools
Anonymous
February 2, 2005 2:42:26 PM


The only thing I can tell you is that the dupe SIDs come from creating
machines from Images (like Ghost) and then not using a tool (like
GhostWalker) to create a fresh SID before the machine is put into service.
If you don't do that every machine made from that image will have the same
SID.

1. Image a new machine with Ghost booted in "DOS"
2. While still in "DOS", alter the SID so it is unique using GhostWalker
3. Put the machine in service.

You can possibly correct the SID issue by making the machines "workgroup"
machines by removing them from the Domain (make sure the machine account
gets deleted), run Ghostwalker to change the SID,...then rejoin them to the
Domain. However the more time passes and the more the machine is changed
from when it was originally "imaged" the greater chance something will go
wrong if the SID is altered.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
news:FC14550F-6110-4DC0-ACE1-B70CBC9B5962@microsoft.com...
> We've been trying to troubleshoot some GPO problems lately and while doing so
> determined that some of our computer labs had duplicate machine SIDs for our
> XP clients. Some of the computers had exact duplicates of the SID. Others
> had duplicate RIDs in the SID sub-authority components. Does it matter if
> any portion of the SID is a duplicate of another? Or does the entire SID
> have to be a duplicate for it to matter? What should I be looking for?
> Thanks!
>
> --
> David Shriner
> Systems Administrator
> Newport News Public Schools
Anonymous
February 2, 2005 2:42:27 PM


Thanks. I did know how duplicate SIDs are created. We hired a contractor to
help us roll out over 2000 computers to our middle schools and have just
discovered that there may have been some problems during the imaging process.
However, this doesn't help me understand what constitutes a duplicate SID.
Here's an example of what I've found:

Computer   SID                                        Note
LABF14-04  S-1-5-21-2326369520-3253555194-74049757    exact dupe
LABC16-07  S-1-5-21-2326369520-3253555194-74049757    exact dupe
LABC16-02  S-1-5-21-3042452539-622697513-334337264
LABF14-10  S-1-5-21-596957751-3725260815-359561344    exact dupe
LABF14-12  S-1-5-21-596957751-3725260815-359561344    exact dupe
LABC16-05  S-1-5-21-48506347-3646499915-426764551
LABF14-15  S-1-5-21-2796713857-2210005112-502944281   dupe last RID
LABC16-17  S-1-5-21-3689853989-2888764536-502944281   dupe last RID
LABF14-02  S-1-5-21-1449542653-3364022493-502944281   dupe last RID
LABC16-23  S-1-5-21-3978503659-1809067083-516276246
LABF14-16  S-1-5-21-290470409-3091673561-677485609    dupe last 2 RIDs
LABF14-20  S-1-5-21-1608279117-3091673561-677485609   dupe last 2 RIDs

So when I scan my domain for duplicate machine SIDs I need to know whether
to look for exact dupes only or if I should include partial dupes. This will
help me provide specific information to our site support staff when I ask
them to re-image the machines that have dupes. Thanks.

Dave


"Phillip Windell" wrote:

> The only thing I can tell you is that the Dupe Sids come from creating
> machines from Images (like Ghost) and then not using a tool (like
> GhostWalker) to create a fresh SID before the machine is put into service.
> If you don't do that every machine made from that image will have the same
> SID.
>
> 1. Image a new machine with Ghost booted in "DOS"
> 2. While still in "DOS", Alter the SID so it is unique using GhostWalker
> 3. Put the machine in service.
>
> You can possibly correct the SID issue by making the machines "workgroup"
> machines by removing them from the Domain (make sure the machine account
> gets deleted), run Ghostwalker to change the SID,...then rejoin them to the
> Domain. However the more time passes and the more the machine is changed
> from when it was originally "imaged" the greater chance something will go
> wrong if the SID is altered.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
> news:FC14550F-6110-4DC0-ACE1-B70CBC9B5962@microsoft.com...
> > We've been trying to troubleshoot some GPO problems lately and while doing so
> > determined that some of our computer labs had duplicate machine SIDs for our
> > XP clients. Some of the computers had exact duplicates of the SID. Others
> > had duplicate RIDs in the SID sub-authority components. Does it matter if
> > any portion of the SID is a duplicate of another? Or does the entire SID
> > have to be a duplicate for it to matter? What should I be looking for?
> > Thanks!
> >
> > --
> > David Shriner
> > Systems Administrator
> > Newport News Public Schools
>
>
>
Anonymous
February 2, 2005 10:24:49 PM


David Shriner wrote:

> We've been trying to troubleshoot some GPO problems lately and while doing so
> determined that some of our computer labs had duplicate machine SIDs for our
> XP clients. Some of the computers had exact duplicates of the SID. Others
> had duplicate RIDs in the SID sub-authority components. Does it matter if
> any portion of the SID is a duplicate of another? Or does the entire SID
> have to be a duplicate for it to matter? What should I be looking for?
> Thanks!
Hi

As far as I know, there is no big issue that you have duplicate machine
SIDs in a domain-based environment.

From
http://www.sysinternals.com/ntw2k/source/newsid.shtml

<quote>
Duplicate SIDs aren't an issue in a Domain-based environment since
domain accounts have SID's based on the Domain SID.
</quote>


And from
http://www.winntmag.com/Windows/Articles/ArticleID/3469...

<quote>
There are two scenarios in which aliased SIDs confuse NT's
security mechanisms. The first scenario is a workgroup
environment. In a workgroup, a number of NT machines are connected
in a peer-based model, and they can share resources such as disks
and printers with one another through a network. When a user on a
workgroup member machine accesses a resource on another workgroup
member machine, the user's local SID (a workgroup has no domain
SIDs) identifies the user to the remote computer. Consider the
case Figure 2 shows, in which Mark on Computer1 accesses files on
a shared drive served off Computer2. If Computer1 and Computer2
are clones with the same computer SID, and if the Fred account on
Computer2 has the same RID as the Mark account, Mark will look
exactly like Fred to Computer2. Mark can therefore view all the
files Fred can view, including Fred's private files, and vice
versa.

The second scenario in which SID duplication causes security
confusion concerns removable media, such as Jaz drives, which can
include security information when their formatting includes NTFS.
In the example in Figure 2, Fred can view any files on removable
media that Mark can view, because neither Computer1 nor Computer2
can distinguish between the two users with respect to the security
permissions assigned to files on the removable drive.

Contrary to common belief, these two scenarios are the only known
situations where duplicate computer SIDs cause problems. Duplicate
computer SIDs will not cause networks to fail, nor will they cause
other problems in an upgrade from NT 4.0 to 5.0.
</quote>


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
Anonymous
February 2, 2005 10:24:50 PM


Yes, I read that too while researching this issue. I also read the following:

from http://www.winnetmag.com/Article/ArticleID/14919/14919....
<quote>
What are the problems with workstations having the same SID?

John Savill
InstantDoc #14919
John Savill's FAQ for Windows

A. At the start of the GUI phase of installation each NT/2000 installation
generates a unique Security IDentifier (SID). If you then clone a workstation
each installation would have the same machine SID. This is not a problem in a
Windows NT 4.0 domain as users have a SID generated by the domain controller
and do not use the local workstation SID for security. It IS a problem in a
Windows 2000 domain as the local machine SID is used in nearly all aspects of
security and before migrating to 2000 you should resolve any duplicate SID
issues which may have been caused by cloning installations.
</quote>

So there seems to be conflicting information with regard to how serious this
problem is in a domain environment.

Dave

"Torgeir Bakken (MVP)" wrote:

> David Shriner wrote:
>
> > We've been trying to troubleshoot some GPO problems lately and while doing so
> > determined that some of our computer labs had duplicate machine SIDs for our
> > XP clients. Some of the computers had exact duplicates of the SID. Others
> > had duplicate RIDs in the SID sub-authority components. Does it matter if
> > any portion of the SID is a duplicate of another? Or does the entire SID
> > have to be a duplicate for it to matter? What should I be looking for?
> > Thanks!
> Hi
>
> As far as I know, there is no big issue that you have duplicate machine
> SIDs in a domain-based environment.
>
> From
> http://www.sysinternals.com/ntw2k/source/newsid.shtml
>
> <quote>
> Duplicate SIDs aren't an issue in a Domain-based environment since
> domain accounts have SID's based on the Domain SID.
> </quote>
>
>
> And from
> http://www.winntmag.com/Windows/Articles/ArticleID/3469...
>
> <quote>
> There are two scenarios in which aliased SIDs confuse NT's
> security mechanisms. The first scenario is a workgroup
> environment. In a workgroup, a number of NT machines are connected
> in a peer-based model, and they can share resources such as disks
> and printers with one another through a network. When a user on a
> workgroup member machine accesses a resource on another workgroup
> member machine, the user's local SID (a workgroup has no domain
> SIDs) identifies the user to the remote computer. Consider the
> case Figure 2 shows, in which Mark on Computer1 accesses files on
> a shared drive served off Computer2. If Computer1 and Computer2
> are clones with the same computer SID, and if the Fred account on
> Computer2 has the same RID as the Mark account, Mark will look
> exactly like Fred to Computer2. Mark can therefore view all the
> files Fred can view, including Fred's private files, and vice
> versa.
>
> The second scenario in which SID duplication causes security
> confusion concerns removable media, such as Jaz drives, which can
> include security information when their formatting includes NTFS.
> In the example in Figure 2, Fred can view any files on removable
> media that Mark can view, because neither Computer1 nor Computer2
> can distinguish between the two users with respect to the security
> permissions assigned to files on the removable drive.
>
> Contrary to common belief, these two scenarios are the only known
> situations where duplicate computer SIDs cause problems. Duplicate
> computer SIDs will not cause networks to fail, nor will they cause
> other problems in an upgrade from NT 4.0 to 5.0.
> </quote>
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.m...
>
Anonymous
February 3, 2005 11:31:28 AM


"David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
news:4E6779FA-1759-4CCB-868A-F31C30F57BCC@microsoft.com...
> Thanks. I did know how duplicate SIDs are created. We hired a contractor to
> help us roll out over 2000 computers to our middle schools and have just
> discovered that there may have been some problems during the imaging process.
> However, this doesn't help me understand what constitutes a duplicate SID.

If you want to find out just for curiosity's sake that is fine. But for
practicality's sake it just isn't important. If you correct the dupe SIDs
like I outlined you wouldn't have the problem any more to begin with.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Anonymous
February 5, 2005 4:00:20 AM


> . . . by removing them from the Domain (make sure the machine
> account gets deleted), . . .

but recognize that this will impact all machines that share that SID

--
Roger Abell

"Phillip Windell" <@.> wrote in message
news:%232ngQ6UCFHA.868@TK2MSFTNGP10.phx.gbl...
> The only thing I can tell you is that the Dupe Sids come from creating
> machines from Images (like Ghost) and then not using a tool (like
> GhostWalker) to create a fresh SID before the machine is put into service.
> If you don't do that every machine made from that image will have the same
> SID.
>
> 1. Image a new machine with Ghost booted in "DOS"
> 2. While still in "DOS", Alter the SID so it is unique using GhostWalker
> 3. Put the machine in service.
>
> You can possibly correct the SID issue by making the machines "workgroup"
> machines by removing them from the Domain (make sure the machine account
> gets deleted), run Ghostwalker to change the SID,...then rejoin them to the
> Domain. However the more time passes and the more the machine is changed
> from when it was originally "imaged" the greater chance something will go
> wrong if the SID is altered.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
> news:FC14550F-6110-4DC0-ACE1-B70CBC9B5962@microsoft.com...
> > We've been trying to troubleshoot some GPO problems lately and while doing so
> > determined that some of our computer labs had duplicate machine SIDs for our
> > XP clients. Some of the computers had exact duplicates of the SID. Others
> > had duplicate RIDs in the SID sub-authority components. Does it matter if
> > any portion of the SID is a duplicate of another? Or does the entire SID
> > have to be a duplicate for it to matter? What should I be looking for?
> > Thanks!
> >
> > --
> > David Shriner
> > Systems Administrator
> > Newport News Public Schools
>
>
Anonymous
February 5, 2005 6:18:43 AM


Identical SIDs are exact matches, in total.
LABF14-04 S-1-5-21-2326369520-3253555194-74049757 exact dupe
LABC16-07 S-1-5-21-2326369520-3253555194-74049757 exact dupe

Non-identical SIDs differing in RIDs other than the last are
from different machines and/or domains
LABF14-15 S-1-5-21-2796713857-2210005112-502944281 dupe last RID
LABC16-17 S-1-5-21-3689853989-2888764536-502944281 dupe last RID
and in the above example these accidentally received the same unique
serialization RID (last RID) from their machines/domains (well, so it would
be interpreted if it were not known this is a duplication artifact).

The Microsoft Policy Concerning Disk Duplication of Windows XP Installations
http://support.microsoft.com/default.aspx?scid=kb;en-us;314828
indicates one example issue, with ACL'd removable media, that results
(or can) from having identical SIDs.
Since in a domain multiple physical machines would be sharing account
objects when looked up via SID you have the possibility for one of the
physical machines being forced out of sync with its domain membership
by actions of the other machine.


fyi, although likely not applicable in your situation
http://www.microsoft.com/resources/documentation/Window...
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"David Shriner" <DavidShriner@discussions.microsoft.com> wrote in message
news:FC14550F-6110-4DC0-ACE1-B70CBC9B5962@microsoft.com...
> We've been trying to troubleshoot some GPO problems lately and while doing so
> determined that some of our computer labs had duplicate machine SIDs for our
> XP clients. Some of the computers had exact duplicates of the SID. Others
> had duplicate RIDs in the SID sub-authority components. Does it matter if
> any portion of the SID is a duplicate of another? Or does the entire SID
> have to be a duplicate for it to matter? What should I be looking for?
> Thanks!
>
> --
> David Shriner
> Systems Administrator
> Newport News Public Schools
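As an added example (not code from the thread or from any of the posters), the following Python script classifies David's inventory the way Roger's reply describes: only computers carrying the whole S-1-5-21-A-B-C value in common are clones, while machines that merely share the trailing sub-authorities are distinct and are reported separately. The inventory dictionary is constructed from the SIDs posted earlier in the thread, and the account-RID helper illustrates the workgroup collision the winntmag quote describes.

```python
import re
from collections import defaultdict

# Constructed inventory: the computer names and SIDs David posted in the thread.
INVENTORY = {
    "LABF14-04": "S-1-5-21-2326369520-3253555194-74049757",
    "LABC16-07": "S-1-5-21-2326369520-3253555194-74049757",
    "LABC16-02": "S-1-5-21-3042452539-622697513-334337264",
    "LABF14-10": "S-1-5-21-596957751-3725260815-359561344",
    "LABF14-12": "S-1-5-21-596957751-3725260815-359561344",
    "LABC16-05": "S-1-5-21-48506347-3646499915-426764551",
    "LABF14-15": "S-1-5-21-2796713857-2210005112-502944281",
    "LABC16-17": "S-1-5-21-3689853989-2888764536-502944281",
    "LABF14-02": "S-1-5-21-1449542653-3364022493-502944281",
    "LABC16-23": "S-1-5-21-3978503659-1809067083-516276246",
    "LABF14-16": "S-1-5-21-290470409-3091673561-677485609",
    "LABF14-20": "S-1-5-21-1608279117-3091673561-677485609",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, (sub, ...))."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    subs = tuple(int(x) for x in m.group(2).split("-")[1:])
    return int(m.group(1)), subs

def is_machine_sid(sid):
    """A machine (or domain) SID is NT authority 5, sub-authority 21, plus three 32-bit values."""
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) == 4 and subs[0] == 21

def exact_duplicates(inventory):
    """SIDs carried by more than one computer: the only case that is a real clone."""
    by_sid = defaultdict(list)
    for name, sid in inventory.items():
        by_sid[sid].append(name)
    return {sid: sorted(names) for sid, names in by_sid.items() if len(names) > 1}

def trailing_matches(inventory, n):
    """Groups sharing the last n sub-authorities but holding at least two distinct SIDs.
    These are different machine SIDs that merely collide in their tail, not clones."""
    by_tail = defaultdict(dict)
    for name, sid in inventory.items():
        _, subs = parse_sid(sid)
        by_tail[subs[-n:]][name] = sid
    return {tail: sorted(m) for tail, m in by_tail.items() if len(set(m.values())) > 1}

def account_sid(machine_sid, rid):
    """Local account SID = machine SID with the account RID appended (the Mark/Fred case)."""
    return f"{machine_sid}-{rid}"
```

Two local accounts with the same RID are indistinguishable only when their machine SIDs are identical, so the "dupe last RID" machines in the table never produce colliding account SIDs.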