The Machine SID Duplication Myth (and Why Sysprep Matters)

re: The Machine SID Duplication Myth (and Why Sysprep Matters)

kinokijuf — Sun, 19 Feb 2012 16:26:11 GMT

Is there a way to specify a sid in Vista at install-time? I would want to migrate from x86 to x64, but with retaining user profile and all.

re: The Machine SID Duplication Myth (and Why Sysprep Matters)

Fred Peterson — Fri, 22 Apr 2011 20:52:09 GMT

I'm amazed people keep bring up 3rd party software, even if that 3rd party software is WSUS or some other Microsoft software.

Mark's original post is commenting only with regard to the functionality of Windows the operating system. In frank words, he could give a flying rats ass about add-on MS or 3rd party software functionality and requirements - he wasn't commenting on that.

re: The Machine SID Duplication Myth (and Why Sysprep Matters)

Drewfus — Thu, 17 Mar 2011 07:38:45 GMT

Mark,

suppose files or folders on removable media were ACLed with the SID-RID of a local user. The machine is then reimaged or Windows setup is rerun after formatting %systemdrive%. The machine now has a different SID, at least in the latter case, and the user represented by SID-RID can possibly no longer access the files on the removable drive. Isn't this a case where cloning of SIDs is not only a non-problem, it's actually *desirable*? Furthermore, wouldn't it also be desirable for that same user to receive the same RID on the rebuilt system as they had previously? Is a mechanism required for this? I know RIDs on a local system are allocated sequentially, but would some mechanism for matching new accounts to a prefered RID be beneficial?

> net user username password /add /matchrid:@Users-RIDs.txt | \\MasterBrowser

That is, get the RID from a file that associates usernames with RIDs, or compare username to the same name on another computer in the workgroup.

re: The Machine SID Duplication Myth (and Why Sysprep Matters)

Joaoma — Fri, 04 Feb 2011 00:39:21 GMT

Hi Mark,

Just a correction for the blog post. the WSUS still requires a manual process to remove its own entries even when sysprep is used. support.microsoft.com/.../903262

re: The Machine SID Duplication Myth

Jani Anttila — Thu, 13 Jan 2011 07:10:49 GMT

Hi Mark,

Your post helped me to understand one very important thing. I also wrote my first blog post about it. You can read it from www.citrixpro.com/.../virtual-machine-cloning-and-sysprep

re: The Machine SID Duplication Myth

Kevin — Mon, 27 Dec 2010 23:39:11 GMT

Mark, please don't even bother to publish comments like cpmin's, who obviously did not read the whole article or any comments regarding sysprep. There were LOTS of them.

And thank you for this article. It has helped clear up a lot. We just imaged about 700 machines using MDT, and some I used the setup process with, some I didn't. None were joined to the domain. It's comforting to know it won't be an issue, and we don't use WSUS.

re: The Machine SID Duplication Myth

cpmin — Tue, 21 Dec 2010 02:28:23 GMT

I have to disagree with this completely. In fact, some of the labs in the Microsoft Exam prep for 70-642 are not possible if you are using virtual machines from a clone unless syspreped. After experiencing the problem with the labs I ran into it on a customer network. In the lab as well as at the customer, the member server was not able to resolve local machine security groups for use on file/folder or other security permissions. After syspreping the VM the problem went away both in the labs as well at the customer site.

re: The Machine SID Duplication Myth

Martyn James — Fri, 17 Dec 2010 15:05:57 GMT

The answer to any machine identification for an application seems to often be "the application puts its own identifier onto the system".

Computers get dropped, hard drives crash, or otherwise corrupted, applications get removed, something else (by design or accident) removes the local system identifier. At that point, the SID would be the only hope to identify whether this is the same machine - there is not much else (perhaps one can use the MAC address of the ethernet card(s)). If one is trying to recover data (or specifically recover your application whose custom identifier has been removed) to a machine that does not have the custom identifier; having a system identifier is pretty useful.

Even if we ignore the above argument, does it not seem wasteful to have every software vendor create their own identifier on every machine - wouldn't you want an operating system to provide such an identifier (especially if the OS used to, and decided to no longer support it).

re: The Machine SID Duplication Myth

Mark Russinovich — Fri, 19 Nov 2010 12:38:33 GMT

@Itsme

Sorry, but you're incorrect.

re: The Machine SID Duplication Myth

Itsme — Mon, 15 Nov 2010 17:28:08 GMT

I made a respectful comment some while ago on this blog suggesting that if Sysinternals were still independent from Microsoft, NewSID would have been updated instead of retired. For some reason that post never showed up here. I find it interesting that type of post would be censored here.