Concrete Examples of Duplicate SID problems--Do y'all have any?
Posted by Tech_in_the_woods on May 5th, 2006


Hi,

We are running Windows XP clients in a Server 2003 environment with AD. We
use Ghost to image machines. I have been reading everything I can concerning
issues with duplicate SIDs being created if you use Ghost without running
sysprep or some other 3rd party SID changer. (Although I know 3rd party
products are not supported by MS)

The majority of the documentation seems to indicate that you will have major
problems if you have duplicate SIDs in a workgroup setting, but you should
not have such problems in a network setting. (Something to do with the RIDs?)
I have not seen anyone post concrete examples of how duplicate SIDs cause
problems on a network. (I have read about the removable media security
issue) Can anyone offer some concrete examples of how duplicate SIDs can
negatively impact a network?
--
You want me to do what?!?!

Posted by Carey Frisch [MVP] on May 5th, 2006


Do not disk duplicate installed versions of Windows
http://support.microsoft.com/kb/162001/en-us

How to change the SID on a Windows XP, Windows 2000, or Windows NT computer
http://service1.symantec.com/SUPPORT...99050308324125

The Microsoft Policy Concerning Disk Duplication of Windows XP Installations
http://support.microsoft.com/default...&Product=winxp

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/


Posted by Tech_in_the_woods on May 5th, 2006


I have read all of these, but perhaps you could explain the significance. I
feel thick-headed, but can you give a real-life example of the concepts they
are talking about?
--
You want me to do what?!?!



Posted by Jean-Philippe Breton on May 5th, 2006


Computer acting weird:

- Unable to sync time with DC
- Unable to join domain
- Error message in event Viewer

Any reason why you don't want to use sysprep?
--
Jean-Philippe Breton
Alphamosaik




Posted by Tech_in_the_woods on May 5th, 2006


Thank you! That is exactly what I needed!!! Let me put it this way--there is
no reason I did not want to use sysprep, but the image creators did not like
the fact that they had to go through the mini setup. My inability to give
some concrete examples of why we should use sysprep other than "Everybody
says it should be done this way" did not further my cause in convincing them.
You pointed out some inexplicable issues we have had that will go a long way
towards convincing them of the need.
--
You want me to do what?!?!



Posted by Hunter01 on May 5th, 2006


Jean-Philippe Breton wrote:

Not true, despite the fact we enforce SID changing (to be on the safe
side) we've had a few occasions where people have decided to short-cut
(and been summarily executed for doing so) and that was never a result
from that, in one case with over 60 machines going out with the same SID.



As above, very notably so, or not one of them would've gone out.



Being? I'm curious now, does anyone have any real real-world examples of
duplicate SID problems?? We've always just played safe where I work, but
has anyone really seen that big bad bugbear Microsoft tells us to fear
with duplicate machine SID's in a domain environment?



Actually you'd be a fool to use Sysprep merely to change a SID when
there are much better tools around which aren't remotely as intrusive,
don't take a fraction of the time and don't mangle things. Sysprep's
main realistic purpose is to make an image as hardware independent as
possible, and if I could find a third party tool that did the same job
without the Microsoft enforced mangle-ation of customisations I'd bin
Sysprep in a second, I really hope Altiris get around to it, as they've
covered pretty much every other base and now acquired WISE for package
development, so that's all that is missing for a complete desktop
management solution. But this is starting to feel like going over old
and obvious ground over and over, so I won't bother going into any more
detail.


Posted by Hunter01 on May 5th, 2006


Tech_in_the_woods wrote:

Except they're all wrong, at least we've never experienced any of them
in our domain environment (hence they are not results of not changing
the SID in a domain environment, unless possibly mixed with other
pre-existing situations which we obviously do not have) when we've had
PCs deployed with duplicate SIDs. And again... Why knock down walls
when all you need is a paint job?

Sysinternals have a much better tool for changing the SID if you're not
looking for "one image fits all" and aren't willing to spend money.

Perhaps you should hear your image creators out... The only reason we
bother to change the SID is we don't want to take any risks and it ain't
a big drama anyway. And even then we only now use Sysprep to gain that
"one image fits all", prior to that we happily operated under a Ghost
license using Ghostwalk for a longggg time. What propelled us into
change was an amalgamation that near doubled our size, which led us into
the land of Altiris, and the sudden onslaught of new hardware types led
us into Sysprep.

Prior to that situation we would've summarily executed anyone that used
Sysprep to change the SID on a dedicated platform image, due to the
incredibly large waste of time post-image, and the severe mangalation of
customisations.


Posted by Shenan Stanley on May 5th, 2006


Hunter01 wrote:
Using GhostWalker or NewSID or some other tool after imaging a machine
always worked great for me - and didn't have the weird feeling that SysPrep
gave some people.

It can cause all the problems listed above as well as other weirdness - not
changing the SID. And when you consider it is (at most) 60 seconds to add
that to an after-script <- I say why not change the SID and avoid the
possibilities. It certainly does no harm and gets rid of one more suspect
when trying to track down issues in the future.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



Posted by Hunter01 on May 6th, 2006


Shenan Stanley wrote:

Nor the driver excision (which is exactly what you want if you are using
a multiple platform image) or the mutilation of customisations (which is
not something that anyone wants, but for some bizarre reason Microsoft
do it anyway). Sysprep simply isn't a valid tool for SID changing, it's
a valid tool for hardware independence.



I have yet to actually meet anyone that has experienced any of this
though, and know of other sites that don't change their SIDs at all.
Regardless of having never met anyone that's had any problems, I sort of
consider that insanity to be honest; a proper SID tool will only take a
couple of minutes to run, but if something ever raises its ugly head as
a problem, and you haven't been doing it, it's way too late 2000 PCs
later. Although thinking on that, Altiris could fix the SIDs on those
2000 PCs in no time I suppose if that site had Altiris...



I agree entirely, I'm more curious than anything else if anyone has ever
really encountered any problems first hand. In fact, to be honest, the
pedant in me would probably force me to do it even if Microsoft didn't
claim problems with not doing it. It gives me a bad feeling having
something that is supposed to be a unique ID for the PC the same on all
PCs; even if the domain does take care of that with its own
identifier, something about the whole concept of leaving the SIDs the
same makes me shudder.

Posted by Ian on May 7th, 2006


Did some fairly extensive benchtests on this, and AFAICS in the situation
where two computers have an identical user-account/password pair it makes no
odds whether SIDs of the accounts are identical or not. Microsoft seem to
indicate that having differing SIDs should provide security between the two
computers.. but it doesn't, as is easily demonstrated.

Over the course of my career I've imaged numerous 2000/XP computers, and
never seen these purported problems 'in the wild.' I use NewSID, but I'm
unsure whether it makes any measurable difference.

I don't regard sysprep as being a usable tool, mainly because it loses the
default userprofile setup. What is the point of sysprepping, if the settings,
so painstakingly done, are lost? You might as well start from scratch in that
case.

Usual policy these days for new computers is to image from a stock copy for
that model, then change the serial and re-activate.

As far as I can tell from the write-ups, the SID question does not apply to
domain accounts either, only to local accounts.

-------------------------------

An alternative approach to XP network logon - http://mylogon.net




Posted by Shenan Stanley on May 7th, 2006


Ian wrote:
Haven't researched sysprep in a while, eh?
http://support.microsoft.com/kb/887816

As far as the SID - again - 60 seconds of automated time vs potential issues
(even if no one has actually seen them in years - although that could be
because most change the SID and/or join domains now) leads me to the
decision to continue changing the SIDs on newly imaged systems.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



Posted by Hunter01 on May 7th, 2006


Shenan Stanley wrote:

I have, I use it daily, and I agree with everything he said. All that
article points out is that Microsoft no longer think we have the
intelligence to set up our own "default user" profiles and decided to
use the local administrator profile to rebuild the "default user"
profile in effect. Easily worked around by using the local admin profile
to set up your default user profile.

That doesn't address the rest of the mangleations that you don't
encounter if you don't use Sysprep. Firewall being turned back on for
instance, the security database being randomly mangled as well. A few
other things, all of which we've managed to work around with a
post-image job using Altiris, but not everyone has Altiris or a
comparable desktop management environment.



Agree with you entirely. Use sysprep if you want a one-image-fits-all
model and are willing to work around the mangleations, or if you have
only a few hardware platforms, use a dedicated image for each, use a
proper SID changing tool, and steer well clear of Sysprep. Best advice I
can think to give in the real-world environments we all work in.


Posted by Tech_in_the_woods on May 9th, 2006


We have run into some issues with WSUS and duplicate SIDs. Not quite sure
why, but running a script to change the SID at startup seemed to work.
--
You want me to do what?!?!

