Changing WinXP SIDs

[park_bench]

We all know that you must change your XP client's SID when it has been imaged.

But... hypothetically speaking... what would happen if you cloned, let's say, a suite of computers and didn't change any of the SIDs - just Workstation name and IP address?

Just hypothetically, mind!

[cookie_monster]

If you then joined them to the domain you should be ok but if they were in a workgroup then you would have problems as all of the local admin accounts would have the same SID in fact any account created on any of the machines would have the same SID.

[contink]

If you then joined them to the domain you should be ok but if they were in a workgroup then you would have problems as all of the local admin accounts would have the same SID in fact any account created on any of the machines would have the same SID.

IIRC (hypothetically :P) One example is that Sophos will not recognise more than one workstation and as a result won't deploy remotely.

[Kyle]

What about duplicate GUID's?

I have over 20 computers that all have the same GUID. The event viewver on the Remote Installation server is moaning about it all the while.

[AustenLowe]

LOL Don't be lazy use newsid or sysprep

[cookie_monster]

Oh yeh and WSUS doesn't recognese more that one PC either.

As stated above always use sysprep or newsid.

[ICT_GUY]

My brother in law does this a lot, and no matter how much I tell him to use sysprep he just keeps on deploying those images.

I'm just waiting for it to bite him in the bum.

[Oops_my_bad]

We just use ghost here - but we image whilst it's disjoined. So in theory when you jpin the domain after imaging the SID should always be different?

[dhicks]

We just use ghost here - but we image whilst it's disjoined. So in theory when you jpin the domain after imaging the SID should always be different?

Joining a domain doesn't give your computer a new SID, if that's what you mean. You should use newsid to set a new SID for the computer before joining the domain.

--
David Hicks

[Oops_my_bad]

Oh well. That's potentially a 1000+ clients with the same SID then

But that said, our AV, WSUS, ADUC works properly

[mortstar]

My brother...does this a lot, and no matter how much I tell him to use sysprep he just keeps on deploying those images.

I'm just waiting for it to bite him in the bum.

....This sounds familiar park_bench...

As mentioned above, matching SIDs mean that WSUS doesn't recognise each computer. They do get the updates intended - just no information on which updated correctly etc. etc.

Not sure which antivirus you use but it may cause problems with that. Here it's McAfee with ePO for central management. Each machine is given an "Agent ID" independently by the Agent installer - so this key has to be deleted before the image is taken.

Just get NewSID from Sysinternals to assign a new SID apres-image if sysprep is a no-no, like it is on a bunch of 5 year old PCs here with OEM versions of XP on them - that buggers up imaging.

[Michael]

The symptoms of WSUS (when multiple machines share the same SID) is that they appear then disappear in turn within the console! But they do receive updates still.

I could imagine it would create problems with some AV software, but I think the reason Active Directory works ok, is because the computer object account itself is also given a unique SID.

[park_bench]

Thanks everyone.

I asked this question for a friend y'know, so, I'll let him know what you've said!