  1. #1 by mark

    Scripting new SID for PCs

    Is this possible? Shockingly, in my LA we have 5,000 client PCs all imaged off a few images that no one ever bothered to sysprep or newsid.

    In March we switch to AD and obviously this is a problem. Our able but anti-AD AD project leader says he's scripting the creation of new SIDs on all 5,000 PCs, and it doesn't seem right to me, having run newsid and seen how it takes at least 3 minutes to execute, obviously needing elevated privileges.

  2. #2 by Dom_

    PsExec?

    Never tried, but it might be possible to do it via PsExec?

  3. #3 by mark
    Possible, yes, but not quick/transparent like I'd presume you'd need.

  4. #4
    Quote Originally Posted by Dom_:
        Never tried, but it might be possible to do it via PsExec?

    I'd have thought this would work; PsExec lets you specify which user account to use. However, I'd expect that if you change a computer's SID you'll then have to rejoin whichever domain it's attached to.

  5. #5 by Michael
    You'd be better off running Sysprep with an answer file, so they then automatically re-join the domain.

  6. #6
    I think a massive amount of care is needed here!

    You can't just run newsid and leave it there; I'm pretty sure that will break the link to AD (the SID for the computer is stored in AD; not sure if that's the only link, but it won't be good to have one SID on the machine and another in AD).

    You could have a machine startup script which ran newsid and then rejoined the domain using netdom.

    Another alternative might be to use sysprep; provided that there are no local accounts on the machines you won't lose anything (domain profiles will be fine, and any files created by domain users will also be OK because the ACL will contain a domain SID and that won't change).

    What I think you could do is use a machine startup script to generate a sysprep.inf for each machine (it's going to be fairly straightforward; the only thing that will be different is the machine name, and that's going to be the same as the machine is now). I don't think you even need to run mini-setup - the hardware hasn't changed - you just need the "regenerate security identifier" option.

    Logic would be something like:

    Have I already been sysprepped (check for flag file or registry entry) - yes, quit
    Copy sysprep folder from server and edit line with computer name to match "my name"
    Run sysprep and force reboot at end
    Machine will then restart, sysprep itself and join the domain
    Next time the machine starts up on the domain it will find it's already been done and not re-run the process

    I'd really, really want to test this carefully :-)

    Not sure when the domain was first set up but although MS have always said that you must have unique SIDs in a domain, I think it was only really Active Directory that made it essential (and possibly not even until Server 2003). Certainly, back in the NT days, it didn't seem to matter.

  7. #7 by mark
    Thank you for those replies.

    The machines aren't on a domain yet.

  8. #8
    I agree with you, Steve - this one will take some careful planning and LOADS of testing.

    Given that it isn't currently an AD domain (Wow! No AD in 2009!!!) we can ignore existing SIDs.

    Your suggested structure (copied below) makes a lot of sense, so I thought perhaps we could all collaborate on a solution to overcome this issue.

        Have I already been sysprepped (check for flag file or registry entry) - yes, quit
        Copy sysprep folder from server and edit line with computer name to match "my name"
        Run sysprep and force reboot at end
        Machine will then restart, sysprep itself and join the domain
        Next time the machine starts up on the domain it will find it's already been done and not re-run the process

    It'd have to be done in VBScript, thus giving access to all the WMI calls.

    Who's up for it?

  9. #9 by Michael
    If the machines aren't on the domain, then Sysprep is definitely what you need. Simply extract the files from the Windows CD's \Support\Tools\Deploy.cab file to C:\Sysprep.

    Within C:\Sysprep I created Sysprep.inf using Setupmgr.exe:

    Code:
    ;SetupMgrTag
    [GuiUnattended]
        ; example value: set the local Administrator password you actually want
        AdminPassword="password"
        EncryptedAdminPassword=NO
        OEMSkipRegional=1
        TimeZone=85

    [UserData]
        ProductID=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
        FullName="Logistix Computer Solutions"
        OrgName="Logistix Computer Solutions"

    [TapiLocation]
        CountryCode=44
        Dialing=Tone
        AreaCode=0121

    [RegionalSettings]
        LanguageGroup=1
        Language=00000809

    [Identification]
        JoinDomain=DOMAIN_NAME
        ; example values: replace with the account used to join machines to the domain
        DomainAdmin=administrator
        DomainAdminPassword=password

    [Networking]
        InstallDefaultComponents=Yes

    [Unattended]
        TargetPath=\WINDOWS

    [Branding]
        BrandIEUsingUnattended=Yes

    [Proxy]
        Proxy_Enable=0
        Use_Same_Proxy=0

    This 99% automates the Sysprep procedure and joins the domain. I just manually specify the computer name and that's it. The only thing left of course is to move the Computer Objects in Active Directory to the relevant OUs so machines pick up domain policies.

  10. #10 by mark
    That's nice, Michael. Tho' I wouldn't fancy manually entering 5,000 computer names.

  11. #11
    Mark, I'm in the middle of a CMIS upgrade (Yay!! Lucky old me!)

    Once done, I'll post a VBScript that'd take the local PC name and write it into Michael's answer file.

    What would still be needed is a method to a) check if the machine's been Sysprepped and joined to the domain and b) something (like a start-up script) to kick it all off.

    Once you have all that, you can go and test and report back, and once fine-tuning's completed you should have an automated solution, and the beers will be on you! :-D

  12. #12 by Michael
    Quote Originally Posted by mark:
        That's nice, Michael. Tho' I wouldn't fancy manually entering 5,000 computer names.

    The only reason I manually specify a computer name is so I can put machines in numerical order (like in an ICT Suite). If it doesn't matter, you can specify a list of computer names and Sysprep automatically uses the next available name. Only problem with this, is Workstation14 could be positioned next to Workstation25 (for example).

  13. #13
    Michael, you've done a lot already simply by posting the answer file.

    I'm working on the assumption that they'd want to keep all 5,000 PCs named exactly as they are, so I'm building a simple script to find the localhost name, then write that into the answer file, prior to Sysprepping.
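The startup-script logic sketched in post #6 together with the name-writing script promised in posts #11 and #13, as an added example that is not from the thread: it assumes an answer file laid out like Michael's (with a [UserData] section), uses placeholder share and flag-file paths, and is written in Python to show the logic where the thread proposes VBScript.

```python
# Startup-script logic from the thread: quit if already sysprepped, write this
# machine's name into [UserData] of the shared sysprep.inf, then run Sysprep.
# Added example, not from the thread; share and flag paths are assumptions.
import os, socket, subprocess

TEMPLATE_INF = r"\\server\deploy\sysprep\sysprep.inf"  # assumed share path
FLAG_FILE = r"C:\Windows\sysprepped.flag"  # assumed; Sysprep deletes C:\Sysprep itself

def _add_key(out, key, value):  # insert before the blank lines that end a section
    while out and not out[-1].strip():
        out.pop()
    out += [f"    {key}={value}", ""]

def set_ini_key(text, section, key, value):
    """Return text with key=value set in [section]; every other line stays verbatim."""
    out, in_section, seen, done = [], False, False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_section and not done:
                _add_key(out, key, value)
                done = True
            in_section = s[1:-1].lower() == section.lower()
            seen = seen or in_section
        elif in_section and s.split("=", 1)[0].strip().lower() == key.lower():
            indent = line[: len(line) - len(line.lstrip())]
            line, done = f"{indent}{key}={value}", True
        out.append(line)
    if in_section and not done:
        _add_key(out, key, value)
    elif not seen:
        out += [f"[{section}]", f"    {key}={value}"]
    return "\n".join(out).rstrip("\n") + "\n"

def build_sysprep_inf(template, computer_name):
    """Sysprep takes the target name from [UserData] ComputerName ('*' = auto-generate)."""
    if not computer_name or len(computer_name) > 15:  # NetBIOS name limit
        raise ValueError("invalid computer name: %r" % computer_name)
    return set_ini_key(template, "UserData", "ComputerName", computer_name)

def main():
    if os.path.exists(FLAG_FILE):  # step 1: already done, quit
        return 0
    with open(TEMPLATE_INF) as src, open(r"C:\Sysprep\sysprep.inf", "w") as dst:
        dst.write(build_sysprep_inf(src.read(), socket.gethostname()))  # step 2
    open(FLAG_FILE, "w").close()  # written first: with -reboot we may never return
    return subprocess.call([r"C:\Sysprep\sysprep.exe", "-quiet", "-reboot"])

if __name__ == "__main__":
    raise SystemExit(main())
```

Because the answer file carries DomainAdminPassword in clear text, restrict who can read the share it is served from and use a dedicated account that only has the right to join computers to the domain rather than an administrator account.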

  14. #14 by Michael
    Quote Originally Posted by #13:
        I'm working on the assumption that they'd want to keep all 5,000 PCs named exactly as they are, so I'm building a simple script to find the localhost name, then write that into the answer file, prior to Sysprepping.

    Yes, that would work, but I thought the 5,000 machines were imaged from the same image, so theoretically they must all have the same name too? Just a thought... I can't see how the machines would have different names without using Sysprep?

  15. #15 by danrhodes
    Quote Originally Posted by Michael:
        Yes, that would work, but I thought the 5,000 machines were imaged from the same image, so theoretically they must all have the same name too? Just a thought... I can't see how the machines would have different names without using Sysprep?

    Depending on how they ghosted the machines: I know the latest version of Ghost can take a name, say Computer, and add a number to the end of each it ghosts, so Computer1, Computer2, but this is only when using the console and I'm not even sure how it works, or even how reliable it is. Try using Ghost Walker instead of NewSID?

    D
