What are the problems with workstations having the same SID?


John Savill

June 4, 1999


A. At the start of the GUI phase of installation, each NT/2000 installation generates a unique Security IDentifier (SID). If you then clone a workstation, each installation would have the same machine SID. This is not a problem in a Windows NT 4.0 domain, as users have a SID generated by the domain controller and do not use the local workstation SID for security. It IS a problem in a Windows 2000 domain, as the local machine SID is used in nearly all aspects of security, and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations.

Duplicate local SIDs are also a very big security risk in workgroups; let's look further.

In a workgroup the user accounts are based on the local workstation SID plus a relative identifier (RID). If all the workstations have the same SID, then the first account generated on each workstation (and the second, and so forth) is the same, because the duplicate local SID combined with the same RID produces an identical account SID. This makes it impossible to secure files and folders on a per-user basis, since different users will have the same SID and all security is based on the user SID.

An example illustrates this best:

Two workstations, wstation1 and wstation2, deployed using cloning software each have duplicated SIDs.

User John on wstation1 has a local machine account on wstation1 of S-1-5-34-148593445-285934854-2859284934-1010.

User Kevin on wstation2 has a local machine account on wstation2 of S-1-5-34-148593445-285934854-2859284934-1010.

User John saves private work on an NTFS drive and creates a share called private that only he can access. If Kevin browses the network and attempts a connection, he will have full access, as his SID is identical to John's. There is no way to differentiate between them. Expand this to 100 machines installed via duplication, all with the same local SID, and you can see you have no security. Any files stored on removable media with security applied would also be vulnerable.
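The collision above can be checked for across a fleet by splitting each account SID into its machine SID (all but the last sub-authority) and its RID. The following is an added example, not code from the original article; the inventory is constructed from the article's SID, with a hypothetical third machine (wstation3) that has its own distinct machine SID.

```python
import re
from collections import defaultdict

# Constructed inventory: hostname -> list of (account name, account SID).
# wstation1/wstation2 use the SID from the article; wstation3 is hypothetical.
INVENTORY = {
    "wstation1": [("John", "S-1-5-34-148593445-285934854-2859284934-1010")],
    "wstation2": [("Kevin", "S-1-5-34-148593445-285934854-2859284934-1010")],
    "wstation3": [("Alice", "S-1-5-34-998877665-123456789-1122334455-1010")],
}

# S-<revision>-<identifier authority>-<sub-authorities...>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def split_sid(sid):
    """Return (machine SID, RID): the RID is the last sub-authority."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    subauths = [int(x) for x in m.group(3).split("-")[1:]]
    if len(subauths) < 2:
        raise ValueError(f"SID has no RID component: {sid}")
    machine = "S-%s-%s-%s" % (m.group(1), m.group(2),
                              "-".join(str(s) for s in subauths[:-1]))
    return machine, subauths[-1]


def find_duplicate_machine_sids(inventory):
    """{machine SID: sorted hostnames} for machine SIDs seen on more than one host."""
    hosts_by_machine = defaultdict(set)
    for host, accounts in inventory.items():
        for _name, sid in accounts:
            machine, _rid = split_sid(sid)
            hosts_by_machine[machine].add(host)
    return {m: sorted(h) for m, h in hosts_by_machine.items() if len(h) > 1}


def colliding_accounts(inventory):
    """{account SID: [(host, name)]} where one full SID names accounts on different hosts."""
    owners = defaultdict(list)
    for host, accounts in inventory.items():
        for name, sid in accounts:
            owners[sid].append((host, name))
    return {s: sorted(o) for s, o in owners.items() if len({h for h, _ in o}) > 1}


if __name__ == "__main__":
    for machine, hosts in find_duplicate_machine_sids(INVENTORY).items():
        print(f"machine SID {machine} is shared by {', '.join(hosts)}")
    for sid, owners in colliding_accounts(INVENTORY).items():
        print(f"{sid} names: " + "; ".join(f"{n} on {h}" for h, n in owners))
```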

Microsoft has a tool, SYSPREP, which can be used on a workstation system BEFORE cloning; it resolves the SID problem by generating a new SID when each cloned installation is first started. SYSPREP is provided as standard in Windows 2000, and a version for 4.0 can be requested from Microsoft.

SYSPREP does have a few "problems" on Windows member servers: if a server with several local accounts is cloned, the SIDs of the extra accounts are not updated; only the two primary accounts, Administrator and Guest, are fixed. This means the other accounts would be left with the old SID and thus considered orphaned.

Other SID-fixing utilities are:
