Creating a new server as a copy of an existing one saves time.
However, it leads to one computer SID being used by two different machines.
This can be prevented with NewSID – but you really don’t need to.
…from practice
Recently I faced the task of preparing a platform for a test installation. The first server was installed quickly. The second one I wanted to clone from the first because, you know, time is money. As an experienced consultant in the Microsoft world I knew that simply copying an installed machine is a no-go and can cause problems. The dreaded machine SIDs are supposedly the cause, because they are immortalized in the security descriptors of every securable object (files, folders, registry keys, shares, …). Because I somehow couldn’t find the long-known tool NewSID by Sysinternals (now Microsoft) in the tools folder on my laptop, I wanted to download a fresh copy from the internet.
NewSID development stopped – but still no problem
Instead I had to read that it is no longer being developed. Its creator Mark Russinovich explains the reason in the following article: http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx
According to Mr. Russinovich it is simply not necessary in most cases to change the computer SID. Thinking about it more thoroughly, I have to admit that this is logical. Recalling what the computer SID is used for, it turns out that it is only used on the computer itself and never leaves it towards the network.
When is the SID used?
Some may ask themselves whether this also holds when a computer is a member of an Active Directory domain and thus a computer object exists which could have rights on other resources as well. You have to know that each system which joins a domain gets its own SID, consisting of the domain part and a relative identifier (RID). Only this SID plays a role in granting permissions. It is stored in the computer object in the AD and has nothing to do with the computer SID.
Group memberships aren’t a problem either, because computer-local groups and users can never be members of a domain group.
Even in workgroup scenarios no issues occur, because access to a different computer is only granted with a username/password.
What problems can a double used SID cause?
Usually there shouldn’t be problems with cloned computers, but you should be aware of the following limitations:
- A computer image not treated with Sysprep is not supported by Microsoft.
- Programs that identify the computer via its SID understandably have a problem.
- Access to NTFS-formatted removable media: of course all standard groups of cloned computers have access, but possibly individual users and groups as well. It is therefore advisable to encrypt storage media in security-critical environments.
- Domain controllers: domain controllers should never be copied, as the computer SID of the first DC is the base for the domain SID. All other DCs adopt this SID part. It is easy to imagine what happens when the domain and its members have the same SIDs.
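The relationship between machine SID, domain SID and RID described above, and the removable-media case from the list, as an added Python model. This is not the article’s own code; all host names, SID values and account names are constructed for the demonstration, and the binary layout used in `sid_to_bytes` is the standard SID structure that security descriptors store.

```python
"""
Added example, not part of the article: a small model of how Windows SIDs are
built and why a duplicated *machine* SID only matters for local accounts.
All host names, SID values and account names below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-1-5-21-a-b-c-RID' into (revision, identifier authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def format_sid(revision: int, authority: int, subauths: List[int]) -> str:
    return "-".join(["S", str(revision), str(authority), *map(str, subauths)])


def issuer_part(sid: str) -> str:
    """Everything except the final RID: the machine SID for a local account,
    the domain SID for a domain account. This is the part a raw clone duplicates."""
    revision, authority, subauths = parse_sid(sid)
    return format_sid(revision, authority, subauths[:-1])


def rid(sid: str) -> int:
    """The relative identifier, e.g. 500 for the built-in Administrator."""
    return parse_sid(sid)[2][-1]


def sid_to_bytes(sid: str) -> bytes:
    """Binary layout as stored in security descriptors: revision (1 byte),
    sub-authority count (1 byte), 6-byte big-endian identifier authority,
    then each sub-authority as a 4-byte little-endian integer."""
    revision, authority, subauths = parse_sid(sid)
    out = bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
    for sub in subauths:
        out += sub.to_bytes(4, "little")
    return out


def sid_from_bytes(data: bytes) -> str:
    """Inverse of sid_to_bytes, e.g. for a SID read out of an ACE."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subauths = [int.from_bytes(data[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return format_sid(revision, authority, subauths)


def find_duplicate_machine_sids(admin_sids: Dict[str, str]) -> Dict[str, List[str]]:
    """Given each host's built-in Administrator SID (RID 500), group the hosts
    that share a machine SID: the practical check for un-sysprepped clones."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host, sid in admin_sids.items():
        if rid(sid) != 500:
            raise ValueError(f"{host}: expected the RID-500 account, got {sid}")
        groups[issuer_part(sid)].append(host)
    return {machine_sid: hosts for machine_sid, hosts in groups.items() if len(hosts) > 1}


def resolve_ace(ace_sid: str, local_accounts: Dict[str, str]) -> Optional[str]:
    """How a machine interprets a SID found in an ACE on, say, a removable NTFS
    disk: the SID must match exactly, so a clone with the same machine SID maps a
    foreign local account's SID onto whichever of its own accounts holds that RID."""
    return local_accounts.get(ace_sid)


# --- constructed scenario -------------------------------------------------
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"          # host A's machine SID
HOST_A = {MACHINE_SID + "-500": "Administrator", MACHINE_SID + "-1001": "alice"}
HOST_B = {MACHINE_SID + "-500": "Administrator", MACHINE_SID + "-1001": "bob"}   # raw clone of A
HOST_C = {"S-1-5-21-4000000001-4000000002-4000000003-500": "Administrator"}     # sysprepped clone
DOMAIN_SID = "S-1-5-21-2002020202-3003030303-4004040404"
HOST_A_COMPUTER_ACCOUNT = DOMAIN_SID + "-1105"   # HOSTA$ in AD: domain SID + RID, unrelated to MACHINE_SID

if __name__ == "__main__":
    admins = {host: next(s for s, n in accts.items() if n == "Administrator")
              for host, accts in {"hostA": HOST_A, "hostB": HOST_B, "hostC": HOST_C}.items()}
    print("duplicate machine SIDs:", find_duplicate_machine_sids(admins))
    alice = MACHINE_SID + "-1001"
    print("ACE for alice resolves on hostB to:", resolve_ace(alice, HOST_B))
    print("ACE for alice resolves on hostC to:", resolve_ace(alice, HOST_C))
    print("computer account shares machine SID part:",
          issuer_part(HOST_A_COMPUTER_ACCOUNT) == MACHINE_SID)
```

On real hosts the input to `find_duplicate_machine_sids` would be the SID of each host’s built-in Administrator account (RID 500), read locally on every machine; two hosts with the same prefix are raw clones. The `resolve_ace` calls show the one place where that matters: an ACE written for `alice` on host A is read as `bob` on the clone, while the sysprepped host C cannot resolve it at all. The computer account in AD carries the domain SID plus a RID and shares nothing with the machine SID, which is why domain permissions are unaffected.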
PS: You can still download NewSID from various download sites; only Microsoft has stopped providing the download on their website.