The Machine SID Duplication Myth

Posted by kdawson
from the no-harm-in-seeing-double dept.
toppings writes "Microsoft Technical fellow Mark Russinovich explains why he is now retiring NewSID, which has been used by IT departments for years when deploying Windows to new systems from customized clone images. Russinovich writes: 'The reason that I began considering NewSID for retirement is that, although people generally reported success with it on Windows Vista, I hadn't fully tested it myself and I got occasional reports that some Windows component would fail after NewSID was used. When I set out to look into the reports I took a step back to understand how duplicate SIDs could cause problems, a belief that I had taken on faith like everyone else. The more I thought about it, the more I became convinced that machine SID duplication — having multiple computers with the same machine SID — doesn't pose any problem, security or otherwise. I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. At that point the decision to retire NewSID became obvious.' He concludes: 'It's a little surprising that the SID duplication issue has gone unquestioned for so long, but everyone has assumed that someone else knew exactly why it was a problem. To my chagrin, NewSID has never really done anything useful and there's no reason to miss it now that it's retired. Microsoft's official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation.'"

  • fp (Score:4, Funny)

    by Anonymous Coward on Tuesday November 03, 2009 @10:22PM (#29972568)
    Maybe slashdot should get rid of the dupe sids, too.
  • by dbIII (701233) on Tuesday November 03, 2009 @10:34PM (#29972684)
    A great deal of Microsoft security is unfortunately just like the underwear of Britney Spears.
    If it's even there at all it's needlessly complex and frilly, looks good without actually covering much and is far too easy to get around or remove completely.
    The excessive complexity for no good reason of the SID and the way UIDs are implemented on that array of platforms are a good example of this.
  • Re:ID (Score:1, Funny)

    by riff420 (810435) on Tuesday November 03, 2009 @10:37PM (#29972708)
    Obviously SOMETHING needs to go in that text input box. Duh!
  • by flydpnkrtn (114575) on Tuesday November 03, 2009 @10:45PM (#29972750)
    Based on this post, I move that we change the default Slashdot analogy model from cars to one based around celebrity wardrobe malfunctions. This was simply awesome, sir.
  • by flydpnkrtn (114575) on Tuesday November 03, 2009 @10:47PM (#29972762)
    I got that impression from the post as well.. "Umm I haven't tested it with NT 6.0 er Vista, and I don't really feel like testing it with NT 6.1 er 'Windows 7,' so we're just gonna retire the thing..."
  • by shemp42 (1406965) on Tuesday November 03, 2009 @11:06PM (#29972898)
    I have said this for years, glad it's finally being widely accepted. My coworkers when ghosting machines would be fanatical about changing the SIDs. I have a bad memory and would often forget to change them with no problems. I finally just started skipping the step of changing SIDs and never had any adverse issues. When I told my coworkers about this they would rattle off a litany of problems that I "could" encounter. After 10 years it's nice to know I was right all along. So now a drum roll please...... IN YOUR FACE....MY COWORKERS!
  • by NoYob (1630681) on Tuesday November 03, 2009 @11:08PM (#29972908)

    And then we found the moveuser.exe utility on the server resource kit and asked them what the $250,000 was for. Not that anyone who pays two hundred and fifty thousand dollars for a few lines of vbscript is smart (the phbs wanted something bonafide), but I'm just sayin'...

    A company was having a problem with one of their machines, so they called in this specialist. The specialist came in, examined the machine, pulled out a hammer and tapped the machine. The specialist then produced a bill for $1,000. When asked why he was charging $1000 for just tapping the machine with a hammer, the specialist replied, "You're paying for me to know where to tap the machine with the hammer."

    The bill was paid.

  • Re:ID (Score:2, Funny)

    by pete-classic (75983) on Tuesday November 03, 2009 @11:32PM (#29973070) Homepage Journal

    Very nice.

    Bill Cosby did a bit, "Why is there Air?" He's well known for being a Doctor of Education, but as an undergrad he was a Physical Education major. His mock reaction to this fact, "Ha, ha. Phys. Ed. You're dumb."

    He relates the story of attending a Philosophy class where the titular question is posed. He comically states his surprise at the question. Something like, "Any Phys. Ed. major can tell you that. To fill up footballs, and volley balls, and soccer balls!"

    You stand in fine comedic company!


  • by jkrise (535370) on Wednesday November 04, 2009 @12:01AM (#29973286) Journal

    Thanks for a good laugh, Sir! But at least in Britney's underwear, it covers something useful.

  • by humphrm (18130) on Wednesday November 04, 2009 @12:08AM (#29973336) Homepage

    Or, its covering of something is useful.

  • by mosel-saar-ruwer (732341) on Wednesday November 04, 2009 @12:11AM (#29973350)
    A great deal of Microsoft security is unfortunately just like the underwear of Britney Spears.

    GOOGLE IMAGES: britney spears commando
  • by Anonymous Coward on Wednesday November 04, 2009 @12:13AM (#29973356)

    #include <stdio.h>

    int main()
    {
        printf( "%d\n", 42 );
        return 0;
    }

  • Re:ID (Score:3, Funny)

    by JustOK (667959) on Wednesday November 04, 2009 @12:17AM (#29973380) Journal

    I had to take Golf Ball Inflation six times before I passed.

  • by norpy (1277318) on Wednesday November 04, 2009 @01:25AM (#29974008)

    I believe the anecdote is this:

    There was an engineer who had an exceptional gift for fixing all things mechanical. After serving his company loyally for over 30 years, he happily retired. Several years later the company contacted him regarding a seemingly impossible problem they were having with one of their multimillion-dollar machines. They had tried everything and everyone else to get the machine to work but to no avail. In desperation, they called on the retired engineer who had solved so many of their problems in the past. The engineer reluctantly took the challenge. He spent a day studying the huge machine. Finally, at the end of the day, he marked a small "x" in chalk on a particular component of the machine and said, "This is where your problem is." The part was replaced and the machine worked perfectly again.

    When the company received a bill for $50,000 from the engineer for his service, they demanded an itemized accounting. The engineer responded briefly: One chalk mark $1. Knowing where to put it $49,999. The bill was paid in full, and the engineer retired again in peace.

  • by Anonymous Coward on Wednesday November 04, 2009 @02:32PM (#29982398)

    A great deal of Microsoft security is unfortunately just like the underwear of Britney Spears.

    No...Microsoft relies on security through obscurity.

  • by KGBear (71109) on Wednesday November 04, 2009 @03:31PM (#29983702) Homepage
    I know, brother. I agree. Do you know what my Windows support people reply to that? "Who cares? When it breaks, just clone it again."
