Joe,
  Thanks again and I also appreciate Rick's elaboration on this issue.
The last segment 'y' is unique for each computer, user, and group in AD.
I notice three-digit to four-digit IDs. I also looked at the Change SID
program on Sysinternals and used it on some machines.  Symantec provides
the GhostWalk program, which is basically the same, and I looked at an
article in the Symantec knowledgebase about the importance of changing
SIDs.  I noticed no problem for the last two years where we have 3 to 6
computers that have the same SIDs. Recently, when we deployed six Dell
computers with the same Ghost image, we noticed some network connection
problems. Sometimes the drive mappings work, sometimes they don't,
including home directory mapping.
I am able to see all computer SIDs using psGetSid with the wildcard
character and see no problems for a group of 8 computers that have the
same SID. I know for sure that there must be some impact on network
security and connections.  We use Windows 2000 Kerberos authentication
on the DC.
Rao/..  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 21, 2005 6:05 PM
To: [email protected]
Subject: RE: [ActiveDir] How to identify SIDs in AD?

Undoubtedly. 

Indubitably.  :o)


At the most basic, a normal user/group SID or domain computer SID in the
domain is made up of first part and a last part. It looks like

s-x-x-x-x-x-x-x-x-x-y

The x's are various portions of the first part, the y is the last part.
The s is there so you know it is a SID.

The x's by definition can be variable in number but usually aren't
because no one seemed to hop the bus to extend the use of SIDs outside
of what MS did themselves so that concept sort of died out and now we
just put up with it. Those x's make up different things like version and
various subauthorities, MSDN documents this stuff to within an inch of
its life so best to go there for those details if you are feeling like
you want them. 

The last part is what is called a RID or relative identifier which
uniquely identifies a security principal in a local scope. The local
scope in question is the first part. That could be a domain SID or a
machine SID. 

What you find in the objectSID attributes on users/groups/computers in
AD are SIDs made up of the domain SID and a RID describing that object
uniquely in that domain. When you look at a local user/group on a
machine, you are looking at a SID made of a local machine SID and a RID
describing that object uniquely on that machine. The machine SID and the
domain computer object SID are in no way, shape, nor form related.
Period.

As Rick indicated there are objects with well known RIDs. These objects
will always have the same RID value on each and every machine (and
domain). So for instance if you go to any machine (or domain) and get
the administrator ID SID and strip off the -500, that gives you the
machine SID. This fact is where the RedButton tool came from that seemed
to amaze everyone back in NT4 days because it could tell you what your
admin ID was near instantly even if you named it something insane like
"NotTheAdminID". 

There are also special SIDs called Well Known SIDs and apply to BUILTIN
groups and Well Known Security Principals. These SIDs are EXACTLY the
same on each and every machine. For instance, the SID for the local
group Administrators is always S-1-5-32-544. The SID for Guests is
always S-1-5-32-546. The SID for Everyone (or World if you prefer) is
always S-1-1-0. The SID for Interactive is always S-1-5-4. These SIDs
never have scope outside of the local SAM realm (I made that term up...
Maybe...). On a Domain, this is all DCs. On a non-DC machine it is that
machine. Think about this the next time you apply a permission to AD for
the Administrators group.... In action, which administrators group does
it apply to in a multidomain environment? Why whichever administrators
group applies to the domain controller you are working on that secured
object on of course. How many people can point out bad ACLs MS has out
there right now based on this?
Think forest/application partitions that span domain boundaries.

Anyway, if you have multiple non-DC machines that all have the same
machine SID, you have found either an amazing piece of random luck or a
cloned machine. There is a nice piece of software from the very great
site called sysinternals that will fix SIDs for you called newsid. This
tends to be handy to have around, though there are other things that will
change SIDs as well that are considered "better" by some Microsoftians.

Now one thing that I have never sat down to try and fully understand and
just left alone is the WHY about why we can't have duplicate SIDs on
machines. I can't, off the top of my head, think of an issue with it in
any of the times I have off the top of my head thought about it. When
you talk between the two machines, SIDs are not passed for local IDs.
When you talk from machine 1 to machine 2 with a local machine 1 ID, you
are authenticated against machine 2 with an ID that resides on machine 2
that may happen to be in sync with an ID on machine 1. Hence the machine
1 SID could be the same or different or any groups the machine 1 ID is
in could be anything yet it won't impact the machine 2 access because it
isn't machine 1 speaking for the authentication/authorization on machine
2. Does anyone know the tech details behind the issue here? Better yet a
website that lays it all out?
The only thing I could think of would be something along the lines of
any place a SID might be used for encrypting information for network
traffic.

   joe





-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, July 21, 2005 4:16 PM
To: [email protected]
Subject: RE: [ActiveDir] How to identify SIDs in AD?

joe will undoubtedly reply, but here's a couple of things to consider.
You've looked at the AD SID for a computer object.  Did you look at one
for a user or a group?  What you SHOULD find is that the SID is going to
share some specific similarities.  For instance:

S-1-5-21-3779066958-2660189832-1200827 will be the same SID prefix for
all security principal objects in your domain.  Each domain will have
its own unique SID.  RIDs are appended to uniquely identify an object in
the domain.

So, your computer had a Relative Identifier (RID) of 3391 (Remember the
FSMO role of RID Master?)

The Administrator BY DEFAULT will be:

S-1-5-21-3779066958-2660189832-1200827-500

Guest WILL BE:

S-1-5-21-3779066958-2660189832-1200827-501

The Domain Admins group WILL BE:

S-1-5-21-3779066958-2660189832-1200827-512

After the default groups ( the Builtin groups have SIDs that are
pre-programmed for Special Purposes), users, etc. are all created, the
RID Master will start handing out RIDs from 1000 on.

So, knowing that each and every workstation joined to a domain must have
a unique object SID - what would the next assumption then be if I have 7
workstations that have the same workstation SID (each of them is an
independently operating NT system with security principals of their own)
trying to join a functional AD system?

You're not at square one - you have all of the information in front of
you - you just need to put the pieces together.  ;-)

Take a swing....  I'll drop more bread crumbs if needed.

Rick



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hanumara, Rao
Sent: Thursday, July 21, 2005 2:38 PM
To: [email protected]
Subject: RE: [ActiveDir] How to identify SIDs in AD?

Joe,
  Undoubtedly your program is of great value for folks like me.
Actually, I tried the program a few days ago, but could not set the
correct parameters.  This shed more light on what I wanted to know. AD
assigns a unique SID when a workstation or user joins the domain. This
has no impact on what the workstation SID is. I used your program and
captured Computer and User objects. Then I used psGetSID from psTools on
a workstation. What I found was that the last segment was randomly
assigned by AD. The workstation SID has only 7 segments and the AD SID
attribute has 8 segments.
AD -        Sid:S-1-5-21-3779066958-2660189832-1200827-3391
Workstation SID:S-1-5-21-2214242676-972441917-2900879380

This revelation puts me back to my Square 1 question.  What makes the
difference if several workstations have the same SID generated by a
Ghost (Symantec) image in authenticating during the login process?
While framing my original question, I thought that AD would store the
workstation SID somewhere in its database and use that information to
authenticate.
Thanks,
Rao/..

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, July 21, 2005 10:49 AM
To: [email protected]
Subject: RE: [ActiveDir] How to identify SIDs in AD?

SIDs of Active Directory objects are stored in the objectSID attribute.
If you have done some form of migration or move of users or groups from
one domain to another, the sIDHistory attribute will also be populated.

The last sentence you have, of something that matches the workstation SID
with the workstation's objectSID in AD, would have to be a script to do
that. There is no attribute in AD that maintains the workstation SID; AD
doesn't care about that SID, it only cares about the objectSID assigned
to the computer object for the workstation, which is different.

To tackle that problem, you would have to write a script that enumerated
all of the AD Computer objects and their objectSIDs, then have the
script reach out to each of those computers individually and query for
its SID (just ask for the administrator SID on each of the machines and
chop off the RID at the end) and then produce your mapping.

To easily display SIDs from AD, you could use my adfind utility, to dump
all computer objects in a forest and their SIDs you would do something
like

adfind -gc -b "" -f objectcategory=computer objectSID

If you pipe that output to a file, you could then use the adcsv (in the
adfind zip file) script to take that output and put it into a CSV format
for easier consumption by something else.

    joe




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hanumara, Rao
Sent: Thursday, July 21, 2005 9:58 AM
To: [email protected]
Subject: [ActiveDir] How to identify SIDs in AD?

Hello,
   I am new to the list and also new to AD.  We are running into a few
problems with Ghost image deployment.  Is there any utility that can show
SIDs on the Domain Controller?  We have AD and DNS implemented on our DC.
The MS Administrative Tools just show me members of AD and the DNS
forward and reverse lists.  What I want to see is the SIDs of AD
computers/users.  Where are they stored and how do I see them?  I really
want a report that matches the workstation SID with the AD SID for
computers.
Thanks in Advance,
Rao/..


 
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/