>>> It IS a problem in a Windows 2000 domain as the local machine SID is used in
>>> nearly all aspects of security and before migrating to 2000 you should
>>> resolve any duplicate SID issues which may have been caused by cloning
>>> installations.

Huh.. I'm having a small headache and I'm not smoking anything weird here, but... what is this? Shouldn't this be:

Duplicate SIDs for objects in the domain are bad and a problem in NT4 and AD. It is not possible to copy an object and dupe the SID. Screwing around with the RID FSMO (AD) could result in dupped SIDs. If dupped SIDs are detected, the detecting DC has a mechanism to clean those.

Although a bad practice, cloned machines which have the same local SID can be in an NT4 domain and AD. The local computer SID will only be used if a user (domain-based or not) is a member of a local group on that computer, as the group SID on that computer consists of the computer SID and a RID.

IMHO the writer is mixing the object SID in the domain with the local computer SID...

Jorge
________________________________
From: [EMAIL PROTECTED] on behalf of AdamT
Sent: Thu 2006-01-19 02:22
To: [email protected]
Subject: Re: [ActiveDir] AD computer accounts being removed

On 1/19/06, Aaron Visser <[EMAIL PROTECTED]> wrote:
>
> Taken from
> http://www.sysinternals.com/Utilities/NewSid.html under the
> SID Duplication Problem
>
>
snip

Taken from: http://www.windowsitpro.com/Article/ArticleID/14919/14919.html

At the start of the GUI phase of installation each NT/2000 installation generates a unique Security IDentifier (SID). If you then clone a workstation each installation would have the same machine SID. This is not a problem in a Windows NT 4.0 domain as users have a SID generated by the domain controller and do not use the local workstation SID for security. It IS a problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects of security and before migrating to 2000 you should resolve any duplicate SID issues which may have been caused by cloning installations.

--
AdamT
"Maidenhead is *not* in Kent"

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
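The thread above turns on the structure of an NT account SID: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>, where everything before the final RID identifies the issuer (a domain, or a single machine's local SAM) and the RID identifies the principal within it. A domain user's SID carries the domain SID; a local (non-built-in) user or group on a cloned workstation carries that workstation's machine SID, which is exactly what two clones share. The script below is an added example, not code from the thread or from either of the quoted articles. It splits SIDs into issuer and RID, classifies a SID as domain-issued or locally issued, and finds hosts that share a machine SID in a small constructed inventory; it assumes the inventory records each host's built-in Administrator account SID (RID 500 is the well-known RID for that account), so the machine SID is that SID with the RID removed. Host names, the domain SID and all sub-authority values are made up for the example.

```python
"""SID structure: issuer vs. RID, and detecting cloned machine SIDs.

Added example. The inventory and every SID value below are constructed
for illustration; only the layout S-1-5-21-<a>-<b>-<c>-<RID> and the
built-in Administrator RID (500) reflect how Windows actually forms SIDs.
"""
import re
from collections import defaultdict

# Matches S-1-<authority>-<sub>-<sub>-... with at least one sub-authority.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Return (identifier authority, [sub-authorities]) for a textual SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("malformed SID: %r" % sid)
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, subs


def issuer_and_rid(sid):
    """Split an NT account SID into (issuer SID, RID).

    Only S-1-5-21-a-b-c-RID SIDs have a domain or machine issuer; well-known
    SIDs such as S-1-5-32-544 (BUILTIN\\Administrators) are rejected here so
    callers do not mistake them for locally issued ones.
    """
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) < 5 or subs[0] != 21:
        raise ValueError("not a domain/machine account SID: %r" % sid)
    issuer = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))
    return issuer, subs[-1]


def sid_scope(sid, domain_sid, machine_sid):
    """Say which authority issued a SID relative to one host in one domain."""
    try:
        issuer, _rid = issuer_and_rid(sid)
    except ValueError:
        return "well-known"          # e.g. S-1-5-32-544, S-1-1-0
    if issuer == domain_sid:
        return "domain"              # issued by the DCs; unaffected by cloning
    if issuer == machine_sid:
        return "local"               # issued by this host's SAM
    return "foreign"                 # another domain or another machine


def find_duplicate_machine_sids(inventory):
    """Map machine SID -> hosts for every machine SID held by more than one host.

    inventory maps host name -> SID of that host's built-in Administrator
    account (RID 500); dropping the RID yields the machine SID.
    """
    by_machine_sid = defaultdict(list)
    for host, admin_sid in inventory.items():
        issuer, rid = issuer_and_rid(admin_sid)
        if rid != 500:
            raise ValueError("%s: expected the RID-500 Administrator SID, got %r" % (host, admin_sid))
        by_machine_sid[issuer].append(host)
    return {sid: hosts for sid, hosts in by_machine_sid.items() if len(hosts) > 1}


# Constructed sample data: WS02 was cloned from WS01 without a new SID.
DOMAIN_SID = "S-1-5-21-7777777777-8888888888-9999999999"
INVENTORY = {
    "WS01": "S-1-5-21-1111111111-2222222222-3333333333-500",
    "WS02": "S-1-5-21-1111111111-2222222222-3333333333-500",
    "WS03": "S-1-5-21-4444444444-5555555555-6666666666-500",
}

if __name__ == "__main__":
    ws01_machine_sid, _ = issuer_and_rid(INVENTORY["WS01"])
    # A domain user versus a custom local group on WS01.
    for sid in (DOMAIN_SID + "-1105", ws01_machine_sid + "-1001", "S-1-5-32-544"):
        print("%-55s %s" % (sid, sid_scope(sid, DOMAIN_SID, ws01_machine_sid)))
    for machine_sid, hosts in find_duplicate_machine_sids(INVENTORY).items():
        print("duplicate machine SID %s on %s" % (machine_sid, ", ".join(hosts)))
```

The classification mirrors Jorge's distinction: a domain user's SID is issued by the domain and is the same on every host, while a custom local group's SID is the machine SID plus a RID, so a duplicate machine SID only matters where such local principals are used in ACLs. To run the duplicate check against real hosts, populate the inventory with each host's actual Administrator SID (for example from PsGetSid or `Get-LocalUser` on the host) in place of the constructed values.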
