Actually yes, sort of. Machine (object) SID is generated by the machine and applies to the items on that machine. Domain SID is generated per domain. Join a machine to a domain and it gets a "security principal object" (examples being machines, users and groups) SID which is a combination of Domain SID + a number a DC assigns it (from a pool of numbers handed by a RID master).
This might help:

Object-SID: http://msdn.microsoft.com/en-us/library/ms679024(VS.85).aspx
RID Master / Domain SID: http://www.ucertify.com/article/what-is-the-rid-master-role.html

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

-----Original Message-----
From: Ken Schaefer [mailto:[email protected]]
Sent: Wednesday, March 11, 2009 4:45 PM
To: NT System Admin Issues
Subject: RE: sysprep question

No. Domain SID is somehow concatenated with the machine SID, but the machine SID is the same if you clone one machine to others.

Cheers
Ken

-----Original Message-----
From: Jeremy Anderson [mailto:[email protected]]
Sent: Thursday, 12 March 2009 9:39 AM
To: NT System Admin Issues
Subject: RE: sysprep question

Isn't a new SID created every time you join a machine to a domain? So, if I have Machine A, I remove it from the domain and into a workgroup, clone it to Machine B and Machine C, then join Machine B and Machine C to the domain, both machines will have unique SIDs.

I have NEVER had a problem doing it this way, I just usually never join Machine A to the domain in the first place. Just make sure that Machine A is not on the network when you turn on Machine B before you rename it....

I am sure there are valid reasons not to do it this way, and valid reasons to use Sysprep; however, saying it will cause problems or cause DCs to puke is simply inaccurate.

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Wednesday, March 11, 2009 1:08 PM
To: NT System Admin Issues
Subject: Re: sysprep question

On Wed, Mar 11, 2009 at 11:30 AM, Reimer, Mark <[email protected]> wrote:
> I've read that I do need to sysprep, and I've read that I don't need to
> sysprep because the machines are on a domain

That's wrong, and maybe even backwards.

The major thing SYSPREP does is generate a new SID (Security Identifier) for the machine. The SID is what Windows uses to uniquely identify the machine -- it matters more than the hostname, the AD GUID, and the SPN. If you have two machines on the domain with the same SID, the domain controller will puke all over the place, as it sees two PCs with the same SID.

If you're *not* running a domain, and the computers don't need to talk to each other or the same server, then you might be able to get away without SYSPREP. The computers will all have the same SID, but since they never encounter each other, they don't notice.
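
Added example (not part of the original thread): the binary SID layout behind the Object-SID attribute linked above, decoded in Python to show how a computer account SID splits into a domain SID plus a RID, and how a shared local machine SID shows up across cloned hosts. All hostnames, SID values and helper names are constructed for illustration.

```python
import struct
from collections import defaultdict

def pack_sid(sid):
    """String SID (S-1-5-21-...) to the binary layout stored in objectSid."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")           # identifier authority is big-endian
            + struct.pack(f"<{len(subs)}I", *subs))  # sub-authorities are little-endian

def parse_sid(raw):
    """Binary SID to string form, rejecting truncated or padded input."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_rid(sid):
    """Split an account SID into (issuing machine or domain SID, RID)."""
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)

def cloned_hosts(machine_sids):
    """Group hostnames by local machine SID; keep SIDs seen on more than one host."""
    groups = defaultdict(list)
    for host, sid in machine_sids.items():
        groups[sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in groups.items() if len(hosts) > 1}

# Constructed inventory: MACHINE-B and MACHINE-C come from one image without sysprep.
LOCAL = {"MACHINE-B": "S-1-5-21-1111111111-2222222222-3333333333",
         "MACHINE-C": "S-1-5-21-1111111111-2222222222-3333333333",
         "MACHINE-D": "S-1-5-21-1234567890-1020304050-4000000000"}
# Constructed objectSid values of the computer accounts after the domain join.
DOMAIN = "S-1-5-21-2000000001-2000000002-2000000003"
ACCOUNTS = {"MACHINE-B": pack_sid(DOMAIN + "-1104"),
            "MACHINE-C": pack_sid(DOMAIN + "-1105")}

if __name__ == "__main__":
    print("shared local machine SID:", cloned_hosts(LOCAL))
    for host, raw in ACCOUNTS.items():
        print(host, *split_rid(parse_sid(raw)))
```

In this constructed data the two clones report the same local machine SID, while their domain computer accounts carry the same domain SID with different RIDs.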
