Windows Identical SIDs: Not as bad as we thought?

Date November 8, 2009

Apparently, having identical security identifiers for cloned machines isn’t as bad as we thought? Very odd.

The end result is that Sysinternals has retired NewSID. There have been a lot of people laboring under the idea that identical SIDs are a very bad thing.

Here’s the final word from TechNet:

The New Best Practice

It’s a little surprising that the SID duplication issue has gone unquestioned for so long, but everyone has assumed that someone else knew exactly why it was a problem. To my chagrin, NewSID has never really done anything useful and there’s no reason to miss it now that it’s retired. Microsoft’s official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation as an option. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep.



One Response to “Windows Identical SIDs: Not as bad as we thought?”

  1. John M said:

    MS SID is antiquated, and really should be retired.

    We use Altiris now for image duplication and deployment, which does not use MS SID (it generates its own SID).
