RE: How to change the SID on a Windows XP, Windows 2000, or Windows NT computer...

Hello,

Thank you for your information sharing here. However, to make our newsgroup
more clear, I would like to suggest you do not cross-post the same
information in multiple newsgroups in the future. Your understanding and
cooperation is appreciated.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "-|Tree=Bonz|-" <nospam@xxxxxxxxxxx>
| Subject: How to change the SID on a Windows XP, Windows 2000, or Windows
NT computer...
| User-Agent: Pan/0.14.2.91 (As She Crawled Across the Table)
| Message-ID: <pan.2005.09.13.00.49.01.267785@-|Tree=Bonz|->
| Newsgroups:
microsoft.public.exchange2000.active.directory.integration,microsoft.public.
active.directory.interfaces,microsoft.public.win2000,microsoft.public.win200
0.active_directory,microsoft.public.win2000.networking,microsoft.public.win2
000.registry,microsoft.public.win2000.setup_deployment,microsoft.public.win2
000.setup,microsoft.public.windowsxp.setup_deployment,alt.religion.dake-bono
ism
| MIME-Version: 1.0
| Content-Type: text/plain; charset=windows-1252
| Content-Transfer-Encoding: 8bit
| Lines: 119
| Date: Tue, 13 Sep 2005 00:49:06 GMT
| NNTP-Posting-Host: 69.134.206.223
| X-Complaints-To: abuse@xxxxxx
| X-Trace: twister.southeast.rr.com 1126572546 69.134.206.223 (Mon, 12 Sep
2005 20:49:06 EDT)
| NNTP-Posting-Date: Mon, 12 Sep 2005 20:49:06 EDT
| Organization: Road Runner - NC
| Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!news.glorb.com!hwmnpeer01.lga!hwmedia!news-server.columbus.rr.com!cycl
one2.kc.rr.com!news2.kc.rr.com!news-post.tampabay.rr.com!twister.southeast.r
r.com.POSTED!53ab2750!not-for-mail
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.active.directory.interfaces:3105
microsoft.public.win2000.active_directory:33437
microsoft.public.win2000.networking:26937
microsoft.public.win2000.registry:4953
microsoft.public.win2000.setup_deployment:3302
microsoft.public.win2000.setup:8919
microsoft.public.windowsxp.setup_deployment:35412
microsoft.public.exchange2000.active.directory.integration:4140
| X-Tomcat-NG: microsoft.public.win2000.setup_deployment
|
| How to change the SID on a Windows XP, Windows 2000, or Windows NT
computer
|
| Situation:
| You are copying a Windows XP, Windows 2000, or Windows NT computer to
another computer, and you want to know how to change the Security
Identifier (SID) afterward.
|
| Solution:
| Need to change the SID
| When you clone a Windows NT/2000/XP installation to many computers, the
destination computers have the same SID and computer name as the source
Windows installation. Because Windows NT/2000/XP networks use each
computer's SID and computer name to uniquely identify the computer on the
network, you must change the SID and computer name on each destination
(client) computer after cloning.
|
| Overview of ways to change the SID after cloning
|
| * Ghost Walker
| Ghost Walker is a Ghost utility included in the corporate Ghost
versions and Norton Ghost 2003. Ghost Walker is a DOS program that allows
you to change the SID and computer name at each client computer after
cloning, that is, before restarting the computer into Windows.
| * Ghost Console
| The option SID Change is available on the Task you create in Ghost
Console. When you use this option, Ghost remotely runs Ghost Walker at each
client computer. That is, Ghost does not require that you visit each client
computer to change the SID.
| * Microsoft's System Preparation Tool (SysPrep)
| Microsoft provides the SysPrep utility for preparing a source
computer before creating an image of that computer. SysPrep allows you to
change the SID, computer name, and other configuration information. When
used on a Windows 2000/XP installation, SysPrep also prompts the client
computers to rebuild their Plug and Play driver database.
| * Third party utilities
|
|
|
| Problems with changing SIDs
| When the SID changer cannot locate and change all of the files that it
needs to change, some applications or Windows features may not work on the
destination computer.
|
| Example of need to remove features before creating an image file
| For instance, Windows 2000 NTFS File Encryption and Windows NT and
Windows 2000 Protected Storage use a SID as a unique token. When you change
the SID, Windows can no longer access encrypted files or Protected Storage
media. To prevent the problem, these features must be removed before
creating the image file.
|
| Test the image file before rolling it out
| For these reasons we advise that you prepare for mass rollouts or
upgrades by first testing the image file on the various computer
environments that you will rollout the image to, including testing the
applications after cloning to a new computer.
|
| Which SID changer to use
| Each method for changing the SID has its own advantages and
disadvantages. Use the SID changer recommended for the operating system
being cloned.:
|
| Note: Because Microsoft support varies depending upon the operating
system, method of cloning, and method of changing the SID, refer to the
Microsoft document Do Not Disk Duplicate Installed Versions of Windows
(Article ID 162001) for more detailed information.
|
| * Windows 2000 or Windows XP installation: Use Microsoft's System
Preparation (SysPrep) tool.
|
| Although Ghost Walker successfully changes the SID on Windows
2000/XP computers, Microsoft's System Preparation (SysPrep) tool changes
the SID and prompts Windows 2000/XP to rebuild its Plug-and-Play driver
database.
|
| Alternatively, instead of using SysPrep for all configuration
changes, you can use SysPrep to rebuild the driver database and use Ghost
to change the SID and computer name. Here are the general steps:
| 1. Disable the SysPrep feature that changes the SID.
| 2. Run SysPrep at the source Windows 2000 computer immediately
before cloning.
| 3. Use Ghost to create an image file of the source computer.
| 4. Check the SID Change option on the Task that you create in
Ghost Console.
| 5. Run the Task to rollout the image.
| * Windows NT installation: Use Ghost Walker or the SID Change option
in Ghost Console.
|
| Because Ghost Walker is more thorough than SysPrep at changing all
instances of the SID, and Windows NT does not have a Plug and Play driver
database for the Windows NT SysPrep utility to rebuild, Ghost Walker is a
better choice for changing the SID and computer name on Windows NT
installations.
| * Other Windows installations, such as Windows 95/98/Me: Use Ghost
Walker or the SID Change option in Ghost Console. Use the SID Change option
when running a Task in Ghost Enterprise Console and use Ghost Walker when
cloning with Ghost Multicast Server.
|
| If you use a third party SID changer, make sure that the SID
changer changes all instances of the old SID where the SID is used to
control access to files, registry settings, and so on. If the SID changer
does not update old instances of the SID, some application programs may not
work. In addition, Windows will no longer recognize the security settings,
resulting in either no access to selected system resources or global access
to system resources, increasing security risks on the system.
|
|
| Ghost Walker
| Run Ghstwalk.exe at the target computer after you write the disk or
partition image to the computer. Ghost Walker changes the SID for all user
profiles on the computer to a statistically-unique, randomly-generated
value. Because both Ghost.exe and Ghost Walker run in DOS, changing the SID
with Ghost Walker does not require an additional restart.
|
| Number of characters in the new name
| The new name must contain the same number of characters as the computer
name of the source computer. Ghost Walker can change the computer name on
all supported Windows operating systems.
|
| Available in these Ghost versions
|
| * Symantec Ghost 7.0
| * Symantec Ghost 7.5
| * Symantec Ghost 8.x
| * Norton Ghost 2003
|
|
| SID Change option on Ghost Console
| This option is available in all Ghost versions that include the feature
Ghost Console.
|
| Use this option
|
| * For cloning Windows NT installations when you want Ghost to
remotely change the SID on the client computers. To change the SID
automatically, check the "SID Change" option on the Clone tab in the Task.
To change other configuration items, check the Configuration option on the
General tab in the Task, and then choose an option in the Configuration tab.
| * If you decide to use the SID Change option for cloning a Windows
2000/XP installation, use either the SysPrep option that changes the SID or
the Ghost Console SID Change option, but not both options.
|
|
| SysPrep
| Although Ghost successfully changes the SID on Windows 2000/XP computers,
Microsoft's System Preparation (SysPrep) tool changes the SID and prompts
Windows 2000/XP to rebuild its Plug-and-Play driver database.
| Advantages to using SysPrep
|
| * Rebuilding the driver database is a significant advantage because
the rebuild decreases the amount of user intervention required at the
client computers when the source computer and client computers do not have
exactly the same hardware.
| * It invokes the Windows 2000/XP Setup Wizard, which is normally only
seen during installation. The Wizard enables you to enter details regarding
new users, licensing information, and other identification information.
| * It allows you to install different drivers for the hard disk
controller on the first startup after cloning. When the client computer
requires different hard drive controller drivers than the source computer,
the new drivers are loaded before the Plug and Play detection begins.
| * It can be configured to have Windows 2000/XP to rebuild its
Plug-and-Play driver database on the first startup after cloning. The
rebuild process removes drivers for devices that are not on the client
computer and adds Windows drivers for devices that are on the client
computer but were not on the source computer.
| * It supports most of the unattended installation parameters,
including computer name, domain, and network settings. These parameters are
command-line arguments for the Windows installation command.
| * It can be configured to run automatically, without having to visit
the client computers.
|
|
| No Symantec technical support for SysPrep
| Symantec does not provide technical support for SysPrep. SysPrep is
written, maintained, and supported by Microsoft.
|
| To use SysPrep
| See the document How to use SysPrep with Ghost. Note that SysPrep
requires an additional restart after cloning.
|
|
| Technical Information:
| SIDs, workgroups, and domains
| For more information on why you must change the SID for workgroups and
domains, see the section "Security identifier (SID) for workstations
participating in a domain" in the document Introduction to cloning a
Windows NT, Windows 2000, or Windows XP computer.
| SIDs and security
| Many programs, including Windows itself, base security features on the
SID and the computer name.
| The parts the SID changer needs to change
| When the SID changer cannot locate and change all instances of the SID
and computer name, or locate and change proprietary calculated values that
are based on the SID and computer name, some applications or Windows
features may not work on the destination computer after changing the SID.
|
|
|
| References:
| GhostWalker
| Introduction to Ghost Walker
| How to run Ghost Walker from a command line.
|
| Cloning Windows servers
| Cloning a Windows NT or Windows 2000/2003 Server
|
| Separator
| Translations of this Document:
| Given the time needed to translate documents into other languages, the
| translated versions of this document may vary in content if the English
| document was updated with new information during the translation process.
| The English document always contains the most up-to-date information.
|

.

Relevant Pages