Re: Concrete Examples of Duplicate SID problems--Do y'all have any?
- From: Hunter01 <hunter01@xxxxxxxxxxxx>
- Date: Mon, 08 May 2006 07:40:12 +0800
Shenan Stanley wrote:
Ian wrote:
Did some fairly extensive benchtests on this, and AFAICS in the
situation where two computers have an identical
user-account/password pair it makes no odds whether SIDs of the
accounts are identical or not. Microsoft seem to indicate that
having differing SIDs should provide security between the two
computers.. but it doesn't, as is easily demonstrated.
Over the course of my career I've imaged numerous 2000/XP
computers, and never seen these purported problems 'in the wild.' I
use NewSID, but I'm unsure whether it makes any measurable
difference.
I don't regard sysprep as being a usable tool, mainly because it
loses the default userprofile setup. What is the point of
sysprepping, if the settings, so painstakingly done, are lost? You
might as well start from scratch in that case.
Usual policy these days for new computers is to image from a stock
copy for that model, then change the serial and re-activate.
As far as I can tell from the write-ups, the SID question does not
apply to domain accounts either, only to local accounts.
Haven't researched sysprep in a while, eh?
http://support.microsoft.com/kb/887816
I have, I use it daily, and I agree with everything he said. All that article points out is that Microsoft no longer think we have the intelligence to set up our own "default user" profiles and decided to use the local administrator profile to rebuild the "default user" profile in effect. Easily worked around by using the local admin profile to set up your default user profile.
That doesn't address the rest of the mangleations that you don't encounter if you don't use Sysprep. Firewall being turned back on for instance, the security database being randomly mangled as well. A few other things, all of which we've managed to work around with a post-image job using Altiris, but not everyone has Altiris or a comparable desktop management environment.
As far as the SID - again - 60 seconds of automated time vs potential issues (even if no one has actually seen them in years.. - although that could be because most change the SID and/or join domains now..) leads me to the decision to continue changing the SIDs on newly imaged systems..
Agree with you entirely. Use sysprep if you want a one image fits all model and are willing to work around the mangleations, or if you have only a few hardware platforms use a dedicated image for each, use a proper SID changing tool, and steer well-clear of Sysprep. Best advice I can think to give in the real world environments we all work in.