Re: Local SID v. Domain SID.



I knew you'd shine a light!!!
Thanks Dean! I thought I knew this but I see it from a new perspective now!
Crystal Clear!

Regards,

Austin

"Dean Wells (MVP)" <dwells@xxxxxxxxxxxxxxxxxxxxx> wrote in message news:uhM0IFqFIHA.4228@xxxxxxxxxxxxxxxxxxxxxxx
In order for a SID to be viable for local authorization purposes, it must be presented as part of a token that originated from a trusted entity (... a trusted issuing authority). Notice that on occasion, we see the relationship between a computer, and the domain in which it is a member, referred to as a 'trust' or 'trusted' (most notably when it's broken) -- a use of terminology that really doesn't fit the more colloquial definition. The terminology is valid because the computer trusts the domain; the domain is therefore an issuing authority whose tokens and, more importantly, the SIDs contained within them, are considered trustworthy and, subsequently, viable for local authorization purposes. This is not true for the relationship between any 2 workstations regardless of whether they have the same SID, are members of the same domain, trusted domains (direct, transitive, etc.) or if they exist in the same or even different workgroups (workgroups offer no concept of trust). If they're in the same domain etc. (trusts included) then they both trust the same issuing authority (directly or transitively) but their respective local SAM databases are exclusively for local purposes only.

NOTE - the use of common credentials on 2 workstations is often misunderstood as some form of trust. It isn't trust, it's just a silent authentication process following a silent challenge -- i.e., default credentials.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l
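An added illustration, not part of Dean's post or of anything else in this thread: a small Python model of the rule he describes. A SID carried in a token only counts for a local access check when the token was built by an authority the machine trusts (its own SAM, or the domain it is joined to); the same SID string arriving from any other issuer counts for nothing, and a workgroup machine trusts nobody but itself. The machine names, domain name, SIDs, account names and passwords are all constructed sample values, and the `Workstation`, `Token` and `domain_logon` names are this example's own, not Windows APIs.

```python
# Toy model of "a SID is viable only inside a token from a trusted issuer".
# Everything here is constructed for illustration; nothing is a real Windows API.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Sid:
    """Structured form of an NT SID string such as S-1-5-21-1-2-3-500."""
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.subauthorities)])

    @property
    def rid(self) -> int:
        """Relative identifier: the last sub-authority (500 = built-in Administrator)."""
        return self.subauthorities[-1]

    @property
    def issuer(self) -> "Sid":
        """Identifier of the SAM or domain that minted this SID (everything but the RID)."""
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def with_rid(self, rid: int) -> "Sid":
        return Sid(self.revision, self.authority, self.subauthorities + (rid,))


@dataclass(frozen=True)
class Token:
    # Which authority actually built this token. Two cloned machines may share a
    # machine SID, but they are still two different authorities, so this is a
    # name, not a SID.
    issuer: str
    user: Sid


@dataclass
class Workstation:
    name: str
    machine_sid: Sid
    domain: Optional[str] = None                       # None = workgroup member
    sam: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # account -> (password, RID)

    def trusted_issuers(self) -> Set[str]:
        """A machine trusts its own SAM and, if joined, its domain. Nothing else."""
        return {self.name} | ({self.domain} if self.domain else set())

    def logon(self, username: str, password: str) -> Optional[Token]:
        """Local SAM authentication: on success the token is issued by THIS machine."""
        entry = self.sam.get(username)
        if entry is None or entry[0] != password:
            return None
        return Token(issuer=self.name, user=self.machine_sid.with_rid(entry[1]))

    def access_check(self, token: Token, allowed: Set[Sid]) -> bool:
        """Authorize a SID only when it arrives in a token from a trusted issuer."""
        if token.issuer not in self.trusted_issuers():
            return False
        return token.user in allowed


def domain_logon(domain: str, domain_sid: Sid, rid: int) -> Token:
    """Stand-in for a domain controller building a token for a domain account."""
    return Token(issuer=domain, user=domain_sid.with_rid(rid))


def demo() -> Dict[str, bool]:
    # Constructed sample: PC1 and PC2 are clones sharing one machine SID and are
    # both members of the (constructed) domain CORP; PC3 sits in a workgroup.
    shared = Sid.parse("S-1-5-21-1111-2222-3333")
    corp = Sid.parse("S-1-5-21-4444-5555-6666")
    pc1 = Workstation("PC1", shared, "CORP", {"austin": ("pw1", 500)})
    pc2 = Workstation("PC2", shared, "CORP", {"austin": ("pw1", 500)})
    pc3 = Workstation("PC3", Sid.parse("S-1-5-21-7777-8888-9999"))
    acl_on_pc2 = {shared.with_rid(500), corp.with_rid(1105)}  # local Admin + one domain user

    pc1_token = pc1.logon("austin", "pw1")
    pc2_token = pc2.logon("austin", "pw1")   # "default credentials": PC2 checks its OWN SAM
    assert pc1_token is not None and pc2_token is not None
    corp_token = domain_logon("CORP", corp, 1105)
    return {
        # Same SID string as PC2's own Administrator, but PC1 is not an issuer PC2 trusts.
        "pc1_token_on_pc2": pc2.access_check(pc1_token, acl_on_pc2),
        # Silent re-authentication against PC2's SAM yields a PC2-issued token: allowed.
        "reauth_on_pc2": pc2.access_check(pc2_token, acl_on_pc2),
        # The domain is a trusted issuer for every member, so its tokens are viable.
        "domain_token_on_pc2": pc2.access_check(corp_token, acl_on_pc2),
        # A workgroup machine has no trust relationship with CORP at all.
        "domain_token_on_pc3": pc3.access_check(corp_token, acl_on_pc2),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The point to notice is in `Token.issuer`: the clone shares PC2's machine SID, so `pc1_token.user` is byte-for-byte the SID PC2 grants access to, and it is still refused, because the check on the issuer runs before the SID comparison. Only after PC2 authenticates the credentials against its own SAM does it hold a token it will honour.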


"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message news:uF2xZxpFIHA.5360@xxxxxxxxxxxxxxxxxxxxxxx
Elucidate Dean!
Please?

Regards,

Austin

"Dean Wells (MVP)" <dwells@xxxxxxxxxxxxxxxxxxxxx> wrote in message news:OPCCRspFIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message news:uZTmJ5nFIHA.2268@xxxxxxxxxxxxxxxxxxxxxxx
the SIDs (domain and local) are independent of each other

however, the computers with the same local SID have the same security realm, meaning being admin on PC1 also means being admin on PC2

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------


Re: the latter part of your 2nd paragraph (and assuming I understand you correctly), I'm afraid it doesn't work that way.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l