How to identify SIDs in AD?

    Joe,
    Thanks again and I also appreciate Rick's elaboration on this issue.
    The last segment 'y' is unique for each computer, user, and group in AD. I
    notice three-digit to four-digit IDs. I also looked at the Change SID
    program on Sysinternals and used it on some machines. Symantec provides
    the GhostWalk program which is basically the same, and I looked at an article
    in the Symantec knowledgebase about the importance of changing SIDs. I
    noticed no problem for the last two years where we have 3 to 6 computers
    that have the same SIDs. Recently when we deployed six Dell computers with
    the same Ghost Image, we noticed some network connection problems.
    Sometimes the drive mappings work, sometimes they don't, including home
    directory mapping.
    I am able to see all computer SIDs using psGetSid with wild card
    character and see no problems for a group of 8 computers that have same
    SID. I know for sure that there must be some impact of network security
    and connections. We use Windows 2000 Kerberos Authentication on DC.
    Rao/
    -----Original Message-----
    From: ActiveDir-owner@mail.activedir.org
    [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
    Sent: Thursday, July 21, 2005 6:05 PM
    To: ActiveDir@mail.activedir.org
    Subject: RE: [ActiveDir] How to identify SIDs in AD?
    Undoubtedly.
    Indubitably. :o)
    At the most basic, a normal user/group SID or domain computer SID in the
    domain is made up of first part and a last part. It looks like
    s-x-x-x-x-x-x-x-x-x-y
    The x's are various portions of the first part, the y is the last part.
    The s is there so you know it is a SID.
    The x's by definition can be variable in number but usually aren't
    because no one seemed to hop the bus to extend the use of SIDs outside
    of what MS did themselves so that concept sort of died out and now we
    just put up with it. Those x's make up different things like version and
    various subauthorities, MSDN documents this stuff to within an inch of
    its life so best to go there for those details if you are feeling like
    you want them.
    The last part is what is called a RID or relative identifier which
    uniquely identifies a security principal in a local scope. The local
    scope in question is the first part. That could be a domain SID or a
    machine SID.
    What you find in the objectSID attributes on users/groups/computers in
    AD are SIDs made up of the domain SID and a RID describing that object
    uniquely in that domain. When you look at a local user/group on a
    machine, you are looking at a SID made of a local machine SID and a RID
    describing that object uniquely on that machine. The machine SID and the
    domain computer object SID are in no way, shape, nor form related.
    Period.
    As Rick indicated there are objects with well known RIDs. These objects
    will always have the same RID value on each and every machine (and
    domain). So for instance if you go to any machine (or domain) and get
    the administrator ID SID and strip off the -500, that gives you the
    machine SID. This fact is where the RedButton tool came from that seemed
    to amaze everyone back in NT4 days because it could tell you what your
    admin ID was near instantly even if you named it something insane like
    "NotTheAdminID".
    There are also special SIDs called Well Known SIDs and apply to BUILTIN
    groups and Well Known Security Principals. These SIDs are EXACTLY the
    same on each and every machine. For instance, the SID for the local
    group Administrators is always S-1-5-32-544. The SID for Guests is
    always S-1-5-32-546. The SID for Everyone (or World if you prefer) is
    always S-1-1-0. The SID for Interactive is always S-1-5-4. These SIDs
    never have scope outside of the local SAM realm (I made that term up,
    maybe). In a Domain, this is all DCs. On a non-DC machine it is that
    machine. Think about this the next time you apply a permission to AD for
    the Administrators group. In action, which administrators group does
    it apply to in a multidomain environment? Why, whichever administrators
    group applies to the domain controller you are working on that secured
    object on, of course. How many people can point out bad ACLs MS has out
    there right now based on this?
    Think forest/application partitions that span domain boundaries.
    Anyway, if you have multiple non-DC machines that all have the same
    machine SID. You have found either an amazing piece of random luck or a
    cloned machine. There is a nice piece of software from the very great
    site called sysinternals that will fix SIDs for you called newsid. This
    tends to be handy to have around, though there are other things that will
    change SIDs as well that are considered "better" by some Microsoftians.
    Now one thing that I have never sat down to try and fully understand and
    just left alone is the WHY about why we can't have duplicate SIDs on
    machines. I can't, off the top of my head, think of an issue with it in
    any of the times I have off the top of my head thought about it. When
    you talk between the two machines, SIDs are not passed for local IDs.
    When you talk from machine 1 to machine 2 with a local machine 1 ID, you
    are authenticated against machine 2 with an ID that resides on machine 2
    that may happen to be in sync with an ID on machine 1. Hence the machine
    1 SID could be the same or different or any groups the machine 1 ID is
    in could be anything yet it won't impact the machine 2 access because it
    isn't machine 1 speaking for the authentication/authorization on machine
    2. Does anyone know the tech details behind the issue here? Better yet a
    website that lays it all out?
    The only thing I could think of would be something along the lines of
    any place a SID might be used for encrypting information for network
    traffic.
    joe
    -----Original Message-----
    From: ActiveDir-owner@mail.activedir.org
    [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Rick Kingslan
    Sent: Thursday, July 21, 2005 4:16 PM
    To: ActiveDir@mail.activedir.org
    Subject: RE: [ActiveDir] How to identify SIDs in AD?
    joe will undoubtedly reply, but here are a couple of things to consider.
    You've looked at the AD SID for a computer object. Did you look at one
    for a user or a group? What you SHOULD find is that the SID is going to
    share some specific similarities. For instance:
    will be the same SID prefix for
    all security principal objects in your domain. Each domain will have
    its own unique SID. RIDs are appended to uniquely identify an object in
    the domain.
    So, your computer had a Relative Identifier (RID) of 3391 (Remember the
    FSMO role of RID Master?)
    The Administrator BY DEFAULT will be:
    Guest WILL BE:
    The Domain Admins group WILL BE:
    After the default groups ( the Builtin groups have SIDs that are
    pre-programmed for Special Purposes), users, etc. are all created, the
    RID Master will start handing out RIDs from 1000 on.
    So, knowing that each and every workstation joined to a domain must have
    a unique object SID - what would the next assumption then be if I have 7
    workstations that have the same workstation SID (each of them is an
    independently operating NT system with security principals of its own)
    trying to join a functional AD system?
    You're not at square one - you have all of the information in front of
    you - you just need to put the pieces together. ;-)
    Take a swing. I'll drop more bread crumbs if needed.
    Rick
    -----Original Message-----
    From: ActiveDir-owner@mail.activedir.org
    [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Hanumara, Rao
    Sent: Thursday, July 21, 2005 2:38 PM
    To: ActiveDir@mail.activedir.org
    Subject: RE: [ActiveDir] How to identify SIDs in AD?
    Joe,
    Undoubtedly your program is of great value for folks like me.
    Actually, I tried the program a few days ago, but could not set the correct
    parameters. This shed more light on what I wanted to know. AD assigns a
    unique SID when a workstation or user joins the domain. This has no impact
    on what the workstation SID is. I used your program and captured Computer
    and User objects. Then I used psGetSID from psTools on a workstation.
    What I found was that the last segment was randomly assigned by AD.
    The Workstation SID has only 7 segments and the AD SID attribute has 8 segments.
    AD -
    Workstation
    This revelation puts me back to my Square 1 question. What makes the
    difference if several workstations have the same SID generated by a Ghost
    (Symantec) image in authenticating during the login process?
    While framing my original question, I thought that AD would store the
    Workstation SID somewhere in its database and use that information to
    authenticate.
    Thanks,
    Rao/
    -----Original Message-----
    From: ActiveDir-owner@mail.activedir.org
    [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of joe
    Sent: Thursday, July 21, 2005 10:49 AM
    To: ActiveDir@mail.activedir.org
    Subject: RE: [ActiveDir] How to identify SIDs in AD?
    SIDs of Active Directory objects are stored in the objectSID attribute.
    If you have done some form of migration or move of users or groups from
    one domain to another, the sIDHistory attribute will also be populated.
    The last sentence you have, of something that matches the workstation SID
    with the workstation's objectSID in AD, would have to be a script to do
    that. There is no attribute in AD that maintains the workstation SID; AD
    doesn't care about that SID, it only cares about the objectSID assigned
    to the computer object for the workstation, which is different.
    To tackle that problem, you would have to write a script that enumerated
    all of the AD Computer objects and their objectSIDs, then have the
    script reach out to each of those computers individually and query for
    its SID (just ask for the administrator SID on each of the machines and
    chop off the RID at the end) and then produce your mapping.
    To easily display SIDs from AD, you could use my adfind utility, to dump
    all computer objects in a forest and their SIDs you would do something
    like
    adfind -gc -b "" -f objectcategory=computer objectSID
    If you pipe that output to a file, you could then use the adcsv (in the
    adfind zip file) script to take that output and put it into a CSV format
    for easier consumption by something else.
    joe
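    The SID anatomy joe lays out in his 6:05 PM message above (a scope prefix
    plus a RID, well-known SIDs such as S-1-5-32-544 and S-1-1-0, and the
    "strip off the -500" trick for recovering a machine SID) and the
    objectSID-to-machine-SID mapping script he sketches in this message,
    worked through in Python as an added example. This is not part of the
    thread and not joe's adfind/adcsv tooling: it decodes the standard binary
    layout AD uses for objectSID, and everything else (the domain SID, machine
    SIDs, computer names, the PsGetSid-style Administrator SIDs, and the
    function names `decode_object_sid`, `machine_sid_from_admin_sid`,
    `map_computers` and `duplicate_machine_sids`) is constructed sample data
    and naming of this example's own.

```python
# Added example (not from the thread): parse SIDs, decode AD objectSID bytes,
# and build the workstation-to-objectSID mapping joe describes.
import struct
from collections import defaultdict

# Well-known SIDs: identical on every machine (from joe's message).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "Interactive",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-546": "BUILTIN\\Guests",
}
# Well-known RIDs: the same value in every scope (machine or domain).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins"}
FIRST_ALLOCATED_RID = 1000  # the RID Master hands out RIDs from 1000 on


def decode_object_sid(raw: bytes) -> str:
    """Turn the binary objectSID layout into the familiar S-1-5-21-... string.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes identifier
    authority (big-endian), then count x 4-byte little-endian sub-authorities.
    """
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_object_sid; used here only to build sample data."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str) -> tuple:
    """Split 'S-x-x-...-y' into the scope (domain or machine SID) and RID y."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def machine_sid_from_admin_sid(admin_sid: str) -> str:
    """The RedButton trick: the built-in Administrator's SID minus its -500
    RID is the machine SID (or the domain SID when asked of a domain)."""
    prefix, rid = split_sid(admin_sid)
    if rid != 500:
        raise ValueError("expected the built-in Administrator SID (RID 500)")
    return prefix


def describe(sid: str) -> str:
    """Human-readable classification of a SID string."""
    if sid in WELL_KNOWN_SIDS:
        return "well-known SID: " + WELL_KNOWN_SIDS[sid]
    prefix, rid = split_sid(sid)
    if rid in WELL_KNOWN_RIDS:
        return "%s of scope %s (well-known RID %d)" % (WELL_KNOWN_RIDS[rid], prefix, rid)
    kind = "allocated" if rid >= FIRST_ALLOCATED_RID else "built-in/reserved"
    return "%s RID %d in scope %s" % (kind, rid, prefix)


def map_computers(object_sids: dict, admin_sids: dict) -> dict:
    """Join AD computer objectSIDs with each workstation's machine SID.

    object_sids: computer name -> raw objectSID bytes (as dumped from AD)
    admin_sids:  computer name -> that box's local Administrator SID
                 (what PsGetSid would return when asked on each machine)
    Returns computer name -> (AD objectSID string, machine SID string).
    """
    return {name: (decode_object_sid(raw), machine_sid_from_admin_sid(admin_sids[name]))
            for name, raw in object_sids.items()}


def duplicate_machine_sids(mapping: dict) -> dict:
    """Group computers by machine SID; more than one per SID means a clone."""
    by_sid = defaultdict(list)
    for name, (_, mach_sid) in mapping.items():
        by_sid[mach_sid].append(name)
    return {sid: sorted(names) for sid, names in by_sid.items() if len(names) > 1}


# --- Constructed sample data (not real SIDs) --------------------------------
DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"
GHOST_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # shared by clones
SAMPLE_OBJECT_SIDS = {
    "WS01": encode_sid(DOMAIN_SID + "-3391"),
    "WS02": encode_sid(DOMAIN_SID + "-3392"),
    "WS03": encode_sid(DOMAIN_SID + "-3393"),
}
SAMPLE_ADMIN_SIDS = {
    "WS01": GHOST_MACHINE_SID + "-500",
    "WS02": GHOST_MACHINE_SID + "-500",
    "WS03": "S-1-5-21-4000000001-4000000002-4000000003-500",
}

if __name__ == "__main__":
    mapping = map_computers(SAMPLE_OBJECT_SIDS, SAMPLE_ADMIN_SIDS)
    for name, (obj_sid, mach_sid) in mapping.items():
        print(name, obj_sid, mach_sid)
    print("cloned machine SIDs:", duplicate_machine_sids(mapping))
    print(describe("S-1-5-32-544"), "|", describe(DOMAIN_SID + "-512"))
```

    In the sample, WS01 and WS02 carry distinct AD objectSIDs (RIDs 3391 and
    3392, both above the RID Master's 1000 floor) yet share one machine SID,
    which is exactly the cloned-image situation the thread is about; the AD
    side cannot reveal that, so the per-machine Administrator SID has to be
    collected separately, as joe says.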
    -----Original Message-----
    From: ActiveDir-owner@mail.activedir.org
    [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Hanumara, Rao
    Sent: Thursday, July 21, 2005 9:58 AM
    To: ActiveDir@mail.activedir.org
    Subject: [ActiveDir] How to identify SIDs in AD?
    Hello,
    I am new to the list and also new to AD. We are running into a few problems
    with Ghost Image deployment. Is there any utility that can show SIDs on
    the Domain Controller? We have AD and DNS implemented on our DC. MS
    Administrative tools just show me members of AD, DNS Forward and
    Reverse lists. What I want to see is the SIDs of AD Computers/Users. Where
    are they stored and how do I see them? I really want a report that
    matches the Workstation SID with the AD SID of computers.
    Thanks in Advance,
    Rao/
