Aug 16, 2005

Local computer SID, domain SID, and their implications

  • Any computer that is not a DC has a local computer SID
  • A DC doesn't have a local computer SID (or, viewed another way, a DC has a computer SID that is the same as the domain SID)
  • Builtin users/groups have well-known SIDs that are identical in all environments
  • All other local user SID = local computer SID + local RID
  • All other domain user/computer account SID = domain SID + domain RID
  • When you grant permissions to a local account, authorization is checked based on user name/password; it will never check the SID.

    What this means is that if you assign permissions on a shared folder to user1 on computer1, and computer2 happens to have a user with the same name and password, then user1 on computer2 will have access to the shared folder on computer1, which may not be desirable.
  • When you grant permissions to a domain account, authorization is checked based on the domain account SID. This means that even if a user from a different domain, or from a local SAM, has the same user name and password, that user still cannot access a resource they are not supposed to have permissions on, because their SID is different from the one listed.

    Another implication is that, as a domain user, once you are granted some kind of permission, you won't lose it even if you change your name/password.

         There are a few SID-related tools; they come from either the Support Tools or the Resource Kit.
          - getsid \\server1 account \\server2 account
             Getsid was designed to compare the SIDs of two accounts, so it requires two parameters: a source account and a target account. This is annoying when you simply want to know one account's SID, because you have to list the same account twice. You can put a domain name in place of server1 and server2.

          When querying for a computer's SID, keep in mind that a computer account has a $ sign at the end.

          Example: get the SID for your computer:
          getsid \\DomainName computerName$ \\DomainName computerName$

          - sid2name SID [optional server name]

          - There used to be a well-known utility called NewSID, made by SysInternals (later bought by MS). This was the main tool back in the age when we used cloning software (such as Ghost) to deploy images. As you can imagine, a cloned image has the same SID (for the computer account) and therefore causes problems if the clones and the original are put on the same network in the same domain. NewSID will change the clone's SID for you. It is no longer supported and MS has retired the tool. Nevertheless, if you can find a copy of the tool, it's still very helpful at times.
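
The "computer SID + RID" rule and the cloned-image problem above can be checked together. This is an added example, not code from the original post: it splits SID strings into issuer SID and RID and reports computer SIDs shared by more than one host. The host names and SID values are constructed, and the input is assumed to hold only local SAM accounts from non-DC computers.

```python
from collections import defaultdict

ISSUED_PREFIX = "S-1-5-21"  # SIDs issued by a computer's SAM or by a domain


def split_sid(sid):
    """Return (issuer_sid, rid), or (None, None) for a well-known SID."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    # S-1-5-21-<a>-<b>-<c>-<rid>: a, b, c identify the computer or domain,
    # and the last value is the RID of the account.
    if "-".join(parts[:4]) == ISSUED_PREFIX and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return None, None  # e.g. S-1-5-32-544, identical in every environment


def shared_computer_sids(local_accounts):
    """Map each computer SID seen on more than one host to those hosts.

    local_accounts: iterable of (host, account_name, sid) taken from each
    host's local SAM (assumption: no domain accounts, no DCs in the input).
    """
    hosts_by_issuer = defaultdict(set)
    for host, _name, sid in local_accounts:
        issuer, _rid = split_sid(sid)
        if issuer is not None:
            hosts_by_issuer[issuer].add(host)
    return {i: sorted(h) for i, h in hosts_by_issuer.items() if len(h) > 1}


# Constructed sample inventory: PC-B was cloned from PC-A without a SID change.
SAMPLE = [
    ("PC-A", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("PC-A", "Administrators", "S-1-5-32-544"),
    ("PC-B", "Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("PC-B", "user1", "S-1-5-21-1004336348-1177238915-682003330-1001"),
    ("PC-C", "Administrator", "S-1-5-21-2000478354-688789844-1708537768-500"),
]

if __name__ == "__main__":
    for issuer, hosts in shared_computer_sids(SAMPLE).items():
        print(issuer, "is shared by", ", ".join(hosts))
```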