Skip to main content

Does a Computer Object SID do anything?

By

This one through me for a loop in class.  While talking about what SYSPREP does to a client, one of the members of the class pointed me to a very interesting article.  I have always been taught that the SID of the computer account is what Windows looks at for assigning security access.  Well, take a minute to read this blog post from Mark Russinovich at Microsoft.

 

OK, let’s put this to the test.  I took a VM from class and created an image of it.  I then deployed this non syspreped image to another VM and started it up in the same environment as the original.  The original was logged off and I had no trouble logging in.  After taking snapshots of the new VM and the DC, I went ahead and renamed the VM to LON-CL3.  In AD Users and Computers, the account associated with the original was renamed.

 

OK, I reapplied the snap shots and brought both identical VMs online.  I was able to log in on both.  On the original, I’m renamed the client and allowed it to reboot. 

image

 

In the image below, you can see a client named LON-CL5.  This is my renamed original.  I was also able to successfully log in using the cloned that is still named LON-CL1.  At this point, security is obviously looking at the SID.

 

Group Policy Updates

I was able to update group policy on the client that was renamed, but the clone with the original name could not update its policy.

image

This points to something other than the SID being used.

 

Resetting the computer account still allowed both clones to log in.

 

I’m out on this one as to what the computer account SID is used for.  Keep an eye on Mark’s blog.  It has so far generate 18 pages of comments.

Labels:

Comments

Post a Comment

Popular posts from this blog

How to list all the AD LDS instances on a server

By
AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure: Log into the server in question Open a command prompt. Type dsdbutil and press Enter Type List Instances and press Enter . You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.
Post a Comment
Read more

How to run GPResult on a remote client with PowerShell

By
In the past, to run the GPResult command, you would need to either physically visit this client, have the user do it, or use and RDP connection.  In all cases, this will disrupt the user.  First, you need PowerShell remoting enabled on the target machine.  You can do this via Group Policy . Open PowerShell and type this command. Invoke-Command –ScriptBlock {GPResult /r} –ComputerName <ComputerName> Replace <ComputerName> with the name of the target.  Remember, the target needs to be online and accessible to you.
Post a Comment
Read more

Error icon when creating a GPO Preference drive map

By
You may not have an error at all.  Take a look at the drive mapping below. The red triangle is what threw us off.  It is not an error.  It is simply a color representation of the Replace option of the Action field in the properties of the drive mappings. Create action This give you a green triangle. The Create action creates a new mapped drive for users. Replace Action The Replace action gives you a red triangle.  This action will delete and recreate mapped drives for users. The net result of the Replace action is to overwrite all existing settings associated with the mapped drive. If the drive mapping does not exist, then the Replace action creates a new drive mapping. Update Action The Update action will have a yellow triangle. Update will modify settings of an existing mapped drive for users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the mapped drive. If the
1 comment
Read more