My Manager has gone mad

All our workstations are reimaged using the same image (ghost) over and over again, the result is all computers has the same SID ID Security Identifier, there is a program called "NEWSID" that allows you to be able to create a new SID for the computer by removing it off the domain and renaming it.

Is there any other way to generate new SID for hundreds of computers without actually doing this intensive labor, going through the client computers one by one is a pain in the ass I'm pretty sure there is a different way.

PLEASE HELP ME!!!

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

jbaello

I'm thinking of combining Directory Service command line to actually rename the computer. But as far as generating a new SID without going through workstation one by one, it seems a pain in the ass.

sprkymrk

There is actually a lot that happens when you change a SID. One way to change the SID without any special tools is to join a workgroup, rename the computer, then rejoin the domain, so I'm not sure what this "tool" NEWSID actually does for you.

Two tools that I know of are ghostwalker and sysprep, one by Symantec and comes with Ghost, and the other by Microsoft. Sysprep is the prefferred way, but you should do it BEFORE you image the computer, not after. I've not tested what happens when you run either of those tools on a computer that has been in use for any length of time and already set up for a user.

jbaello

About 800 PC and 500 Laptop has already been setup, so using sysprep and ghostwalker is a little bit too late.

If Ghostwalker generating new SID is part of the imaging process then I would say it's a little bit too late, I have not used Ghostwalker yet.

I proposed and implemented WDS (Windows Deployment Services) with a combination of Sysprep, to avoid further issue with future setup/image.

Sad to say the Manager wants to run "Newsid" (You can get this off microsoft.com) on all the machine one by one on the existing 800 and 600 (rough approximate), since there is really no option to implement this on Computer Associate DSM or Microsoft GPM.

Layout:

800 Desktop 500 Laptop - Running Newsid will take 6 minutes each, not to say if the user are busy

Is there any other way? I could almost say that I'm positive that there is a way to accomplish this via Directory Services or Active Directory, I'm just not sure where to begin, please help.

jbaello

Joining them to a workgroup one by one will take serious time, unless it can be automated. NEWSID basically do the same exact thing you just mentioned here

it just kinda make it easier. I'm thinking of a script any script "GURU"

sprkymrk wrote:

There is actually a lot that happens when you change a SID. One way to change the SID without any special tools is to join a workgroup, rename the computer, then rejoin the domain, so I'm not sure what this "tool" NEWSID actually does for you.

Two tools that I know of are ghostwalker and sysprep, one by Symantec and comes with Ghost, and the other by Microsoft. Sysprep is the prefferred way, but you should do it BEFORE you image the computer, not after. I've not tested what happens when you run either of those tools on a computer that has been in use for any length of time and already set up for a user.

jbaello

http://forum.sysinternals.com/forum_posts.asp?TID=6973&PN=1

I just found this hmmm...

Any feedback comments please feel free

I will much appreciate it.

royal

Since NewSID requires admin credentials, you can't use a login script as login script runs excutables under the user's account. Runas won't let you use a password. There is one solution that I can think of. This would be to use a modified version of RunAs and run NewSID in a login script. This exe that works similarly to Runas is called TQrunas and can be found here.

Next time, do pilot testing before a huge rollout.

ilcram19

oh thats looks like a big problem, did anybody test the image before deplying, in think ill be faster if u drop new image on computer using sysprep and then make a unattended file that will name the computer and join it to domain, i had alot of issues wut the sid programs before its really not the same i woulnt recommend an sid generator, i would recomend take out the pc from domain the rejoin

ilcram19

by the way make sure u get a bootable harddrive with the images and ghost, cuz like u said user may be busy working on the computer so u gonna have to go one by one if u cant do it in a group

jbaello

The problem existed before I got in the company haha :P

I am not familiar with VBscript any good resources? I've done Visual Basic and C++ during my College Years.

sprkymrk

You don't need anything fancy like VB or C++, a simple batch file will work. Download newsid to your workstation. Then download another awesome sysinternals (now microsoft) utility called psexec (part of the pstools suite). For simplicity copy them both to a folder on your c: drive, like \tools or something. Then generate a list of computers in your domain using aduc or whatever method you prefer. Save it to the same directory and call it computers.txt or something. Make sure it has one computer name per line, like this:

workstation1
workstation2
workstation3
etc.

Now, either open a cmd prompt with runas or just log into your computer with domain admin rights (or whatever domain account has local admin rights on all your computers). Then change directory to c:\Tools and run the following command:

for /f %C in (Computers.txt) do psexec -c \\%C newsid /a

A couple of things to note:

1. If you can't run it by computer name because several computers already have the same name, then instead of a text file of computer names, use IP Addresses. If you want, you can even forego the text file and run the "for" command like this:

for /L %C in (10,1,254) do psexec -c \\192.168.1.%C newsid /a

This will copy and execute newsid to all workstations with ip addresses between 192.168.1.10-192.168.1.254. The numbers in the parenthesis are (start, step, end).

2. The computer will automatically reboot, so make sure you do it after hours.

3. If you run it as a batch file instead of interactively at the cmd prompt, use double "%" (as in %%) in front of your variable.

4. If you need to generate a new computer name at the same time you will need to add to this idea, maybe do it in two seperate steps.

royal

Nice solution Mark. I think both of our solutions would work, but I like yours better. I didn't know about Psexec. I can definitely see how handy it is though. Thanks!

sprkymrk

I think it could also be run as a computer startup script if he copied it the Windows directory on all the computers, but then you have to worry about it only running once, otherwise it will run, reboot for the newsid, and run again (in a loop) every time it comes up. So you would have to actually run a script that cecks for a file (if exist), creates a file if it doesn't exist and then runs newsid, or exit if the file exists. That way after the reboot it will see the file it created and skip running newsid again.

Your way works fine too royal. It's all a matter of what one is comfortable with. As I am only a few months away from my 40th birthday I confess I am finding myself more comfortable with "my" ways, whether they work the best or not.

Obviously a habit I am trying to recognize and avoid.

blargoe

If you're using WSUS, that will probably quit working too for the computers your manager imaged. There's a registry entry somewhere in hklm\software\microsoft\windows\windows update called accountdomainsid or something similar, that will probably be the same on all of the machines he imaged. This value is how WSUS keeps track of each of the update agents. Or it used to be in version 2. I guess it is still the same in version 3.

techgeek07

I had the same problem after I built a ghost server. It's been a while, but I want to say that running NewSID on start up, fixed the problem. Also, I believe there's a way to do it when they join the domain.

techgeek07

I apologize, it was sysprep that I used on start up.

sprkymrk

blargoe wrote:

If you're using WSUS, that will probably quit working too for the computers your manager imaged. There's a registry entry somewhere in hklm\software\microsoft\windows\windows update called accountdomainsid or something similar, that will probably be the same on all of the machines he imaged. This value is how WSUS keeps track of each of the update agents. Or it used to be in version 2. I guess it is still the same in version 3.

Run this batch file to fix:

net stop wuauserv
net stop winmgmt

SET WU_KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
reg delete %WU_KEY% /v SusClientID
reg delete %WU_KEY% /v AccountDomainSid
SET WU_KEY=

net start wuauserv
net start winmgmt
gpupdate
wuauclt /resetauthorization /detectnow

jbaello

Wow thanks a lot you guys you guys are soo helpful

A+++

Ahriakin

Was the image created before or after the workstation was added to the domain, I don't see how it would work at all if it was after but just making absolutely sure. AFAIR in a domain environment this doesn't have the impact you'd think, the clients are assigned new SIDs specific to the domain when they join it.

jbaello

Ahriakin wrote:

Was the image created before or after the workstation was added to the domain, I don't see how it would work at all if it was after but just making absolutely sure. AFAIR in a domain environment this doesn't have the impact you'd think, the clients are assigned new SIDs specific to the domain when they join it.

Hmmm, per Sys Admin they are saying that the Domain Controller is generating multiple error stating "Duplicate in SID" what is the process to view a computers SID in AD? maybe I can start matching it and see.

sprkymrk

jbaello wrote:

what is the process to view a computers SID in AD? maybe I can start matching it and see.

dsget computer ComputerDN ... -sid