Mark Russinovich explains “the machine SID duplication myth”

This content is 15 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

One of my colleagues just flagged a blog post I’d been meaning to read when I have a little more time from Microsoft (ex-SysInternals) Technical Fellow Mark Russinovich in which he discusses “the machine SID duplication myth“. It seems that all of the effort we put into de-duplicating SIDs on Windows NT-based systems (NT, 2000, XP, 2003, Vista, 2008, 7 and 2008 R2) over the years was not really required…

To be honest, I don’t think anyone ever said it was required – just that having multiple machines with the same security identifier sounded like a problem waiting to happen and that generating unique SIDs was best practice.

The full post is worth a read but, in summary, the new best practice is:

“Microsoft’s official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation as an option. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep.”

As you were then…

2 thoughts on “Mark Russinovich explains “the machine SID duplication myth”

  1. I really don’t understand this. I have used multiple virtual machines that were based on the same vm. Did a machine rename, but they still had problems working together and joining a domain. Run NewSid on them and all problems go away. I tried this again last week and its still true.

  2. Hi Matt – I agree that duplicate SIDs sound dodgy; however Mark Russinovich knows a lot more about the way Windows works than I do! In your case, as the machines were all virtual, I’m wondering if there was something else that was being generated from the SID (e.g. the VM identifier, or a dynamic MAC address).

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.