On Thu, Nov 5, 2009 at 10:03 AM, David Lum <david....@nwea.org> wrote:
> We had problems with GPOs working unless NewSID was used.

Was the machine a domain member when you cloned it?

> Here's my understanding:

Here's mine... ;-)

> Each machine has its own SID

Correct. This is generated at install time, or if you run a SID scrambler like NEWSID. The "built-in" security principals, like "Administrator", are derived from the machine SID. (Specifically, by appending a well-known RID to the machine SID.)

> Each domain has a domain SID

Correct. Additionally, all Domain Controllers use that SID as their machine SID.

> Join machine to domain and the "machines domain SID" is MachineSID +
> DomainSID

Incorrect. There is no special "machine SID" associated with a domain. There *is* a machine trust account for each machine in the domain. Those accounts are assigned SIDs, just like users are. It is not derived from the machine SID. A machine trust account SID is indistinguishable from a regular user account's SID.

Here are some examples (sanitized) from our domain at %WORK%, where suppose our domain is "CORP" and my PC is "WS189".

\\WS189 = S-1-5-21-3000008-600007-80005
\\CORP = S-1-5-21-10000008-10000001-600003
\\CORP\BSCOTT = S-1-5-21-10000008-10000001-600003-1279
\\CORP\WS189$ = S-1-5-21-10000008-10000001-600003-1507

Note that domain controllers also have machine trust accounts in the domain:

\\DC1 = S-1-5-21-10000008-10000001-600003
\\DC2 = S-1-5-21-10000008-10000001-600003
\\CORP\DC1$ = S-1-5-21-10000008-10000001-600003-1006
\\CORP\DC2$ = S-1-5-21-10000008-10000001-600003-1466

- Ben
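An added example, not part of Ben's message or of any tool it mentions, that parses the sanitized SIDs he quotes and checks the relationships he describes: the domain SID is the DCs' machine SID, account SIDs (user or machine trust account alike) are the domain SID plus a RID, and the workstation's own machine SID is unrelated to the domain. The function names are my own.

```python
"""Parse Windows SIDs and check the machine/domain/account relationships."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "S-1-" + "-".join(str(n) for n in (self.authority, *self.subauthorities))

def parse_sid(text: str) -> Sid:
    """Split 'S-1-<authority>-<sub1>-...-<subN>' into its numeric parts."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {text!r}")
    return Sid(int(parts[2]), tuple(int(p) for p in parts[3:]))

def identifier(sid: Sid) -> Optional[Sid]:
    """Machine or domain identifier: authority 5, subauthority 21 plus three
    more; a trailing RID (a fifth subauthority) is dropped. None otherwise."""
    subs = sid.subauthorities
    if sid.authority != 5 or len(subs) not in (4, 5) or subs[0] != 21:
        return None
    return Sid(5, subs[:4])

def rid(sid: Sid) -> Optional[int]:
    """Relative identifier, present only when the SID names an account."""
    return sid.subauthorities[4] if len(sid.subauthorities) == 5 else None

def with_rid(base: Sid, relative_id: int) -> Sid:
    """Derive an account SID from a bare machine/domain SID (RID 500 = Administrator)."""
    if identifier(base) != base:
        raise ValueError("base must be a bare machine/domain SID")
    return Sid(base.authority, base.subauthorities + (relative_id,))

def issued_by(account: str, domain: str) -> bool:
    """True when `account` carries a RID and its prefix is exactly `domain`."""
    acct, dom = parse_sid(account), parse_sid(domain)
    return rid(acct) is not None and identifier(dom) == dom and identifier(acct) == dom

# Sanitized values quoted in the message.
CORP = "S-1-5-21-10000008-10000001-600003"       # domain SID; also DC1/DC2's machine SID
WS189_MACHINE = "S-1-5-21-3000008-600007-80005"  # the workstation's own machine SID
BSCOTT = CORP + "-1279"                          # a user account in CORP
WS189_ACCOUNT = CORP + "-1507"                   # the workstation's trust account in CORP
```

Note that `issued_by` cannot tell BSCOTT from WS189$ by structure alone, which is exactly the point about machine trust account SIDs being indistinguishable from user SIDs.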