[Pc_Support] How to change the Windows XP SID via scripts, APIs, etc?
Bryan J. Smith
thebs413 at gmail.com
Wed Oct 18 15:12:13 EDT 2006
Greg Read wrote:
> NewSid
> http://www.sysinternals.com/Utilities/NewSid.html
Did you mean the utility? Or the information?
First off, the _information_ on that page is _good_. It lists where
the SID for the computer is at in the registry, as well as the "user
hives" and select other objects that have unique SIDs. But I don't
think people realize how _extensive_ the SIDs go. I don't think Sys
Internals goes far enough.
Secondly, I _briefly_ used the newsid utility in 1997-1998 IIRC (might
have been 1998-1999). It _trashed_ several systems of mine. It seems
to leave portions of the registry and NTFS untouched, and I think
that's the problem. Once Microsoft finally made its SysPrep available
in around 1999 (they announced it a full year before it was -- making
me look like an ass when I thought it was actually available when they
announced it, long story), it was much, much _safer_ to prep systems.
Lastly, the newsid utility does _not_ look like it can take a specific
SID as input -- which I believe the original poster is interested in.
In fact, the more I come to think of it, I think it's
_virtually_impossible_ to set a _specific_ SID -- because there are
just so many for _each_ computer. I.e., there are countless objects.
I used the PowerQuest DriveImage utility with its utility and, later
on, the Altiris utilities for deployment. I was never much of a
Symantec Ghost fan -- I'd rather have PowerQuest's products (now part
of Symantec) or pay for Altiris' solutions.
In other words, I don't think you can set specific SIDs for a
computer. There are just too many for too many objects. You should
only generate new ones.
-- Bryan
P.S. BTW, *NEVER*EVER* change SIDs on a Domain Controller. The Sys
Internals article talks about running it on BDCs**. It's always best
to install a system _clean_ instead of using a SID changer on anything
that will be a DC. Too many variables.
**NOTE: The master/slave(s) PDC/BDC (pre-ADS) and peer DCs (ADS) are
virtually the _same_ when it comes to the network-wide SAM aka
"controller" functionality. The BDCs just have a read-only copy,
whereas newer DCs are peer-replicating. They _both_ still have a copy
of the network-wide SAM, and I would _not_ recommend using a SID
changer on one, period. Install clean, _never_ clone.
If you want a "backup image" of your DCs, install the DCs under a VM
(and use snapshots/move off-line) instead of dorking with cloning.
That's what enterprises do (or should do), instead of trying to deal
with the design limitations (and flaws) of the SAM, its SIDs and its
corruptible nature with NTFS filesystems.
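Added example, not part of Bryan's post or of the Sysinternals tool: a PowerShell
inventory that counts how many objects on a host carry the local machine SID
(file ACLs, registry key ACLs, and profile entries under ProfileList). It makes
the "countless objects" point concrete, and the Get-MachineSid output can be
compared across hosts to confirm that a reimaged or cloned machine really did
get a fresh SID. It assumes a Windows host with PowerShell 5.1 or later and an
administrator session (not the XP-era tooling discussed above); the scan roots
and depth are assumptions, not anything the post specifies.

```powershell
# Added example (not from the mailing-list post): inventory objects that
# reference the local machine SID. Assumes Windows, PowerShell 5.1+, and an
# administrator session so ACLs can be read. Roots and depth are assumptions.
param(
    [string]$FileRoot = 'C:\Users',        # assumed: tree with per-user ACLs
    [string]$RegRoot  = 'HKLM:\SOFTWARE',  # assumed: registry subtree to sample
    [int]$MaxDepth    = 2                  # assumed: keep the walk short
)

# The machine SID is any local account's SID with its trailing RID removed.
function Get-MachineSid {
    $acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount='True'" |
            Select-Object -First 1
    if (-not $acct) { throw 'No local account found to derive the machine SID' }
    ([System.Security.Principal.SecurityIdentifier]$acct.SID).AccountDomainSid
}

# Return the SIDs in an ACL whose domain part is the machine SID.
# Well-known SIDs (SYSTEM, Everyone) have no domain part and are ignored;
# names that no longer resolve are skipped rather than guessed at.
function Get-MachineBoundAces {
    param($Acl, [System.Security.Principal.SecurityIdentifier]$MachineSid)
    foreach ($ace in $Acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch { continue }
        if ($sid.AccountDomainSid -and $sid.AccountDomainSid -eq $MachineSid) { $sid }
    }
}

# Count ACL-bearing items under a provider path that reference the machine SID.
function Measure-MachineSidRefs {
    param([string]$Root, [System.Security.Principal.SecurityIdentifier]$MachineSid)
    $objects = 0; $aces = 0
    Get-ChildItem -Path $Root -Recurse -Depth $MaxDepth -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $acl = Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($acl) {
            $hits = @(Get-MachineBoundAces -Acl $acl -MachineSid $MachineSid)
            if ($hits.Count -gt 0) { $objects++; $aces += $hits.Count }
        }
      }
    [PSCustomObject]@{ Root = $Root; ObjectsWithMachineSid = $objects; Aces = $aces }
}

function Invoke-SidInventory {
    $machine  = Get-MachineSid
    $files    = Measure-MachineSidRefs -Root $FileRoot -MachineSid $machine
    $registry = Measure-MachineSidRefs -Root $RegRoot  -MachineSid $machine
    # Local user profiles are keyed by full account SID under ProfileList.
    $profiles = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
                  Where-Object { $_.PSChildName -like "$($machine.Value)-*" })
    [PSCustomObject]@{
        MachineSid            = $machine.Value
        FileObjectsReferencing = $files.ObjectsWithMachineSid
        FileAces              = $files.Aces
        RegistryKeysReferencing = $registry.ObjectsWithMachineSid
        RegistryAces          = $registry.Aces
        LocalProfiles         = $profiles.Count
    }
}

Invoke-SidInventory | Format-List
```

Even at depth 2 under a couple of roots the counts run into the hundreds on an
ordinary workstation, and the walk is a sample, not the full set (SAM and
SECURITY hives, service ACLs, and NTFS trees outside the root are not
touched). That is the practical reason the post gives for generating new SIDs
rather than trying to set a chosen one, and for installing DCs clean instead
of running a SID changer on a clone.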