Program to document the value of the local SAM account database SID prefix on all computers in the
domain, except Domain Controllers. Domain Controllers do not have a local SAM account database, but
member servers and workstations do. This is not the same as the value of the objectSID attribute of
the computer object in Active Directory.
This program can be used to find duplicate computer SID prefix values. Duplicates can result when
computers are cloned from the same image without running a utility (such as sysprep.exe) to modify
the SID.
The program first uses ADO to retrieve the names of all Domain Controllers in the domain. The names
are saved in a dictionary object so they can be skipped later. Then the program uses ADO to retrieve
the sAMAccountName of all computers in the domain. The NetBIOS name of each computer is the value of
the sAMAccountName attribute with the trailing "$" character removed. If the computer is
not a Domain Controller, the program pings the computer to see if it is available. If the computer
is available, the program binds to the local Administrator user on the computer and retrieves the value
of the objectSID attribute of this user. This attribute is a byte array. The program converts the byte
array to a hex string and then to a decimal format. Every user in the local SAM account database has
an objectSID in the following decimal format:
S-1-5-21-<sub authority>-<sub authority>-<sub authority>-<rid>
The "S-1" part refers to this being a version 1 Security Identifier. The "5" identifies the
top-level identifier authority as SECURITY_NT_AUTHORITY. All Windows SIDs begin with "S-1-5". The
first sub-authority is "21", which is SECURITY_NT_NON_UNIQUE. This means that the value of the SID is
made unique by the addition of the RID value (the last part of the decimal format). The next three
sub-authorities are 32-bit random numbers that uniquely identify the computer. The final part of the
SID is the Relative Identifier (RID) of the object. The local Administrator user on all computers has
the same well-known RID, "500".
The program strips off the trailing "-500" from the decimal format SID of the local
Administrator user. The result is referred to as the SID prefix of the local computer. It is
recommended that this SID prefix value be unique in the domain. A typical local computer SID
prefix value could be:
S-1-5-21-527237640-484763769-1060284398
This is different from the value of the objectSID attribute of the corresponding computer object in
Active Directory.
Each local user account is assigned an objectSID consisting of the local computer SID prefix value
with a RID value appended. The local SAM account database ensures that RID values are unique in the
computer. Different computers, however, will assign the same RID values. If the local computer SID
prefix is unique in the domain, then the objectSID value is guaranteed to also be unique in the
domain.
If the local computer SID prefix values are not unique, then local user accounts on two different
computers can have the same objectSID. For example, the local Administrator user, which always has
the same well-known RID value of 500, will have the same objectSID value on two different computers
if the local computer SID prefix is the same. Permissions granted to one of these users will apply
to the other by mistake.
This confusion can only be avoided if the local computer SID prefix values are unique. This program
outputs all unique local computer SID prefix values with the computers that have the values. If more
than one computer name is listed with any SID prefix value, you have a duplicate that should be
addressed. For example, the output from this program could be similar (in part) to:
S-1-5-21-527237640-484763769-1060284398: MINNESOTA
S-1-5-21-1715567921-1580436567-1708537868: OREGON,UTAH
S-1-5-21-291656456-4165924420-1670584751: IDAHO
This indicates that computers Oregon and Utah have the same local computer SID prefix value. This can
happen if both computers were imaged from the same image file without using a utility (such as
sysprep.exe) to ensure they each had a unique SID. This situation should be corrected.
This program must connect to every workstation and member server in the domain. This can take a long
time if the network is large, especially if there are slow links. The program outputs a message if
any computers cannot be contacted.
Program file: ComputerSIDs.txt