Detailed description of Sid and newsid

Source: Internet
Author: User
Sid and newsid
The SID (Security Identifier) is a unique number that identifies user, group and computer accounts. When such an account is created for the first time, a unique SID is issued to it on the network. Windows 2000 internally refers to accounts by their SID rather than by the user or group name. If you create an account, delete it, and then create another account with the same user name, the new account will not have the rights or permissions granted to the previous one, because the two accounts have different SIDs. A security identifier is also called a Security ID or SID.

Role of Sid

After a user is authenticated, the logon process gives the user an access token, which is in effect the user's pass to system resources. When the user tries to access a system resource, the access token is presented to Windows NT, which then checks the access control list on the object being accessed. If the user is allowed to access the object, Windows NT grants the appropriate access permissions.

The access token is issued by the logon process when the user is authenticated. Therefore, to change a user's permissions, the user has to log off and log on again to obtain a new access token.

SID number

If two users have the same SID, the two accounts are treated as the same account. In principle a SID should never be generated twice; in general a SID is unique. It is derived from the computer name, the current time, and the total CPU time consumed by the current user-mode thread, which ensures its uniqueness.

A complete SID consists of:

• a security description for the user or group

• a 48-bit identifier authority

• a revision number

• a variable number of sub-authority values

Example: S-1-5-21-310440588-250036847-580389505-500

Let's analyze this SID. The first item, S, indicates that the string is a SID; the second item is the SID revision number, which for Windows 2000 is 1; then comes the identifier authority, which for accounts on Windows 2000 is NT Authority with the value 5. The rest is a series of sub-authorities: the first few identify the domain, and the last one identifies the account or group within the domain.
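The structure just described can be made concrete with a small parser. The following is an added example, not code from the original article: it splits a SID string into revision, identifier authority and sub-authorities, validates the field sizes (revision 1, a 48-bit authority, at most 15 sub-authorities of 32 bits each, which are the Windows limits), extracts the domain prefix and RID from S-1-5-21 style SIDs, and names the well-known SIDs and RIDs listed at the end of this article. The function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known RIDs and SIDs, taken from the table at the end of the article.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
}
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "CREATOR OWNER",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-552": "BUILTIN\\Replicator",
}

# S-<revision>-<authority>-<sub>[-<sub>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.identifier_authority,
                               "-".join(str(s) for s in self.sub_authorities))

    @property
    def is_nt_domain(self) -> bool:
        # S-1-5-21-X-Y-Z is a machine/domain SID (4 sub-authorities);
        # S-1-5-21-X-Y-Z-RID is an account or group inside it (5 sub-authorities).
        return (self.identifier_authority == 5 and self.sub_authorities[0] == 21
                and len(self.sub_authorities) in (4, 5))

    @property
    def domain_prefix(self) -> Optional[str]:
        if not self.is_nt_domain:
            return None
        return "S-%d-%d-%s" % (self.revision, self.identifier_authority,
                               "-".join(str(s) for s in self.sub_authorities[:4]))

    @property
    def rid(self) -> Optional[int]:
        if self.is_nt_domain and len(self.sub_authorities) == 5:
            return self.sub_authorities[4]
        return None


def parse_sid(text: str) -> Sid:
    """Parse and validate a textual SID; raises ValueError on malformed input."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("too many or too large sub-authority values")
    return Sid(revision, authority, subs)


def rid_hex(rid: int) -> str:
    # SAM registry key names spell the RID as an 8-digit hex number (000001F4 = 500).
    return "%08X" % rid


def classify_sid(text: str) -> Tuple[str, Optional[str]]:
    """Return (kind, name): kind is 'well-known', 'domain', 'account' or 'other'."""
    sid = parse_sid(text)
    canonical = str(sid)
    if canonical in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[canonical])
    if sid.is_nt_domain:
        if sid.rid is None:
            return ("domain", None)
        return ("account", WELL_KNOWN_RIDS.get(sid.rid))
    return ("other", None)


if __name__ == "__main__":
    for s in ("S-1-5-21-310440588-250036847-580389505-500", "S-1-5-32-544", "S-1-1-0"):
        print(s, parse_sid(s).domain_prefix, classify_sid(s))
```

Run against the article's example, the parser yields domain prefix S-1-5-21-310440588-250036847-580389505 and RID 500, i.e. the built-in Administrator; the RID alone is only meaningful together with the domain prefix, which is exactly why cloned machines sharing a prefix are a problem later in the article.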

Sid acquisition

Start > Run > regedt32, then open HKEY_LOCAL_MACHINE\SAM\Domains\Builtin\Aliases\Members and find the entry for the local machine.

Once the key is expanded, you get the list of SIDs of all local accounts.

Many of these values are fixed. For example, the first one, 000001F4 (hexadecimal), converts to 500 in decimal, which indicates the built-in Administrator account created by the system; 000001F5 converts to 501, the Guest account. See the list at the end of this article for details.

By default only SYSTEM has full control of this key, which is why a cmd shell running as SYSTEM is needed to read it; of course, if you have sufficient permissions, you can also add the account you want there.

Or use the reg tool from the Support Tools:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

There is also a way to obtain the correspondence between Sid and User Name:

1. Open regedt32 and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

2. The SID values are listed in the left pane; the right pane shows the profile path associated with each SID, which reveals the user name.

For example, %SystemDrive%\Documents and Settings\Administrator.MOMO corresponds to the Administrator SID of the local machine (MOMO here is the computer name), while %SystemDrive%\Documents and Settings\Administrator.DOMAIN is the administrator account of the corresponding domain.

In addition, Microsoft's Resource Kit provides the getsid tool, and the Sysinternals toolkit contains psgetsid. They work on the same principle, reading the registry value, and save some trouble.
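The SID-to-name mapping described in this section can be recovered from the output of the reg query command above. The following added example (not code from the article or from any Microsoft tool) parses a constructed sample of that output, keyed by the ProfileList subkey names, and splits each ProfileImagePath into the account name and the machine or domain suffix the article describes. The sample output and its SIDs are made up for the example; the output layout assumed is that of modern reg.exe, which may differ from the Windows 2000 Support Tools version.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `reg query ...\ProfileList` output (not from a real machine).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1000000001-1000000002-1000000003-500
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Administrator.MOMO
    Flags    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2000000001-2000000002-2000000003-500
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Administrator.DOMAIN
"""

# A subkey line ends with the SID; a value line names ProfileImagePath.
_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\ProfileList\\(S-1-[\d-]+)\s*$")
_VALUE_RE = re.compile(r"^\s+ProfileImagePath\s+REG_EXPAND_SZ\s+(.+?)\s*$")


def parse_profile_list(text: str) -> Dict[str, str]:
    """Map each SID subkey under ProfileList to its ProfileImagePath value."""
    profiles: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = _VALUE_RE.match(line)
        if value and current:
            profiles[current] = value.group(1)
    return profiles


def profile_account(path: str) -> Tuple[str, Optional[str]]:
    """Split a profile path into (account name, machine-or-domain suffix).

    Windows names a profile folder User.SUFFIX when a same-named profile already
    exists; the suffix is the computer or domain name, as the article describes.
    Account names that themselves contain a dot are not disambiguated here.
    """
    folder = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if "." in folder:
        name, suffix = folder.rsplit(".", 1)
        return name, suffix
    return folder, None


def sid_to_account(text: str) -> Dict[str, str]:
    """Convenience view: SID -> 'SUFFIX\\name' (or just the name when no suffix)."""
    result = {}
    for sid, path in parse_profile_list(text).items():
        name, suffix = profile_account(path)
        result[sid] = "%s\\%s" % (suffix, name) if suffix else name
    return result


if __name__ == "__main__":
    for sid, account in sid_to_account(SAMPLE_REG_OUTPUT).items():
        print(sid, "->", account)
```

On a real machine you would feed the captured command output into parse_profile_list instead of the constructed sample; the ProfileList key only lists accounts that have logged on at least once and so created a profile, which is a limitation of this method compared with reading the SAM directly.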

Generation of SID repetition

A unique SID is generated when an NT/2000 system is installed. However, when a machine is cloned with software such as Ghost, the same SID ends up on different machines, and a serious security problem arises.

Duplicate SIDs likewise cause many security issues on a peer-to-peer network. In a peer-to-peer network an account is identified by the machine SID plus a relative identifier (RID). If all workstations have the same SID, the first account created on each workstation is identical, which puts the security of your folders and files at risk.

For example, a user creates a share on his NTFS partition and grants access only to himself; but because the account on another machine has the same SID, a user on that machine can also access the share.
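The collision described above is easy to audit for once you have an inventory of machine and account SIDs. The following added example (not code from the article) takes a constructed inventory of "hostname account SID" lines, such as might be gathered from each workstation with a tool like psgetsid, groups hosts by their machine SID prefix, and lists the account SIDs that resolve to different people on different machines. The hostnames, account names and SIDs are all made up for the example; WS1 and WS2 represent two clones of one image.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory (hostname, account, SID); WS1 and WS2 share a machine SID.
INVENTORY = """\
WS1 Administrator S-1-5-21-1000000001-1000000002-1000000003-500
WS1 alice         S-1-5-21-1000000001-1000000002-1000000003-1000
WS2 Administrator S-1-5-21-1000000001-1000000002-1000000003-500
WS2 bob           S-1-5-21-1000000001-1000000002-1000000003-1000
WS3 Administrator S-1-5-21-2000000001-2000000002-2000000003-500
WS3 carol         S-1-5-21-2000000001-2000000002-2000000003-1000
"""

Record = Tuple[str, str, str]  # (host, account, sid)


def parse_inventory(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2]))
    return records


def machine_prefix(sid: str) -> str:
    # Strip the RID: S-1-5-21-X-Y-Z-RID -> S-1-5-21-X-Y-Z
    return sid.rsplit("-", 1)[0]


def duplicate_machine_sids(records: List[Record]) -> Dict[str, List[str]]:
    """Machine SID prefix -> sorted hosts, for prefixes seen on more than one host."""
    hosts_by_prefix: Dict[str, set] = defaultdict(set)
    for host, _account, sid in records:
        hosts_by_prefix[machine_prefix(sid)].add(host)
    return {p: sorted(h) for p, h in hosts_by_prefix.items() if len(h) > 1}


def colliding_accounts(records: List[Record]) -> Dict[str, List[Tuple[str, str]]]:
    """Account SID -> [(host, account)] where the same SID names accounts on several hosts.

    Any ACL entry granting such a SID on one host also grants the other hosts'
    accounts, which is the share-access problem the article describes.
    """
    owners: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for host, account, sid in records:
        owners[sid].append((host, account))
    return {sid: sorted(o) for sid, o in owners.items() if len({h for h, _ in o}) > 1}


if __name__ == "__main__":
    recs = parse_inventory(INVENTORY)
    for prefix, hosts in duplicate_machine_sids(recs).items():
        print("machine SID %s shared by %s" % (prefix, ", ".join(hosts)))
    for sid, owners in colliding_accounts(recs).items():
        print("%s resolves to %s" % (sid, owners))
```

In the sample, alice on WS1 and bob on WS2 both carry RID 1000 under the same machine prefix, so a share on WS1 restricted to alice's SID is equally open to bob; WS3, installed separately, collides with nobody. The same grouping works for domain-joined machines, where a shared machine SID shows up as a shared S-1-5-21 prefix even though the domain accounts themselves differ.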

Resolution of SID repetition problem

The following tests are highly risky; use them with caution. I have already paid a terrible price!

Microsoft provides a tool in the Resource Kit called sysprep, which can be used to generate a new SID before cloning a workstation.

Its parameters are as follows:

This tool cannot be run on a DC; otherwise it will display a prompt.

However, this tool does not generate new SIDs for all accounts. It only targets the two main accounts, Administrator and Guest; other accounts keep their original SIDs.

The following test first obtains the SID of the current account:

S-1-5-21-2000478354-688789844-839522115

Running sysprep brings up a prompt window:

Confirm that you will restart later. The setup program then needs to reset the computer name and the administrator password, but you still have to enter the original account's password when logging on.

After entering Windows 2000 again, query the SID and you get:

S-1-5-21-759461550-145307086-515799519. The SID has changed, and querying the registry shows that it has been modified as well; of course, everything has been modified.

In addition, Sysinternals provides a similar tool, ntsid, which I later found out is a product for NT4. Its interface is as follows:

It gives no warning that it is unusable on a DC and simply starts working. As a result, one of my DCs crashed. After the restart, the system prompted: "Security Account Manager initialization failed, the value provided to the identification code authority is invalid. The error status is 0xc0000084. Please press OK and restart to the Directory Service Restoration mode...".

Even after switching to Directory Services Restore Mode, it could no longer be entered!

Looking back, I was far too bold. Fortunately it was only an additional DC, but this machine cost me half a day reinstalling the system and N days reinstalling software. So let me remind you again: be careful when doing the tests above. It is best to test on a machine that does not matter; otherwise I take no responsibility for any problems. In addition, the new version of Ghost Enterprise Edition has added a SID-changing function to its console. I have not tried it yet; if you are interested, try it yourself, but in principle it should work the same way.

Before this article was published, I found a tool called riprep provided by Microsoft. It is mainly used for Remote Installation and supports installing applications at the same time. After installing a standard corporate desktop operating system and configuring applications and desktop settings, the administrator can use riprep to create an image file from that standard desktop system. The image not only includes the custom application software but also removes the security ID and computer account unique to each desktop system. The administrator can place it on the Remote Installation server for clients to choose from when they boot remotely. Note, however, that this tool can only be used on a machine with a single hard disk and a single partition running the Professional edition.

The following is a list of the RID values at the end of the SID, with the hexadecimal value in parentheses:

Built-in users

DOMAINNAME\Administrator  S-1-5-21-917267712-1342860078-1792151419-500 (= 0x1f4)

DOMAINNAME\Guest  S-1-5-21-917267712-1342860078-1792151419-501 (= 0x1f5)

Built-in global groups

DOMAINNAME\Domain Admins  S-1-5-21-917267712-1342860078-1792151419-512 (= 0x200)

DOMAINNAME\Domain Users  S-1-5-21-917267712-1342860078-1792151419-513 (= 0x201)

DOMAINNAME\Domain Guests  S-1-5-21-917267712-1342860078-1792151419-514 (= 0x202)

Built-in local groups

BUILTIN\Administrators  S-1-5-32-544 (= 0x220)

BUILTIN\Users  S-1-5-32-545 (= 0x221)

BUILTIN\Guests  S-1-5-32-546 (= 0x222)

BUILTIN\Account Operators  S-1-5-32-548 (= 0x224)

BUILTIN\Server Operators  S-1-5-32-549 (= 0x225)

BUILTIN\Print Operators  S-1-5-32-550 (= 0x226)

BUILTIN\Backup Operators  S-1-5-32-551 (= 0x227)

BUILTIN\Replicator  S-1-5-32-552 (= 0x228)

Special groups

\CREATOR OWNER  S-1-3-0

\Everyone  S-1-1-0

NT AUTHORITY\NETWORK  S-1-5-2

NT AUTHORITY\INTERACTIVE  S-1-5-4

NT AUTHORITY\SYSTEM  S-1-5-18

NT AUTHORITY\Authenticated Users  S-1-5-11

NewSID, as its name implies, regenerates a new SID for the computer. Why would we need a new SID? If you install systems in batches from a Ghost image, their SIDs are necessarily identical. Identical computer SIDs on the internal network can cause many conflicts, make access to the domain very problematic, and can even prevent clients from joining the domain. What a SID is has been explained in detail above.

Since the Windows installation CD already provides sysprep, why should we use NewSID?

1. Anyone who has used sysprep knows that if the system is re-sealed with sysprep, we are asked to re-enter the product key and re-add users after the restart. In many cases enterprises do not want employees to obtain the product key, and completing the setup tasks may cause unnecessary trouble for non-IT employees.

2. For this pressing need, NewSID is a perfect solution. It offers three ways to regenerate the SID: A. generate one randomly, B. copy one from another computer, C. enter one manually. These three methods meet the needs of most users. We can also choose whether to rename the computer at the same time, and whether to restart the computer automatically once the SID change is complete.

3. After the computer restarts, we are not asked to re-enter the product key or re-add users, which avoids unnecessary trouble.

Conclusion: NewSID is a cool tool. You should keep it in your toolbox for future use.
