NewSid Retired? Duplicate SIDs on Windows Computers... Do They Matter?

Mark Russinovich's NewSid Tool to Be Retired? What's Going On?

Ron Masters
Have you ever heard the story of a little girl who wandered into the kitchen while her mom was cooking? Observing her mother preparing a ham, she asks, "Why do you cut the end of the ham off, Mommy?"

"Because my mother did, sweetheart."

"Why did she do it?"

The mother looks puzzled. "I don't know. Let's find out."

A phone call later, they hear grandma say, "Because my mother did." So, another phone call is made - one more generation back - where the great-grandmother explains: "Cut off the end of the ham? I'll tell you why. Because the pan was too small!"

Deeply ingrained in the minds and souls of Microsoft Windows support professionals everywhere (myself included) is the long-standing notion that duplicate SIDs, or machine Security Identifiers, on Windows computers matter! Everyone knows that when there are duplicates, there are problems, right? I've been changing SIDs for years on cloned hard drives. It has to be right!

Duplicate SIDs matter! (Or do they?)

Mark Russinovich is no slouch when it comes to knowing the inside of Windows systems. His Sysinternals company was bought by Microsoft, but still he turns out some amazing utilities such as his very popular PSTOOLS. (I've even written two articles on his PSInfo program, Real World Windows Administration and PSInfo Part Two.) So, when this IT pro comes to his blog and makes a worldwide announcement that "Windows Machine SID Duplication is a Myth", well, that got my attention real fast. And I wasn't alone. Visiting Mark's blog reveals a lot of people bringing up very complex scenarios where they believe that duplicate SIDs cause trouble in networked environments. And a lot of them aren't too happy that Mark has decided to retire this omnipresent tool.

Why, I was even a bit hesitant to tell my boss about this. After all, I've been preaching the dangers of SID duplication for over a decade. Have I really been wrong all this time?

Before you just stop using NewSid...

Before you immediately stop running your NewSid changer utilities, make sure you understand all the ramifications. Domain Controllers can have issues if their SIDs are identical, and there is the possibility of problems with other third-party software that may have initially escaped notice. Mark explains in his blog that, "Windows never exposes a machine SID outside its computer, proving that it's okay to have systems with the same machine SID." Boy, it feels strange hearing that.

In my own experience, I've felt certain that there were times when changing the SID on a computer (be it Windows XP or Windows 2000) fixed the issue I was having. Sometimes the problem was related to SMS (Systems Management Server) not working or difficulty in getting a computer to become an SMS client. Other times, strange things would happen with Trend Micro's OfficeScan antivirus software. Yet another time it was with Windows Update Services (WSUS). And it seemed that running NewSid always ended up fixing the issue. Maybe. Maybe not.

Just relax... go slow

My recommendation: just relax for now. Changing Windows SIDs using a tool like NewSid has obviously not killed anyone. If you decide that Mark's right after looking over his blog and following along with all of his technical explanations, make sure you do some experimenting on your own. It's possible that the new line of operating systems like Windows 7 will not even flinch when it comes to duplicate SIDs, but if you're having to deal with legacy software and legacy operating systems (like NT 4), make sure that abandoning this long-adopted SID-changing process won't affect your systems in any way.

And while we're all trying to figure this out, let's splurge and get some ham sandwiches.

One thing's for sure, I think we're going to need a bigger pan.

Published by Ron Masters
