Updating Security Identifiers (SIDs) and computer names
SID changing limitations
SID changing is an approximate technology, as you can only change SIDs in known locations.
Problems arise because of the following factors:
■ A growing number of
■ Microsoft technologies such as Windows 2000/XP NTFS File Encryption, Windows NT, and Windows 2000/XP Protected Storage make use of SIDs as unique tokens. They use local workstation user SIDs as part of the encryption key that controls access to encrypted information. Microsoft does not address changing local workstation user SIDs.
For these reasons, you are strongly advised to test computer environments and the applications on them before mass rollouts or upgrades.
Loss of access to external data objects
Changing the SID of a workstation or a clone of a workstation that has been in use for some time may be more problematic than changing the SID of a newly installed workstation or a clone of a newly installed workstation. When a workstation user, as opposed to a domain user, creates data objects on computers that are accessed by a
When Ghost Walker updates the SID, it not only changes the computer SID, but also all of the workstation user and group SIDs. This is done because user and group SIDs are assumed to be based on the workstation's computer SID (which is now updated). This may mean that the security information on external computers no longer matches the new SIDs of the workstation users, which may result in a loss of access to those data objects.
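The following is an added example, not part of the original documentation or of Ghost Walker itself. It shows a pre-change audit: given access control entries exported from an external computer, it reports which ones reference local accounts of the workstation and will stop matching once the computer SID changes. All SIDs, paths, and function names are constructed for illustration, and the sketch assumes each local account keeps its relative ID (the last SID component) under the new computer SID.

```python
# Constructed values for illustration only; none come from a real system.
OLD_MACHINE_SID = "S-1-5-21-1000000001-1000000002-1000000003"
NEW_MACHINE_SID = "S-1-5-21-2000000001-2000000002-2000000003"
DOMAIN_SID = "S-1-5-21-3000000001-3000000002-3000000003"

# Constructed ACEs as exported from an external computer: (path, trustee SID).
SAMPLE_ACES = [
    (r"\\fileserver\share\reports", OLD_MACHINE_SID + "-1001"),  # local user
    (r"\\fileserver\share\reports", DOMAIN_SID + "-1104"),       # domain user
    (r"\\fileserver\share\tools", OLD_MACHINE_SID + "-1002"),    # local group
    (r"\\fileserver\share\tools", "S-1-5-32-544"),               # built-in group
]

def split_sid(sid):
    """Return (issuer_prefix, rid) for a SID string, checking its basic shape."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def is_local_account(sid, machine_sid):
    """True when sid is the computer SID followed by exactly one relative ID."""
    prefix, _ = split_sid(sid)
    return prefix == machine_sid

def remap(sid, new_machine):
    """SID the account carries after the change (assumption: the RID is kept)."""
    _, rid = split_sid(sid)
    return f"{new_machine}-{rid}"

def orphaned_aces(aces, old_machine, new_machine):
    """Return (path, old_sid, new_sid) for every ACE that will no longer match."""
    report = []
    for path, trustee in aces:
        # Domain and built-in SIDs are not derived from the computer SID,
        # so only trustees under the old computer SID are affected.
        if is_local_account(trustee, old_machine):
            report.append((path, trustee, remap(trustee, new_machine)))
    return report

if __name__ == "__main__":
    for path, old, new in orphaned_aces(SAMPLE_ACES, OLD_MACHINE_SID, NEW_MACHINE_SID):
        print(f"{path}: ACE for {old} will not match; account becomes {new}")
```

Entries reported here are the ones to re-grant on the external computer after the change; domain and built-in trustees are left out because their SIDs do not depend on the workstation's computer SID.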
Identical user names and passwords across workstations
If there are two workstations in a domain that have two users with the same user name and password, the domain gives each of them access to the other’s resources even if their SIDs are different. This is a fairly common situation following cloning.