4

Wondering if anyone can shed some light on some SID confusion.

Currently having an issue with some policy applying to a few machines that were all based off the same image. One of our admins ran psgetsid [PC] on a few of those machines and it returned the same SID for all of them. However, when I run get-adcomputer [PC], PowerShell returns a different SID attribute for the same machines.

Confused as to why these are different.

soMuch2Learn

1 Answer

7

I think you need to read The Machine SID Duplication Myth:

http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

Machine SIDs and domain SIDs/RIDs are two different things, which is why you see two different things when you run a local tool on the machine, versus an Active Directory Powershell cmdlet. A couple of notes from the comments of that blog post that you should read:

Mark Russinovich: You're granting access to the computer's Domain SID, not its machine SID. Like users, computer accounts in a Domain have passwords, but the passwords are managed by the Domain.

Mark Russinovich: yes, with the exception that machine SIDs are used as the basis for Domain SIDs, machine SIDs could have been a constant.

Also, Mark's buddy Aaron wrote a nice complement piece on the distinction between local machine SIDs and domain SIDs:

http://blogs.msdn.com/b/aaron_margosis/archive/2009/11/05/machine-sids-and-domain-sids.aspx

Aaron Margosis: You can see the machine SID on your computer by running Sysinternals PsGetSid with no parameters. You can see the second SID on a domain-joined system by passing PsGetSid the computer name followed by a $: psgetsid %COMPUTERNAME%$

Ryan Ries
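The distinction the answer draws can be seen side by side on one host. The following PowerShell is an added example, not code from the question, the answer, or the linked blog posts. It assumes a domain-joined Windows machine where the logged-on user's domain (`$env:USERDOMAIN`) is the machine's domain, PowerShell 5.1 or later for `Get-LocalUser`, and the RSAT ActiveDirectory module for the optional `Get-ADComputer` cross-check. The function names are hypothetical.

```powershell
# Added example: show that the local machine SID and the AD computer-account SID
# are two different identifiers, which is what the original poster observed.

function Get-MachineSid {
    # The machine SID is the "domain" part of every local account SID.
    # The built-in Administrator always has RID 500, so strip that RID.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw "Could not locate the RID-500 local account" }
    return $admin.SID.AccountDomainSid.Value          # e.g. S-1-5-21-a-b-c
}

function Get-DomainComputerSid {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The computer account in AD is sAMAccountName "NAME$"; translate it.
    # Assumption: $env:USERDOMAIN is the domain the machine is joined to.
    $account = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\${ComputerName}$")
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Compare-MachineAndDomainSid {
    $machineSid = Get-MachineSid
    $domainSid  = Get-DomainComputerSid
    [pscustomobject]@{
        MachineSid       = $machineSid   # what psgetsid with no arguments shows
        DomainComputerSid = $domainSid   # what psgetsid COMPUTERNAME$ and Get-ADComputer show
        Identical        = ($machineSid -eq $domainSid)
    }
}

$result = Compare-MachineAndDomainSid
$result | Format-List

# Optional cross-check against AD, if the ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $adSid = (Get-ADComputer -Identity $env:COMPUTERNAME).SID.Value
    "Get-ADComputer SID matches translated computer-account SID: $($adSid -eq $result.DomainComputerSid)"
}
```

Two cloned machines will report the same `MachineSid` (the duplicated local SID from the image) but distinct `DomainComputerSid` values, because each computer account was created separately in AD. Group Policy scoping, group membership, and Kerberos all key off the domain SID, so when chasing the policy problem in the question it is the AD side, not the duplicated machine SID, that should be checked.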