Home / server / Questions / 629719
Accepted
soMuch2Learn
Asked: 2014-09-19 18:06:26 +0800 CST

SID in AD - SID from psgetsid?

  • 772

Wondering if anyone can shed some light on some SID confusion.

Currently having an issue with some policy applying to a few machines that were all based off the same image. One of our admins, ran psgetsid \[PC] on a few of those machines and returned all the same SID. However, when I run get-adcomputer [PC], powershell returns a different SID attribute for the same machines.

Confused as to why these are different.

active-directory

1 Answers

  1. Best Answer

    I think you need to read The Machine SID Duplication Myth:

    http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx

    Machine SIDs and domain SIDs/RIDs are two different things, which is why you see two different things when you run a local tool on the machine, versus an Active Directory Powershell cmdlet. A couple of notes from the comments of that blog post that you should read:

    Mark Russinovich: You're granting access to the computer's Domain SID, not its machine SID. Like users, computer accounts in a Domain have passwords, but the passwords are managed by the Domain.

    Mark Russinovich: yes, with the exception that machine SIDs are used as the basis for Domain SIDs, machine SIDs could have been a constant.

    Also, Mark's buddy Aaron wrote a nice complement piece on the distinction between local machine SIDs and domain SIDs:

    http://blogs.msdn.com/b/aaron_margosis/archive/2009/11/05/machine-sids-and-domain-sids.aspx

    Aaron Margosis: You can see the machine SID on your computer by running Sysinternals PsGetSid with no parameters. You can see the second SID on a domain-joined system by passing PsGetSid the computer name followed by a $: psgetsid %COMPUTERNAME%$

    • 7