Recipe 2.24 Finding Duplicate SIDs in a Domain
2.24.1 Problem
You want to find any
duplicate SIDs in a domain. Generally,
you should never find duplicate SIDs in a domain, but it is possible
in some situations, such as when the relative identifier (RID) FSMO
role owner has to be seized or you are migrating users from Windows
NT domains.
2.24.2 Solution
2.24.2.1 Using a command-line interface
To find duplicate SIDs run the following command, replacing
<DomainControllerName> with a domain
controller or domain name:
> ntdsutil "sec acc man" "co to se <DomainControllerName>" "check dup sid" q q
The following message will be returned:
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
The dupsid.log file will be in
the directory where you started ntdsutil.
If you want to delete any objects that have duplicate SIDs, you can
use the following command:
> ntdsutil "sec acc man" "co to se <DomainControllerName>" "clean dup sid" q q
Like the check command, the clean command will generate a message
like the following upon completion:
Duplicate SID cleanup completed successfully. Check dupsid.log for any duplicates
2.24.3 Discussion
All security principals in Active Directory have a SID, which is used
to uniquely identify the object in the Windows security system. There
are two parts of a SID, the domain identifier and the RID. Domain
controllers are allocated a RID pool from the RID FSMO for the
domain. When a new security principal (user, group, or computer) is
created, the domain controller takes a RID from its pool to generate
a SID for the account.
In some rare circumstances, such as when the RID master role is
seized, overlapping RID pools can be allocated, which can ultimately
lead to duplicate SIDs. Having duplicate SIDs is a potentially
hazardous problem because a user, group, or computer could gain
access to sensitive data they were never intended to have access to.
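As an added illustration of the two checks this recipe describes, and not code from the book, the PowerShell below uses the ActiveDirectory module to report any objectSid held by more than one object in the domain and to flag domain controllers whose current RID allocation pools overlap. It assumes the RSAT ActiveDirectory module, read access to the domain, and that rIDAllocationPool packs the pool's first RID in the low 32 bits and its last RID in the high 32 bits; the function names are my own.

```powershell
# Added example: independent checks for duplicate SIDs and overlapping RID pools.
Import-Module ActiveDirectory

function Find-DuplicateSid {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    # Every security principal carries objectSid; the filter skips objects without one.
    $principals = Get-ADObject -Server $Server -LDAPFilter '(objectSid=*)' -Properties objectSid
    $principals |
        Group-Object { $_.objectSid.Value } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SID       = $_.Name
                DomainSid = $_.Group[0].objectSid.AccountDomainSid.Value
                RID       = [uint32]($_.Name.Split('-')[-1])   # last sub-authority is the RID
                Objects   = ($_.Group | Select-Object -ExpandProperty DistinguishedName) -join '; '
            }
        }
}

function Get-RidPoolOverlap {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    # Each DC keeps its current pool on the "RID Set" object under its computer account.
    # Assumption: low DWORD = first RID of the pool, high DWORD = last RID of the pool.
    $pools = @(Get-ADObject -Server $Server -SearchBase "OU=Domain Controllers,$domainDn" `
        -LDAPFilter '(objectClass=rIDSet)' -Properties rIDAllocationPool |
        ForEach-Object {
            $v = [int64]$_.rIDAllocationPool
            [pscustomobject]@{
                Dc    = $_.DistinguishedName
                Start = $v -band 0xFFFFFFFF
                End   = $v -shr 32
            }
        })
    # Two closed ranges overlap when each starts no later than the other ends.
    for ($i = 0; $i -lt $pools.Count; $i++) {
        for ($j = $i + 1; $j -lt $pools.Count; $j++) {
            $a = $pools[$i]; $b = $pools[$j]
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{ FirstDc = $a.Dc; FirstPool = "$($a.Start)-$($a.End)"
                                   SecondDc = $b.Dc; SecondPool = "$($b.Start)-$($b.End)" }
            }
        }
    }
}

Find-DuplicateSid | Format-Table -AutoSize
Get-RidPoolOverlap | Format-Table -AutoSize
```

An empty result from both functions is the expected healthy state; any row from Find-DuplicateSid is worth confirming against dupsid.log before running the clean command.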
2.24.4 See Also
MS KB 315062 (HOW TO: Find and Clean Up Duplicate
Security Identifiers with Ntdsutil in Windows 2000)