
Ghostwalk or NewSID after joining domain?

Status
Not open for further replies.

cajuntank (IS-IT--Management, US)
May 20, 2003
Ok, here's the deal, I have inherited a K-12 network that uses Ghost for imaging. Well, what the techs and previous manager failed to do was run Ghostwalk or NewSID to change the PCs' SID before joining the Windows domain. The techs started complaining of problems (go figure) with all of a sudden losing communication from the PC to the server; disjoining and rejoining seems to fix it for a while. So the question of the day is, I have about 400 PCs that have been added to the domain already, can I run either Ghostwalk or NewSID on those currently, or for this to really work, do I need to disjoin first?

I have other school sites that luckily have not been joined yet but were imaged and Ghostwalk/NewSID never run (still on Novell at those sites).

Can I perform this task automatically through some login script?

Any help would be appreciated.
 
I don't think you will be able to reset the SIDs on the machines while they are joined to the domain without having to rejoin them afterwards. What you could do is reset the machine accounts, don't delete them. Then, after resetting the SIDs and joining the machines back to the domain, they will at least be in the same OU within Active Directory. That will save you some time.

For the machines not on the domain; you mentioned they are still on Novell at those sites, you should be able to push a script or use a login script to reset the SIDs. I am not sure if you will have problems or not with the Novell network and pushing the script. My Novell skills are extremely rusty; the last time I used Novell was when "cloning" was still a pipe dream. If you can access the machines via IP and UNC, you should be able to run psexec to execute your script on the remote machines.

In either case, I would write the script to copy all necessary files to the local system then execute the local files.

I hope that helps.

-Joe
 
Hmm... I had a similar concern before joining our machines to the domain. Check this out: might not be a problem with a domain, only a workgroup.

"What's the real problem anyway?

The issue of duplicate SIDs is not a problem at all in a Domain-based NT network because domain accounts have SIDs based on the Domain SID. For most networks where security is an issue, a domain based configuration is standard. However, in a Workgroup environment security is based on local account SIDs. This means that if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources that one user has access to, the other will also have access to. So if security is a concern and you are in a workgroup environment, duplicate SIDs will cause you concern.

Duplicate SIDs can also cause problems for removable media formatted with NTFS when local account security attributes are applied to files and/or directories. If this removable media is moved to a different computer that has the same SID, the local accounts that otherwise would not be able to access the files might be able to (if the account IDs happened to match those in the security attributes)."


I know, personally, that we have a lot of duplicate SIDs out there. My predecessor didn't use Ghostwalker or sysprep. I use sysprep now, but my guess is there are at least 40 machines out there with duplicate machine SIDs. We haven't had any issues like you described.
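The quoted text above explains why duplicate machine SIDs matter: every local account SID is the machine SID (S-1-5-21-A-B-C) plus a RID, so two cloned machines that share a machine SID also share every local account SID, and an NTFS ACL written on one will be honoured on the other. Before deciding whether to disjoin and re-SID 400 PCs (Joe's procedure earlier in the thread), a practitioner would first want to know how many machines actually collide. The following audit script is an added example, not code from the thread or from any of the tools it mentions; the inventory it parses is constructed, and in practice you would collect each host's Administrator SID yourself (for instance with Sysinternals PsGetSid) and feed those values in.

```python
import re
from collections import defaultdict

# Constructed sample inventory: (hostname, SID of that host's built-in Administrator
# account). These values are made up for the example; collect real ones per host.
INVENTORY = [
    ("LAB1-PC01",  "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("LAB1-PC02",  "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("LAB1-PC03",  "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("OFFICE-PC1", "S-1-5-21-4444444444-5555555555-6666666666-500"),
    ("LIB-PC1",    "S-1-5-21-7777777777-8888888888-9999999999-500"),
    ("LIB-PC2",    "S-1-5-21-7777777777-8888888888-9999999999-500"),
]

# Local account SIDs have the form S-1-5-21-A-B-C-RID: the first part is the
# machine SID, the trailing RID identifies the account on that machine.
LOCAL_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_local_sid(sid):
    """Return (machine_sid, rid) for an account SID of the S-1-5-21 form.

    Raises ValueError for anything else (well-known SIDs such as S-1-5-18,
    malformed strings). The format alone cannot tell a local account SID from
    a domain account SID, so the inventory must contain local account SIDs.
    """
    m = LOCAL_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an S-1-5-21 account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def find_duplicate_machine_sids(inventory):
    """Group hosts by machine SID and return only the SIDs shared by 2+ hosts."""
    groups = defaultdict(list)
    for host, account_sid in inventory:
        machine_sid, _ = split_local_sid(account_sid)
        groups[machine_sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in groups.items() if len(hosts) > 1}


def hosts_matching_ace(inventory, ace_sid):
    """Given a SID found in an ACL (say on removable NTFS media), return every
    host whose machine SID matches, i.e. every host on which a local account
    with that RID would carry exactly the same SID. With duplicate machine
    SIDs this is more than one host, which is the problem the quote describes."""
    machine_sid, _ = split_local_sid(ace_sid)
    return sorted(host for host, acct in inventory
                  if split_local_sid(acct)[0] == machine_sid)


def report(inventory):
    """Human-readable summary, returned as a list of lines."""
    dupes = find_duplicate_machine_sids(inventory)
    lines = [f"{len(inventory)} hosts inventoried, {len(dupes)} machine SID(s) duplicated"]
    for sid, hosts in sorted(dupes.items()):
        lines.append(f"  {sid}: {', '.join(hosts)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
    # An ACE granting RID 1001 on a volume formatted on LAB1-PC01 would match the
    # RID-1001 local account on every other host with the same machine SID.
    ace = "S-1-5-21-1111111111-2222222222-3333333333-1001"
    print(f"Hosts where a local RID-1001 account equals {ace}:",
          hosts_matching_ace(INVENTORY, ace))
```

The output groups the hosts that need re-SIDing, so the disjoin/NewSID/rejoin work can be scoped to the colliding groups rather than the whole fleet; a host whose machine SID is unique does not appear in the report.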
 
We have the sysprep run and pull the image from the NIC card. That way no one forgets to run any type of SID changing application.
Changing the SID while they are joined to the domain will cause an issue. You would need to remove them from the domain and then run sysprep.
 
Jcasetnl is correct - NewSID will change the workstation SID not the "domain" SID. Yes, you can run NewSID while a system is joined to the domain...I've done it tons of times with no issues.
 