Source: Pacific Computer Network

Preface

SID stands for Security Identifier. It is the unique number that identifies a user, group or computer account. When an account is first created, a unique SID is issued to it on the network. Internal processes in Windows 2000 refer to an account by its SID rather than by its user or group name. If you create an account, delete it, and then create another account with the same user name, the new account does not receive the permissions that were granted to the previous one, because it has a different SID. The security identifier is also called a security ID or simply SID.

Once the SID has been established, the logon process gives the user an access token. The token is the user's ticket for accessing system resources. When the user tries to access a resource, the access token is presented to Windows NT, which checks it against the access control list on the object. If the user is allowed to access the object, Windows NT grants the appropriate access. Because the access token is issued by the logon process at authentication time, changing a user's permissions requires logging out and logging back in so that a fresh token is obtained.

The composition of a SID

If two users had the same SID, the two accounts would be treated as the same account. Nothing strictly prevents an identical SID from being produced, but under normal circumstances a SID is unique: it is derived from the computer name, the current time and the state of the current user-mode thread, which is what guarantees its uniqueness.

A complete SID consists of:
• the security description for the user or group
• a 48-bit identifier authority
• a revision number
• a variable number of sub-authority values

Example: S-1-5-21-31047-580389505-500. Let's analyze this SID. The leading S indicates that this is a SID. The second item is the revision number of the SID, which is 1 for Windows 2000. The third item is the identifier authority; for Windows 2000 accounts the authority is NT, with the value 5. The remaining items are a series of sub-authorities: the earlier ones identify the domain (or machine), and the last one identifies the account or group within that domain.

Obtaining the SID

Start → Run → Regedt32, then open HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members and find the key for the local domain; under it is the list of all SIDs of the local accounts. Many of them are fixed. For example the first, 000001F4 (hexadecimal), converts to decimal 500, which is the system's built-in administrator account Administrator; 000001F5 converts to decimal 501, which is the Guest account. Detailed references are given later. By default this key grants full control only to SYSTEM, which is why one needs a cmd shell running as SYSTEM to read it; with sufficient permissions, accounts can of course also be added there.
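The fields described above can be checked programmatically. The following Python is an added example, not code from the original article: it parses the article's example SID both as a string and in the binary layout the registry stores, converts the hexadecimal SAM key names (000001F4, 000001F5) to RIDs, and compares the machine part of two SIDs, which is the check behind the cloned-machine duplication problem discussed later. The binary sample is constructed here; the registry and field layout (revision, count, big-endian authority, little-endian sub-authorities) are the standard NT format.

```python
import struct

# Well-known RIDs named in the article: 500 = built-in Administrator, 501 = Guest.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Constructed binary form of the article's example SID S-1-5-21-31047-580389505-500,
# in the layout the registry stores (decoded by parse_sid_binary below).
SAMPLE_SID_BINARY = (
    b"\x01\x04"                  # revision 1, four sub-authorities follow
    b"\x00\x00\x00\x00\x00\x05"  # 48-bit identifier authority 5 (NT), big-endian
    b"\x15\x00\x00\x00"          # 21, little-endian
    b"\x47\x79\x00\x00"          # 31047
    b"\x81\x0a\x98\x22"          # 580389505
    b"\xf4\x01\x00\x00"          # RID 500
)

def parse_sid_string(sid):
    """Split a textual SID into revision, identifier authority and sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return {"revision": int(parts[1]), "authority": int(parts[2]),
            "sub_authorities": [int(p) for p in parts[3:]]}

def parse_sid_binary(data):
    """Byte 0 revision, byte 1 sub-authority count, bytes 2-7 authority (big-endian),
    then `count` little-endian DWORD sub-authorities."""
    if len(data) < 8 or len(data) != 8 + 4 * data[1]:
        raise ValueError("malformed binary SID")
    return {"revision": data[0], "authority": int.from_bytes(data[2:8], "big"),
            "sub_authorities": list(struct.unpack("<%dI" % data[1], data[8:]))}

def sid_to_string(sid):
    return "S-%d-%d" % (sid["revision"], sid["authority"]) + "".join(
        "-%d" % s for s in sid["sub_authorities"])

def rid_from_sam_key(name):
    """SAM user keys are named by the RID in hexadecimal: 000001F4 -> 500."""
    return int(name, 16)

def describe_account(sid):
    """The last sub-authority is the RID naming the account inside the domain."""
    rid = sid["sub_authorities"][-1]
    return WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)

def same_machine_sid(a, b):
    """True when two account SIDs were issued by the same machine/domain SID, which is
    what happens on Ghost-cloned workstations: equal account SIDs then mean one account."""
    return a["sub_authorities"][:-1] == b["sub_authorities"][:-1]
```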
Another way to obtain the correspondence between SIDs and user names:

1. In Regedt32 open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
2. The SID values now appear in the left-hand pane, and the right-hand pane shows the user name belonging to each SID, for example %SystemDrive%\Documents and Settings\administrator.momo, which is the local machine's Administrator SID, and %SystemDrive%\Documents and Settings\administrator.domain, which is the corresponding domain Administrator account.

Alternatively, use the Reg tool from the Support Tools: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

In addition, Microsoft's Resource Kit provides the tool Getsid, and Sysinternals provides PsGetSid; in practice both simply read these registry values, which saves a little work.

The SID duplication problem

A unique SID is created when NT/2000 is installed, but when machines are cloned with software such as Ghost, different machines end up using the same SID. This is a very serious security issue. Likewise, duplicated SIDs cause many security problems in a peer-to-peer network. In a peer-to-peer network the basis of an account is the SID plus a relative identifier (RID); if every workstation has the same SID, the first account created on each workstation is identical, so the folder and file security the user relies on carries a hidden danger. For example, someone creates a share on their own NTFS partition and grants access only to themselves, but in fact a user on another machine with the same SID number can also access that share.

Solving the SID duplication problem

The following tests carry high risk; proceed with caution, I have paid a painful price! Microsoft provides a tool in the Resource Kit called Sysprep, which can be used to generate a new SID number on a cloned workstation. The picture below shows its parameters. This tool cannot be run on a DC.

In addition, this tool does not generate new SIDs for all accounts, but only for the two main accounts, Administrator and Guest; the other accounts still use the original SID. Let's do a test. First get the current account SID: S-1-5-21-2000478354-68878984-839522115. Then run Sysprep, and the following window appears. Confirm that a restart is needed; the installer then requires the computer name, administrator password and so on to be reset, but when you log in you still need to enter the original account's password. After entering 2000, query the SID again and get: S-1-5-21-759461550-145307086-51550-145307086-51550-145307086-515799519. The SID number has been changed, and querying the registry shows that all entries there have been modified too, as expected.

Sysinternals also provides a similar tool, NTSID. I later found that it is a product for NT4. Its interface is as follows. It gives no warning that it cannot be used on a DC; I started it and it crashed the DC. After the restart it prompted "Security Account Manager initialization failed because the value provided for the identifier authority is an invalid value, error status 0xc0000084. Press OK to restart into Directory Services Restore Mode...", and even after switching to Directory Services Restore Mode I could not recover it! Fortunately it was only an additional DC, but because that machine was in use, it cost half a day reinstalling the system and N days reinstalling software. So I remind everyone: be cautious when doing the tests above. It is best to test on an unimportant machine, otherwise I am not responsible for the problem.

In addition, the console in the newer version of Ghost has added a function for modifying the SID. I have not tried it; interested friends can experiment with it, but the principle should be the same.

Before this article was published, I found a tool provided by Microsoft called Riprep. It is mainly used to install applications together with a remote installation: once the administrator has installed a standard corporate desktop operating system and configured the applications and desktop settings, RIPREP can make an image file from this standard corporate desktop system. The image file includes the customized applications and also strips out the settings that must be unique to each desktop system. The administrator can place it on the remote installation server so that clients can select it when they boot remotely. Note, however, that this tool can only be used on machines with a single hard disk and a single partition, and it is intended for use on that same kind of machine.