Updating Security Identifiers (SIDs) and computer names
SID changing limitations
SID changing is an approximate technology, as you can only change SIDs in
known locations.
Problems arise because of the following factors:
■ A growing number of third-party and Microsoft applications are taking their
own private or derived copies of the computer name and SID and storing
them in proprietary formats in registry and file locations.
■ Microsoft technologies such as Windows 2000/XP NTFS file encryption, and
Protected Storage on Windows NT and Windows 2000/XP, use SIDs as unique
tokens: the local workstation user SID forms part of the encryption key that
controls access to the encrypted information. Microsoft does not address
changing local workstation user SIDs.
For these reasons, you are strongly advised to test computer environments and
the applications on them before mass rollouts or upgrades.
Loss of access to external data objects
Changing the SID of a workstation or a clone of a workstation that has been in
use for some time may be more problematic than changing the SID of a newly
installed workstation or a clone of a newly installed workstation. When a
workstation user, as opposed to a domain user, creates data objects on computers
that are accessed by a peer-to-peer connection, security information is created for
those data objects that is based on the user's SID (which is based on the
workstation SID).
When Ghost Walker updates the SID, it not only changes the computer SID, but
also all of the workstation user and group SIDs. This is done because user and
group SIDs are assumed to be based on the workstation's computer SID (which is
now updated). This may mean that the security information on external
computers no longer matches the new SIDs of the workstation users, which may
result in a loss of access to those data objects.
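The following added example (not part of the Ghost documentation) models the mechanism described above: a local account's SID is the workstation SID with a relative identifier (RID) appended, so when the computer SID is rewritten every local user and group SID moves with it, while domain and well-known SIDs stay put. It also audits a constructed ACL from a peer computer for entries that will no longer match any account after the change. The SIDs and ACL are invented sample values.

```python
# Constructed sample values: the old workstation SID, the SID the workstation
# receives after the update, and an ACL on a peer computer that references
# local users of the old workstation. None of these are real SIDs.
OLD_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_MACHINE_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# (trustee SID, rights) pairs as they might appear on a shared folder.
SAMPLE_ACL = [
    (OLD_MACHINE_SID + "-1001", "Full Control"),   # local user on old workstation
    (OLD_MACHINE_SID + "-1002", "Modify"),         # local user on old workstation
    ("S-1-5-21-7000000000-8000000000-9000000000-1105", "Read"),  # domain user
    ("S-1-5-32-544", "Full Control"),              # BUILTIN\Administrators
    ("S-1-1-0", "Read"),                           # Everyone
]


def rebase_sid(sid: str, old_machine: str, new_machine: str) -> str:
    """Return the SID an account holds after the computer SID changes.

    Local accounts are '<machine SID>-<RID>', so only the machine part is
    replaced and the RID is preserved. Any SID not rooted at the old machine
    SID (domain accounts, BUILTIN groups, well-known SIDs) is unaffected.
    """
    if sid == old_machine:
        return new_machine
    if sid.startswith(old_machine + "-"):
        rid = sid[len(old_machine) + 1:]
        return f"{new_machine}-{rid}"
    return sid


def orphaned_aces(acl, old_machine: str):
    """ACL entries whose trustee is a local account of the old workstation.

    After the SID change these trustees no longer correspond to any account,
    so the users they were granted to lose access. Run this against external
    shares before updating a workstation that has been in use for a while.
    """
    return [(sid, rights) for sid, rights in acl
            if sid.startswith(old_machine + "-")]


def audit_sample():
    """Audit the constructed ACL; returns the entries that would be orphaned."""
    return orphaned_aces(SAMPLE_ACL, OLD_MACHINE_SID)


if __name__ == "__main__":
    for sid, rights in audit_sample():
        print(f"orphaned: {sid} ({rights}) -> would now be "
              f"{rebase_sid(sid, OLD_MACHINE_SID, NEW_MACHINE_SID)}")
```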
Identical user names and passwords across workstations
If there are two workstations in a domain that have two users with the same user
name and password, the domain gives each of them access to the other’s
resources even if their SIDs are different. This is a fairly common situation
following cloning.