In my last article, I listed the most important features of Microsoft's free Sysprep tool. Today, I will explain why I think that unique SIDs are still necessary, even though Mark Russinovich debunked the machine SID duplication myth.
I have no doubt that Mark's analysis is correct and that Windows networks don't require unique SIDs. This also corresponds to my own experience. I was cloning machines long before Microsoft introduced the Sysprep tool. At that time, Microsoft warned against using cloning tools, and the main argument was that SID duplication can cause problems. This didn't really convince me, because my tests showed that these problems don't exist. When I first tried a cloning tool, I was amazed at how superior this technology was compared to unattended installations. Thus, I decided to ignore Microsoft's warning and embrace OS cloning. I don't remember SID duplication ever causing a problem.
Even today, I often don't use Sysprep in test environments. I usually test with virtualization software, and I create new test machines by cloning almost every day. Running Sysprep every time is just too cumbersome. It is interesting to note that I have never run into problems with the latest Windows versions because of duplicate SIDs either.
However, I still strongly recommend ensuring that all computers in a production environment have a unique SID, for the following reasons:
Future proof
Even if it is true that Microsoft doesn't use SIDs to identify Windows machines, you can't be sure that this will also be the case in the future. According to Microsoft's official guidelines, it is still necessary to run Sysprep before you deploy an OS image. Therefore, Microsoft assumes that unique SIDs are the standard. Imagine Microsoft delivering an update that requires unique SIDs while all the machines in your network have the same SID.
Microsoft support
Even today, you will probably get no support from Microsoft if you didn't run Sysprep on your machines. Telling the support staff that superstar Mark Russinovich claimed that SID duplication is no problem won't really help you then.
Third-party software vendors
The same applies to third-party software vendors. You know these hotlines. If they merely suspect that something in your network isn't according to the official guidelines, you are already in a defensive position. If you skim over the comments on Mark's article, you will see that some readers claim to know of third-party software that makes use of SIDs and will not work properly with duplicated SIDs. The Windows ecosystem is very big, and nobody really knows what odd things some ISVs do with Windows. Even if you currently have no software in your network that requires unique SIDs, this could change in the future.
The fact that Microsoft doesn't use the SIDs says nothing about whether unique SIDs are required. (Update: It is uncertain whether Microsoft makes use of SIDs. See comments below.) It is essential that you keep the configuration of your PCs as close to the standard as you can. The only reason I ignored Microsoft's warning about SID duplication in the past was that the gain outweighed the risk.
However, now that Microsoft offers a free tool that lets you easily avoid these complications, it is no longer justifiable to work with duplicated SIDs. And as I outlined in my previous post, Sysprep is not only needed because of the SID issue.
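If you want to verify the recommendation above in your own network, the following PowerShell script is an added example (it is not part of the original article and not a Microsoft tool) that reads the machine SID of each listed computer and reports any that share one. It assumes PowerShell remoting is enabled on the targets, that you have administrative rights on them, and that the computer names in `$fleet` are placeholders you replace with your own. The machine SID is derived by taking the SID of the built-in local account with RID 500 and stripping that RID, since every local account's SID is the machine SID plus a per-account RID.

```powershell
# Added example, not from the original post: find computers that share a
# machine SID. Assumes PowerShell remoting and admin rights on the targets.

function Get-MachineSid {
    # Every local account SID is "<machine SID>-<RID>". The built-in
    # Administrator always has RID 500 (even if renamed), so read that
    # account's SID and drop the trailing RID to get the machine SID.
    $admin = Get-CimInstance -ClassName Win32_UserAccount `
        -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if (-not $admin) { throw "Could not find the RID 500 local account" }
    return ($admin.SID -replace '-500$', '')
}

function Find-DuplicateMachineSid {
    param(
        [Parameter(Mandatory)]
        [string[]] $ComputerName
    )

    # Run the lookup remotely on each target. Unreachable hosts or hosts
    # without remoting are reported as warnings instead of aborting the scan.
    $results = Invoke-Command -ComputerName $ComputerName `
        -ScriptBlock ${function:Get-MachineSid} `
        -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

    foreach ($e in $remoteErrors) {
        Write-Warning "Skipped $($e.TargetObject): $($e.Exception.Message)"
    }

    # Invoke-Command tags each returned value with PSComputerName, so we can
    # group by the SID string and list the machines behind each group.
    $results | Group-Object | ForEach-Object {
        [pscustomobject]@{
            MachineSid = $_.Name
            Count      = $_.Count
            Computers  = ($_.Group | ForEach-Object PSComputerName) -join ', '
            Duplicate  = ($_.Count -gt 1)
        }
    }
}

# Constructed placeholder names; replace with the computers you manage.
$fleet = 'PC01', 'PC02', 'PC03'
Find-DuplicateMachineSid -ComputerName $fleet |
    Sort-Object -Property Duplicate -Descending |
    Format-Table -AutoSize
```

Any row with `Duplicate` set to `True` lists clones that were deployed without generalizing the image; running `sysprep /generalize` on the image before deployment is what regenerates the machine SID. Note that this check only looks at the local machine SID; the SID a domain controller assigns to a computer account is a separate value and is not affected by cloning.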
Update: Unique SIDs are required for domain controllers. See comments.