Mark Russinovich explains “the machine SID duplication myth”

One of my colleagues just flagged a blog post I’d been meaning to read when I have a little more time from Microsoft (ex-SysInternals) Technical Fellow Mark Russinovich in which he discusses “the machine SID duplication myth“. It seems that all of the effort we put into de-duplicating SIDs on Windows NT-based systems (NT, 2000, XP, 2003, Vista, 2008, 7 and 2008 R2) over the years was not really required…

To be honest, I don’t think anyone ever said it was required – just that having multiple machines with the same security identifier sounded like a problem waiting to happen and that generating unique SIDs was best practice.

The full post is worth a read but, in summary, the new best practice is:

“Microsoft’s official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation as an option. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft’s support policy will still require cloned systems to be made unique with Sysprep.”

As you were then…

2 Comments

  • Thursday 19 November 2009 - 14:58 | Permalink


    I really don’t understand this. I have used multiple virtual machines that were based on the same vm. Did a machine rename, but they still had problems working together and joining a domain. Run NewSid on them and all problems go away. I tried this again last week and its still true.

  • Thursday 19 November 2009 - 22:31 | Permalink


    Hi Matt – I agree that duplicate SIDs sound dodgy; however Mark Russinovich knows a lot more about the way Windows works than I do! In your case, as the machines were all virtual, I’m wondering if there was something else that was being generated from the SID (e.g. the VM identifier, or a dynamic MAC address).

  • Leave a Reply

    %d bloggers like this: