How to change an SID on Windows Server 2008 R2

Wednesday, November 24th, 2010 by William Gannon (See all posts by William Gannon)

What is an SID?

An SID (Security Identifier) is a unique name assigned by a Windows domain controller that is used to identify a subject in a Windows network. 

An example SID would be S-1-5-21-698722459-2703455653-311392944.

1 is the revision level, 5 is the identifier authority value, and 21-698722459-2703455653-311392944 is the domain or local computer identifier.

Windows systems use ACLs (access control lists) that grant or deny permissions to resources based on SIDs.
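To make the field layout above concrete, here is an added PowerShell example (not code from the original post) that splits an SID string into its revision, identifier authority and sub-authorities, picks out the machine or domain identifier that follows the 21, and tells whether two SIDs belong to the same machine. The sample SIDs are constructed for the example: the one from the post, the built-in Administrator account (RID 500) on that machine, and an account from a different machine.

```powershell
# Added example: parse an SID string into the fields described in the post.
function Split-Sid {
    param([Parameter(Mandatory=$true)][string]$Sid)

    # Let .NET validate the string form first; an invalid SID throws here.
    $null = New-Object System.Security.Principal.SecurityIdentifier($Sid)

    $parts = $Sid.Split('-')               # "S", revision, authority, sub-authorities...
    $sub = @()
    if ($parts.Length -gt 3) { $sub = @($parts[3..($parts.Length - 1)]) }

    $result = New-Object PSObject -Property @{
        Sid                 = $Sid
        Revision            = [int]$parts[1]
        IdentifierAuthority = [int64]$parts[2]
        SubAuthorities      = $sub
        MachineOrDomainId   = $null          # the "21-x-y-z" part, if present
        Rid                 = $null          # relative identifier of an account, if present
    }

    # Authority 5 (NT Authority) with first sub-authority 21 introduces the
    # machine/domain identifier: three 32-bit values. A further value after
    # them is the RID that identifies one account on that machine/domain.
    if ($result.IdentifierAuthority -eq 5 -and $sub.Length -ge 4 -and $sub[0] -eq '21') {
        $result.MachineOrDomainId = ($sub[0..3] -join '-')
        if ($sub.Length -ge 5) { $result.Rid = [int64]$sub[4] }
    }
    return $result
}

# True when both SIDs carry the same machine/domain identifier.
function Test-SameMachineSid {
    param([string]$SidA, [string]$SidB)
    $a = (Split-Sid $SidA).MachineOrDomainId
    $b = (Split-Sid $SidB).MachineOrDomainId
    return ($a -ne $null) -and ($a -eq $b)
}

# Constructed sample values for the demonstration.
$machine = 'S-1-5-21-698722459-2703455653-311392944'     # the SID from the post
$admin   = "$machine-500"                                 # built-in Administrator on it
$other   = 'S-1-5-21-1111111111-2222222222-3333333333-1001'

Split-Sid $admin | Format-List Revision, IdentifierAuthority, MachineOrDomainId, Rid
Test-SameMachineSid $machine $admin     # True: same machine identifier, RID 500 added
Test-SameMachineSid $machine $other     # False: different machine identifier
```

Because every local account SID is the machine SID with a RID appended, two clones that share a machine SID also share every local account SID, which is why ACLs on one clone cannot distinguish accounts from the other.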

How do I identify my server’s SID?

There are several ways to identify a server’s SID. One of the simplest is to use PsGetSid from the PsTools suite, which can be downloaded here. From the command line, go into the folder you extracted PsTools into and run PsGetSid.exe. After accepting the end user license agreement that pops up, you should see something like the following screen.

[Screenshot: Get your computer's SID with PsGetSid]

Why would one want to change a computer’s SID?

With the proliferation of virtual machines and cloud computing, more and more people are creating production servers from clones and templates. On a Windows server, cloning a server or deploying a virtual machine from a template means that the clone or new VM will have the same SID as its source. Create another clone from the same source and now there are two servers with the same SID. Having two or more servers or VMs with the same SID trying to network with each other can create problems. In a lab environment, I have experienced strange errors while trying to create a forest trust between two VM servers on different domains with the same SID; in the end I could not get the trust established. If you experience unexpected problems using virtual machines or cloned servers, it may be because two or more of them have the same SID. People debate how important it is to change cloned servers’ SIDs. One controversial article by the creator of NewSID - the previously used method for changing SIDs on cloned servers - suggests that there should not be any problems networking computers with the same SID; you can find that article here.

How does one change a server’s SID?

In Windows Server 2008 R2, the preferred method uses sysprep. You can find sysprep at %SystemDrive%\Windows\System32\Sysprep\sysprep.exe.

WARNING: Using sysprep on a production server can break the server! Sysprep should be used as early as possible, before any configuration changes have been made to the server. If you absolutely have to use sysprep, back up the system first!

1. Use PsGetSid to find out your server’s SID. See How do I identify my server’s SID? above for details. Make note of the SID.

2. Run sysprep. You should see a screen similar to the following. Make sure that Enter System Out-of-Box Experience (OOBE) is selected under System Cleanup Action. Also check the box labeled Generalize; this option gives the computer a new SID. For Shutdown Options select Reboot and select OK. Sysprep will run for a bit and then the computer will reboot. After the reboot, a few dialog screens will pop up for a few basic configuration settings, like language, keyboard, product key, etc. Set those as desired and continue.

[Screenshot: sysprep]

3. Once Windows Server boots up again, check the SID again using PsGetSid. Verify that the SID has indeed changed.
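Steps 1 and 3 can also be done without PsGetSid. The following added PowerShell example (not from the original post) derives the machine SID from a local account's SID by stripping its RID, records it to a file before sysprep, and after the reboot reports whether the SID actually changed. It assumes an elevated PowerShell session on the server itself; the record file path is a placeholder to change as needed.

```powershell
# Added example: record the machine SID before sysprep and verify it changed afterwards.
# Placeholder path; choose any location that survives the sysprep reboot.
$RecordFile = 'C:\SidRecord\sid-before-sysprep.txt'

function Get-LocalMachineSid {
    # Every local account SID is <machine SID>-<RID>, so stripping the trailing
    # RID from any local account yields the machine SID. Filtering on
    # LocalAccount=True keeps domain accounts out of the query.
    $account = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
               Select-Object -First 1
    if (-not $account) { throw 'No local account found to derive the machine SID from.' }
    return ($account.SID -replace '-\d+$', '')
}

function Save-MachineSid {
    # Step 1: note the SID before running sysprep.
    $dir = Split-Path -Path $RecordFile -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $sid = Get-LocalMachineSid
    Set-Content -Path $RecordFile -Value $sid
    Write-Output "Recorded machine SID $sid in $RecordFile"
}

function Test-MachineSidChanged {
    # Step 3: after the sysprep reboot, compare the current SID with the recorded one.
    if (-not (Test-Path $RecordFile)) {
        throw "No recorded SID at $RecordFile; run Save-MachineSid before sysprep."
    }
    $before = (Get-Content -Path $RecordFile | Select-Object -First 1).Trim()
    $after  = Get-LocalMachineSid
    Write-Output "Before sysprep: $before"
    Write-Output "After sysprep:  $after"
    return ($before -ne $after)     # True means Generalize assigned a new SID
}

# Usage: run Save-MachineSid before step 2, and Test-MachineSidChanged after step 3.
```

If Test-MachineSidChanged returns False, the Generalize box was most likely not checked; the machine SID is only regenerated when sysprep runs with Generalize.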

One Response to “How to change an SID on Windows Server 2008 R2”

  1. Thanks for the share. Keep posting such kind of information on your blog. I bookmarked it for continuous visit.
