Microsoft provides various safe and secure methods for deploying Windows operating systems. It is imperative to use a supported method so that the security of the systems running Windows is not put in danger.

A computer running a Windows operating system has a unique Security Identifier (SID for short) that distinguishes it from other computers. Always use a supported method when duplicating a disk so that the uniqueness of the SIDs is not compromised. This article introduces the concept of the SID and describes the disk duplication methods that Microsoft recommends.

THE CONCEPT, THE PERMITTED METHODS AND HOW TO USE THEM

During Windows setup, a machine SID is created that contains a statistically unique 96-bit number. The machine SID is the prefix of the SIDs of the user accounts and group accounts that are created on the computer. The machine SID is concatenated with the Relative ID (RID) of an account to form that account's unique identifier.

The following example displays the SIDs for four local user accounts.

HKEY_USERS on Local Machine
S-1-5-21-191058668-193157475-1542849698-500 administrator
S-1-5-21-191058668-193157475-1542849698-1000 User one
S-1-5-21-191058668-193157475-1542849698-1001 User two
S-1-5-21-191058668-193157475-1542849698-1002 User three

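As can be seen, the machine SID prefix is identical for every account; only the trailing RID (the last 4 digits for the user accounts shown here) is incremented for every new account that is added.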

Cloning or duplicating an installation without taking the steps recommended by the manufacturer, in this case Microsoft, could lead to duplicate SIDs. In the case of removable disks or drives, duplicate SIDs can give accounts access to files even though they were purposely denied access through NTFS permissions. Because the SID identifies the computer or domain as well as the user, it must be unique in order to support current and future programs.
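The check below is an added example, not Microsoft's code: it splits local account SIDs into machine SID and RID as described above and reports any machine SID that appears on more than one host, which is what an image cloned without Sysprep produces. The host names, the third machine SID and the inventory format are constructed for illustration, and the inventory is assumed to list local accounts only.

```python
import re
from collections import defaultdict

# S-1-5-21-<three 32-bit sub-authorities = the 96-bit machine number>-<RID>
_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_account_sid(sid):
    """Return (machine_sid, rid) for a local account SID, or raise ValueError."""
    m = _SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a machine-relative account SID: {sid!r}")
    *subauths, rid = (int(g) for g in m.groups())
    if any(v > 0xFFFFFFFF for v in subauths + [rid]):
        raise ValueError(f"sub-authority exceeds 32 bits: {sid!r}")
    return "S-1-5-21-" + "-".join(str(v) for v in subauths), rid

def find_duplicate_machine_sids(inventory):
    """Map each machine SID seen on more than one host to the sorted host names."""
    hosts_by_sid = defaultdict(set)
    for host, account_sids in inventory.items():
        for sid in account_sids:
            machine_sid, _rid = split_account_sid(sid)
            hosts_by_sid[machine_sid].add(host)
    return {s: sorted(h) for s, h in hosts_by_sid.items() if len(h) > 1}

# Constructed inventory (hypothetical hosts). PC-A and PC-B reuse the machine
# SID from the article's listing, as two clones of one image would; PC-C has
# a made-up machine SID of its own.
INVENTORY = {
    "PC-A": ["S-1-5-21-191058668-193157475-1542849698-500",
             "S-1-5-21-191058668-193157475-1542849698-1000"],
    "PC-B": ["S-1-5-21-191058668-193157475-1542849698-500",
             "S-1-5-21-191058668-193157475-1542849698-1001"],
    "PC-C": ["S-1-5-21-1004336348-1177238915-682003330-500"],
}

if __name__ == "__main__":
    for machine_sid, hosts in find_duplicate_machine_sids(INVENTORY).items():
        print(f"duplicate machine SID {machine_sid}: {', '.join(hosts)}")
```

Any host pair reported here would resolve the same account SIDs on each other's NTFS volumes, which is the removable-disk exposure described above.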

Users should note that Microsoft does not provide support for customers whose computers had the operating system installed by duplicating fully installed copies of Windows. Microsoft supports computers that were installed by using pre-approved disk-duplicating software and the System Preparation Tool, Sysprep.exe. Microsoft provides continued support to computers having the following operating systems, installed by means of the Sysprep program:

  • Windows 2000 Professional
  • Windows 2000 Server
  • Windows 2000 Advanced Server
  • Windows XP Professional
  • Windows XP Home Edition
  • Windows Server 2003, Standard Edition
  • Windows Server 2003, Enterprise Edition
  • All versions of Windows Vista
  • All versions of Windows Server 2008
  • All versions of Windows 7

Furthermore, Microsoft does not provide support for computers on which a Windows operating system has been installed by SID duplicating tools other than the System Preparation tool.

Also, if an image was created without the use of Sysprep, Microsoft does not support running Sysprep after the image is deployed as a method to bring the computer back into conformity.