sid's and sid history [message #156406] Tue, 16 June 2009 12:18
Kevin Gallagher
I have recently had a problem with our SharePoint service after our content
database was disconnected and then re-connected. We encountered problems
logging on until we re-imported the user profile. Our SharePoint developers
tried to blame the situation on all the user object SIDs in AD being
changed, which I don't believe. I am a newbie and so I would like to ask
under what circumstances user object SIDs change. I read the TechNet
article SID vs GUID. This article tells me that SIDs will only change if the
object moves domain. Can an expert tell conclusively how or when SIDs change,
please? I can't believe that AD would change all user object SIDs en masse.
Re: sid's and sid history [message #156409 is a reply to message #156406] Tue, 16 June 2009 12:29
pbbergs, United States
AD doesn't change SIDs, even in the event of a migration which it then
points to a new account migrated from another domain but they are never
changed once they are created.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: sid's and sid history [message #156425 is a reply to message #156406] Tue, 16 June 2009 16:43
SubstituteThisWithMyF, Netherlands
When an object is created in AD it gets a unique GUID for the AD forest. If
that object is a security principal (user, group, computer) it will also get
a SID which is scoped to a certain AD domain.

If you move a security principal between AD domains in the same AD forest,
the GUID will NOT change, but the SID will change (remember, the GUID is
scoped for the AD forest and the SID is scoped for the AD domain).

If you move a security principal between OUs in an AD domain, the GUID will
NOT change and the SID will NOT change.

If you delete a security principal and recreate it with the same name, it
will get a new GUID and a new SID.

AD itself will never change the GUID or the SID of an object.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------ ------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------ ------------------------------
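
The rules in the post above can be checked against two exports of each account's objectGUID and objectSid. The following Python sketch is an added example, not part of the original thread; the snapshot format, account names, GUIDs and SIDs are all constructed for illustration.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-R-A-S1-S2-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated or padded SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)   # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def classify(before: dict, after: dict) -> dict:
    """Compare {name: (guid, sid)} snapshots using the rules from the thread."""
    by_guid = {guid: sid for guid, sid in after.values()}
    result = {}
    for name, (guid, sid) in before.items():
        if guid in by_guid:
            new_sid = by_guid[guid]
            if new_sid == sid:
                result[name] = "unchanged"            # also covers OU moves
            elif new_sid.rpartition("-")[0] != sid.rpartition("-")[0]:
                result[name] = "moved to another domain"
            else:
                result[name] = "unexpected: same GUID and domain, new RID"
        elif name in after:
            result[name] = "deleted and recreated"    # new GUID and new SID
        else:
            result[name] = "deleted"
    return result

# Constructed sample data: GUIDs, SIDs and account names are made up.
RAW_SID = bytes.fromhex(
    "01 05 000000000005 15000000 e8030000 d0070000 b80b0000 50040000")
DOM_A = "S-1-5-21-1000-2000-3000"   # hypothetical source domain SID
BEFORE = {
    "alice": ("guid-0001", sid_to_str(RAW_SID)),
    "bob":   ("guid-0002", DOM_A + "-1105"),
    "carol": ("guid-0003", DOM_A + "-1106"),
}
AFTER = {
    "alice": ("guid-0001", DOM_A + "-1104"),                 # OU move only
    "bob":   ("guid-0002", "S-1-5-21-4000-5000-6000-2301"),  # other domain
    "carol": ("guid-0009", DOM_A + "-1190"),                 # recreated
}

if __name__ == "__main__":
    for name, verdict in classify(BEFORE, AFTER).items():
        print(f"{name}: {verdict}")
```

If every account comes back "unchanged", a claim that all user SIDs changed en masse can be ruled out from the directory side.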
Re: sid's and sid history [message #156437 is a reply to message #156425] Wed, 17 June 2009 03:13
Kevin Gallagher
Thanks to Jorge and Paul for clearing this up. The TechNet article SID vs
GUID was insightful but it is always useful to get clarification. My
knowledge about SIDs was enough to explain that there wasn't a SID issue but
you know what DEV guys are like, they always hate to be told by OPS that they
are wrong.

Once again thanks to everyone who replied. This community really is one of
the best I have used.

Re: sid's and sid history [message #156449 is a reply to message #156425] Wed, 17 June 2009 08:18
pbbergs, United States
Nice details Jorge.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
