Recipe 2.24 Finding Duplicate SIDs in a Domain

2.24.1 Problem

You want to find any duplicate SIDs in a domain. Generally, you should never find duplicate SIDs in a domain, but it is possible in some situations, such as when the relative identifier (RID) FSMO role owner has to be seized or you are migrating users from Windows NT domains.

2.24.2 Solution

2.24.2.1 Using a command-line interface

To find duplicate SIDs run the following command, replacing <DomainControllerName> with a domain controller or domain name:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "check dup sid" q q

The following message will be returned:

Duplicate SID check completed successfully. Check dupsid.log for any duplicates

The dupsid.log file will be in the directory where you started ntdsutil.

If you want to delete any objects that have duplicate SIDs, you can use the following command:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "clean dup sid" q q

Like the check command, the clean command will generate a message like the following upon completion:

Duplicate SID cleanup completed successfully. Check dupsid.log for any duplicate

2.24.3 Discussion

All security principals in Active Directory have a SID, which is used to uniquely identify the object in the Windows security system. There are two parts of a SID, the domain identifier and the RID. Domain controllers are allocated a RID pool from the RID FSMO for the domain. When a new security principal (user, group, or computer) is created, the domain controller takes a RID from its pool to generate a SID for the account.

In some rare circumstances, such as when the RID master role is seized, overlapping RID pools can be allocated, which can ultimately lead to duplicate SIDs. Having duplicate SIDs is a potentially hazardous problem because a user, group, or computer could gain access to sensitive data they were never intended to have access to.

2.24.4 See Also

MS KB 315062 (HOW TO: Find and Clean Up Duplicate Security Identifiers with Ntdsutil in Windows 2000)



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List