Google Groups: View Thread "Detailed Domain = Controller Authentication"

From: Subject: Google Groups: View Thread "Detailed Domain Controller Authentication" Date: Mon, 23 Feb 2004 15:08:49 +0100 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_0027_01C3FA1E.F0D8F8A0"; type="multipart/alternative" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 This is a multi-part message in MIME format. ------=_NextPart_000_0027_01C3FA1E.F0D8F8A0 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://groups.google.com/images/threadview_logo.gif R0lGODlhjwA7ANUAAMfIx////xhd17m6uiqSKQQwnWSV4asNAuLj4swgC9ysBtqvn5JbSGVzj4mr 4OvXl4xkCAcneTFZrfT09H4IArHG59ZmUklsSQ1XDJSSkvHEG9qYc4zIi7mOCZt8a8jX7jhPgNPS 0e3LT9dAJokvI/n6+fHYyNra2j55226Gta2srJ2hqAM/wb2Xh+7o4+jw9tri7/P+//rv5tPo0v7+ /v368enr6vv+//D2+Vy8W+/v7/z8/Pb5/Pb29//++/j4+CH5BAAAAAAALAAAAACPADsAAAb/wIBw SCwaj8ikcslsOp/QqHRKrVqv2Kx2y+16v+CweEwum8/oIc3Gts3etLR8bizNAJx8jkAY7OJmOy8w HxWGHzAvP3RkNDN5kHwZOBOLYzswDigCAiydnCgoBg4VLz6MYCU/OAA5exgqJzYTgF8lHwadEikp KyoOKSgSngKhBh+oXiU6CByvGCsACLRgmQIFEiohJwgnJyEhAAMpw5ydKSfJW8vNzxnSPbVbO7gs BRnfAPr7/CoNLAALREjxY4c6LDR+2Bjw6kI0BCWU1QOhbcAAfeC8gRNnMYXACCAAzJJ3cEpCZwQw OAxhwyAXH/UKrLB4cRsCHTZw2ugWwiII/5AqAJzQQbKklB4MU64k2sVahAYDVAzYNqvEjj9XS0yw cWIACBAZZg51aZRKCZQqtTHdokNTAYpSQ0wrUTQADa1dowY9Qa0slR5oL8Raq6VCrqcqgiKIt2QH s31DIyqhscPHjht1m/jYfBkM4IaDM9+w3LlJWxQCM+yd4KTETm466CIpYWKDhdsWNiwwwbrJDhkP RAgX8eCBixpPeAyCwfyDc+eGYATQETh0kR21ces2IWNIBrAgJoQPcAOXAJAzQ+gguyShDh0T2BPx scBCghG4R9zHv+CGkhoyiKCBAsNpYKAGxFmCBEyahCKKAQZsck0BKcBAA3UNDTBULTeYYP8ffhaM ICJ/AfggXggNfCdECQ4YwAJi0vTmBGV/IKHDBgmQ0MIJzPX0oX4WvIBEDw8MuIBzJ3wAwAYHIugC Ei84IIAEoxggQTGb7JLCAC5M0AOGSmnYVwkL6NfCNj7el0AC/ZXQQE9gnfJChC82oE1LW7iA4wgA wHACRvp4sGYCB1hgQxE0AKdBB0JttE8LChhIIAJGwOBiCgi44MKfKHgCED426eBCYGIKsUOZJAzg 50YDhDjCAQcA4IMME9RQww89BIALak9pSNgVN76qDUbghNOqmgd40FcAPxTZwVTEsgqpgR1sYIN/ QtggpQTfhKOPCsPYE8E7cuFEKl/khWD/wQE77uOtCvodQAED6xlh2DXjxqjFDfUdwIA4AMiFwMDh qDAorAvEEMesIijggUUBczPwnwNEqoACHSzAg0E9GEZhOBmFs4KnbwllQw82VIdubTlKFfHEH6xL wcwA4CCPDxVsUic8WtQ2AgUPT3VTDyV8+Y2gax5Agg0RuSBcBx7ENXTRj6lgcQcdfLCIpddkcJEs O/XUKb4q5LRDyhme0AO/6zIgtQ48xGDDAgnMTMLDLihYoib4NiCNZFecah8FXsNTyw4TIDCAfoRS oAIOPASnAQSqwUMWDYkPIGkHEKgA373jTsX0Dj/ocMIKnQiUQpdnn9uDDBu8ysDXPAQw/0F9OTLg QVg8D4EzJy+GhIDeVegps9cbXme6fY17YIPTDUPwsHokXXjCApJKj4ANdD4llIzLALCJQA1siHaY J/CgruyxvKCnfrpbtIIvQuU6RAk5dwLSAIsh5OGrhJMG8YSgkBbEa14ncNqAKMc/GRGhBDAo0gI9 EAJLdcp7wyNCD04wvqewxDWuqw/7WhCiBFhAQwgQR2JEB7gSVQB4AlFB/67ANgB64G9HoAEOyqQf CpAAAMGJ3g0RIJ8hTAAAAlIABCAwFQmVDCJE2IELcpEaAZ5PJRraYYiU5gEPWKAFfcoHZLa3rADs AAESskcDbpIZIsDAEHCsgAPmaCEeyv+LgkxDgvpEJK9USY5zQyyiEHhwgux1LgS5sIdMXGA/IdxA Bi6KQL6Gd8ULiMmOFFhBBXlCLNjEhySOSaQ9QlIvJNDAgqCA0Pga8AIelKlx/4LiEW5wgi360CLZ CyQSzphECLgtBCMLyBodGAAb8KoBD1HIuV6AyQxso1s2qYogzaiDAZCMQnlLAg/kOEeLqLIABVCP DujWwx/mMYcIsOXsNDcgzvGvkYiyAQAWJb2gACBc4FyBDORRgeBVjmmV9BXd1jSviHEjJz2oURIw x0GAKBIANWhjiWTQDQCkgBOSRCEAGCcvGcKzCOn8GQWgwk56yrCMatCBs+6mjROo4EX/4GSBAyZw CpigBplioUVAQ/ACE4iIUAeQYU4qMU0j/MAFwQyIBBBwihwqpFsDSCRQpFHLpAENBsQkggsGR4LC JRFjHkieEW6gAwEt0WtyAeZPJMkCA1TgA1KiUGIUE4+ADgUGzIMVA7CqUCc4JgQpcChAUnCoHGqF K9/oXgQ0ub0WHOyHKB1CCADIgPRUrJ3PesE0nca5ymqIKwBYQQO+IoEHdcpvLptGHOyqgxc4Nmns isEUeqA4CRRAsITd5Q8m8B4EaOJFi2WJDj7wKlgl65zXoZsPK+eNDVwMay2AwQDtUqQlzk8kvP1T YsKyglB0DWJjsYtdJzAB4h4gaQlo/4Fso3C204EgpgBBwQeaiiga2FcGUgLunTJHAuMeIGFH8Oly xbITAGANYxnDwRECxLkMoHU9jqGYVFDXqQJARRqxEcIazkVeBKgAVoNKb1YDQFH6EoEGtA3te+Er AAdIJwk1iKQkB+OaELSgvyAGMBF8qrSwKCa7KsCakB+gYN8xmHLXnaFjKgoAFaTxYxnWsA72ECYi XigEGfDveUewGxl4OTtPMuUE/iRaSbLYrTDgwWjIgwO4Ahco1EvxCkgwMwoUijsyYJm/5iqmoqVw BR6AgJBFYAJbKQpqvhBLKc1YuuedQJSDpRQRQsAHDFj6AjkYwAxSnAE6+3dNPz3ACP9OcAPZHCHC Tf6OJCMAztuCwkHA+0oDUhQaVKvAAyTw9HkH5TYVstAuYw5tBhiwxANfTAEbuEhURDfdHrwxsPZw KApezCwOEOAC2M52DjbNlQEMm84zk5fdoouTCZjaCNZrsgoyMNqvtBobEtDSTNStGjHFoXQ9UcEK MtDFLrZAGzDoiUVkoSDXaHd+GWhBCzZgT3DQhCWMEYIP3hih1AkEvizg1ooQEIJ1O1gsjNxKT/bd AAaYXHdgzMhNzm2EJedb3/uen1Rqwo1vWGSFcrGfe1KoF5qLUR8El8fZeM7ngG2DH7Jo5MTzywJe RGXfK3aoBGxAGdM9nX7l6gHKugL/c5nP/GsjaczWVTjXFfIDUBiBDXvY8SeOuEvlUb5O4rx1EUAV a+WA+IFh7OHMblCM5LcNyAp6sFuOAwzoQyNdgfXC56+t3AmNNjzAlG30Z0osJwVp+Zf8/g1vHFQH EXcqTjRi+YGBXqE4oyK0zq6XBtwWnCDgy5d20o2BIdQliAubtww6i74ygTKzn5jnB7a9oZr7D228 C2/b8B5zS1QNWtEJG+BjFXnAFQUDcbvl87HugEQAAKffgdbHXwKWA1/600/o8xe6g6KR9/3mLr/v f08j5K8f3fW3rxF40KIX+WIqn7d8FPMPMTRDM1J/V+EXaWBBLAAC9HMTBWFflCFy2iMTQ2KlgBh4 Yh/QQcgTWQGAMi8EZ7+SgRn4ATD0JshlBDXQT71CPST4gjSAAJ1gDxIwADJQVD6AGg7oK/f3gnTg GNAGEBJQASYWRQ7wFv+HLj6YgYiDIq0GEG7VSpuhHDmDDWYnS0uIgZnjeqwWeFjiXRmnSQDDFz2Y hXKgED3Bbmv1bvCmScYiFItmhn6BOTy3bw72cS7jDUinA9MlhyWBOBzHeF93dgEDgWXoh3KAYmHD ERBTd9H0SYgIg7knfKV3E84XiWZ4Fz3AW+8BH0RTVJgIgyfGCEEAADs= ------=_NextPart_000_0027_01C3FA1E.F0D8F8A0 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://groups.google.com/images/cleardot.gif R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ------=_NextPart_000_0027_01C3FA1E.F0D8F8A0 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://groups.google.com/images/blanktri.gif R0lGODdhCAAIAPAAAPj8+AAAACwAAAAACAAIAAACB4SPqcvtXQAAOw== ------=_NextPart_000_0027_01C3FA1E.F0D8F8A0 Content-Type: multipart/alternative; boundary="----=_NextPart_001_002E_01C3FA1E.F0D8F8A0" ------=_NextPart_001_002E_01C3FA1E.F0D8F8A0 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Location: http://groups.google.com/groups?hl=en&lr=lang_en|lang_hr|lang_sl|lang_sr&ie=UTF-8&oe=UTF-8&threadm=af6d01c19f8e%248ecfa5b0%2436ef2ecf%40tkmsftngxa12&rnum=2&prev=/groups%3Fq%3DHKEY_LOCAL_MACHINE%255CSAM%255CSAM%255CDomains%255CBuiltin%255CAliases%26hl%3Den%26lr%3Dlang_en%257Clang_hr%257Clang_sl%257Clang_sr%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Daf6d01c19f8e%25248ecfa5b0%252436ef2ecf%2540tkmsftngxa12%26rnum%3D2 =EF=BB=BF Google Groups: View Thread "Detailed Domain = Controller Authentication" ------=_NextPart_001_002E_01C3FA1E.F0D8F8A0 Content-Type: application/octet-stream Content-Transfer-Encoding: quoted-printable Content-Location: http://groups.google.com/groups?hl=en&lr=lang_en|lang_hr|lang_sl|lang_sr&ie=UTF-8&oe=UTF-8&frame=left&th=b37a508d48c6b2a6&prev=/groups%3Fq%3DHKEY_LOCAL_MACHINE%255CSAM%255CSAM%255CDomains%255CBuiltin%255CAliases%26hl%3Den%26lr%3Dlang_en%257Clang_hr%257Clang_sl%257Clang_sr%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Daf6d01c19f8e%25248ecfa5b0%252436ef2ecf%2540tkmsftngxa12%26rnum%3D2&seekm=af6d01c19f8e%248ecfa5b0%2436ef2ecf%40tkmsftngxa12 =EF=BB=BF

3D""=20

<= /TBODY>

Subject:=20
Detailed Domain Controller Authentication

Newsgroup:
microsoft.public.windowsnt.domain

3D""=20

<< Back | No frame | Sort by date

3D""=20

3D""=20

1 Vince = Thyng 16 Jan 2002
3D""=20

3D""=20

\-2 Michael Giorgio - MS = MVP 16 Jan 2002 =
\-3 Vince = Thyng 16 Jan 2002
3D""=20

3D""=20

\-4 Michael Giorgio - MS = MVP 16 Jan 2002 =
3D""=20

3D""=20

\-5 Vince = Thyng 17 Jan 2002
3D""=20

3D""=20

&nb= sp;\-6 Michael Giorgio - MS = MVP 17 Jan 2002=20

------=_NextPart_001_002E_01C3FA1E.F0D8F8A0-- ------=_NextPart_000_0027_01C3FA1E.F0D8F8A0 Content-Type: application/octet-stream Content-Transfer-Encoding: quoted-printable Content-Location: http://groups.google.com/groups?hl=en&lr=lang_en|lang_hr|lang_sl|lang_sr&ie=UTF-8&oe=UTF-8&frame=right&th=b37a508d48c6b2a6&seekm=af6d01c19f8e%248ecfa5b0%2436ef2ecf%40tkmsftngxa12 =EF=BB=BF Google Groups: View Thread

3D""=20

All messages = from=20 thread

Message 1 in=20 thread
From: Vince Thyng (vthyng@filenet.com)
Subject:=20 Detailed Domain Controller Authentication

View this article=20 only
Newsgroups: microsoft.public.windowsnt.domain
Date: = 2002-01-16=20 12:48:26 PST

I have =
cloned 3 installations of W2K from 1 machine.  My=20
goal is to be able to restore between different images. =20
The problem is that after I restore a different image, the=20
Domain Controller won't let me log in claiming my computer=20
account doesn't exist.  2 of the 3 images are based on the=20
same original W2K install and when I restore between them=20
I am able to log in to the Domain Controller with no=20
problem, which tells me this is very possible.  I am quite=20
sure that the problem has nothing to do with the SID=20
because I have synchronized the local machine SID (which I=20
don't think I needed to do anyways because I am logging in=20
as the Domain Administrator which has the same SID on any=20
machine).  What else is the Domain Controller storing=20
about my computer name in it's server table???  I have=20
thought that it could be the MAC address of the NIC, but=20
it's the same NIC, so that is not it.  Or can someone=20
point me to a detailed description of everything the=20
Domain Controller is checking when I try to log in?

Cheers!

Vince Thyng
FileNET Engineering Services
425.893.7286 Office

Message 2 in=20 thread

From: Michael Giorgio - MS MVP (michael.giorgio@NoSpa= m.mayerson.com)
Subject:=20 Re: Detailed Domain Controller Authentication

View this article=20 only

Newsgroups: microsoft.public.windowsnt.domain
Date: = 2002-01-16=20 13:53:00 PST

It's most =
likely the SID or security identifier.  Ever heard
of Nortons Ghost Walker?  It automatically changes the SID
of the imaged machine to alleviate the same problem your
having.

"Vince Thyng" <vthyng@filenet.com> wrote in message
http://groups.google.com/groups?selm=3Da3d001c19ece%240e09c=
f20%243aef2ecf%40TKMSFTNGXA09...
> I have cloned 3 installations of W2K from 1 =
machine.  My
> goal is to be able to restore between different images.
> The problem is that after I restore a different image, the
> Domain Controller won't let me log in claiming my computer
> account doesn't exist.  2 of the 3 images are based on the
> same original W2K install and when I restore between them
> I am able to log in to the Domain Controller with no
> problem, which tells me this is very possible.  I am quite
> sure that the problem has nothing to do with the SID
> because I have synchronized the local machine SID (which I
> don't think I needed to do anyways because I am logging in
> as the Domain Administrator which has the same SID on any
> machine).  What else is the Domain Controller storing
> about my computer name in it's server table???  I have
> thought that it could be the MAC address of the NIC, but
> it's the same NIC, so that is not it.  Or can someone
> point me to a detailed description of everything the
> Domain Controller is checking when I try to log in?
>
> Cheers!
>
> Vince Thyng
> FileNET Engineering Services
> 425.893.7286 Office
>

Message 3 in=20 thread

From: Vince Thyng (vthyng@filenet.com)
Subject: = Re:=20 Detailed Domain Controller Authentication

View this article=20 only

Newsgroups: microsoft.public.windowsnt.domain
Date: = 2002-01-16=20 16:52:14 PST

I wish it =
was that easy.  Here is what I did... I tried to=20
use Symantec Ghost Walker, from Ghost 6.5 to synchronize=20
the SID between all 3 images, but it needs the SID to be=20
the same length already in the Registry (which it=20
wasn't).  So I used NewSid from sysinternals to=20
synchronize the SID since it was able to change the length=20
of the SID to whatever.  Still had same problem though=20
even though I know that the Machine's SID is the same=20
now.  What occurred to me afterwards is that the SID I am=20
actually using is based on the Domain Controller's SID and=20
since it is the Administrator account I am logging in with=20
from the Domain, I know that is is the same already. =20
Maybe there is a different kind of SID I need to be=20
looking for???


Thanks!

Vince

>-----Original Message-----
>It's most likely the SID or security identifier.  Ever  heard
>of Nortons Ghost Walker?  It automatically changes the SID
>of the imaged machine to alleviate the same problem your
>having.
>
>"Vince Thyng" <vthyng@filenet.com> wrote in message
>http://groups.google.com/groups?selm=3Da3d001c19ece%240e09c=
f20%243aef2ecf%40TKMSFTNGXA09...
>> I have cloned 3 installations of W2K from =
1 machine.  My
>> goal is to be able to restore between different images.
>> The problem is that after I restore a different image,  the
>> Domain Controller won't let me log in claiming my  computer
>> account doesn't exist.  2 of the 3 images are based on  the
>> same original W2K install and when I restore between  them
>> I am able to log in to the Domain Controller with no
>> problem, which tells me this is very possible.  I am  quite
>> sure that the problem has nothing to do with the SID
>> because I have synchronized the local machine SID  (which I
>> don't think I needed to do anyways because I am logging  in
>> as the Domain Administrator which has the same SID on  any
>> machine).  What else is the Domain Controller storing
>> about my computer name in it's server table???  I have
>> thought that it could be the MAC address of the NIC, but
>> it's the same NIC, so that is not it.  Or can someone
>> point me to a detailed description of everything the
>> Domain Controller is checking when I try to log in?
>>
>> Cheers!
>>
>> Vince Thyng
>> FileNET Engineering Services
>> 425.893.7286 Office
>>
>
>
>.
>

Message 4 in=20 thread

From: Michael Giorgio - MS MVP (michael.giorgio@NoSpa= m.mayerson.com)
Subject:=20 Re: Detailed Domain Controller Authentication

View this article=20 only

Newsgroups: microsoft.public.windowsnt.domain
Date: = 2002-01-16=20 19:50:41 PST

A =
workstation/member server does not share the same SID
for the Administrator account in the way that DCs do.  The
SID of the Administrator account on a DC is a domain specific
account which, according to MS cannot be changed without
reinstallation.  The main reason a DC cannot be moved from one
domain to another is because of the unique SID of the administrator
account.

"Vince Thyng" <vthyng@filenet.com> wrote in message
http://groups.google.com/groups?selm=3Da40e01c19ef0%24959d7=
af0%249ee62ecf%40tkmsftngxa05...
> I wish it was that easy.  Here is what I =
did... I tried to
> use Symantec Ghost Walker, from Ghost 6.5 to synchronize
> the SID between all 3 images, but it needs the SID to be
> the same length already in the Registry (which it
> wasn't).  So I used NewSid from sysinternals to
> synchronize the SID since it was able to change the length
> of the SID to whatever.  Still had same problem though
> even though I know that the Machine's SID is the same
> now.  What occurred to me afterwards is that the SID I am
> actually using is based on the Domain Controller's SID and
> since it is the Administrator account I am logging in with
> from the Domain, I know that is is the same already.
> Maybe there is a different kind of SID I need to be
> looking for???
>
>
> Thanks!
>
> Vince
>
> >-----Original Message-----
> >It's most likely the SID or security identifier.  Ever heard
> >of Nortons Ghost Walker?  It automatically changes the SID
> >of the imaged machine to alleviate the same problem your
> >having.
> >
> >"Vince Thyng" <vthyng@filenet.com> wrote in message
> >http://groups.google.com/groups?selm=3Da3d001c19ece%240e09c=
f20%243aef2ecf%40TKMSFTNGXA09...
> >> I have cloned 3 installations of W2K =
from 1 machine.  My
> >> goal is to be able to restore between different images.
> >> The problem is that after I restore a different image, the
> >> Domain Controller won't let me log in claiming my computer
> >> account doesn't exist.  2 of the 3 images are based on the
> >> same original W2K install and when I restore between them

Read the rest of this message... (29 more lines)

Message 5 in=20 thread
From: Vince Thyng (vthyng@filenet.com)
Subject: = Re:=20 Detailed Domain Controller Authentication

View this article=20 only
Newsgroups: microsoft.public.windowsnt.domain
Date: = 2002-01-17=20 11:53:27 PST

When I log =
in to the domain as Administrator from my=20
workstation, am I using the user SID that is exactly the=20
same as the user SID: S-1-5-21-<domainmachineSID>-500?  I=20
have seen this in my workstation's registry so I believe=20
this is a fact.

This is a W2K Workstation logging in to an NT4 DC.
Please verify if my facts are correct:
Since I have logged int to the domain as administrator=20
from my workstation and locally as administrator, I will=20
have in my workstation's registry:=20
S-1-5-21-<domaincontrollerSID>-500
as well as
S-1-5-21-<workstationSID>-500
as user profiles.

I also have
S-1-5-21-<domaincontrollerSID>
S-1-5-21-<workstationSID>
listed under:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\

By the time the machine has booted up and I try to login:=20
the workstation has already contacted the DC to register=20
itself? ... And further more the DC at this time has=20
checked to make sure that the workstation's SID matches=20
what was used originally to register the computer name?

I would also appreciate knowing about any books or=20
documents that can describe this better.  I have read a=20
number of articles online about cloning and SID issues,=20
but so far nothing has addressed being able to switch=20
between cloned images and logging in to a DC afterwards=20
(probably not too common I suppose).  It seems like if I=20
knew the details of what a DC asks for from a workstation=20
I would have the answer, such as which reg key does it=20
really use.

It seems pretty clear that by the time my workstation has=20
booted up I have already been denied the ability to login=20
to the domain because the error message pops up=20
immediately so that I why I figure the initialization=20
process has already contacted the DC.

It is my conclusion that the SID is not the issue because=20
I have used newsid.exe from sysinternals to synchronize=20
the sid and after using that, getsid.exe from W2K resource=20
kit confirms that the sid's match.

Read the rest of this message... (104 more lines)

Message 6 in=20 thread
From: Michael Giorgio - MS MVP (michael.giorgio@NoSpa= m.mayerson.com)
Subject:=20 Re: Detailed Domain Controller Authentication

View this article=20 only
Newsgroups: microsoft.public.windowsnt.domain
Date: = 2002-01-17=20 13:05:04 PST

The domain =
name SID is a different value than the
user SID.  Yes the RID value (500) is the same but the
value preceding is the RID which is domain specific, when
the computer is a member of the domain.  Have a look
at the following MS KB article and see if it sheds any light:

SID Values For Default Windows NT Installations (Q163846)
http://support.microsoft.com/default.aspx?scid=3Dkb;en-us;Q=
163846

"Vince Thyng" <vthyng@filenet.com> wrote in message
http://groups.google.com/groups?selm=3Daf6d01c19f8e%248ecfa=
5b0%2436ef2ecf%40tkmsftngxa12...
> When I log in to the domain as Administrator =
from my
> workstation, am I using the user SID that is exactly the
> same as the user SID: S-1-5-21-<domainmachineSID>-500?  I
> have seen this in my workstation's registry so I believe
> this is a fact.
>
> This is a W2K Workstation logging in to an NT4 DC.
> Please verify if my facts are correct:
> Since I have logged int to the domain as administrator
> from my workstation and locally as administrator, I will
> have in my workstation's registry:
> S-1-5-21-<domaincontrollerSID>-500
> as well as
> S-1-5-21-<workstationSID>-500
> as user profiles.
>
> I also have
> S-1-5-21-<domaincontrollerSID>
> S-1-5-21-<workstationSID>
> listed under:
> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\
>
> By the time the machine has booted up and I try to login:
> the workstation has already contacted the DC to register
> itself? ... And further more the DC at this time has
> checked to make sure that the workstation's SID matches
> what was used originally to register the computer name?
>
> I would also appreciate knowing about any books or
> documents that can describe this better.  I have read a
> number of articles online about cloning and SID issues,
> but so far nothing has addressed being able to switch
> between cloned images and logging in to a DC afterwards
> (probably not too common I suppose).  It seems like if I
> knew the details of what a DC asks for from a workstation
> I would have the answer, such as which reg key does it
> really use.
>
> It seems pretty clear that by the time my workstation has
> booted up I have already been denied the ability to login
> to the domain because the error message pops up
> immediately so that I why I figure the initialization
> process has already contacted the DC.
>
> It is my conclusion that the SID is not the issue because
> I have used newsid.exe from sysinternals to synchronize
> the sid and after using that, getsid.exe from W2K resource
> kit confirms that the sid's match.
>
> Thank you very much for your time!
>
> Vince Thyng
> FileNET
>
>
>

=C2=A92004 Google ------=_NextPart_000_0027_01C3FA1E.F0D8F8A0--

3D""=20