Revision 4 as of 2009-03-16 03:33:45 (converted to 1.6 markup; page was renamed from DebianEdu/CipUX/Feature/Deploy/SidProblem)
Status of the infrastructure project:

Name:             cipux-deploy-sid
Concept:
Participants:
Programmers:      -
Status:           planning
Start:            2007-09-01
End:              -
Planned-release:  3.4.6
Alpha-release:    -
Beta-release:     -
Stable-release:   -
Specific Win Problems (WinNT, Win2K, WinXP SID Problem)
Windows NT, Windows 2000 and Windows XP each need their own machine SID when a client announces itself to a PDC. If a Windows XP installation is simply cloned, every client ends up with the same SID.
- Tools to change the SID:
  - Active Directory?
  - Samba?
  - Ghost Walker (part of Symantec's Ghost)
  - PowerQuest's Drive Image
  - Altiris' RapiDeploy
  - NewSID v4.10 (by Mark Russinovich and Bryce Cogswell)
NewSID
Microsoft does not support it; the Microsoft-supported way is Sysprep. NewSID is closed source, like bpbatch. It works on Windows NT, Windows 2000, Windows XP and Windows .NET Server.
How it Works
- Read the existing computer SID. It is stored in the Registry's SECURITY hive under SECURITY\SAM\Domains\Account; that key has two binary values, F and V, and the SID is embedded at the end of V.
- Ensure that the SID is in the standard format (three 32-bit sub-authorities preceded by three 32-bit authority fields).
- Generate a random 96-bit value; it replaces the 96 bits of the three sub-authorities and so yields the new computer SID.
- SID replacement (1): the SECURITY and SAM Registry hives are scanned for the old SID in value data and in key names.
  - Every occurrence in value data is replaced.
  - If the SID is part of a key name, the key and all its sub-keys are copied to a new key with the changed name.
- SID replacement (2): updating security descriptors. A security descriptor holds
  1. the owner of the resource,
  2. the primary group of the owner,
  3. an optional list of which actions users and groups may perform (Discretionary Access Control List, DACL), and
  4. an optional list of which actions by users and groups generate entries in the system Event Log (System Access Control List, SACL).
  A normal user or group SID (unlike the well-known Administrator, Guest, ... SIDs) is the computer SID plus a RID, so every descriptor that names a local account has to be rewritten:
  - the security descriptors of Registry keys are changed;
  - the security descriptors of all files on NTFS file systems are changed.
- SID replacement (3): all Registry hives (loaded, unloaded and local).
  - The key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList lists the profile directory of each user.
  - Every user has a Registry hive; it is loaded as HKEY_CURRENT_USER while the user is logged in, but remains on disk in the user's profile directory when not.
  - Each such hive is loaded with RegLoadKey under HKEY_LOCAL_MACHINE and the whole hive is scanned for security descriptors.
  - When done, the user hives are unloaded (which presumably writes the changes back), then HKEY_USERS (which contains the hive of the currently logged-in user) and its .Default hive are scanned.
  - Finally the ProfileList sub-keys are updated so that they refer to the new account SIDs; this is necessary for Windows NT to associate profiles with user accounts after the account SIDs have changed.
Source: (http://www.microsoft.com/technet/sysinternals/Utilities/NewSid.mspx)
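The steps above are easier to follow with the data structures in hand. The following is an added worked example, not NewSID's code and not part of this page's project: it parses the binary SID layout (revision, sub-authority count, 48-bit identifier authority, 32-bit sub-authorities), checks the S-1-5-21-a-b-c form the page calls the standard format, draws 96 random bits for a, b, c, and then rewrites the old SID in a small dict that stands in for a Registry hive: in binary values (the tail of V, owner SIDs), in SDDL security-descriptor strings, and in key names such as the ProfileList sub-keys. The hive contents, SIDs and paths are constructed sample data; the one point the example shows that the prose does not is why a user SID (machine SID + RID) cannot be matched as a plain byte-substring of the machine SID, since its sub-authority count byte differs.

```python
"""Toy model of NewSID-style SID replacement (constructed example, not NewSID)."""
import os
import re
import struct


def parse_sid(blob):
    """Return (revision, identifier_authority, sub_authorities) for a binary SID:
    1 byte revision, 1 byte sub-authority count, 48-bit big-endian identifier
    authority, then count x 32-bit little-endian sub-authorities."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return blob[0], authority, subs


def build_sid(authority, subs):
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_str(blob):
    rev, auth, subs = parse_sid(blob)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))


def str_to_sid(text):
    parts = text.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID string")
    return build_sid(int(parts[2]), tuple(int(p) for p in parts[3:]))


def is_standard_machine_sid(blob):
    """The 'standard format' the page mentions: S-1-5-21-a-b-c, i.e. revision 1,
    NT authority 5, fixed sub-authority 21, then exactly three more 32-bit
    sub-authorities (96 bits in total)."""
    rev, auth, subs = parse_sid(blob)
    return auth == 5 and len(subs) == 4 and subs[0] == 21


def random_machine_sid(old):
    """Keep S-1-5-21 and replace the 96 bits of a, b, c with fresh random bits."""
    if not is_standard_machine_sid(old):
        raise ValueError("refusing to rewrite a non-standard machine SID")
    a, b, c = struct.unpack("<3I", os.urandom(12))
    return build_sid(5, (21, a, b, c))


def replace_sid_in_blob(blob, old, new):
    """Binary replacement. A user SID is the machine SID plus a RID, so its count
    byte differs from the machine SID's; matching on everything after the 2-byte
    header (authority + sub-authorities) catches the bare machine SID and every
    derived user/group SID, and leaves the trailing RID untouched."""
    return blob.replace(old[2:], new[2:])


def replace_sid_in_text(text, old, new):
    """String replacement for SDDL descriptors and key names; the lookahead stops
    S-1-5-21-1-2-3 from matching inside S-1-5-21-1-2-30."""
    pattern = re.escape(sid_to_str(old)) + r"(?![0-9])"
    return re.sub(pattern, sid_to_str(new), text)


def rewrite_hive(hive, old, new):
    """Walk a dict {key_path: {value_name: bytes | str}}: rewrite SIDs in value
    data and, where the SID is part of a key name, re-create the key and its
    values under the new name (the page's replacement steps 1 and 3)."""
    out = {}
    for key, values in hive.items():
        out[replace_sid_in_text(key, old, new)] = {
            name: (replace_sid_in_blob(v, old, new) if isinstance(v, bytes)
                   else replace_sid_in_text(v, old, new))
            for name, v in values.items()}
    return out


OLD = str_to_sid("S-1-5-21-1000-2000-3000")      # constructed machine SID
SAMPLE_HIVE = {                                   # constructed, not a hive dump
    r"SECURITY\SAM\Domains\Account": {"V": b"\x00" * 16 + OLD},   # SID at end of V
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1000-2000-3000-1001":
        {"ProfileImagePath": r"C:\Documents and Settings\alice"},
    r"SYSTEM\Example": {
        "Owner": build_sid(5, (21, 1000, 2000, 3000, 1001)),       # user SID = machine SID + RID
        "SDDL": "O:S-1-5-21-1000-2000-3000-500D:(A;;FA;;;S-1-5-21-1000-2000-3000-1001)"},
}


def demo(new=None):
    """Rewrite SAMPLE_HIVE from OLD to `new` (random if not given)."""
    return rewrite_hive(SAMPLE_HIVE, OLD, new or random_machine_sid(OLD))


if __name__ == "__main__":
    for key, values in demo().items():
        print(key, {n: (sid_to_str(v) if isinstance(v, bytes) and v[0] == 1 and len(v) == 8 + 4 * v[1] else v)
                    for n, v in values.items()})
```

The real tool has to do the same over the SECURITY and SAM hives, every user hive loaded with RegLoadKey, and the security descriptors of NTFS files; the dict walk here is the same idea on a structure you can inspect.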
Windows Vista
- Vista can only be installed by cloning an image (even the installation from DVD works this way).
- Vista images are stored in the Windows Imaging Format (WIM). A WIM file may contain several sub-images; content that is identical across sub-images is stored only once.
Source: (http://www.computerwoche.de/produkte_technik/software/581896/)
SID: Samba tool
- Additional sources on SIDs:
- pdbedit: "pdbedit -u USER -U SID|rid" sets a user's SID or RID; "pdbedit -Lv -u USER" displays it.