2.24. Finding Duplicate SIDs in a Domain

Problem

You want to find any duplicate SIDs in a domain. Generally, you should never find duplicate SIDs in a domain, but it is possible in some situations, such as when the relative identifier (RID) FSMO role owner has to be seized or you are migrating users from Windows NT domains.

Solution

Using a command-line interface

To find duplicate SIDs, run the following command, replacing <DomainControllerName> with the name of a domain controller or a domain:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "check dup sid" q q

The following message will be returned:

Duplicate SID check completed successfully. Check dupsid.log for any duplicates

The dupsid.log file will be in the directory where you started ntdsutil.

If you want to delete any objects that have duplicate SIDs, you can use the following command:

> ntdsutil "sec acc man" "co to se <DomainControllerName>" "clean dup sid" q q

Like the check command, the clean command will generate a message like the following upon completion:

Duplicate SID cleanup completed successfully. Check dupsid.log for any duplicate

Discussion

All security principals in Active Directory have a SID, which is used to uniquely identify the object in the Windows security system. There are two parts of a SID, the domain identifier and the RID. Domain controllers are allocated a RID pool from the RID FSMO for the domain. When a new security principal (user, group, or computer) is created, the domain controller takes a RID from ...
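The same check can be done with the Active Directory PowerShell module instead of ntdsutil. The following script is an added example, not part of the cookbook or of ntdsutil: it reads every SID-bearing object in the domain, groups them by SID, and reports any SID that appears on more than one object, splitting each reported SID into the domain identifier and the RID described above. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read the whole domain, and that the server name passed in (a placeholder here) is a reachable domain controller.

```powershell
# Added example (not from the book): find duplicate SIDs with the AD PowerShell module.
# Assumes the ActiveDirectory module is available and the caller can read the domain.
Import-Module ActiveDirectory

function Find-DuplicateSid {
    param(
        # Domain controller or domain name to query, e.g. dc1.example.com (placeholder)
        [Parameter(Mandatory = $true)]
        [string]$Server
    )

    # Every security principal carries objectSid, so (objectSid=*) selects users,
    # groups, computers and builtin groups without listing each class.
    # objectSid comes back as a SecurityIdentifier; .Value is the S-1-5-... string.
    $principals = Get-ADObject -Server $Server `
        -LDAPFilter '(objectSid=*)' `
        -Properties objectSid, sAMAccountName

    # Group by the string form of the SID; a group with more than one member
    # means two objects share a SID, which is what dupsid.log would report.
    $principals |
        Group-Object { $_.objectSid.Value } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $sid = [System.Security.Principal.SecurityIdentifier]$_.Name

            # AccountDomainSid is $null for well-known SIDs such as the builtin
            # Administrators group (S-1-5-32-544), which has no domain identifier.
            $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }

            [pscustomobject]@{
                Sid       = $sid.Value
                DomainSid = $domainSid                           # domain identifier part
                Rid       = [uint32](($sid.Value -split '-')[-1]) # relative identifier part
                Count     = $_.Count
                Objects   = ($_.Group | ForEach-Object { $_.DistinguishedName }) -join '; '
            }
        }
}

# Usage (placeholder server name):
# Find-DuplicateSid -Server '<DomainControllerName>' | Format-Table -AutoSize
```

An empty result means no duplicates were found. Unlike the ntdsutil "clean dup sid" command, this script only reports; which of the colliding objects to remove is a decision to make after inspecting the DistinguishedName list it prints, since deleting the wrong one removes a legitimate account.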
