Tuesday, August 18, 2009

Windows Security Identifiers

This is another edition of Fun With System Administration.

Of course, by "fun" I mean I want to choke myself with a SATA cable.

See, much of my day job involves interacting with Windows systems, and there is never any shortage of reasons for me to pull my hair out.

The latest issue involves the security identifier, or SID. Windows identifies users, groups and machines internally by a SID: a string such as S-1-5-21-&lt;three long numbers&gt;-&lt;relative ID&gt;, where the three long numbers are specific to the machine (or the domain) that created the account and the last number, the RID, picks out the individual account. Linux has numeric UIDs too, but they are bare numbers; a SID carries the identity of the machine or domain that issued it. Even though you have a friendly username (like, say, your name...) when you go to use the computer, in the background Windows knows you by that long string of numbers. Your human-readable name is an alias of sorts.

Remember, I said users and machines have a unique ID associated with them.

The problem is that we have situations where we have to clone machines to go out to different offices. We take a machine out of a batch of identical systems; we install Windows, configure special software options and printers and various drivers, then we create an image of that machine that we then can copy down to all the other machines in hopes of saving time not having to remember every Windows and Office update and special software package.

Part of that procedure involves running NewSID, a free Sysinternals utility that will rename the computer and generate a fresh machine SID (rewriting the old one wherever it appears in the registry and file system) so the machine gets a unique ID associated with it.

In the Wikipedia article it said:
Now the truth is that when the computers are joined into a domain (Active Directory or NT domain for instance), each computer has a unique Domain SID which is recomputed each time a computer enters a domain. Thus there are usually no real problems with Duplicated SIDs when the computers are members of a domain, especially if local user accounts are not used. If local user accounts are used, there is a potential security issue that is the same as the one described above when the computers are members of a Workgroup but that affects only the files and resources protected by local users, not by domain users.

Now...our users are on a domain! Maybe we don't have to worry about it!

I made note of it and had cloned several machines before remembering to actually test it. The latest NewSID will tell you the current SID for the machine; I looked at two systems on the domain and they both matched. Joining the Active Directory domain doesn't alter the machine's identifier as I thought.

Each entry in an Access Control List names a user or group by SID, not by name. For domain accounts those SIDs are built on the domain's SID, which every machine gets from the domain controller, so two clones that share a machine SID still cannot confuse domain users' permissions with each other; only the SIDs of local accounts (the ones ending in a RID on top of the machine SID) would collide. In theory there shouldn't be an issue with this. But on reflection I didn't want to risk it.
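Here is how I would check it rather than assume it. This is an added PowerShell example, not code from the original post and not part of NewSID: it reads each host's machine SID (the S-1-5-21-X-Y-Z prefix shared by every local account, anchored on the built-in Administrator, which keeps RID 500 even when renamed), looks up the domain computer-account SID for comparison, and flags hosts that share a machine SID. It assumes things the post does not state: WMI (DCOM) access as an administrator on each host, the built-in Administrator account still present, a domain named CORP, and placeholder host names you would replace with your own.

```powershell
# Added example (not from the original post or from NewSID): inventory machine SIDs
# across cloned hosts and report duplicates. Assumptions: WMI access as an admin on each
# host, RID-500 account present, domain 'CORP', host names are placeholders.

Set-StrictMode -Version 2

# Break a string SID such as S-1-5-21-1111-2222-3333-500 into revision, identifier
# authority, sub-authorities, RID (the last sub-authority) and the prefix without the RID.
function ConvertFrom-SidString {
    param([Parameter(Mandatory=$true)][string]$Sid)
    if ($Sid -notmatch '^S-(\d+)-(\d+)((?:-\d+)+)$') { throw "Not a string SID: $Sid" }
    $subs   = @($Matches[3].TrimStart('-') -split '-')
    $prefix = "S-$($Matches[1])-$($Matches[2])"
    if ($subs.Count -gt 1) { $prefix += '-' + (($subs[0..($subs.Count - 2)]) -join '-') }
    New-Object PSObject -Property @{
        Revision       = [int]$Matches[1]
        Authority      = [int64]$Matches[2]
        SubAuthorities = $subs
        Rid            = [int64]$subs[-1]
        Prefix         = $prefix
    }
}

# Machine SID = prefix of any local account's SID. Anchor on the built-in Administrator:
# it keeps RID 500 even when the account has been renamed.
function Get-MachineSid {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $admin = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True" | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw "No RID-500 local account found on $ComputerName" }
    (ConvertFrom-SidString $admin.SID).Prefix
}

# The domain computer account (HOST$) has its own SID under the *domain* SID. Cloning
# does not duplicate this one, which is why domain-protected resources are unaffected.
function Get-DomainComputerSid {
    param([Parameter(Mandatory=$true)][string]$Domain,
          [Parameter(Mandatory=$true)][string]$ComputerName)
    $acct = New-Object System.Security.Principal.NTAccount("$Domain\$ComputerName`$")
    try   { $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # not resolvable (not joined, no DC reachable): report nothing
}

# Given host -> machine SID, return every machine SID shared by more than one host.
function Find-DuplicateMachineSids {
    param([Parameter(Mandatory=$true)][hashtable]$MachineSids)
    $MachineSids.GetEnumerator() | Group-Object Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                MachineSid = $_.Name
                Hosts      = @($_.Group | ForEach-Object { $_.Key }) -join ', '
            }
        }
}

# --- Live run against placeholder hosts ($Domain and the names are assumptions). ---
$Domain = 'CORP'
$hosts  = 'OFFICE-PC01', 'OFFICE-PC02', 'OFFICE-PC03'
$sids   = @{}
foreach ($h in $hosts) {
    try { $sids[$h] = Get-MachineSid $h } catch { Write-Warning $_ }
    $domSid = Get-DomainComputerSid $Domain $h
    "{0,-12} machine SID: {1,-44} domain account SID: {2}" -f $h, $sids[$h], $domSid
}
Find-DuplicateMachineSids $sids | Format-Table -AutoSize

# --- Offline check on constructed sample data, so the logic is visible without WMI. ---
$sample = @{
    'OFFICE-PC01' = 'S-1-5-21-1111111111-2222222222-3333333333'
    'OFFICE-PC02' = 'S-1-5-21-1111111111-2222222222-3333333333'   # clone, NewSID never run
    'OFFICE-PC03' = 'S-1-5-21-4444444444-5555555555-6666666666'
}
Find-DuplicateMachineSids $sample | Format-Table -AutoSize
```

Run it from a workstation that can reach the clones over WMI; a non-empty table from the first Find-DuplicateMachineSids call means the image went out without NewSID being run. The same machine SID showing up beside two different domain account SIDs is exactly the situation the Wikipedia quote describes: the domain identity is unique, the local one is not.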

Nuts.

So it was my own fault for not testing more thoroughly, but it is one more reason to hate Windows. A Linux box is known on the network by its hostname and address, and its local UIDs are plain numbers with no machine-specific prefix baked into them. Windows lets you change names but hides the fact that the name is just a superficial shell over a long string of gibberish (okay, it actually means something, as the article tells you, but still...), and it's that string of gibberish that is actually significant; plus you need a special tool to alter it.

Another annoyance with Windows: it doesn't put an obvious tool in front of you for altering these sorts of fundamental parts of the operating system that can cause problems. The supported way to reset the machine SID is Sysprep, which generalizes the image before it is captured (it ships on the Windows CD or in the Windows directory, but nothing tells you it is there or why you need it). NewSID, the quicker after-the-fact fix, was a third-party tool written by Mark Russinovich, whose Sysinternals tools Microsoft acquired in 2006 after he had released a lot of useful utilities for Windows.

The lessons to be learned?

  1. Don't assume. Test. Even if it takes more time, which makes you less popular with your boss, because it will save the time it takes to fix your time-saving shortcut.
  2. With Windows, even though you'd think changing names and IDs and such would make the machine unique on the network, it might not. Microsoft had the brains to abstract the underlying identifiers away from users who don't need to know about them; it just didn't provide any obvious way to check on or monitor them until it's too late and you have a new mess to fix.
  3. Don't assume that just because there's some fundamental part of Windows that needs administration you'll have the tools included to fix those fundamental parts. Find a tool and save it somewhere that you can access that tool later on.
  4. Windows is a major pain in the rear.
I think that pretty much covers it...
