>Ben
>
>The only thing to be careful with this approach (which is the similar to
>say using GHOST or any of the other image level NT install procedures) is
>the Machine's SID.
>
>Quoting from an NT site (WWW.SYSINTERNALS.COM) who have a free tool for
>changing the SID after installation
>
> The problem with cloning is that it is only supported by Microsoft in a
> very limited sense. Microsoft has stated that cloning systems is only
> supported if it is done before the GUI portion of Windows NT Setup has
> been reached. When the NT install reaches this point the computer is
> assigned a name and a unique computer SID. If a system is cloned after
> this step the cloned machines will all have identical computer SIDs.
> Note that just changing the computer name or adding the computer to a
> different domain does not change the computer SID. Changing the name or
> domain only changes the domain SID if the computer was previously
> associated with a domain.
>
> To understand the problem that cloning can cause, it is first necessary
> to understand how individual local accounts on a computer are assigned
> SIDs. The SIDs of local accounts consist of the computer's SID and an
> appended RID (Relative Identifier). The RID starts at a fixed value, and
> is increased by one for each account created. This means that the second
> account on one computer, for example, will be given the same RID as the
> second account on a clone. The result is that both accounts have the
> same SID.
>
> Duplicate SIDs aren't an issue in a Domain-based NT environment since
> domain accounts have SID's based on the Domain SID. But, according to
> Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate
> Installed Versions of Windows NT", in a Workgroup environment security
> is based on local account SIDs. Thus, if two computers have users with
> the same SID, the Workgroup will not be able to distinguish between the
> users. All resources, including files and Registry keys, that one user
> has access to, the other will as well.
>
> Another instance where duplicate SIDs can cause problems is where there
> is removable media formated with NTFS, and local account security
> attributes are applied to files and directories. If such a media is
> moved to a different computer that has the same SID, then local accounts
> that otherwise would not be able to access the files might be able to if
> their account IDs happened to match those in the security attributes.
> This is not be possible if computers have different SIDs.
>
> An article Mark has written, entitled "NT Rollout Options", will appear
> in the June issue of Windows NT Magazine. It discusses the duplicate SID
> issue in more detail, and presents Microsoft's official stance on
> cloning (please do not ask for preview copies).
>
>Peter
>
|