Is it possible to change the SID of a local user account manually?


Solution 1

It's technically possible to do so, by editing the SAM database (under HKEY_LOCAL_MACHINE\Security in the Registry), but it requires understanding of the binary formats used there. There exist tools that do this, such as NewSid – although it usually did the opposite of what you're looking for, but nevertheless it was able to change the machine SID and user SIDs, computer-wide. The NewSid webpage has some information on how this is done.

However, it won't achieve much. The SID is only used locally. It does not matter what SID you have; it will not give you access to any additional network resources. (This is similar to the arguments given by SysInternals when they discontinued the NewSid utility – it would create a fresh machine SID if you had cloned machines with identical SIDs, but it was explained that having identical machine SIDs, and therefore identical user SIDs, has zero effect on network security.)

For network authentication, Active Directory uses Kerberos and sometimes the (now-deprecated) NTLM, both of which authenticate users using their password or similar credentials.
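The duplicate machine SIDs on cloned machines mentioned above, and the question's scenario of a local account carrying a domain's SID prefix, can both be spotted from an inventory of local account SIDs. This is an added example, not part of the original answer; the host names, account names and SID values are constructed, and `audit` and `split_sid` are hypothetical helper names.

```python
import re
from collections import defaultdict

# S-1-5-21-<a>-<b>-<c>-<RID>: the three sub-authorities identify the issuing
# machine (local accounts) or domain (domain accounts); the RID identifies
# the account within that issuer.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid):
    """Return (issuer_sid, rid), or None if the SID is not of the S-1-5-21 form."""
    m = SID_RE.match(sid.strip())
    if not m:
        return None
    return "S-1-5-21-" + "-".join(m.group(1, 2, 3)), int(m.group(4))

def audit(inventory, domain_sid):
    """inventory: (host, account, sid) rows describing LOCAL accounts only.

    Returns (clones, domain_collisions):
      clones            - issuer SID -> hosts sharing it (imaged without generalize)
      domain_collisions - local accounts whose issuer part equals the domain SID
    """
    hosts_by_issuer = defaultdict(set)
    domain_collisions = []
    for host, account, sid in inventory:
        parsed = split_sid(sid)
        if parsed is None:
            continue  # well-known SIDs such as S-1-5-18 carry no machine part
        issuer, _rid = parsed
        hosts_by_issuer[issuer].add(host)
        if issuer == domain_sid:
            domain_collisions.append((host, account, sid))
    clones = {s: sorted(h) for s, h in hosts_by_issuer.items() if len(h) > 1}
    return clones, domain_collisions

# Constructed sample data (assumption: gathered per host by your inventory tooling).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
CLONED = "S-1-5-21-1000000001-2000000002-3000000003"
INVENTORY = [
    ("WS01", "Administrator", CLONED + "-500"),
    ("WS01", "kiosk", CLONED + "-1001"),
    ("WS02", "Administrator", CLONED + "-500"),  # same machine SID as WS01
    ("WS03", "Administrator", "S-1-5-21-4000000004-5000000005-6000000006-500"),
    ("WS04", "svc", DOMAIN_SID + "-1105"),       # local account with domain prefix
]

if __name__ == "__main__":
    print(audit(INVENTORY, DOMAIN_SID))
```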

Solution 2

You can't. The Security Identifier is built based off of environment variables at the time of creation. They are unique, and are not overwritable.

If you need more information:

The SID for an account or group created in one domain of an enterprise never matches the SID for an account or group created in another domain of the same enterprise.

I would suspect that IF you ever managed to do it, the domain would see it as some sort of oddity and deny access or do other odd things.


Author by BenAlabaster

Tinkerer, problem solver, artist, photographer and professional code monkey. Full time software engineer, husband, father and student desperately seeking more hours in the day so I can keep up with life. I can be found in the following places: Email: BenAlabaster at live dot com Blog: http://www.endswithsaurus.com/ Twitter: @BenAlabaster

Updated on September 18, 2022

Comments

  • BenAlabaster over 1 year

    Let's say for argument's sake I wish to change the SID of a Windows local user account to one that appears on some hypothetical Active Directory domain. Is that possible? If so, how?

    P.S. I don't actually need to know how... all I care about is that it is demonstrably possible and that theoretically some malicious user on the network could do this... and how much skill they would need to do so.

  • BenAlabaster about 11 years
    That's just what I was hoping to hear. My manager just needs to hear it from someone other than me as he thinks this can be changed no problem... which I say is BS :D
  • Muh Fugen over 7 years
    They are technically overwritable. This happens whenever you run Microsoft sysprep.
  • Muh Fugen over 7 years
    In fringe use cases changing a local account's SID could potentially be useful, such as when using a failover cluster with shared storage and local accounts. If there are local account specific ACLs on the shared storage, and it was impracticable to add the ACLs for the local account of the 2nd node of the cluster, for instance if the failover cluster's service/application created new files with a non-inherited ACL.
  • Muh Fugen over 7 years
    And you can see duplicate SIDs in environments when someone has imaged a computer (or cloned a VM) which didn't have sysprep's generalize function run on it beforehand.
  • user1686 over 7 years
    @MuhFugen: If you have a failover cluster, wouldn't you usually also have AD?
  • Muh Fugen over 7 years
    Yes? I was referring to local accounts.