Web Informant #90, 5 November 1997
To SID with Love


There is no doubt in my mind that NT is becoming more and more popular as a desktop operating system. The bad news is that Microsoft has become its own worst enemy in trying to ensure NT's success.

The signs are pretty clear: just about every vendor that has come through here on a press tour in the last year has trumpeted their latest NT product. NT has also managed to make some big inroads into Unix and NetWare when it comes to running Internet and LAN applications. When I first began at my NT-based ISP Sohonet.com, they were fairly unique. Now ISPs that host NT servers are popping up everywhere, including traditional providers like Uunet and BBN. Even my own sister is now running NT on her desktop at work.

You know an operating system has gone mainstream when you start talking about its problems with your family.

Yet Microsoft continues to do some pretty dumb things when it comes to NT. It continues to send out mixed messages as to whether corporations should use 95 or NT on the desktop, and next year we'll see more of the same as upgrades to both operating systems slip later and later. There was that whole fiasco about licensing NT/Workstation for running server-type applications earlier this year. While it got resolved, it left a bad taste in my mouth. NT still has problems with older applications, as my sister can tell you (she still needs another Win16 machine on her desk to run those).

But what really has got my goat is this issue of the Security ID that can blow up and cause many corporations a massive NT headache.

The SID, as it is called, is a single registry entry. To see what we are talking about, bring up REGEDT32 and open up HKEY_LOCAL_MACHINE. Then navigate down the tree to Software, Microsoft, Windows NT, CurrentVersion, and finally ProfileList.

The SID isn't anything fancy: indeed, it is created when you install the NT operating system as a way to identify your particular machine. It is like our bodies' appendix: it has no current use and can just get in the way of normal operations. No current Microsoft software makes use of the SID. While it is supposed to be unique, the algorithm that creates it doesn't ensure uniqueness, and nothing happens when two or more NT workstations have the same SIDs on the same network segment. This is unlike NetWare Server IDs or many Macintosh-based software serial numbers, which will generate a series of broadcast error messages.

The problem with the SID started when people began using disk duplication or imaging products to clone NT machines. If you buy lots of NT computers, you'll have discovered that the thrill of running NT's installation procedure gets tiresome, not to mention the time required to install your initial set of applications. So along came several vendors offering these imaging products. Three of them are from Keylabs, PowerQuest, and Ghost Software. In the interest of full disclosure, I have done some consulting work for Keylabs.

(As a side note, finding these SID products isn't easy, and both PowerQuest's and Keylabs' are beta versions. For PowerQuest, go to www.powerquest.com/products/driveimage/siddl.html and enter the following key DM101ENPNFRCD-11TRIAL, which will expire after 11/25/97. For Keylabs, go to www.keylabs.com/software/sidgen. For Ghost's product, go to www.ghostsoft.com/gwalk.htm and enter sidblast as the password.)

Here is where things get interesting. You see, these products duplicate everything on the disk, including the SID. Microsoft doesn't like that, because they want customers to use the labor-intensive installation process and lay down NT the way they originally intended. They claim that anyone using an imaged disk won't receive any support if they run into problems.

I think they have a point if they are talking about imaged NT domain controllers -- you probably want to set these up from scratch. But for desktops, running these imaging products can save a lot of time and set up everyone the exact same way, something essential in these days when corporate IS support departments are stretched thin.
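
An added example, not part of the original column: the subkeys under ProfileList are named with account SIDs in string form, and for a local account everything before the final number is the machine's SID, so comparing those prefixes across an inventory shows which desktops came from the same image. The host names, SID values and helper functions below are constructed for illustration, and the per-host key lists are assumed to have been collected beforehand.

```python
import struct
from collections import defaultdict

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8 or raw[0] != 1 or raw[1] > 15 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])

def machine_sid(account_sid: str):
    """S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c; None for any other SID shape."""
    parts = account_sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"] \
            and all(p.isdigit() for p in parts[4:]):
        return "-".join(parts[:7])
    return None

def find_clones(inventory, domain_sids=()):
    """Map each machine SID seen on more than one host to those hosts.
    SIDs in domain_sids are skipped: domain accounts legitimately appear
    in ProfileList on many machines."""
    hosts_by_sid = defaultdict(set)
    for host, profile_keys in inventory.items():
        for key in profile_keys:
            prefix = machine_sid(key)
            if prefix and prefix not in domain_sids:
                hosts_by_sid[prefix].add(host)
    return {sid: sorted(h) for sid, h in hosts_by_sid.items() if len(h) > 1}

# Constructed sample data: ProfileList subkey names gathered per host.
DOMAIN = "S-1-5-21-111-222-333"
INVENTORY = {
    "WS01": ["S-1-5-21-1000-2000-3000-500", DOMAIN + "-1104"],
    "WS02": ["S-1-5-21-1000-2000-3000-500", DOMAIN + "-1107"],  # imaged from WS01
    "WS03": ["S-1-5-21-4000-5000-6000-500", DOMAIN + "-1104"],  # installed from scratch
}
# Constructed binary form of S-1-5-21-1000-2000-3000-500.
RAW = bytes.fromhex("010500000000000515000000e8030000d0070000b80b0000f4010000")

if __name__ == "__main__":
    print(sid_to_string(RAW))
    print(find_clones(INVENTORY, domain_sids={DOMAIN}))
```

Without the `domain_sids` exclusion, every host where the same domain user has logged on would be reported as a clone.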

I am not the only one complaining about SIDs. You can read Art Wittmann's excellent opinion piece from Network Computing magazine.

Meanwhile, Microsoft is doing all they can to prevent people from deploying NT. In a letter to me, they stated:

"Microsoft is investigating a solution for the Windows NT 5.0 release to provide a means to support creation of a master installation image of Windows NT. Customers, OEMs, or VARs can make a disk image of this master, using whatever disk duplication tools they prefer, and complete the installation of a unique system based on this master with a minimum amount of end-user setup. We expect the end-user setup will be minimal and allow for customization of the User name and Company, computer name, and acceptance of the End-User License agreement. This mechanism will take care of a unique local domain SID and provides for the minimum necessary end-user customization required for a unique Windows NT installation."

This is utter hogwash, and doesn't address the needs of their customers who don't want to wait till v5.0 to solve this problem. The imaging companies have responded to Microsoft by creating some software that will change the SID on the duplicated machines, but do so after they dupe the disks. Microsoft doesn't like this either, because now they have to figure out if this SID is going to be the same as the one that would be created in the normal installation process.

When I asked Microsoft to just certify one of the SID-making products, they balked, claiming that they don't have the time and Keylabs, PowerQuest et al. can go join one of their developer programs. That isn't an answer.

This is a little issue, and certainly not as sexy as dealing with the latest lawsuits and counter-suits. But for those corporations that want to deploy lots of NT desktops, it is a big stumbling block. Microsoft should fix this by having a way to change the SID after the installation of the machine, or eliminate this appendix entirely.

Site keeping and self-promotions dep't

My latest article for Datamation magazine is an in-depth look at how to build a great extranet. I spent some time with the folks at Coopers and Lybrand's Tax News Network.

David Strom
+1 (516) 944-3407
entire contents copyright 1997 by David Strom, Inc.
Web Informant is a ® registered trademark with the U.S. Patent and Trademark Office