Do Not Disk Duplicate Installed Versions of Windows NT
ID: Q162001
Microsoft provides several methods for the proper deployment of the
Windows NT operating system. Using a supported method is important to
ensure that the security of systems running Windows NT is not compromised.
There is a reason you can't just copy the hard disk from one computer to
another to deploy Windows NT. One of the important features of Windows NT
is its security. Each computer is assigned a unique Security ID (SID)
during Setup at the time the machine name is entered; this ensures that it
can be identified on the network. Almost all of the network services have
this security information encoded in their entries in the registry during
Setup or subsequent installation. Simply copying the contents of one hard
disk to another would give each computer the same SID, making security
impossible to maintain.
When a computer is installed, it is given a SID. For a Windows NT
Workstation, Windows NT Member server, or a Windows NT primary domain
controller (PDC), that SID is computed to contain a statistically unique
96-bit number. For a Windows NT backup domain controller (BDC), that SID
is identical to the SID of the PDC for the domain.
The primary SID is generated during the installation of Windows NT and is
the prefix of the SIDs for all the user accounts and group accounts
created on the computer. The SID is concatenated with the RID of the
account to create the account's unique identifier.
So, if two workstations have the same primary SID, the first user account
created on each workstation (and every subsequent one) receives the same
SID, because the prefix on both computers is the same.
Here is what happens when the SID is created. When you install Windows NT,
Setup creates a unique SID for that computer and uses this SID as a prefix
for all local machine accounts. This can be seen by using Regedt32.exe to
view the local user's SID under HKEY_USERS on Local Machine. If you create
several local accounts, you will see the SID for each account when logging
on as that user.
Example (HKEY_USERS on Local Machine):
  S-1-5-21-191058668-193157475-1542849698-500   administrator
  S-1-5-21-191058668-193157475-1542849698-1000  User one
  S-1-5-21-191058668-193157475-1542849698-1001  User two
  S-1-5-21-191058668-193157475-1542849698-1002  User three
Notice that only the last component (the RID) is incremented as new
accounts are added. The implication of this for Workgroup security is that
local users have rights on other computers according to the order in which
their account was created. Additionally, file ownership on shared or
removable media would be compromised, making security unmanageable.
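The machine-SID-prefix plus RID structure described above, as an added example that is not part of the KB article: a small Python script that splits account SIDs into prefix and RID and reports hosts whose accounts share a machine SID, which is the symptom a disk-duplicated installation leaves behind. The host names and WS3's SID are constructed; WS1 and WS2 reuse the SIDs from the example above.

```python
from collections import defaultdict

# Constructed sample: SIDs as they would appear under HKEY_USERS on three
# workstations. WS1 and WS2 were installed from the same duplicated disk
# image, so they share the machine SID prefix from the article; WS3 was
# installed with Setup and has its own (made-up) prefix.
ACCOUNTS_BY_HOST = {
    "WS1": ["S-1-5-21-191058668-193157475-1542849698-500",
            "S-1-5-21-191058668-193157475-1542849698-1000"],
    "WS2": ["S-1-5-21-191058668-193157475-1542849698-500",
            "S-1-5-21-191058668-193157475-1542849698-1000"],
    "WS3": ["S-1-5-21-2731011-1895322455-4000000000-500",
            "S-1-5-21-2731011-1895322455-4000000000-1000"],
}

def parse_machine_sid(sid):
    """Split an account SID of the form S-1-5-21-A-B-C-RID into
    (machine SID prefix, RID). A, B and C are the three 32-bit
    subauthorities that together form the 96-bit machine identifier."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a machine-account SID: %s" % sid)
    subauths = [int(p) for p in parts[4:7]]
    if any(not 0 <= v < 2 ** 32 for v in subauths):
        raise ValueError("subauthority out of 32-bit range: %s" % sid)
    return "-".join(parts[:7]), int(parts[7])

def machine_id_bits(sid_prefix):
    """Pack the three subauthorities of a machine SID prefix into one
    integer; the result always fits in 96 bits."""
    a, b, c = (int(p) for p in sid_prefix.split("-")[4:7])
    return (a << 64) | (b << 32) | c

def find_duplicate_machine_sids(accounts_by_host):
    """Return {prefix: [hosts]} for every machine SID prefix seen on more
    than one host. A hit means those hosts were disk-duplicated, unless
    they are a PDC/BDC pair, which legitimately shares a SID."""
    hosts_by_prefix = defaultdict(set)
    for host, sids in accounts_by_host.items():
        for sid in sids:
            prefix, _rid = parse_machine_sid(sid)
            hosts_by_prefix[prefix].add(host)
    return {p: sorted(h) for p, h in hosts_by_prefix.items() if len(h) > 1}

if __name__ == "__main__":
    for prefix, hosts in find_duplicate_machine_sids(ACCOUNTS_BY_HOST).items():
        print("machine SID %s shared by %s" % (prefix, ", ".join(hosts)))
```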
The Microsoft Knowledge Base provides a variety of articles that outline
specifications and how-to information for the proper deployment of Windows
NT.
The Windows NT 4.0 Workstation Resource Kit provides documentation on the
deployment procedures for Windows NT 4.0.
Consult the Computer Profile Setup documentation in the Windows NT 3.5 and
Windows NT 3.51 Resource Kits for information on deployment utilities.
Additional information about Windows NT deployment is available from the
following Microsoft Web site:
http://www.microsoft.com/ntworkstation/technical/DeploymentDocs/default.asp
Additional query words: prodnt clone cloning ghost ghosted win95
Keywords : kbnetwork kbsetup ntsetup ntreskit NTSrvWkst
Version : WINDOWS:95; winnt:3.1,3.5,3.51,4.0
Platform : WINDOWS winnt
Issue type :
Last Reviewed: July 23, 1999