Updating drivers for devcon
After a user logs on to a system, they are represented by their account and group SIDs with respect to object authorization (permissions checks).
If two machines have the same machine SID, then accounts or groups on those systems might have the same SID.
These utilities generate a new machine SID, try to find all the locations on a system, including all the file system and registry ACLs, that contain copies of the machine SID, and update them to the new SID.
The reason that Microsoft doesn’t support systems modified in this way is that, unlike Sysprep, these tools don’t necessarily know about all the places where Windows stashes away references to the machine SID.
At one point during the design of Windows NT, the machine SID might have been used for network identification, so in order to assure uniqueness, the SID that Setup generates has one fixed subauthority value (21) and three randomly-generated subauthority values (the numbers following “S-1-5-21” in the output).
Even before you create the first user account on a system, Windows defines several built-in users and groups, including the Administrator and Guest accounts.
A SID is a variable-length numeric value that consists of a structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or relative identifier (RID) values.
Note that the number following the account name, 7fdee, matches the logon session ID shown by Logon Sessions. By default, processes inherit a copy of their parent process’s token.
At that point the decision to retire New SID became obvious.
I realize that the news that it’s okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT’s inception.
A similar check happens for remote logon sessions, which are the kind created by a “net use” of a remote computer’s share.
To successfully connect to a share you must authenticate to the remote system with an account known to that system.