Rids

Paul J Collins pjdc at eircom.net
Tue Apr 25 20:17:40 GMT 2000


>>>>> "Inge-Haavard" == Inge-Haavard Hunstad <inge at cc.uit.no> writes:

    Inge-Haavard> Hi all, I have some questions regarding the rid. I
    Inge-Haavard> need to know how important the rid is in a Samba
    Inge-Haavard> controlled domain. Can I assign a new rid to a user
    Inge-Haavard> without getting any trouble? As I see it, it is only
    Inge-Haavard> the profile that contains the rid and will be
    Inge-Haavard> corrupted if the rid of a user changes. Is this
    Inge-Haavard> right? If so, will I eliminate this problem if I use
    Inge-Haavard> mandatory profiles and delete the local copy when
    Inge-Haavard> the user logs out?  Another problem would be the
    Inge-Haavard> machine accounts: if I change the rid of a machine
    Inge-Haavard> account, will I have to rejoin the domain?

The RID is the part of the SID that identifies the user's entry in the
domain's SAM.  If you change a user's RID, then the permissions on any
NTFS volumes that refer to that user will no longer apply; you will
likely see "Account Unknown" in such permissions lists.  It is called
a Relative Identifier because it only has meaning when coupled with
the SID of a domain.

In other words, it's very like a Unix user or group ID, and changing
it has effects similar to those that changing a Unix user's user ID
would have, but with more knock-on effects, I would think.

I believe that an NT Workstation remembers the SID of its machine
account, so you would probably have to rejoin the domain.  I can't
figure out how to view the LSA secret objects with regedt32, so I
can't be sure.

If you detail *why* you need to change the RIDs, better solutions may
be possible.

Paul.

-- 
Paul Collins <sneakums at eircom.net> - - - - - [ A&P,a&f ]
 GPG: 0A49 49A9 2932 0EE5 89B2  9EE0 3B65 7154 8131 1BCD
 PGP: 88BA 2393 8E3C CECF E43A  44B4 0766 DD71 04E5 962C
"Linux: it's just this operating system, you know?"
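
Added example, not part of the original message: a small Python model of the point made in the reply, decoding a binary SID, splitting off the RID, and showing how an ACL entry that stores the old SID stops resolving once the account's RID changes. The domain SID, the account name and the `sam` dictionary (a stand-in for the domain's SAM) are constructed for illustration.

```python
import struct

def parse_sid(raw):
    """Decode a binary SID into its S-<rev>-<authority>-<sub>... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])      # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def split_sid(sid):
    """Split an account SID into (domain SID, RID): the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def resolve_acl(acl, domain_sid, sam):
    """Show ACL entries as a permissions list would: name if the SID resolves."""
    shown = []
    for sid, access in acl:
        domain, rid = split_sid(sid)
        # A RID is only looked up in the SAM of the domain whose SID prefixes it.
        name = sam.get(rid) if domain == domain_sid else None
        shown.append((name or "Account Unknown", access))
    return shown

# Constructed sample data (not real identifiers).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RAW_USER_SID = (bytes.fromhex("0105000000000005")      # rev 1, 5 subs, authority 5
                + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1001))

if __name__ == "__main__":
    user_sid = parse_sid(RAW_USER_SID)
    acl = [(user_sid, "Full Control")]                  # what the NTFS ACL stores
    print(user_sid, split_sid(user_sid))
    print("before:", resolve_acl(acl, DOMAIN_SID, {1001: "inge"}))
    print("after: ", resolve_acl(acl, DOMAIN_SID, {2001: "inge"}))  # RID changed
```

The ACL keeps the full SID, not the account name, so the entry written for RID 1001 is unaffected by the change and simply no longer matches any account.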



More information about the samba-ntdom mailing list