Paul J Collins
pjdc at eircom.net
Tue Apr 25 20:17:40 GMT 2000
>>>>> "Inge-Haavard" == Inge-Haavard Hunstad <inge at cc.uit.no> writes:
Inge-Haavard> Hi all, I have some questions regarding the rid. I
Inge-Haavard> need to know how important the rid is in a Samba
Inge-Haavard> controlled domain. Can I assign a new rid to a user
Inge-Haavard> without getting any trouble. As I see it it is only
Inge-Haavard> the profile that contains the rid and will be
Inge-Haavard> corrupted if the rid of a user changes. Is this
Inge-Haavard> right? If so will I eliminate this problem if I use
Inge-Haavard> mandatory profiles and deletes the local copy when
Inge-Haavard> the user log out? Another problem would be the
Inge-Haavard> machine accounts if I change the rid of a machine
Inge-Haavard> account will I have to rejoin the domain?
The RID is the part of the SID that identifies the user's entry in the
domain's SAM. If you change a user's RID, then the permissions on any
NTFS volumes that refer to that user will no longer apply; you will
likely see "Account Unknown" in such permissions lists. It is called
a Relative Identifier because it only has meaning when coupled with
the SID of a domain.
In other words, it's very like a Unix user or group ID, and changing
it has similar effects that changing a Unix user's user ID would have,
but with more knock-on effects, I would think.
I believe that an NT Workstation remembers the SID of its machine
account, so you would probably have to rejoin the domain. I can't
figure out how to view the LSA secret objects with regedt32, so I
can't be sure.
If you detail *why* you need to change the RIDs, better solutions may
Paul Collins <sneakums at eircom.net> - - - - - [ A&P,a&f ]
GPG: 0A49 49A9 2932 0EE5 89B2 9EE0 3B65 7154 8131 1BCD
PGP: 88BA 2393 8E3C CECF E43A 44B4 0766 DD71 04E5 962C
"Linux: it's just this operating system, you know?"
More information about the samba-ntdom