bolug bonner linux user group

SchAN-User

Re: [Schan-user] Installation Arktur v5.3.03 Servername Bremen?

To: Schulen ans Netz - Anwender <schan-user@xxxxxxxxxxxxxxxxx>
Subject: Re: [Schan-user] Installation Arktur v5.3.03 Servername Bremen?
From: Miroslaw Wilczak <wilczakm@xxxxxxx>
Date: Mon, 06 Aug 2012 14:35:07 +0200
Hello Wolfgang,

you might still be able to achieve something with the program
"newsid.exe" run without switches.
Please delete the computer name on the Arktur
and create it again. All connections to the server must also be deleted. Users that do not belong to the domain (those from the old domain) should also disappear from groups such as Administrators or Users.

Best regards
Mirek
PS. Here is the description:

"newsid /a [newname]

Would have NewSID run without prompting, change
the computer name to "newname" and have it reboot
the computer if everything goes okay.

NewSID's SID-synchronizing feature that allows you
to specify that, instead of randomly generating
one, the new SID should be obtained from a
different computer. This functionality makes it
possible to move a Backup Domain Controller (BDC)
to a new Domain, since a BDC's relationship to a
Domain is identified by it having the same
computer SID as the other Domain Controllers
(DCs). Simply choose the "Synchronize SID" button
and enter the target computer's name. You must
have permissions to change the security settings
of the target computer's Registry keys, which
typically means that you must be logged in as a
domain administrator to use this feature.

Note that when you run NewSID that the size of the
Registry will grow, so make sure that the maximum
Registry size will accommodate growth. We have
found that this growth has no perceptible impact
on system performance. The reason the Registry
grows is that it becomes fragmented as temporary
security settings are applied by NewSID. When the
settings are removed the Registry is not compacted.

Note that while we have thoroughly tested NewSID,
you must use it at your own risk. As with any
software that changes file and Registry settings,
it is highly recommended that you completely
back-up your computer before running NewSID.

Moving a BDC

Here are the steps you should follow when you
want to move a BDC from one domain to another:

1. Boot up the BDC you want to move and log in. Use
   NewSID to synchronize the SID of the BDC with
   the PDC of the domain to which you wish to move
   the BDC.
2. Reboot the system for which you changed the SID
   (the BDC). Since the domain the BDC is now
   associated with already has an active PDC, it
   will boot as a BDC in its new domain.
3. The BDC will show up as a workstation in Server
   Manager, so use the "Add to Domain" button to
   add the BDC to its new domain. Be sure to
   specify the BDC radio button when adding.

How it Works
NewSID starts by reading the existing computer
SID. A computer's SID is stored in the Registry's
SECURITY hive under SECURITY\SAM\Domains\Account.
This key has a value named F and a value named V.
The V value is a binary value that has the
computer SID embedded within it at the end of its
data. NewSID ensures that this SID is in a
standard format (3 32-bit subauthorities preceded
by three 32-bit authority fields).

Next, NewSID generates a new random SID for the
computer. NewSID's generation takes great pains to
create a truly random 96-bit value, which replaces
the 96-bits of the 3 subauthority values that make
up a computer SID.

Three phases to the computer SID replacement
follow. In the first phase, the SECURITY and SAM
Registry hives are scanned for occurrences of the
old computer SID in key values, as well as the
names of the keys. When the SID is found in a
value it is replaced with the new computer SID,
and when the SID is found in a name, the key and
its subkeys are copied to a new subkey that has
the same name except with the new SID replacing
the old.

The final two phases involve updating security
descriptors. Registry keys and NTFS files have
security associated with them. Security
descriptors consist of an entry that identifies
which account owns the resource, which group is
the primary group owner, an optional list of
entries that specify actions permitted by users or
groups (known as the Discretionary Access Control
List - DACL), and an optional list of entries that
specify which actions performed by certain users
or groups will generate entries in the system
Event Log (System Access Control List - SACL). A
user or a group is identified in these security
descriptors with their SIDs, and as I stated
earlier, local user accounts (other than the
built-in accounts such as Administrator, Guest,
and so on) have their SIDs made up of the computer
SID plus a RID.

The first part of security descriptor updates
occurs on all NTFS file system files on the
computer. Every security descriptor is scanned for
occurrences of the computer SID. When NewSID finds
one, it replaces it with the new computer SID.

The second part of security descriptor updates is
performed on the Registry. First, NewSID must make
sure that it scans all hives, not just those that
are loaded. Every user account has a Registry hive
that is loaded as HKEY_CURRENT_USER when the user
is logged in, but remains on disk in the user's
profile directory when they are not. NewSID
identifies the locations of all user hive
locations by enumerating the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\ProfileList key, which points at
the directories in which they are stored. It then
loads them into the Registry using RegLoadKey
under HKEY_LOCAL_MACHINE and scans the entire
Registry, examining each security descriptor in
search of the old computer SID. Updates are
performed the same as for files, and when it's done
NewSID unloads the user hives it loaded. As a
final step NewSID scans the HKEY_USERS key, which
contains the hive of the currently logged-in user
as well as the .Default hive. This is necessary
because a hive can't be loaded twice, so the
logged-in user hive won't be loaded into
HKEY_LOCAL_MACHINE when NewSID is loading other
user hives.

Finally, NewSID must update the ProfileList
subkeys to refer to the new account SIDs. This
step is necessary to have Windows NT correctly
associate profiles with the user accounts after
the account SIDs are changed to reflect the new
computer SID.

NewSID ensures that it can access and modify every
file and Registry key in the system by giving
itself the following privileges: System, Backup,
Restore and Take Ownership.

Using the Source

Full source code to NewSID has been provided for
educational purposes. You may not use this code in
a commercial or freeware SID-changing product, but
you may use its techniques in other programs for
private or commercial use."



Wolfgang See-Metz wrote:
Hello Rudi, hello Arkturians,

On 06.08.2012 13:05, Rudi Münz wrote:
Then Microsoft might be annoying you with the client's memory;
some information is stored in the registry for some (unknown)
period of time. Unfortunately.
I have occasionally had similar problems too.
On the client, enter "cmd" under Start -> Run, and in the window that
then appears enter "net use * /del /YES" (all without the
quotation marks), so that Windows forgets the old network settings.

I have now entered the command.
Unfortunately without success.
Output of the command:
Es sind keine Einträge in der Liste

Is there another way to make it forget?

Regards
Wolfgang


_______________________________________________
schan-user mailing list
schan-user@xxxxxxxxxxxxxxxxx
http://www.heise.de/bin/newsletter/listinfo/schan-user
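
The layout the quoted NewSID description gives for the computer SID (the last 24 bytes of the V value, with local account SIDs formed as computer SID plus RID), as an added Python example that is not part of the original message or of NewSID's source. It decodes the SID from a constructed V blob and flags group members whose SID belongs to none of the SIDs listed as current, which is the leftover-account check Mirek's advice implies; the sample bytes, SIDs and function names are constructed for illustration.

```python
import struct

MACHINE_PREFIX = "S-1-5-21-"

def parse_sid(data: bytes) -> str:
    """Decode a binary SID: revision, count, 48-bit authority, sub-authorities."""
    if len(data) < 8 or len(data) != 8 + 4 * data[1]:
        raise ValueError("truncated or malformed SID")
    authority = int.from_bytes(data[2:8], "big")      # authority is big-endian
    subs = struct.unpack(f"<{data[1]}I", data[8:])    # sub-authorities are little-endian
    return "-".join(["S", str(data[0]), str(authority), *map(str, subs)])

def machine_sid_from_v(v_value: bytes) -> str:
    """Return the computer SID embedded in the last 24 bytes of the V value."""
    if len(v_value) < 24:
        raise ValueError("V value too short to hold a computer SID")
    sid = parse_sid(v_value[-24:])
    if not sid.startswith(MACHINE_PREFIX):
        raise ValueError("tail of V is not a standard computer SID")
    return sid

def account_sid(machine_sid: str, rid: int) -> str:
    """Local account SID = computer SID plus RID."""
    return f"{machine_sid}-{rid}"

def stale_members(member_sids, current_sids):
    """List members whose SID base is neither a current computer nor domain SID."""
    current = set(current_sids)
    stale = []
    for sid in member_sids:
        base, _, _rid = sid.rpartition("-")
        # Built-in SIDs such as S-1-5-32-544 have no S-1-5-21 base and are skipped.
        if base.startswith(MACHINE_PREFIX) and base not in current:
            stale.append(sid)
    return stale

# Constructed sample: 40 filler bytes followed by a 24-byte computer SID.
SAMPLE_SID_BYTES = (bytes([1, 4]) + (5).to_bytes(6, "big")
                    + struct.pack("<4I", 21, 1111111111, 2222222222, 3333333333))
SAMPLE_V = bytes(40) + SAMPLE_SID_BYTES

if __name__ == "__main__":
    machine = machine_sid_from_v(SAMPLE_V)
    print("computer SID:", machine)
    members = [account_sid(machine, 500), "S-1-5-21-9-8-7-1105", "S-1-5-32-544"]
    print("stale group members:", stale_members(members, [machine]))
```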



last modified: 06.08.2012