Environment
Novell ZENworks Configuration Management 11
Situation
The SID changer isn't disabled after following the documentation (section D.3.3 Disabling the SIDchanger).
Resolution
This is fixed in version 11.2 - see KB 7010044 "ZENworks Configuration Management 11.2 - update information and list of fixes" which can be found at https://www.novell.com/support
Cause
Here is what happens in the Imaging engine:
1. The Imaging engine restores the base image or addon image. After restoring, ZCM invokes SIDchange (exe), which checks whether it should change the SID for the machine. [This is the reason the message "Sidchange exe is running" is displayed.]
2. Sidchanger does the following:
   a. It exits gracefully if it finds Windows XP.
   b. It tries to change the SID of the machine only if the following condition is satisfied:
      b1. The machine is Windows Vista, Windows 2k8, or Windows 7, and sysprep was not run before taking the image.
For addon images:
What if the addon image has a file which has the old SID? When this image is applied to a different machine, the SID has to be changed; otherwise there would be two SIDs on the same machine.
Why is the SID changed?
A SID is a unique identifier used to identify the machine or an object, such as a user or a group of users, in the network. Because of this, when an image is restored to a different box, ZENworks ensures that the SID is unique on both boxes.
Windows grants or denies access and privileges to resources based on ACLs, which use SIDs to uniquely identify users and their group memberships. When a user requests access to a resource, the user's SID is checked against the ACL to determine whether that user is allowed to perform that action or is part of a group that is allowed to perform that action.
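As an added illustration (not Novell's code and not part of ZENworks), the Python sketch below decodes binary SIDs and flags hosts that share a machine SID, which is the condition the SID changer exists to prevent. It relies on a local account SID being the machine SID plus a trailing RID; the host names and SID values are constructed sample data, and build_sid is a hypothetical helper used only to create them.

```python
import struct
from collections import defaultdict

def sid_to_string(raw: bytes) -> str:
    """Decode a binary Windows SID into its S-R-A-S1-S2... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported SID header")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def machine_sid(account_sid: str) -> str:
    """Strip the trailing RID from an account SID (S-1-5-21-a-b-c-RID)."""
    parts = account_sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a machine-relative account SID: " + account_sid)
    return "-".join(parts[:7])

def find_clones(inventory: dict) -> dict:
    """Map each machine SID used by more than one host to those hosts."""
    by_sid = defaultdict(list)
    for host, raw in inventory.items():
        by_sid[machine_sid(sid_to_string(raw))].append(host)
    return {sid: sorted(hosts) for sid, hosts in by_sid.items() if len(hosts) > 1}

def build_sid(subs):
    """Hypothetical helper: pack an NT-authority (5) SID for sample data."""
    header = bytes([1, len(subs)]) + (5).to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

# Constructed inventory: each value is the binary SID of the host's built-in
# Administrator account (RID 500). PC-A and PC-B came from the same image.
SAMPLE = {
    "PC-A": build_sid([21, 1111111111, 2222222222, 3333333333, 500]),
    "PC-B": build_sid([21, 1111111111, 2222222222, 3333333333, 500]),
    "PC-C": build_sid([21, 4040404040, 1234567890, 987654321, 500]),
}

if __name__ == "__main__":
    for sid, hosts in find_clones(SAMPLE).items():
        print("shared machine SID", sid, "on", ", ".join(hosts))
```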
Additional Information
Here are the cases in which ZENworks actually changes the SID of the machine:
1. First, ZENworks checks whether there is any SID present in the ISD. If there is no SID, ZENworks generates a new SID for the machine. [A SID is present in the ISD only if our agent is installed (ziswin syncs the SID of the machine to the ISD) or if ZENworks has restored a base image from ZENworks Imaging.]
2. ZENworks also needs a new SID if the system partition's SID does not match the image-safe data SID, if it already had one. [This is the case where ZENworks has applied a new base image to an existing system where ISD is already present.]
So when applying an addon image to an existing machine, if the SID of the machine matches the SID in the ISD, we will not proceed to change the SID.