Managing Security Accounts

Each security account (users, groups, and computers) is identified by a unique security identifier (SID). The SID is what uniquely identifies a security account, and it is what the system uses to perform access checks against resources, such as files, file directories, printers, Exchange mailboxes, Microsoft® SQL Server™ databases, objects stored in Active Directory, or any other data that is protected by the Windows 2000 security model.

A SID is made up of header information and a set of relative identifiers that identify the domain and the security account. Within a domain, each domain controller is capable of creating accounts and issuing each account a unique security identifier. Each domain controller maintains a pool of relative IDs that is used in the creation of security identifiers. When 80 percent of the relative ID pool is consumed, the domain controller requests a new pool of relative identifiers from the relative ID operations master. This ensures that the same pool of relative IDs is never allocated to different domain controllers and so prevents the allocation of duplicate security identifiers. However, because it is possible (although rare) for a duplicate relative ID pool to be allocated, you need to identify those accounts that have been issued duplicate security identifiers so that you can prevent access control from being applied to the wrong account.

One cause of duplicate relative ID pools is an administrator seizing the relative ID master role while the original relative ID master is operational but temporarily disconnected from the network. In normal practice, after one replication cycle, the relative ID master role is held by just one domain controller, but before the role ownership is resolved, two different domain controllers might each request a new relative ID pool and be allocated the same one.

Table C.10 lists and describes the menu commands for security account management.

Table C.10 Security Account Management Menu Commands

| Command | Description |
| --- | --- |
| Check Duplicate SID | Checks the domain for any objects that have duplicate security identifiers. |
| Cleanup Duplicate SID | Deletes all objects that have duplicate security identifiers and logs these entries into the log file. |
| Log File %s | Sets the log file to %s. If a log file is not explicitly set, the log file defaults to Dupsid.log. |
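As an added illustration (not part of this documentation and not Microsoft's tool), the following Python code parses the textual SID form described above, separates the domain identifiers from the account's relative ID, converts a SID to the binary layout stored in the objectSid attribute, and runs the same kind of duplicate SID check that the Check Duplicate SID command performs, here over a constructed account export; the account names and the domain SID are made-up sample values.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample export of (distinguishedName, objectSid) pairs, as a
# directory dump might list them; two different accounts share one SID here.
SAMPLE_ACCOUNTS = [
    ("CN=alice,CN=Users,DC=example,DC=test", "S-1-5-21-1004336348-1177238915-682003330-1103"),
    ("CN=bob,CN=Users,DC=example,DC=test", "S-1-5-21-1004336348-1177238915-682003330-1104"),
    ("CN=svc-backup,CN=Users,DC=example,DC=test", "S-1-5-21-1004336348-1177238915-682003330-1103"),
    ("CN=WS01,CN=Computers,DC=example,DC=test", "S-1-5-21-1004336348-1177238915-682003330-1105"),
]

class Sid(NamedTuple):
    revision: int
    authority: int                    # 48-bit identifier authority (5 = NT Authority)
    subauthorities: Tuple[int, ...]   # domain identifiers, then the account's RID

def parse_sid(text: str) -> Sid:
    """Parse the textual form S-<revision>-<authority>-<subauthority>...-<RID>."""
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+)+)", text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)

def split_domain_rid(sid: Sid) -> Tuple[str, int]:
    """Return (domain SID text, RID): the last sub-authority is the RID, the rest name the domain."""
    domain = "S-%d-%d-%s" % (sid.revision, sid.authority, "-".join(str(s) for s in sid.subauthorities[:-1]))
    return domain, sid.subauthorities[-1]

def sid_to_bytes(sid: Sid) -> bytes:
    """Binary objectSid layout: revision, sub-authority count, 6-byte big-endian
    authority, then each sub-authority as a little-endian uint32."""
    out = bytes([sid.revision, len(sid.subauthorities)]) + sid.authority.to_bytes(6, "big")
    for sub in sid.subauthorities:
        out += sub.to_bytes(4, "little")
    return out

def find_duplicate_sids(accounts: List[Tuple[str, str]]) -> Dict[Sid, List[str]]:
    """Map every SID carried by more than one object to the DNs of those objects."""
    seen: Dict[Sid, List[str]] = defaultdict(list)
    for dn, sid_text in accounts:
        seen[parse_sid(sid_text)].append(dn)
    return {sid: dns for sid, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    for sid, dns in find_duplicate_sids(SAMPLE_ACCOUNTS).items():
        domain, rid = split_domain_rid(sid)
        print(f"duplicate RID {rid} in domain {domain}: {', '.join(dns)}")
```

The check compares the parsed SID structure rather than the raw text, so two records that spell the same SID identically or differ only in formatting are still recognised as the same identifier.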