Security Identifiers Tools

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following tools are associated with security identifiers (SIDs).

Getsid.exe: Get Security ID

Category

Included with Windows Server 2003 Support Tools.

Version compatibility

This tool is compatible with domain controllers running Windows Server 2003.

Use this command-line tool to compare the user SIDs of two accounts. For example, you can use Getsid.exe to compare account SIDs between domain controllers when you suspect user database corruption.

For more information about Getsid.exe, see “Support Tools Help” in the Tools and Settings Collection.

Sidwalk.exe, Sidwalk.msc, and Showaccs.exe: SIDWalker Security Administration tools

Category

Included with Windows Server 2003 Support Tools.

Version compatibility

These tools are compatible with domain controllers running Windows Server 2003.

Use these tools to help you migrate or merge computers from a Windows NT 4.0 resource domain to a Windows Server 2003 domain. You can also use these tools to help manage server resources that you move between domains. The SIDWalker toolset allows you to change the access control lists (ACLs) on objects that were previously owned by accounts that have been moved or deleted. You can use these tools to either delete or replace every occurrence of an old security identifier (SID) with the corresponding new SID.

For more information about the SIDWalker Security Administration tools, see “Support Tools Help” in the Tools and Settings Collection.

Netdom.exe: Windows Domain Manager

Category

A command-line tool that is included in Windows Server 2003 Support Tools.

Version compatibility

This tool is compatible with Windows Server 2003.

You can use Netdom.exe to apply or remove SID filtering. SID filtering is set on outgoing external or forest trusts to prevent malicious users who have domain-level or enterprise-level administrator access in a trusted forest from granting (to themselves or to other user accounts in their forest) elevated user rights to a trusting forest. SID filtering does this by preventing misuse of the SID-History attribute on security principals in the trusted forest.
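The filtering described above can be modelled in a few lines. This Python sketch is an added illustration, not Microsoft code or part of the original page; it is a simplified model of a quarantined external trust, in which the trusting domain discards every presented SID that was not issued by the trusted domain, so a SID-History entry naming a privileged group in the trusting domain never reaches the access token. The function names and all SID values are constructed for the example.

```python
# Simplified model of SID filtering on a quarantined external trust (added example).
# All SIDs below are constructed sample values, not taken from a real environment.

TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # trusted (account) domain
TRUSTING_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # trusting (resource) domain


def parse_sid(sid):
    """Split a string SID into (domain part, RID); raise ValueError if malformed."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def filter_sids(trusted_domain_sid, presented_sids):
    """Keep only SIDs issued by the trusted domain; return (kept, dropped)."""
    kept, dropped = [], []
    for sid in presented_sids:
        try:
            domain, _rid = parse_sid(sid)
        except ValueError:
            dropped.append(sid)  # unparsable entries are never passed through
            continue
        (kept if domain == trusted_domain_sid else dropped).append(sid)
    return kept, dropped


# Constructed authorization data for a user arriving from the trusted domain.
PRESENTED = [
    TRUSTED_DOMAIN_SID + "-1105",   # the user's own SID
    TRUSTED_DOMAIN_SID + "-513",    # Domain Users in the trusted domain
    TRUSTING_DOMAIN_SID + "-512",   # SID-History entry: Domain Admins of the trusting domain
    "S-1-5-32-544",                 # BUILTIN\Administrators, not issued by the trusted domain
]

if __name__ == "__main__":
    kept, dropped = filter_sids(TRUSTED_DOMAIN_SID, PRESENTED)
    for sid in kept:
        print("kept   ", sid)
    for sid in dropped:
        print("dropped", sid)
```

When reviewing a trust, a dropped list that contains SIDs from the trusting domain itself is the case SID filtering exists for: the account's SID-History claims membership in the resource domain's own groups.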

For more information about SID filtering, see “Security Considerations for Trusts.”

For more information about Netdom.exe, see “Support Tools Help” in the Tools and Settings Collection.

Ntdsutil.exe: Ntdsutil

Category

A command-line tool that is included in Windows Server 2003.

Version compatibility

This tool is compatible with Windows Server 2003.

You can use Ntdsutil with the security account management command to check for and resolve duplicate SIDs in Active Directory — in the unlikely situation that duplicates are issued. Only experienced administrators should use this tool.

For more information about Ntdsutil, see “Command-Line References” in the Tools and Settings Collection.