Do Not Disk Duplicate Installed Versions of Windows NT

Last reviewed: November 5, 1997
Article ID: Q162001
The information in this article applies to:
  • Microsoft Windows NT Workstation, versions 3.1, 3.5, 3.51, and 4.0
  • Microsoft Windows NT Server versions 3.1, 3.5, 3.51, and 4.0
  • Microsoft Windows 95

SUMMARY

Microsoft provides several methods for the proper deployment of the Windows NT operating system. Using a supported method is very important to ensure that the security of systems running Windows NT is not compromised.

There is a reason you can't just copy the hard disk from one computer to another to deploy Windows NT. One of the important features of Windows NT is its security. Each computer is assigned a unique Security ID (SID) during Setup at the time the machine name is entered; this ensures that it can be identified on the network. Almost all of the network services have this security information encoded in their entries in the registry during Setup or subsequent installation. Simply copying the contents of one hard disk to another would give each computer the same SID, making security impossible to maintain.

MORE INFORMATION

When a computer is installed, it is given a SID. For a Windows NT Workstation, Windows NT Member server, or a Windows NT primary domain controller (PDC), that SID is computed to contain a statistically unique 96-bit number. For a Windows NT backup domain controller (BDC), that SID is identical to the SID of the PDC for the domain.

The primary SID is generated during the installation of Windows NT and is the prefix of the SIDs for all the user accounts and group accounts created on the computer. The SID is concatenated with the RID of the account to create the account's unique identifier.

So, if two workstations have the same primary SID, the first user account created on each workstation (and the second, and so forth) has the same SID, because the primary SID on both computers is the same.

Here is what happens when the SID is created. When you install Windows NT, Setup creates a unique SID for that computer and uses this SID as a prefix for all local machine accounts. This can be seen by using Regedt32.exe to view the local user's SID. If you create several local accounts, you will see the SID for each account when you log on as that user.

   HKEY_USERS on Local Machine

   Example:

   S-1-5-21-191058668-193157475-1542849698-500       administrator
   S-1-5-21-191058668-193157475-1542849698-1000      User one
   S-1-5-21-191058668-193157475-1542849698-1001      User two
   S-1-5-21-191058668-193157475-1542849698-1002      User three

Notice that only the last four digits are incremented as new accounts are added. The implication of this for Workgroup security is that local users have rights on other computers according to the order in which the account was created. Additionally, file ownership on shared/removable media will be compromised, which would make security unmanageable.
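The collision described above can be checked for across an inventory of account SIDs. The following Python sketch is an added example, not part of the original article; the host names, the "Contractor" account and the WS-C SID values are constructed, and how the SIDs are collected from each computer is assumed to happen elsewhere.

```python
import re
from collections import defaultdict

# S-1-5-21-<a>-<b>-<c>-<RID>: three 32-bit sub-authorities form the 96-bit
# machine identifier, and the final component is the account's RID.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid):
    """Return (machine_sid, rid) for a local account SID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a machine-issued account SID: %r" % sid)
    parts = [int(x) for x in m.groups()]
    if any(p >= 2**32 for p in parts):
        raise ValueError("sub-authority exceeds 32 bits: %r" % sid)
    return "S-1-5-21-%d-%d-%d" % tuple(parts[:3]), parts[3]

def find_clones(inventory):
    """Map each machine SID shared by more than one host to those hosts."""
    hosts = defaultdict(set)
    for host, _account, sid in inventory:
        hosts[split_sid(sid)[0]].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}

def colliding_accounts(inventory):
    """Map each full SID held on more than one host to its (host, account) pairs."""
    owners = defaultdict(list)
    for host, account, sid in inventory:
        owners[sid.strip()].append((host, account))
    return {s: o for s, o in owners.items() if len({h for h, _ in o}) > 1}

# Constructed inventory: WS-A and WS-B were disk-duplicated, WS-C was installed
# through Setup. The WS-A SIDs reuse the article's example values.
INVENTORY = [
    ("WS-A", "administrator", "S-1-5-21-191058668-193157475-1542849698-500"),
    ("WS-A", "User one", "S-1-5-21-191058668-193157475-1542849698-1000"),
    ("WS-B", "administrator", "S-1-5-21-191058668-193157475-1542849698-500"),
    ("WS-B", "Contractor", "S-1-5-21-191058668-193157475-1542849698-1000"),
    ("WS-C", "administrator", "S-1-5-21-2000478354-1708537768-839522115-500"),
    ("WS-C", "User one", "S-1-5-21-2000478354-1708537768-839522115-1000"),
]

if __name__ == "__main__":
    for machine_sid, hosts in find_clones(INVENTORY).items():
        print("shared machine SID", machine_sid, "on", ", ".join(hosts))
    for sid, owners in colliding_accounts(INVENTORY).items():
        print(sid, "->", owners)
```

In the constructed data, "Contractor" on WS-B holds the same SID as "User one" on WS-A, so a file on removable media owned by one is treated as owned by the other.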

The "after GUI replication" method is unsupported because of the security, resource ownership and unmanageability implications.

Because the SID identifies the computer or domain as well as the user, it is critical that it be unique to maintain support for current and future applications.

Microsoft Policy Statement

Microsoft does not provide support for systems that have been installed by duplicating fully installed copies of either Windows NT Workstation and Server or Windows 95. Microsoft supports using disk duplication as a method of distribution for Windows NT 4.0 if the disk is duplicated at the point in the Windows NT 4.0 setup process after the second reboot and before the graphical mode portion of Windows NT 4.0 setup.

Clarification

Essentially, this duplication consists of 'XCOPY' of the entire tree structure after Windows NT has been installed, affecting security, hardware and other areas of the product. More technical details below. Windows NT 3.51 CPS and Windows NT 4.0 Deployment Tools, while unattended, are not simple copies and do configure the operating system correctly.

REFERENCE

The Microsoft Knowledge Base provides a variety of articles that outline specifications and how-to information for the proper deployment of Windows NT.

The Windows NT 4.0 Workstation Resource Kit provides documentation on the deployment procedures for Windows NT 4.0.

Consult the Computer Profile Setup documentation in the Windows NT 3.5 and Windows NT 3.51 Resource Kits on deployment utilities.

Additional information about Windows NT deployment is available from the following Microsoft Web site:

   http://www.microsoft.com/ntworkstation/info/deployguide.htm


Additional query words: prodnt clone cloning ghost ghosted win95
Keywords : ntreskit ntsetup NTSrvWkst kbnetwork kbsetup
Version : 3.1 3.5 3.51 4.0
Platform : Win95 winnt


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.