Forgot to sysprep, any hope left?
Posted by Ordinary_Setting_167@reddit | sysadmin | 29 comments
When I created multiple terminal servers, I initially built one machine, joined it to the domain, installed all required applications, and then used Hyper-V export and import to duplicate it four times. During the import process, I selected the option to generate a new ID, as I assumed that would be sufficient. After importing, I changed the hostname and IP address on each server. At first, everything seemed to work fine. testusers could log in without any errors.
Recently, however, I started encountering login issues related to SID conflicts. That made me realize the root of the problem. I did not run Sysprep and create a proper golden image before cloning. That was my mistake. It has just been a while since I last had to deploy terminal servers.
Now I am trying to figure out the best way to correct this. I have read suggestions about taking one of the existing servers, removing it from the domain, running Sysprep, and then using that as a new base image. Unfortunately, that approach has not worked well so far. When I clone that VM, local accounts end up broken.
At this point, I am considering rebuilding the terminal server environment properly from scratch. Does anyone have recommendations or best practices for fixing this situation or setting it up cleanly going forward?
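An added check that is not part of the original post: it reports the machine SID of each cloned server and flags any that share one, which is the duplicate the SID conflicts point to. The machine SID is the SID of any local account with its trailing RID removed (here the built-in Administrator, RID 500); the server names are placeholders and it assumes PowerShell remoting is enabled.

```powershell
# Added example, not from the thread. Assumes Windows Server 2016+ with the
# Microsoft.PowerShell.LocalAccounts module and PowerShell remoting enabled.
$servers = 'TS01', 'TS02', 'TS03', 'TS04'   # placeholder hostnames of the clones

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    # The built-in Administrator always has RID 500 under the machine SID,
    # so stripping "-500" from its SID yields this host's machine SID.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MachineSid   = $admin.SID.Value -replace '-500$', ''
    }
}

# Hosts cloned without sysprep /generalize show up grouped under one SID.
$results | Group-Object MachineSid | Where-Object Count -gt 1 | ForEach-Object {
    "Duplicate machine SID $($_.Name) on: $($_.Group.ComputerName -join ', ')"
}
if (-not ($results | Group-Object MachineSid | Where-Object Count -gt 1)) {
    'No duplicate machine SIDs found.'
}
```

Only `sysprep /generalize` on the reference image (before it is joined to the domain) causes a new machine SID to be issued on first boot; renaming the host or choosing a new Hyper-V VM ID does not touch it.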
No_Resolution_9252@reddit
rebuild all of them and don't do that again. It's not worth dealing with all the random problems and business disruptions you will have over the next 3-5 years to save a few hours rebuilding them.
dhardyuk@reddit
https://learn.microsoft.com/en-us/sysinternals/downloads/newsid
thomasmitschke@reddit
This tool is 20 years old.
https://www.stratesave.com/html/sidchg.html is well maintained and works even on a domain joined machine.
ender-_@reddit
newsid isn't recommended for recent Windows versions; sidchg works at least for desktop Windows, but I've never tried it on a server.
External-Shoe6599@reddit
We had the same issue with our entire Server Environment. It helped us fix our issues but the Servers are now ofc unsupported by Microsoft (Microsoft Support themselves said it's our only Option instead of rebuilding our 300+ VMs but they can't guarantee it works and won't help if anything goes wrong.)
So far we had no issues after using sidchg, but if the machines get Upgraded to Server 2025 we don't allow Upgrades, just new from a fresh install (sysprepped golden Image).
dhardyuk@reddit
He’s already in an unsupported state.
It’s worth a go as a stop gap whilst he rebuilds everything as it should be.
lastwraith@reddit
NewSID isn't worth the go IMO. Too many people online saying it left them in a bad state, or took forever, or both. SIDCHG definitely works for desktops, we've used it before on machines that were cloned and had issues with RDP or shares after getting 25h2. Running sysprep in-place should work as well, though I can't imagine any of this is a great idea on a server.
USarpe@reddit
you shouldn't use local accounts when you have several terminal servers, FSLOGIX
scytob@reddit
this isn't just true for terminal servers, this is true for any windows machine (server or desktop)
reminds me of the original windows 2000 deployment conference in Nice (yes the one in France) where one admin had rolled out tens of thousands of desktops without sysprepping... you could feel the audience feel his pain as he argued with the AD team there must be some way to fix his mistake
it was re-roll all machines then, it is re-roll all the machines now 25 years later
sorry bud if you have been doing the same thing on server types / desktops ....
honeymouth@reddit
I feel your pain. Dumped dozens of hours into updating golden images and redeploying AVDs in clients tenant this week only to find the image was half baked. It was way quicker for us to just fix the image, nuke the bad deploys, and redeploy as opposed to fixing the bad deployments. Not to mention, you just gotta address the root cause. Be considerate to future you.
nousername1244@reddit
maybe you can check this thread if can help you: https://www.reddit.com/r/sysadmin/comments/1s40nzb/how_to_change_sid_on_windows_11/
unauthorizeddinosaur@reddit
SIDCHG works really well for this scenario. I had to fix cloned VM Win11 workstations and 2019 & 2025 servers and it worked without taking them off the domain.
- Take a backup
- Disable UCPD service
- Disable or Exclude AV
- Run this:
It'll reboot and your problems should be solved.
theballygickmongerer@reddit
I had to use this after I learned how to sysprep. Worked very well at the time but was only on workstations.
fr33bird317@reddit
Dooh! Rebuild time. Do waste time
MeetJoan@reddit
At this point a clean rebuild is probably the least painful path. Build a proper reference image, sysprep it before joining the domain, snapshot it, then clone from that. The SID conflicts on the existing servers aren't going away cleanly without more pain than starting fresh.
countsachot@reddit
I've inherited SID conflicts before, and after a few attempts at fixing it, the last painful option was to re-image properly.
Existing-Strength-21@reddit
I also inherited a SID conflict nightmare. 2000 laptops, imaged by Dell and shipped directly to us. Golden image was not sysprepped...
The initial headache was basically an all hands manual remediation by a different part of our team, so I didn't do too much there. But we were feeling the after quakes of this fuck up for YEARS.
SCCM issues. GPO issues. Update issues... shit, I left there 9 months ago and I bet they are still having problems.
xSchizogenie@reddit
No sysprep - no rollout. Period.
Master-IT-All@reddit
Rebuild. Don't fuck up next time.
xSchizogenie@reddit
This
Tr1pline@reddit
There are 2 SIDs. One on the PC side and one on the DC side. Make sure you verify which one is conflicting.
tj818@reddit
I had to do this recently due to a MS Update. I disjoined from the Domain, created a generalization xml and ran it through sysprep. Confirmed with pstools that after it was sysprep'd the SID changed and was able to get it back on the domain.
brispower@reddit
rebuild, bit of work now for less pain later
barefacedstorm@reddit
You’ll hear tons of suggestions from different backgrounds, mine says dump Hyper V if you are going to do it right.
Sobeman@reddit
What does "doing it right" have to do with dumping hyperv?
barefacedstorm@reddit
Honestly, not a thing. Lots of ways to skin a cat.
melissaleidygarcia@reddit
Better to rebuild with Sysprep than fix SID conflicts.
wtf_com@reddit
Take one Server, remove it from the collection and also from the deployment.
At this point you can sysprep the image.
willwilson82@reddit
If you sysprep each one now, that should remove the SID and recreate it (I think, not used sysprep on a server before).