Monday, September 1, 2014

Identify Servers with Duplicate SIDs in Varonis

One of the challenges in managing a multitude of Windows servers is that Microsoft allows more than one server to have the same SID within a domain. This usually happens when people clone an existing server and then change the name. Varonis DatAdvantage uses the SID as a unique identifier for the server in some portions of its system. The primary impact is in managing local groups: if we have two or more servers in DatAdvantage with the same SID, only one of them will correctly collect and report on the local security groups, such as the Administrators group. We can identify these servers by running a SQL Server query from the IDU server. Here is the query.

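use vrnsDomainDB;

-- Filers that share a filerIdentity value with at least one other filer,
-- sorted so that the duplicates appear next to each other
select filer_hostname, filer_ipaddress, filerIdentity
from filers
where filerIdentity in (
    select filerIdentity
    from filers
    group by filerIdentity
    having count(filerIdentity) > 1
)
order by filerIdentity;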