D.3 Novell ZENworks ISD Service (novell-zisdservice)

The Novell ZENworks ISD Service (novell-zisdservice) saves certain device-unique data (such as IP addresses and hostnames) to an area on the hard disk that is safe from imaging. The Imaging Agent records this information when you install it on the device. Then the novell-zisdservice restores this information, except for the SID, from the image-safe area after the device has been imaged. This allows the device to use the same network identity as before. The SID is restored by the SIDchanger.

The novell-zisdservice is available only on Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 devices.

NOTE: After installing the ZENworks Adaptive Agent on a Windows 7 device (32-bit and 64-bit), Windows Server 2008 32-bit, or Windows Server 2008 R2 and subsequently rebooting the devices, only the device ID and the device GUID are written into the ISD. Consequently, ziswin displays only the device ID and the device GUID. However, this does not have any impact on the functionality of ZENworks Configuration Management. Other device data are retrieved on the subsequent reboot (manual or automatic) of the device.

If a device is new and does not contain a unique network identity, the default settings that you have configured for the Management Zone are applied when you image the device by using a Preboot bundle.

The data that the Imaging Agent saves to (or restores from) the image-safe area includes the following:

Novell-ziswin usually runs automatically.

The ZENworks SIDchanger runs automatically after the image restoration on the Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows 7 managed device. It runs within the ZENworks imaging distro, which is a Linux environment. Consequently, the SIDchanger changes the Windows SID within the Linux environment.

Review the following sections for detailed information:

D.3.1 Understanding the SID

The Security Identifier (SID) is generated by a security authority, which is Windows on a local computer and the Domain Controller on a domain or Active Directory network.

Windows grants or denies access and privileges to resources based on ACLs that use SIDs to uniquely identify users and their group memberships. When a user requests access to a resource, the user’s SID is checked by the ACL to determine if the user is allowed to perform the action or if the user is part of a group that is allowed to perform that action.

The SID of a machine is a unique 96-bit number. The machine SID prefixes the SIDs of user accounts and group accounts that are created on the computer. The machine SID is concatenated with the relative ID (RID) of the account to create the account's unique identifier.

A SID has the following format: S-1-5-12-7623811015-3361044348-030300820-1013.

A SID should be unique across different machines because duplicate SIDs can lead to problems if the machine or user must be uniquely identified. In a domain environment, if a system with a duplicate SID tries to join the domain, it results in errors.

For example, in a Workgroup environment, security is based on local account SIDs. Consequently, if two computers have users with the same SID, the Workgroup cannot distinguish between the users. All resources, including files and registry keys, can therefore be accessed by both users.
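The following Python sketch is an added example, not part of the Novell documentation. It splits account SIDs into the machine SID and RID as described above and reports machine SIDs and full account SIDs that appear on more than one host, which is the condition a restored image leaves behind when the SID is not changed. The hostnames, SID values, and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# S-<revision>-<identifier authority>-<sub-authorities...>; per the text above,
# the last field of an account SID is the RID and the rest is the machine SID.
SID_RE = re.compile(r"^S-\d+-\d+(?:-\d+)+$")

def split_account_sid(sid):
    """Return (machine_sid, rid) for an account SID string."""
    sid = sid.strip().upper()
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    machine_sid, _, rid = sid.rpartition("-")
    return machine_sid, int(rid)

def find_shared_machine_sids(inventory):
    """Map each machine SID seen on more than one host to those hosts."""
    hosts = defaultdict(set)
    for host, account_sids in inventory.items():
        for sid in account_sids:
            hosts[split_account_sid(sid)[0]].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}

def find_colliding_accounts(inventory):
    """Map each full account SID present on several hosts to those hosts."""
    hosts = defaultdict(set)
    for host, account_sids in inventory.items():
        for sid in account_sids:
            split_account_sid(sid)  # reject malformed entries
            hosts[sid.strip().upper()].add(host)
    return {s: sorted(h) for s, h in hosts.items() if len(h) > 1}

# Constructed sample data (hypothetical hosts and SIDs). LAB-PC-02 stands for
# a device restored from LAB-PC-01's image with the SID left unchanged.
M1 = "S-1-5-21-1111111111-2222222222-3333333333"
M2 = "S-1-5-21-4000000001-1234567890-987654321"
SAMPLE_INVENTORY = {
    "LAB-PC-01": [f"{M1}-1001", f"{M1}-1002"],
    "LAB-PC-02": [f"{M1}-1001", f"{M1}-1003"],
    "LAB-PC-03": [f"{M2}-1001"],
}

if __name__ == "__main__":
    for sid, hosts in find_shared_machine_sids(SAMPLE_INVENTORY).items():
        print("machine SID shared:", sid, hosts)
    for sid, hosts in find_colliding_accounts(SAMPLE_INVENTORY).items():
        print("account SID collides:", sid, hosts)
```

The inventory is assumed to hold only SIDs of locally created accounts; well-known SIDs that are identical on every Windows installation should be excluded before running the check.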

D.3.2 Disabling the SIDchanger

You must disable the ZENworks SIDchanger by using either ziswin or Image Explorer if you want to use a third-party tool such as SYSPREP to change the SID.

Using Ziswin to Disable the SIDchanger

You can use ziswin to disable the SIDchanger only for managed devices. Do the following before taking the image:

  1. In ziswin, click Edit > Options > Restore Mask.

  2. Select Windows SID.

    This creates a hidden restoremask.xml system file in the system drive, with the following contents:

    <ISDConf>
     <DoNotRestoreMask>
      <SID>true</SID>
     </DoNotRestoreMask>
    </ISDConf>
    

    To disable the SIDchanger, ensure that the value of <SID> is set to true. If you want to enable the SIDchanger, set the value to false.

Using Image Explorer to Disable the SIDchanger

  1. Create the restoremask.xml file, with the following contents:

    <ISDConf>
     <DoNotRestoreMask>
      <SID>true</SID>
     </DoNotRestoreMask>
    </ISDConf>

  2. Open the image to be restored in the Image Explorer, then add the restoremask.xml file to the system drive of the image.

  3. Save the image.