Network Computing (powered by InformationWeek Business Technology Network)


SID Stalking: Cloning Windows NT

The big problem, according to Microsoft, is that identical SIDs can compromise standalone (workgroup) workstation security. For example, if Leo has a workstation ID of 32768 and we duplicate his brand-new workstation to ours, then our workstation ID would also be 32768. If we then both create users, "Jonathan" and "Leo," each account would start with the same relative ID, which is appended to the supposedly unique workstation SID. The two accounts would therefore have the same fully qualified numerical identifier, 32768-1001, which would mean that we could read Leo's files after connecting to his machine (and vice versa).

In practice, this does not happen in an enterprise network; other mechanisms, such as domain authentication or NDS authentication, are at work, since workgroup-based NT can be an administrative hassle for large numbers of users and workstations. When using an NT domain, the SID of the domain (rather than the workstation) is used as the prefix for a fully qualified numerical user ID, so each user ID is guaranteed to be unique.

Although various services have the machine SID encoded in their registry, experience has shown that a duplicate SID makes no difference in the day-to-day operation of a given group of workstations. Nonetheless, because Microsoft says that duplicate machine SIDs are a bad idea, it's best to use SID generator tools to correct this problem.

A SID generator runs through the machine's local registry doing what amounts to a huge search-and-replace operation on the various binary and textual machine SID entries it finds. This makes it possible for Micro House's ImageCast to assign a SID while it duplicates a hard-drive image and modifies the registry files. However, this forces you to initiate a duplication operation to generate a SID for a workstation.
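The identifier collision and the search-and-replace described above, as an added Python example that is not code from the article or from any of the tools it names. It uses the real binary SID layout but runs over a constructed byte buffer rather than a registry hive; the SID values, buffer contents and function names are assumptions made for illustration.

```python
import struct

# Constructed sample SIDs (not from the article); real machine SIDs have the
# form S-1-5-21-<three 32-bit values>, and local accounts append a relative ID.
OLD_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_SID = "S-1-5-21-1234567890-2345678901-3456789012"

def sid_to_bytes(sid: str) -> bytes:
    """Pack a textual SID into its binary layout: revision, sub-authority
    count, 48-bit big-endian authority, then little-endian 32-bit values."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes."""
    subs = struct.unpack_from(f"<{raw[1]}I", raw, 8)
    authority = int.from_bytes(raw[2:8], "big")
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def account_sid(machine_sid: str, rid: int) -> str:
    """A local account's SID is the machine SID plus its relative ID, so two
    clones sharing a machine SID both issue the same SID for RID 1001."""
    return f"{machine_sid}-{rid}"

def replace_machine_sid(blob: bytes, old: str, new: str) -> bytes:
    """Rewrite every binary and textual occurrence of a machine SID."""
    # Binary form: skip the revision and count bytes, because an account SID
    # has one more sub-authority and so differs from the machine SID in byte 1.
    blob = blob.replace(sid_to_bytes(old)[2:], sid_to_bytes(new)[2:])
    # Textual form: assumed here to be stored as ASCII or UTF-16LE strings.
    for enc in ("ascii", "utf-16-le"):
        blob = blob.replace(old.encode(enc), new.encode(enc))
    return blob

def build_sample_blob() -> bytes:
    """Constructed stand-in for registry data; not a real hive layout."""
    acct = account_sid(OLD_SID, 1001)
    return (b"MachineSid=" + sid_to_bytes(OLD_SID)
            + b"\x00Owner=" + sid_to_bytes(acct)
            + b"\x00Profile=" + acct.encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    patched = replace_machine_sid(build_sample_blob(), OLD_SID, NEW_SID)
    print(sid_to_bytes(account_sid(NEW_SID, 1001)) in patched, len(patched))
```

Because the old and new SIDs have the same number of sub-authorities and the same text length, the buffer keeps its size after the rewrite.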

Symantec's Ghost Walker was created specifically to address the problem of identical SIDs on existing workstations. From a DOS boot disk, it will find a hard drive's NT partition and modify its registry on the fly. In many instances, this works fine.

Both Systems Internals' NewSID and KeyLabs' SIDgen can also assign SIDs to workstations, but because they're NT (rather than DOS) programs and can talk to the network, they offer additional features. A given NT domain has one SID (the primary and backup domain controller SIDs are identical). To let you move a backup domain controller to a different domain, both of these utilities can synchronize the backup domain controller's SID to that of the different domain.

Although SID generators have worked well, some folks remain skeptical. Even if you have the luxury of swapping hundreds or thousands of hours of labor for insurance against the unknowable, consider the precedent.

NT drive duplication without SID generation was occurring for the better part of a year before Microsoft issued the Knowledge Base article. All of a sudden, network managers found themselves with a documented problem, to which the industry quickly responded with SID changers. It's likely the same thing would happen if many users were affected by any other consequence of drive duplication that Microsoft hasn't yet revealed.

Another scary Microsoft claim is that its install software's interrogation routines are the only way to ensure that driver software matches up with a machine's particular BIOS, chipset and so on. The implication is that people who roll out hardware might not know to match up a batch of like machines to the same image, and risk intermittent or bizarre problems. Experience shows that this doesn't happen unless there's a nut loose behind the dupe software.


Other Workshops
Network Address Translation: Hiding in Plan Sight
By Mike Fratto


Copyright © 2009 United Business Media LLC