I'm running Windows Small Business Server 2003 on my Domain Controller and have a number of client computers in the domain. Everything worked perfectly.
Recently I accidentally changed the SID number on one of the client PCs to a random SID (generated by NewSID) - I forgot to remove ClientPC2 from the domain before changing the SID, then adding it back to the domain after.
Instead I changed the SID on ClientPC2 while it was still on the domain, and now its user is locked out from the domain due to an SID mismatch between ClientPC2 and the Domain Controller.
I want to reestablish the trust between the DC and ClientPC2, so the user can access his files and profile "userlogin2" exactly as before.
1) I know I can log in as the local admin on ClientPC2 still, but how can I use that to reestablish trust between "userlogin2" and the DC?
2) If I knew what the original SID on ClientPC2 was, could I just change the SID back to that to get access? And if so, can I find a copy of the original SID on the Domain Controller in SID History? I'd love to know how to do that if it's possible.
3) If I log in as the local administrator on ClientPC2, remove it from the non-functioning domain, then re-add it to the domain to re-establish trust with the DC, will the files and settings for "userlogin2" on this computer be lost in the process? Thanks

It's a HOLIDAY here in the USA buddy. Patience! And you are right you don't pay for anything here :-)
You are confusing a machine sid with a user sid/profile. Not the same.
Changing the machine SID [which is what the NewSID utility does] will make the PC act like it's not joined to the domain. Join a workgroup and then rejoin the domain to correct this issue [after you have deleted the machine account].
Confirm you also don't have a profile problem by having the user log on from a different machine.
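
The distinction drawn in the reply above, as an added example that is not part of the original thread: an account SID is its issuer's SID plus a trailing relative ID (RID), so a domain account's SID is built from the domain SID and does not contain the client's machine SID. All SID values and function names below are constructed for illustration.

```python
# Added illustration: every SID below is constructed; none comes from the thread.
OLD_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed local machine SID
DOMAIN_SID = "S-1-5-21-4000000001-4000000002-4000000003"       # assumed domain SID
PROFILE_SIDS = [
    "S-1-5-18",                  # LocalSystem (well-known SID)
    OLD_MACHINE_SID + "-500",    # built-in local Administrator
    DOMAIN_SID + "-1108",        # a domain user such as "userlogin2" (RID constructed)
]


def parse_sid(text):
    """Split 'S-1-<authority>-<sub>-...' into (authority, tuple of subauthorities)."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {text!r}")
    try:
        numbers = [int(p) for p in parts[2:]]
    except ValueError:
        raise ValueError(f"non-numeric SID component in {text!r}") from None
    return numbers[0], tuple(numbers[1:])


def issuer_of(account_sid):
    """Return (issuer SID, RID) for S-1-5-21-x-y-z-RID accounts, else (None, None)."""
    authority, subs = parse_sid(account_sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        return None, None
    return "S-1-5-" + "-".join(str(s) for s in subs[:-1]), subs[-1]


def classify(account_sid, machine_sid, domain_sid):
    """Say which authority issued an account SID: the machine, the domain, or neither."""
    issuer, _rid = issuer_of(account_sid)
    if issuer is None:
        return "well-known"
    if issuer == machine_sid:
        return "local"
    if issuer == domain_sid:
        return "domain"
    return "foreign"


def embeds_machine_sid(account_sids, machine_sid, domain_sid):
    """Accounts whose SID contains the machine SID, so it changes when that SID does."""
    return [s for s in account_sids if classify(s, machine_sid, domain_sid) == "local"]


if __name__ == "__main__":
    for sid in PROFILE_SIDS:
        print(f"{sid:50} {classify(sid, OLD_MACHINE_SID, DOMAIN_SID)}")
```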

Thanks!
"Join a workgroup and then rejoin the domain to correct this issue [after you have deleted the machine account]"
I understand why I need to go to a workgroup PC, then back to a domain to re-establish the trust (I've done some reading since my first post) but... why (and how) do I delete the machine account? I think I know how, but I want a second opinion to be sure I'm doing it the right way.
What happens if I don't delete the original machine account? What sort of problems might that cause? Also, I changed the PC name as well as the machine SID just before the trust got accidentally broken, so will that mean it won't be essential to delete the original machine account as there won't be a conflict anyway? Will the Domain Controller just assume this is an entirely different PC anyway because both machine SID and PC name are different?
Can a local administrator access the locally saved files saved by another user who can't log in due to this problem accessing the domain? I was also wondering if I were to connect the client PC's hard drive as a slave into another machine, would I be able to access the user's files? Or are they encrypted?
That's another taster of my trademark blend of stupid and sensible questions.

New name/SID and AD will see it as a different unit, but leaving an invalid machine account in AD is bad admin practice.
Unless you have reorganized AD, the machine will be under Computers in AD.
"Can a local administrator access the locally saved files saved by another user who can't log in due to this problem accessing the domain?"
Google "taking ownership of files". Yes, admin can access.
"I was also wondering if I were to connect the client PC's hard drive as a slave into another machine, would I be able to access the user's files?"
Same advice - Google "taking ownership".
"Or are they encrypted?"
Only if the user encrypted them.
