Share via

security account management


Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8

Manages security identifiers (SIDs). At the security account maintenance: prompt, type any of the parameters listed under “Syntax.”

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.


[{check duplicate SID | cleanup duplicate SID}] [connect to server %s] [log file %s]




check duplicate SID

Checks the Security Accounts Manager (SAM) database for any objects that have duplicate SIDs but does not delete any of the duplicates.

cleanup duplicate SID

Deletes all objects that have duplicate SIDs and logs these entries into the log file.

connect to server %s

Connects to the server, NetBIOS name, or Domain Name System (DNS) host name. You must connect to a specific domain controller before you can check for or clean up duplicate SIDs.

log file %s

Sets the log file name to %s. If you do not explicitly set a log file name, the default log file name is dupsid.log.


Takes you back to the previous menu, or exits the utility.


Displays Help at the command prompt.


Displays Help at the command prompt.


  • Each security account (users, groups, and computers) is identified by a unique SID. Use a SID to uniquely identify a security account and to perform access checks against resources, such as files, file directories, printers, Exchange mailboxes, Microsoft SQL Server databases, objects that stored in AD DS, or any data that is protected by the Windows Server 2003 security model.

    A SID is made up of header information and a set of relative identifiers (RIDs) that identify the domain and the security account. Within a domain, each domain controller is capable of creating accounts and issuing each account a unique security identifier. Each domain controller maintains a pool of relative IDs that is used in the creation of security identifiers. When 80 percent of the RID pool is consumed, the domain controller requests a new pool of RIDs from the RID operations master. This ensures that the same pool of RIDs is never allocated to different domain controllers and prevents the allocation of duplicate SIDs. However, because it is possible (but rare) for a duplicate RID pool to be allocated, you have to identify those accounts that have been issued duplicate SIDs so that you prevent undesirable application of security.

    One cause of duplicate RID pools is an administrator seizing the RID master role while the original RID master is operational but temporarily disconnected from the network. In normal practice, after one replication cycle, the RID master role is assumed by just one domain controller. However, it is possible that before the role ownership is resolved, two different domain controllers might each request a new RID pool and be allocated the same RID pool.

  • Ntdsutil does not correctly handle special characters, such as the apostrophe character ('), that you can enter at the ntdsutil: prompt at the command line. In some situations, there may be an alternative workaround. For more information, see local roles.


To connect to a domain controller named DC1, type the following command, and then press ENTER:

semantic account maintenance: connect to DC1

To check for duplicate SIDs on a domain controller named DC1, type the following command, and then press ENTER:

semantic account maintenance: check duplicate SID

Additional references

Command-Line Syntax Key



authoritative restore

configurable settings

DS behavior


group membership evaluation


LDAP policies

local roles

metadata cleanup

partition management


semantic database analysis

set DSRM password