Manages security identifiers (SIDs). At the security account maintenance: prompt, type any of the parameters listed under Syntax.

Ntdsutil is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.


[{check duplicate SID | cleanup duplicate SID}] [connect to server %s] [log file %s]


Parameter Description

check duplicate SID

Checks the SAM database for any objects that have duplicate security identifiers (SIDs), but does not delete any of the duplicates.

cleanup duplicate SID

Deletes all objects that have duplicate security identifiers and logs these entries into the log file.

connect to server %s

Connects to the server specified by NetBIOS name or DNS host name. You must connect to a specific domain controller before you can check for or clean up duplicate SIDs.

log file %s

Sets the log file name to %s. If you do not explicitly set a log file name, the default log file name is dupsid.log.


Takes you back to the previous menu or exits the utility.


Displays help at the command prompt.


Displays help at the command prompt.

Remarks

  • Each security account (users, groups, and computers) is identified by a unique security identifier (SID). Use a SID to uniquely identify a security account and to perform access checks against resources, such as files, file directories, printers, Exchange mailboxes, Microsoft SQL Server databases, objects stored in Active Directory, or any data that is protected by the Windows Server 2003, Standard Edition security model.

    A SID is made up of header information and a set of relative identifiers that identify the domain and the security account. Within a domain, each domain controller is capable of creating accounts and issuing each account a unique security identifier. Each domain controller maintains a pool of relative IDs that is used in the creation of security identifiers. When 80 percent of the relative ID pool is consumed, the domain controller requests a new pool of relative identifiers from the relative ID operations master. This ensures that the same pool of relative IDs is never allocated to different domain controllers and prevents the allocation of duplicate security identifiers. However, because it is possible (but rare) for a duplicate relative ID pool to be allocated, you need to identify those accounts that have been issued duplicate security identifiers so that you prevent undesirable application of security.

    One cause of duplicate relative ID pools is when the administrator seizes the relative ID master role while the original relative ID master is operational but temporarily disconnected from the network. In normal practice, after one replication cycle, the relative ID master role is assumed by just one domain controller, but it is possible that before the role ownership is resolved, two different domain controllers might each request a new relative ID pool and be allocated the same relative ID pool.
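As an added illustration (not part of the original documentation, and not how ntdsutil itself is implemented), the Python below decodes binary SIDs into their header and relative identifiers and reports accounts that share a SID. The account names, the domain identifier values and the helper names are constructed for the example.

```python
import struct
from collections import defaultdict


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID into its S-<revision>-<authority>-<sub-authorities> form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit value, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit values, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def find_duplicate_sids(accounts):
    """Return {sid: [account names]} for every SID held by more than one account."""
    by_sid = defaultdict(list)
    for name, raw in accounts:
        by_sid[sid_to_string(raw)].append(name)
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


def make_sid(*subs, authority=5, revision=1) -> bytes:
    """Hypothetical helper: build a binary SID for the constructed sample below."""
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


# Constructed sample data: one domain identifier, with the last value being the RID.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
SAMPLE_ACCOUNTS = [
    ("alice", make_sid(*DOMAIN, 1105)),
    ("bob", make_sid(*DOMAIN, 1106)),
    ("svc-backup", make_sid(*DOMAIN, 1105)),  # same RID as alice: duplicate SID
    ("PRINT01$", make_sid(*DOMAIN, 1107)),
]

if __name__ == "__main__":
    for sid, names in find_duplicate_sids(SAMPLE_ACCOUNTS).items():
        rid = sid.rsplit("-", 1)[1]
        print(f"{sid} (RID {rid}) is shared by: {', '.join(names)}")
```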


To connect to a domain controller named DC1, type:

security account maintenance: connect to server DC1

To check for duplicate SIDs on a domain controller named DC1, type:

security account maintenance: check duplicate SID