Microsoft is starting to clamp down on cloned machines (article), but how do you know if your machine has a unique SID?
The idea is that each machine in a network needs a unique Security Identifier (SID). If you install Windows from scratch, it should get one. If you use Sysprep to prepare machine images, the SID is left “blank” and filled in on first boot, so it’s unique. But if you use cloning software to copy one machine to another, the two machines will have the same SID.
“SID” (Security Identifier) is a confusing term. The Active Directory SID for a computer is not the same as the machine SID; in fact, two cloned computers would have different AD SIDs.
To check the machine SID:
1. Download and run the Microsoft Sysinternals PsGetSid program without parameters.
2. Check the “base” portion of the local user accounts on a computer. There are several ways to do this.
wmic useraccount where "localaccount=true" get name,sid
This returns something like this:
Name SID
Administrator S-1-5-21-3344498276-3626854212-1817456103-500
DefaultAccount S-1-5-21-3344498276-3626854212-1817456103-503
Guest S-1-5-21-3344498276-3626854212-1817456103-501
“S-1-5-21-3344498276-3626854212-1817456103” is the machine SID (and should match the PsGetSid results).
To achieve the same thing in PowerShell, this command written by Claude checks the “base” of the Guest account (run this on one line):
((Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'").SID) -replace '-501$'
Again, confirm the results against PsGetSid.
Of course, these commands only give you the SID of one machine. You’ll have to run a command on each machine in the network and compare the results. Both PsGetSid and PowerShell commands can be run across a network with the proper permissions, but that’s beyond the scope here.
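Once you have collected one local-account SID per machine, the comparison itself can be scripted. The following is an added example, not part of the original post: it strips the trailing RID to get each machine SID and lists any machine SID that appears on more than one computer. The host names, SID values and function names are constructed for illustration.

```powershell
# Constructed sample inventory: one local-account SID collected per machine
# (for example, the Guest-account query above, run on each computer).
# Host names and SID values are made up for illustration.
$inventory = @'
ComputerName,AccountSid
PC-01,S-1-5-21-1111111111-2222222222-3333333333-501
PC-02,S-1-5-21-1111111111-2222222222-3333333333-500
PC-03,S-1-5-21-2000000001-2000000002-2000000003-501
PC-04,S-1-5-21-3000000001-3000000002-3000000003-1001
PC-05,S-1-5-32-544
'@ | ConvertFrom-Csv

# Hypothetical helper: derive the machine SID from a local account SID.
function Get-MachineSidFromAccountSid {
    param([Parameter(Mandatory)][string]$AccountSid)
    # A local account SID is the machine SID plus a trailing relative ID (RID).
    # Only S-1-5-21-<a>-<b>-<c>-<RID> has that shape; built-in SIDs such as
    # S-1-5-32-544 carry no machine SID, so return $null for them.
    if ($AccountSid -match '^(S-1-5-21-\d+-\d+-\d+)-\d+$') { return $Matches[1] }
    return $null
}

# Hypothetical helper: report machine SIDs shared by two or more computers.
function Find-DuplicateMachineSid {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $_.ComputerName
                MachineSid   = Get-MachineSidFromAccountSid -AccountSid $_.AccountSid
            }
        } |
        Where-Object { $_.MachineSid } |               # skip rows with no machine SID
        Sort-Object ComputerName, MachineSid -Unique | # one row per machine
        Group-Object MachineSid |
        Where-Object { $_.Count -gt 1 } |              # same SID on 2+ machines
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Computers  = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

Find-DuplicateMachineSid -Inventory $inventory | Format-Table -AutoSize
```

With the constructed data, only PC-01 and PC-02 are reported, because they share the same machine SID even though the account RIDs (501 and 500) differ.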
