I need to use a native Windows process to confirm that a Windows computer is the same device that’s linked to a particular Active Directory object. I was intending to do this via looking for the AD SID in the device’s registry (which multiple sources tell me is stored in the last 12 bytes of “HKLM\SECURITY\SAM\Domains\Account\V”), but that doesn’t appear to be the case on my own computer (with the two values differing greatly). What can I look at locally on the computer to compare to the AD computer object and say “Yup! That’s it!”?
The last 12 bytes of V there are the last three components of the local machine SID, which is the base of the SIDs of local users on that machine.
The SID of the computer’s Active Directory machine account is stored in the default value of HKLM\SECURITY\Policy\PolMachineAccountS. You may find it easier to look at the sister key PolMachineAccountR, which holds just the RID (last component of the machine SID) in little-endian. Either way, you can compare the local Registry to the SID obtained from Active Directory, e.g. by looking at the objectSid attribute in the Attribute Editor tab of the machine’s properties in Active Directory Users and Computers.
To be extra sure, you could also compare the password-last-set times. Active Directory records the last time the computer changed its machine account password in the pwdLastSet attribute. The computer records that time inside an LSA secret, so you’d need to run this PowerShell command (based on this blog post) as SYSTEM:
[datetime]::FromFileTime([bitconverter]::ToInt64((gi 'HKLM:\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime').GetValue($null), 0))
Note that there may be a discrepancy in the hour due to time zone differences or in the second due to clock skew.
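The checks described in the answer above, put together as one script. This is an added example, not code from the original answer or from the blog post it mentions. It assumes it is run on the computer being checked, as SYSTEM (for instance via `psexec -s -i powershell.exe`), because HKLM\SECURITY is not readable by ordinary administrators, and that the RSAT ActiveDirectory module is installed for the AD-side lookup (replace `Get-ADComputer` with your own LDAP query otherwise). The function names are my own. It also decodes the last 12 bytes of V so you can see for yourself that they form the local machine SID rather than the domain machine account SID, and it compares both password-last-set times in UTC so that only clock skew, not the time zone, remains as a difference.

```powershell
# Added example, not from the original answer. Run as SYSTEM on the computer
# being checked; assumes the RSAT ActiveDirectory module for Get-ADComputer.

function Get-LocalMachineSid {
    # HKLM\SECURITY\SAM\Domains\Account, value V: the last 12 bytes are the three
    # little-endian sub-authorities of the LOCAL machine SID (S-1-5-21-a-b-c).
    # This is the SID local users are based on, not the AD machine account SID.
    $v = (Get-Item 'HKLM:\SECURITY\SAM\Domains\Account').GetValue('V')
    $a = [BitConverter]::ToUInt32($v, $v.Length - 12)
    $b = [BitConverter]::ToUInt32($v, $v.Length - 8)
    $c = [BitConverter]::ToUInt32($v, $v.Length - 4)
    New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-$a-$b-$c")
}

function Get-MachineAccountSidFromLsa {
    # Default value of PolMachineAccountS is the machine account SID in binary
    # form, i.e. the same bytes AD stores in the computer object's objectSid.
    $bytes = (Get-Item 'HKLM:\SECURITY\Policy\PolMachineAccountS').GetValue($null)
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Get-MachineAccountRidFromLsa {
    # PolMachineAccountR holds only the RID, as a little-endian DWORD.
    $bytes = (Get-Item 'HKLM:\SECURITY\Policy\PolMachineAccountR').GetValue($null)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-MachinePasswordLastSetUtc {
    # CupdTime under the $MACHINE.ACC LSA secret is a FILETIME of the last
    # machine account password change. Single quotes keep $MACHINE literal.
    $key = Get-Item 'HKLM:\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime'
    [datetime]::FromFileTimeUtc([BitConverter]::ToInt64($key.GetValue($null), 0))
}

function Test-ComputerMatchesAdObject {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # objectSid comes back as the SID property; pwdLastSet is an Int64 FILETIME.
    $ad = Get-ADComputer -Identity $ComputerName -Properties pwdLastSet

    $lsaSid    = Get-MachineAccountSidFromLsa
    $lsaRid    = Get-MachineAccountRidFromLsa
    $adRid     = [uint32]($ad.SID.Value -replace '.*-', '')
    $localTime = Get-MachinePasswordLastSetUtc
    $adTime    = [datetime]::FromFileTimeUtc($ad.pwdLastSet)

    [pscustomobject]@{
        AdObjectSid        = $ad.SID.Value
        LocalLsaSid        = $lsaSid.Value
        SidMatches         = ($ad.SID.Value -eq $lsaSid.Value)
        RidMatches         = ($lsaRid -eq $adRid)
        AdPwdLastSetUtc    = $adTime
        LocalPwdLastSetUtc = $localTime
        # Both in UTC, so any remaining difference is clock skew, not time zone.
        PwdLastSetSkew     = $adTime - $localTime
        # Expected to differ from AdObjectSid: this is the local SAM domain SID.
        LocalMachineSid    = (Get-LocalMachineSid).Value
    }
}

Test-ComputerMatchesAdObject | Format-List
```

If SidMatches is true, the computer holds the machine account that AD's objectSid refers to; RidMatches is the cheaper check the answer mentions and should agree with it. LocalMachineSid is printed only to make the point in the question concrete: it is a different SID from the AD one, which is why the V-based comparison never matched.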