I need to verify that an Active Domain Computer Object and a Windows Computer are the same device

I need to use a native Windows process to confirm that a Windows computer is the same device that’s linked to a particular Active Directory object. I was intending to do this via looking for the AD SID in the device’s registry (which multiple sources tell me is stored in the last 12 bytes of “HKLM\SECURITY\SAM\Domains\Account\V”) but that doesn’t appear to be the case on my own computer (with the two values differing greatly). What can I look at locally on the computer to compare to the AD computer object and say “Yup! That’s it!”?

Answer

The last 12 bytes of V there are the last three components of the local machine SID, which is the base of the SIDs of local users on that machine.

The SID of the computer’s Active Directory machine account is stored in the default value of HKLM\SECURITY\Policy\PolMachineAccountS. You may find it easier to look at the sister key PolMachineAccountR, which holds just the RID (last component of the machine SID) in little-endian. Either way, you can compare the local Registry to the SID obtained from Active Directory, e.g. by looking at the objectSid attribute in the Attribute Editor tab of the machine’s properties in Active Directory Users and Computers.

To be extra sure, you could also compare the password-last-set times. Active Directory records the last time the computer changed its machine account password in the pwdLastSet attribute. The computer records that time inside an LSA secret, so you’d need to run this PowerShell command (based on this blog post) as SYSTEM:

# Run as SYSTEM: CupdTime holds the FILETIME of the last machine account password change
[datetime]::FromFileTime([bitconverter]::ToInt64((gi 'HKLM:\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime').GetValue($null), 0))

Note that there may be a discrepancy in the hour due to time zone differences or in the second due to clock skew.
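The following script is an added example, not part of the answer above: it reads the three local artefacts the answer names (PolMachineAccountS, PolMachineAccountR and the $MACHINE.ACC CupdTime secret), fetches the computer object with Get-ADComputer, and reports whether SID, RID and password-last-set time agree. It assumes it is run as SYSTEM (HKLM\SECURITY is not readable otherwise), that the RSAT ActiveDirectory module is installed, that the default value of PolMachineAccountS is a raw binary SID, and that $AdComputerName is the AD object you want to match (defaulting to the local computer name).

```powershell
param(
    # AD computer object to compare against (name, DN, GUID or SID); assumed default
    [string]$AdComputerName = $env:COMPUTERNAME,
    # Tolerance for clock skew between the machine and the directory, in seconds
    [int]$SkewToleranceSec = 300
)

# --- Local side: what LSA on this machine believes about its domain account ---
$polKey = 'HKLM:\SECURITY\Policy'

# PolMachineAccountS default value: assumed to be the raw binary SID of the machine account
$sidBytes = (Get-Item "$polKey\PolMachineAccountS").GetValue($null)
$localSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

# PolMachineAccountR default value: just the RID as a little-endian 32-bit integer
$ridBytes = (Get-Item "$polKey\PolMachineAccountR").GetValue($null)
$localRid = [BitConverter]::ToUInt32($ridBytes, 0)

# CupdTime under the $MACHINE.ACC secret: FILETIME of the last machine password change
$cupd = (Get-Item "$polKey\Secrets\`$MACHINE.ACC\CupdTime").GetValue($null)
$localPwdLastSet = [DateTime]::FromFileTime([BitConverter]::ToInt64($cupd, 0))

# --- Directory side: objectSid and pwdLastSet of the computer object ---
Import-Module ActiveDirectory
$adComputer = Get-ADComputer -Identity $AdComputerName -Properties PasswordLastSet
$adSid = $adComputer.SID                              # SecurityIdentifier from objectSid
$adRid = [UInt32]($adSid.Value.Split('-')[-1])        # last component of the SID

# --- Compare: SID and RID must match exactly; the time may differ by clock skew only ---
$sidMatch = ($localSid.Value -eq $adSid.Value)
$ridMatch = ($localRid -eq $adRid)
# Both DateTimes are local time, so only skew (not time zone) should separate them
$skewSec   = [Math]::Abs(($localPwdLastSet - $adComputer.PasswordLastSet).TotalSeconds)
$timeMatch = ($skewSec -le $SkewToleranceSec)

[PSCustomObject]@{
    LocalSid        = $localSid.Value
    AdSid           = $adSid.Value
    SidMatch        = $sidMatch
    LocalRid        = $localRid
    AdRid           = $adRid
    RidMatch        = $ridMatch
    LocalPwdLastSet = $localPwdLastSet
    AdPwdLastSet    = $adComputer.PasswordLastSet
    PwdSkewSeconds  = [int]$skewSec
    SameDevice      = ($sidMatch -and $ridMatch -and $timeMatch)
}
```

A SID mismatch means this machine is not the device behind that object; a matching SID with a large time skew is worth investigating, since it suggests the object’s password was changed by something other than this machine.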