I recently needed to verify that SYSPREP had been run on a few servers. You can download the PSGETSID utility to do this, but I didn't want to introduce an external utility to the servers.
I found the following PowerShell code to get the SID of the local Administrator account.
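# Resolve the local Administrator account name to its SID
$u = New-Object System.Security.Principal.NTAccount('administrator')
$SID = $u.Translate([System.Security.Principal.SecurityIdentifier])
# Print the SID in S-1-5-21-... string form
$SID.Value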
This returns a SID with -500 on the end. If you ignore the -500, the SID is the SID of the local machine. If this is unique, you know that SYSPREP was used.
You can also look for the CloneTag value in HKLM:\SYSTEM\Setup. This contains the time when SYSPREP was run. However, I prefer to see the unique SID.
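As an added example (not code from the original post), the two checks above can be combined into one record per server and the machine SIDs compared for duplicates. The function names, the sample host names and the sample SIDs are assumptions made for illustration; the built-in Administrator is located by its -500 suffix instead of its name, so the check also works where the account has been renamed.

```powershell
function Get-MachineSidInfo {
    # Find the built-in Administrator by its RID (500), not by its name.
    $admin = Get-CimInstance -ClassName Win32_UserAccount `
        -Filter "LocalAccount = TRUE AND SID LIKE 'S-1-5-21-%-500'" |
        Select-Object -First 1
    $machineSid = $null
    if ($admin) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($admin.SID)
        # AccountDomainSid drops the trailing -500, leaving the machine SID.
        $machineSid = $sid.AccountDomainSid.Value
    }
    # A missing CloneTag value is reported as $null instead of raising an error.
    $setup = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup' -Name CloneTag `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MachineSid   = $machineSid
        CloneTag     = if ($setup) { $setup.CloneTag -join ' ' } else { $null }
    }
}

function Find-DuplicateMachineSid {
    param([Parameter(Mandatory)] [object[]] $Records)
    # Any machine SID shared by more than one server points to a cloned image.
    $Records | Where-Object MachineSid |
        Group-Object -Property MachineSid |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Computers  = $_.Group.ComputerName -join ', '
            }
        }
}

# Constructed sample records (not real hosts or SIDs) to show the comparison.
$sample = @(
    [pscustomobject]@{ ComputerName = 'SRV-A'; MachineSid = 'S-1-5-21-1111111111-2222222222-3333333333' }
    [pscustomobject]@{ ComputerName = 'SRV-B'; MachineSid = 'S-1-5-21-1111111111-2222222222-3333333333' }
    [pscustomobject]@{ ComputerName = 'SRV-C'; MachineSid = 'S-1-5-21-4444444444-5555555555-6666666666' }
)
Find-DuplicateMachineSid -Records $sample   # reports SRV-A and SRV-B

# On real servers with PowerShell remoting enabled ($servers is a placeholder list):
# $records = Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-MachineSidInfo}
# Find-DuplicateMachineSid -Records $records
```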
More info about using SYSPREP: