-3

I work in a very controlled environment. An image is created by an entity outside of our control that is tailored (read: locked down) for our environment.

The client support technicians are to take this disk (physical or ISO) and use it whenever they re/image a computer. Once the image is applied to the computer, the computer is joined to the domain and patches are applied (WSUS, SCCM, etc) before turning the PC over to the customer.

We are concerned the technicians are creating their own "image" (applying patches, etc) and "ghosting/cloning" (WDS, Ghost, Acronis, etc) THAT image (and changing the SID) rather than following standard procedures. Is there a way to tell if a PC has been properly imaged or "ghosted"?

As the junior sysad/new-kid-on-the-block, I've been tasked to figure this out.

Thank you,

  • 3
    If they're getting the same results, what does it matter? And if they're getting different results which cause problems, isn't that evidence enough that they're doing something wrong? i.e. what is it that makes you concerned? – TessellatingHeckler Sep 03 '15 at 16:30
  • If the image being created is under tight control, then the people providing it should also be providing you checksums and file/directory manifests for the image so that you can compare and contrast to what is in your environment. That would be my starting point, a request to the image provider, so that you are empowered to determine this for yourself. – Aaron Sep 03 '15 at 21:04

2 Answers

1

I have only found this

To determine whether a computer system has previously been sysprepped, look under the following registry key:

HKEY_LOCAL_MACHINE\System\Setup key

kudos to Mitch Tulloch http://techgenix.com/Howtotellifacomputerhasbeensysprepped/

RNR1995
0

If I read this correctly, you are looking to see if you can tell if a machine is an image, or an image of an image. Frankly, it's not possible to tell.

If you suspect something like this - instead, identify a change that would be made on the image of the image and then look for that change on a newly imaged machine - that's about the only way you'll be able to tell if they are using the image you supply, or one they are creating off of that image.

If it's patches they are applying, then search for that patch on a newly imaged machine.

Eirik Toft
  • Because it does matter. I would not have wasted my time or yours asking the question. Once the image is given to us, and we deploy it, we have no control over HOW the tech applies the image to their machines. There is nothing in place to prevent them from cloning our image once applied to a machine. The person who tasked me to find this out told me he'd figured it out once but could not remember how to do it. I'm hoping to find a WMI variable that I could test. – ExpatChic Sep 04 '15 at 19:58
  • "It matters because it matters" will not help us solve anything. If it matters because some procedure failed, or any component didn't update correctly, or you have any strange message, it would be very helpful to know, and we would know where to look. The way the question is worded sounds more like "It matters because I wanted to know if it's possible". – ThoriumBR Oct 23 '17 at 19:56
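
The two answers above suggest reading the `HKEY_LOCAL_MACHINE\System\Setup` key and looking for patches that should not yet be on a newly imaged machine. The PowerShell below is an added example of both checks, not code from any poster on this page. It assumes the image provider can supply a list of the hotfix IDs that ship in the approved image; the KB numbers, dates, account names and baseline file name are constructed placeholders.

```powershell
# Added example. KB IDs, dates and accounts below are constructed placeholders.

function Get-UnexpectedHotFix {
    # Return hotfixes present on a machine that are NOT part of the approved image.
    param(
        [Parameter(Mandatory)] [string[]] $BaselineIds,  # IDs shipped in the image (assumed supplied by the provider)
        [object[]] $Installed = (Get-HotFix)             # defaults to the live machine
    )
    $Installed |
        Where-Object { $_.HotFixID -and ($_.HotFixID -notin $BaselineIds) } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, InstalledOn, InstalledBy
}

function Get-SetupKeyValue {
    # Dump every value under the Setup key named in the first answer, for side-by-side comparison.
    param([string] $Path = 'HKLM:\SYSTEM\Setup')
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Name  = $name
            Kind  = $key.GetValueKind($name)
            Value = $key.GetValue($name)
        }
    }
}

# Constructed sample: what Get-HotFix might return right after imaging, before WSUS/SCCM runs.
$baselineIds = 'KB0000001', 'KB0000002'
$sample = @(
    [pscustomobject]@{ HotFixID = 'KB0000001'; InstalledOn = [datetime]'2015-06-01'; InstalledBy = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ HotFixID = 'KB0000002'; InstalledOn = [datetime]'2015-06-01'; InstalledBy = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ HotFixID = 'KB0000003'; InstalledOn = [datetime]'2015-08-14'; InstalledBy = 'EXAMPLE\tech01' }
)

# Rows returned here are hotfixes that were not in the provider's baseline list.
Get-UnexpectedHotFix -BaselineIds $baselineIds -Installed $sample | Format-Table -AutoSize

# On a real, freshly imaged machine (baseline file name is hypothetical):
# Get-UnexpectedHotFix -BaselineIds (Get-Content .\baseline-hotfixes.txt)
# Get-SetupKeyValue | Format-Table -AutoSize
```

Run the hotfix check after imaging but before the machine receives patches from WSUS or SCCM, and compare the Setup key output against a machine known to have been built from the original disk.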