SID values are typically displayed in format:
- S-1-5 is the SID revision level.
- d1-d2-d3 identifies the domain.
- rid Relative ID for user.
- 500 automatically created Administrator account
- 501 automatically created Guest account
- 1001 First user account created
- 1002 Second user account created
Since the builtin administrator account is the account with RID=500, it can not be obscured successfully. There are baby hacker tools which will tell you which account has RID=500.
There is are freeware utilities user2sid and sid2user, which will tell you the sid for any account or the user for a particular sid. Should the user2sid page go offline, the author made the utilities and source code available to ntbugtraq.
Mark Russinovich and Bryce Cogswell have written the freeware newSID which will generate a new randomSID for a cloned PC or SID-synchronized with PDC so one can move a BDC from one domain to another. As icing on the cake, Russinovich and Cogswell provide the source code for educational purposes,
I am not absolutely convinced but if I had to do, I would give this a try.