If the physical user has accounts with the same samAccountName in several domains and the machine accepts logins with all of them, then Windows will create a separate user profile folder for each of these accounts. As Windows does not allow two folders to have the same name, only the first of these profile folders will have exactly the name given by the samAccountName AD attribute. All others will have the AD domain name (or, in the case of a local account, the machine name) appended, separated by a dot. So you can identify the domain of all but one of the profile folders by looking at their names.
For the remaining profile folder, the one just named after samAccountName without a domain suffix, you can proceed by exclusion: strike off from your list of domains all those appearing as a suffix, until one remains that doesn't appear as a suffix and must hence be the unsuffixed profile folder's domain. Alternatively, you can look at the owner of the NTUSER.DAT file within the profile folder. This will be the user account in the domain to which the profile belongs.
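The two checks described above, as an added PowerShell example (not part of the original text): for one samAccountName it lists the matching profile folders, reads the domain suffix from each folder name and the owner of the NTUSER.DAT file inside it. The function name Get-ProfileDomain, the C:\Users profile root and the sample account jdoe are assumptions.

```powershell
# Added example: map each profile folder of one samAccountName to its domain.
# Assumptions: profiles live under C:\Users; the shell is elevated so other
# users' NTUSER.DAT files can be read. Get-ProfileDomain is a hypothetical name.
function Get-ProfileDomain {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ProfilesRoot = 'C:\Users'
    )

    # Matches "<name>" (unsuffixed) and "<name>.<suffix>" only.
    $pattern = '^' + [regex]::Escape($SamAccountName) + '(?:\.(?<suffix>.+))?$'

    foreach ($dir in Get-ChildItem -LiteralPath $ProfilesRoot -Directory -Force) {
        $m = [regex]::Match($dir.Name, $pattern, 'IgnoreCase')
        if (-not $m.Success) { continue }

        # Domain or machine name taken from the folder name, if present.
        $suffix = if ($m.Groups['suffix'].Success) { $m.Groups['suffix'].Value } else { $null }

        # Owner of the NTUSER.DAT file inside the profile folder.
        $hive  = Join-Path $dir.FullName 'NTUSER.DAT'
        $owner = $null
        if (Test-Path -LiteralPath $hive) {
            try   { $owner = (Get-Acl -LiteralPath $hive -ErrorAction Stop).Owner }
            catch { Write-Warning "Cannot read owner of ${hive}: $($_.Exception.Message)" }
        }

        # Owner is normally "DOMAIN\user"; keep the part before the backslash.
        $ownerDomain = if ($owner -and $owner.Contains('\')) { $owner.Split('\')[0] } else { $null }

        [pscustomobject]@{
            Folder       = $dir.Name
            FolderSuffix = $suffix      # empty for the unsuffixed folder
            HiveOwner    = $owner
            OwnerDomain  = $ownerDomain
        }
    }
}

# 'jdoe' is a constructed sample account name.
Get-ProfileDomain -SamAccountName 'jdoe' | Format-Table -AutoSize
```

For suffixed folders, FolderSuffix and OwnerDomain can be compared directly; for the unsuffixed folder, OwnerDomain supplies the answer that the exclusion method would otherwise give.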