0

Why would a user on a domain-joined PC (or any PC, really) have two entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, as in the case of these SIDs:

S-1-5-21-3229509536-3853329613-2519243864-1117

S-1-5-21-3840458582-4119228877-3303071312-1127

This machine has never been WORKGROUP, it was Domain joined by an admin account when deployed and the user added as a domain user. The user in question is admin on the PC.

There is a VirtualBox installation on this PC, where the user has a Windows 10 VM with the same username, but I can't see how or if that would affect the actual PC's registry.

SKidd

1 Answer

0

Accounts from two different domains, or a domain account and a local account. Also there may have been some profile "cleanup" that removed the profile folder but left the registry key. You can tell by the SID prefix that they aren't both from the same domain or same PC.

Greg Askew
  • The typical scenario on a new PC is the first account created is a non-domain Admin account, like LocalAdmin. This account then creates the account for the domain user account that will use the PC, like Sally. The duplicate SIDs both belong to the same user, Sally. This just seems wrong. Is it? – SKidd Sep 13 '22 at 10:47
  • We cannot identify the SIDs. But you can. Have you? – Greg Askew Sep 13 '22 at 10:52
  • What do you mean "you can" identify the SIDs? Your post isn't clear. Two SIDs, only one user. Not different domains, etc. as per what I said on 13-09-2022. If you mean via Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, same user on both SIDs, same path in ProfileImagePath – SKidd Sep 14 '22 at 14:03
  • @SKidd: Windows identifies security principals with SIDs. SIDs have a prefix to identify where they are sourced from, such as the local workstation or a domain SID. These are obviously from two different sources, such as one domain and one local. We can't determine that but you can. – Greg Askew Sep 14 '22 at 15:07
  • Yeah, that sounds right, but I have to wonder since the user is added as a Domain User fresh OOB, and was never a local user. Might it get added if the network/domain is not available? Or is that standard behavior? "Here are two SIDs for you, you're welcome, Windows"? – SKidd Sep 16 '22 at 08:04
  • @SKidd: No need to wonder, you have the information. – Greg Askew Sep 16 '22 at 08:05
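
One way to run the check the answer points to, as an added example that is not part of the original thread: list every user entry under ProfileList, show each SID's issuing authority (the SID without its final RID), compare it with this PC's machine SID, resolve it to an account name, and flag registry keys whose profile folder is gone. It is read-only and assumes Windows PowerShell 5.1 with the built-in LocalAccounts module; the property names in the output object are chosen for this example.

```powershell
# Added example (not from the thread): classify each ProfileList SID by where it was issued.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Every local account SID is <machine SID>-<RID>; RID 500 is the built-in Administrator.
$machineSid = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } |
    Select-Object -First 1).SID.AccountDomainSid.Value

Get-ChildItem $profileList |
    # Keep user-account keys only (S-1-5-21-...), including renamed ".bak" leftovers.
    Where-Object { $_.PSChildName -match '^S-1-5-21-(\d+-){3}\d+(\.bak)?$' } |
    ForEach-Object {
        $sid  = [System.Security.Principal.SecurityIdentifier]($_.PSChildName -replace '\.bak$')
        $path = $_.GetValue('ProfileImagePath')

        # Ask Windows which account the SID maps to. This fails for deleted accounts
        # and for domains that are unreachable or no longer trusted.
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        $source = if ($sid.AccountDomainSid.Value -eq $machineSid) {
            'local (this PC)'
        } else {
            'domain or another machine'
        }

        [pscustomobject]@{
            Key          = $_.PSChildName
            Authority    = $sid.AccountDomainSid.Value   # SID minus the final RID
            Source       = $source
            Account      = $account
            ProfilePath  = $path
            # False means the key outlived its folder (the "cleanup" case in the answer).
            FolderExists = [bool]($path -and (Test-Path -LiteralPath $path))
        }
    } | Format-Table -AutoSize
```

Two rows that share a ProfilePath but differ in Authority are two distinct security principals, whatever the username; an `<unresolved>` account with a non-local authority usually means the issuing domain or machine is not the one the PC currently trusts.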