Determining Domain membership

(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
Topic starter  

I am a bit out of my depth here.

I have a computer that has two accounts, Owner and Owner.BOWL. The only other time I've seen that is on my local machine when I had my local account and domain account using the same username. The .BOWL, then, would seem to show the domain it was part of (again, based on my computer accounts).

When I look at System\ControlSet00x\Tcpip\Parameters, the Domain value is clear. That should indicate it was not part of a domain currently.

However, in putting the Security hive into PRTK, it cracks the cached domain password. The local password was cracked as well. They both were the same.

Looking at the MAC times for the User home directories, the Owner.BOWL was created and accessed later than the Owner account. The Owner account, in fact, hasn't been written to since 2005. It is also bare, containing an Application Data folder and My Documents folder.

If this isn't a Domain computer (past or current) what could explain this?


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Another way to check this is to see which of the accounts appears in the SAM. Then go to the ProfileList key in the Software hive and look at the SIDs for the accounts. If they're both local to the system, they'll have the same basic SID but different RIDs. Otherwise, they'll have different SIDs.


   
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
Topic starter  

The Owner account appears in the SAM, with a SID of S-1-5-21-1004336348-1965331169-725345543-1003. This is also the SID seen in the Recycle Bin. It is also the only one listed in ProfileList.

The other SIDs seen in the Recycle Bin are S-1-5-21-1326149274-3656358154-894121911-1006 (and -500) with nothing in them.

Although, I just now see under Winlogon, the DefaultDomainName = BOWL. And, the Computer name is BOWL. In the System hive, DhcpDomain = domain.actdsltmp.

I don't get why there is a domain user password in the Security hive, yet the computername is being appended to a user account, nor the odd DhcpDomain value. It isn't adding up to me.

If anyone has insights, I'd be grateful.


   
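Added example, not part of the thread: a small Python sketch of the SID comparison suggested above, splitting each S-1-5-21 SID into its issuing-authority part and RID and grouping the SIDs by whether they share the SAM account's base. The SID values are the ones quoted in the post above; the function names and the "local"/"foreign" labels are assumptions of this sketch, and a foreign base only shows the SID was issued by something other than this machine's SAM (a domain or another Windows installation).

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")
# RIDs 500 and 501 are fixed; accounts created later start at 1000.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

def split_sid(sid):
    """Return (issuing-authority SID, RID) for an S-1-5-21-... account SID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not an S-1-5-21 account SID: {sid!r}")
    *sub, rid = m.groups()
    return "S-1-5-21-" + "-".join(sub), int(rid)

def classify(sam_sid, observed):
    """Group observed (source, SID) pairs by base SID relative to the SAM account."""
    local_base, _ = split_sid(sam_sid)
    report = defaultdict(list)
    for source, sid in observed:
        base, rid = split_sid(sid)
        origin = "local" if base == local_base else "foreign"
        note = WELL_KNOWN_RIDS.get(
            rid, "user-created account" if rid >= 1000 else "reserved RID")
        report[(origin, base)].append((source, rid, note))
    return dict(report)

# SIDs as quoted in the thread; the source label is where the post saw each one.
SAM_OWNER = "S-1-5-21-1004336348-1965331169-725345543-1003"
OBSERVED = [
    ("ProfileList", SAM_OWNER),
    ("Recycle Bin", SAM_OWNER),
    ("Recycle Bin", "S-1-5-21-1326149274-3656358154-894121911-1006"),
    ("Recycle Bin", "S-1-5-21-1326149274-3656358154-894121911-500"),
]

if __name__ == "__main__":
    for (origin, base), hits in classify(SAM_OWNER, OBSERVED).items():
        print(f"{origin:7} {base}")
        for source, rid, note in hits:
            print(f"    RID {rid:<5} seen in {source}: {note}")
```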
 tg92
(@tg92)
Active Member
Joined: 15 years ago
Posts: 13
 

Hi,

Just a quick answer

Not sure that helps, but it seems that the "domain.actdsltmp" problem could be due to a bug using OPENDNS with Actiontec modem (actdsltmp might be "actiontec dsl tmp")

http://serverfault.com/questions/313668/what-is-domain-actdsltmp
http://forums.opendns.com/comments.php?DiscussionID=4176
http://forums.opensuse.org/archives/sf-archives/archives-network-internet/342744-host-name-problem.html (post 13-Jan-2008, 0902)

Thierry


   
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
Topic starter  

Thank you tg92. That appears to be the case. They did in fact have an Actiontec (I don't have the device, so I don't know what it was exactly).


   