I am a bit out of my depth here.
I have a computer which has two accounts, Owner and Owner.BOWL. The only other time I've seen that is on my local machine when I had my local account and domain account using the same username. The .BOWL, then, would seem to show the domain it was part of (again, based on my computer accounts).
When I look at System\ControlSet00x\Tcpip\Parameters, the Domain value is clear. That should indicate it was not part of a domain currently.
However, in putting the Security hive into PRTK, it cracks the cached domain password. The local password was cracked as well. They both were the same.
Looking at the MAC times for the User home directories, the Owner.BOWL was created and accessed later than the Owner account. The Owner account, in fact, hasn't been written to since 2005. It is also bare, containing an Application Data folder and My Documents folder.
If this isn't a Domain computer (past or current) what could explain this?
Another way to check this is to see which of the accounts appears in the SAM. Then go to the ProfileList key in the Software hive and look at the SIDs for the accounts. If they're both local to the system, they'll have the same basic SID but different RIDs. Otherwise, they'll have different SIDs.
The Owner account appears in the SAM, with a SID of S-1-5-21-1004336348-1965331169-725345543-1003. This is also the SID seen in the Recycle Bin. It is also the only one listed in ProfileList.
The other SIDs seen in the Recycle Bin are S-1-5-21-1326149274-3656358154-894121911-1006 (and -500) with nothing in them.
Although, I just now see under Winlogon, the DefaultDomainName = BOWL. And, the Computer name is BOWL. In the System hive, DhcpDomain = domain.actdsltmp.
I don't get why there is a domain user password in the Security hive, yet the computername is being appended to a user account, nor the odd DhcpDomain value. It isn't adding up to me.
If anyone has insights, I'd be grateful.
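The SID comparison suggested earlier in the thread, applied to the SIDs quoted above, as an added example that is not part of any poster's message. The function names are hypothetical, and reading "(and -500)" as the same issuer with RID 500 is an assumption.

```python
from collections import defaultdict

# RIDs with a fixed meaning on every Windows installation or domain.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

def split_sid(sid):
    """Split an S-1-5-21-x-y-z-RID account SID into (issuer, rid)."""
    parts = sid.strip().upper().split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not an S-1-5-21 account SID: {sid!r}")
    if not all(p.isdigit() for p in parts[4:]):
        raise ValueError(f"non-numeric sub-authority in {sid!r}")
    return "-".join(parts[:7]), int(parts[7])

def group_by_issuer(sam_sid, observed_sids):
    """Group SIDs by issuer; mark the group that matches the local SAM."""
    machine_sid, _ = split_sid(sam_sid)
    rids = defaultdict(set)
    for sid in observed_sids:
        issuer, rid = split_sid(sid)
        rids[issuer].add(rid)
    return {issuer: {"local": issuer == machine_sid, "rids": sorted(r)}
            for issuer, r in rids.items()}

def report(sam_sid, observed_sids):
    """One line per SID: issuer, RID, origin, and any well-known RID meaning."""
    lines = []
    for issuer, info in group_by_issuer(sam_sid, observed_sids).items():
        origin = "local SAM" if info["local"] else "not issued by this SAM"
        for rid in info["rids"]:
            note = WELL_KNOWN_RIDS.get(rid, "")
            lines.append(f"{issuer}-{rid}: {origin} {note}".rstrip())
    return lines

# SIDs quoted in the thread: the SAM entry for Owner and the Recycle Bin folders.
SAM_OWNER = "S-1-5-21-1004336348-1965331169-725345543-1003"
OTHER_ISSUER = "S-1-5-21-1326149274-3656358154-894121911"  # from the Recycle Bin
RECYCLE_BIN = [SAM_OWNER, OTHER_ISSUER + "-1006", OTHER_ISSUER + "-500"]

if __name__ == "__main__":
    print("\n".join(report(SAM_OWNER, RECYCLE_BIN)))
```

A SID whose issuer differs from the local SAM's is consistent with a domain account, but also with a volume that was used under another or an earlier Windows installation. The SID alone does not distinguish these.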
Hi,
Just a quick answer
Not sure that helps, but it seems that the "domain.actdsltmp" problem could be due to a bug using OPENDNS with an Actiontec modem (actdsltmp might be "actiontec dsl tmp").
Thierry
Thank you tg92. That appears to be the case. They did in fact have an Actiontec (I don't have the device, so I don't know what it was exactly).