
Domain User details

sudha
(@sudha)
Trusted Member
Joined: 16 years ago
Posts: 52
Topic starter  

Dear All,

Wanted to understand one of the basic concepts of storing user details and password in OS system files like SAM and System.

Will SAM store details of domain user also? In our org. we use Active Directory. I always thought that it will store the user details in SAM and encrypt the password and store that in System file. This feature would in turn help the machines to authenticate when disconnected from the network.

If my understanding is correct then why doesn't PRTK show my domain user name when I loaded my SAM file in to it?

Comments awaited eagerly! :)

Regards,
Sudha


   
(@woany)
Eminent Member
Joined: 16 years ago
Posts: 28
 

AFAIK if the user is a domain user then the account details won't be in the local SAM file; they will be on the domain controller. You may get the profile directories stored on the local machine (I know of setups where the profiles are stored on mapped network drives).


   
(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123
 

Domain logins are cached in a registry key. If you have EnCase you can use the Analyze EFS function and it will pull the information into the Secure Storage tab under 'Net Logons'.

I think the Registry Key that stores them is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

I don't have time to have a detailed look unfortunately, but you might be able to do some research based on this. Also I think RegRipper might pull this info too.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

RegRipper can pull anything you tell it to…


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Will SAM store details of domain user also?

The SAM on a workstation will NOT store the 'details' of a domain user, no. The local SAM only stores information about the local users.

In our org. we use Active Directory. I always thought that it will store the user details in SAM and encrypt the password and store that in System file. This feature would in turn help the machines to authenticate when disconnected from the network.

This is not a correct assumption. The encrypted user password is maintained in the SAM. Cached domain credentials are maintained elsewhere. For a good description, see

http://moyix.blogspot.com/2008/02/cached-domain-credentials.html

If my understanding is correct then why doesn't PRTK show my domain user name when I loaded my SAM file in to it?

Well, there could be several factors here…for one, are you using the tool correctly?


   