Thank you for the replies all you guys.
The only item which is available, is this external hard drive. No machine which it may or may not have been hooked up to is available for any type of imaging or scanning.
Also 2 of the SID's are the same, except for LF (last 4) which show up as 1000 and 1002. Every other SID is different and has 1000 for the LF.
quote="jhup"]In my experience I have mostly seen this is on a machine that is on an AD domain.
The accounts were not created on the that target machine, simply logged in - local or remote.
So you could have the same external drive attached to a single machine, but different user accounts on the domain.
HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\ should hold the cached logon for the domain.
Look under HKLM\SYSTEM\CurrentControlSet\Services\ Netlogon\Parameters will show a dynamic domain. If HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ SiteName is present, it is hardcoded.
This of course does not exclude the actual moving of the external drive to different machines.[/quote]
↧