Generation of User Profiles

Status
Not open for further replies.

mhiney

IS-IT--Management
May 30, 2003
79
IE
I have recently had an issue where it appears as though one of my users had logged on to a server (the security hole allowing this has now been plugged, of course). The person in question is flatly denying it, but there is a user profile on the box for him.

This is a standard client/server setup, not a terminal services setup, so there is no valid reason why this person should have logged on.

My question is: is it possible for user profiles to "spontaneously" be generated, or is there any other means aside from logging on to a box by which a valid user profile may be generated?
 
There's no reason for a person's profile to be created other than logging onto the machine. Unless, of course, you or someone else made the profile w/o the user logging on...

Darrell Mozingo
 
Does this mean I can create the required directory structure? This is to be honest not something I would have even thought of doing, and I fail to see how I could recreate the necessary stuff under HKEY_USERS.

Obviously, from a security perspective, this is quite delicate, and a formal reprimand to the individual may be required, so I have to be utterly sure that what seems to have happened could absolutely only have happened under a certain circumstance, i.e. that the person logged on.
 
Go to the user profile that was created and check the ownership. See if you can read any files inside the profile. When a new user logs on to a machine, a profile is created and the user becomes the owner and nobody, not even administrators, can read the files inside without taking ownership and changing the access control list. If that user is the owner and you can't see the files in it, then that user did indeed log onto the computer on which the profile was created... unless you have a roaming profile or are redirecting folders for the user. You can check the user account to see if a roaming profile is in effect and the path as well as if folders are being redirected. Those paths would have to have been shared over the network for the profile or folders to be created. No share, no way.
 
Sounds like we're getting there, ta for all the help. I do redirect users' "My Documents" folder however. Further examination of the folder structure has revealed that this person has Full Control of their own profile, but standard read-only access to the top-level "Documents and Settings" folder. The necessary registry entries are also present, complete with a SID and a GUID.
 
Just one thing I'll throw out there. Because I'd hate to see someone get wrongly accused. Make sure you rule out the possibility that one of the Administrators logged onto the server with the user's account to test it when it was created or something.

Also, I would try to find out if they've ever given their password out to another user and pursue all of those leads if a formal investigation is required.
 
Yup, I personally have no desire to drop anyone in it, and if there is any doubt on the matter there will be no action taken.

I can discount your option 1 on account of the date on the profile, but option 2 is a distinct possibility.
 
Just another thought as well. Check the user's profile path on his account and make sure it isn't pointing to that server.

Glenn
BEng MCSE CCA
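
The checks suggested in this thread (the ProfileList registry entry keyed by SID, the profile folder's owner and ACL, and the dates on the profile), gathered into one PowerShell script. This is an added example, not part of any post in the thread; the account name is a placeholder, and it assumes PowerShell 3.0 or later in an elevated session on the server in question.

```powershell
# Added example: collect profile evidence for one account on the local machine.
param([string]$Account = 'EXAMPLE\jdoe')   # placeholder account name

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Resolve the account to its SID so the registry entry is matched exactly,
# not by folder name (folder names can be reused or suffixed).
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$key = Join-Path $profileList $sid
if (-not (Test-Path -LiteralPath $key)) {
    Write-Output "No ProfileList entry for $Account ($sid) on this machine."
    return
}

# ProfileImagePath may contain environment variables; expand them explicitly.
$raw  = (Get-ItemProperty -LiteralPath $key).ProfileImagePath
$path = [Environment]::ExpandEnvironmentVariables($raw)

try {
    $dir  = Get-Item -LiteralPath $path -Force -ErrorAction Stop
    $acl  = Get-Acl  -LiteralPath $path -ErrorAction Stop
    # NTUSER.DAT is hidden; its last write time is updated when the user's
    # registry hive is unloaded, which typically happens at logoff.
    $hive = Get-Item -LiteralPath (Join-Path $path 'NTUSER.DAT') -Force -ErrorAction Stop
}
catch {
    # An access-denied error here is itself worth recording before anyone
    # takes ownership, because taking ownership changes the evidence.
    Write-Output "Could not read $path : $($_.Exception.Message)"
    return
}

# Summary: who owns the folder and when it and the hive were written.
[pscustomobject]@{
    Account         = $Account
    Sid             = $sid
    ProfilePath     = $path
    Owner           = $acl.Owner
    FolderCreated   = $dir.CreationTimeUtc
    HiveLastWritten = $hive.LastWriteTimeUtc
}

# Full ACL, so inherited entries can be told apart from explicit ones.
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

The script only reads; it does not take ownership or change any ACL. The roaming profile path and folder redirection settings mentioned above live on the user account and in policy, so they still need to be checked separately.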
 