account unknown in user profiles

On all our domain controllers (Server 2003 R2 and 2008) we have found an "Account Unknown" listed under My Computer > Properties > Advanced > User Profiles > Settings. My concern is that the Account Unknown profile shows on all our domain controllers in the aforementioned place, and it shows that that particular profile is still being accessed. By being accessed I mean that the “Modified” date shows that it was modified just a few days ago, and it changes every couple of days. Also, the option to delete the account is grayed out, and I cannot find any orphaned profiles under Documents and Settings.

What I need to know is whether that profile is being used by some system account, or whether the servers have been compromised.

Any assistance or clarification of this issue will be greatly appreciated. Thank you.

August 24th, 2010 3:28pm

Hi,

A possible cause of the “Account Unknown” profile is that the domain account that the profile is mapped to was deleted, but the profile could not be deleted because some applications or services have an open handle on the file. That’s also one of the reasons that the option to delete the account is grayed out.

I suggest that you have a look at the subkeys under the HKEY_USERS key and check whether any user has been deleted. The HKEY_USERS key lists all profiles that are currently loaded on the computer. The PsGetSid utility (http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx) can help you translate SIDs to their display names.

Meanwhile, you’d better perform a full virus scan to ensure that the computer is not infected by a virus.

August 25th, 2010 2:15am

Hi,

How's everything going? Just want to check if the suggestion has helped. If you need further assistance or if there is anything unclear, please feel free to respond back.

Thanks.

August 27th, 2010 3:03am

Sorry for the delay. I figured it out a couple of hours after I posted. The account unknown is the old administrator account from before I ran DCPROMO, and the system service/account was using the ntuser.dat under the old administrator profile. That is why it still shows that it is still being accessed by something.

Your suggestions were still helpful; they helped me verify my findings. I actually used the handle utility from the Sysinternals suite to figure out what was using the ntuser.dat file. The interesting thing is that all the 2003 and 2008 DCs showed the unknown user, but I was only able to delete it from the 2008 DCs. On all the 2003 DCs the ntuser.dat is being used by the system service and I cannot delete the profile.

Thanks for your suggestions.

August 28th, 2010 12:37pm

"Account Unknown" means that the Profile has a SID no longer in Active Directory; or more simply, the user has been deleted from AD.

The reason "Delete" is greyed out, in my experience, is that the 'logoff' has not fully completed and NTUser.DAT is still locked. The solution for me has been to open the registry and locate any subkeys of HKey_Users\ that don't have a HKey_Users\....SID...._classes.

Select the HKey_Users\......SID.....\ key, and then on the File menu choose "Unload Hive".

Then refresh "User Profiles" (close and reopen) and Delete will be avai

August 30th, 2012 5:09pm
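
Added example, not part of any post in this thread: a read-only PowerShell report that combines the two checks described above, resolving each profile SID to an account name and showing whether its hive and its `_Classes` hive are still loaded under HKEY_USERS. It assumes PowerShell 2.0 or later and an elevated prompt on the server; the function name `Resolve-SidName` and the `<Account Unknown>` label are choices made for this example.

```powershell
# Added example: read-only report, changes nothing. Run from an elevated prompt.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-SidName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Translation failed: the SID maps to no account the server can find,
        # which is what User Profiles displays as "Account Unknown".
        return $null
    }
}

# Subkeys of HKEY_USERS are the profile hives currently loaded on this computer.
$loaded = @(Get-ChildItem -Path 'Registry::HKEY_USERS' |
    ForEach-Object { $_.PSChildName })

$report = foreach ($key in Get-ChildItem -Path $profileList) {
    $sid = $key.PSChildName
    # Only account SIDs; skips built-in profiles (S-1-5-18/19/20) and *.bak keys.
    if ($sid -notmatch '^S-1-5-21(-\d+)+$') { continue }

    $name = Resolve-SidName -Sid $sid
    if (-not $name) { $name = '<Account Unknown>' }

    New-Object PSObject -Property @{
        SID           = $sid
        Account       = $name
        HiveLoaded    = ($loaded -contains $sid)
        ClassesLoaded = ($loaded -contains ($sid + '_Classes'))
        ProfilePath   = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    }
}

$report | Sort-Object Account |
    Format-Table SID, Account, HiveLoaded, ClassesLoaded, ProfilePath -AutoSize
```

Rows marked `<Account Unknown>` with `HiveLoaded` set to `True` are the profiles whose hive something still has loaded; the Sysinternals handle utility mentioned earlier in the thread shows which process is holding the ntuser.dat file.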

Though it's probably better to post it as a separate question, anyway: if I have a similar situation on a Windows Server 2008 R2 RDSH server, with loads of Account Unknown entries in User Profiles (because of deleted AD accounts), and the Delete button is active in my case, are there any options to delete such profiles in bulk? (I have hundreds of such profiles.)
February 27th, 2013 11:17am

Perfect solution (from J.Smith), except that the keys that I had to Unload Hive upon, were in HKEY_USERS not HKEY_CURRENT_USER (as were the _Classes subkeys) for Server 2003 R2

  • Edited by Xagyg Saturday, August 02, 2014 11:18 PM
August 2nd, 2014 11:18pm

Thanks Xagyg,

I've edited my post.  What's the proper abbreviation for HKey_Users?

HKCU - HKey_Current_User

HKLM - HKey_Local_Machine

HKU - HKey_Users?

March 21st, 2015 1:33pm

This topic is archived. No further replies will be accepted.
