account unknown in user profiles
On all our domain controllers (Server 2003 R2 and 2008) we have found an "Account Unknown" listed under My Computer > Properties > Advanced > User Profiles > Settings. My concern is that the Account Unknown profile shows under all our domain controllers in the aforementioned place, and it shows that that particular profile is still being accessed. By being accessed I mean that the “Modified” date shows that it was modified just a few days ago, and it changes every couple of days. Also, the option to delete the account is grayed out and I cannot find any orphaned profiles under Documents and Settings.
What I need to know is whether that profile is being used by some system account, or whether the servers have been compromised.
Any assistance or clarification of this issue will be greatly appreciated. Thank you.
August 24th, 2010 6:28pm
Hi,
A possible cause of the “Account Unknown” profile is that the domain account that the profile is mapped to was deleted, but the profile could not be deleted because some applications or services have an open handle on the file. That’s also one of the reasons that the option to delete the account is grayed out.
I suggest that you have a look at the subkeys under the HKEY_USERS key and check whether any user has been deleted. The HKEY_USERS key lists all profiles that are currently loaded on the computer. The PsGetSid utility (http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx) can help you translate SIDs to their display names.
Meanwhile, you’d better perform a full virus scan to ensure that the computer is not infected by a virus.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 25th, 2010 5:15am
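The check suggested in the answer above, as an added PowerShell example that is not part of the original thread: it lists every profile registered on the machine, tries to resolve each SID to an account name, and marks which hives are currently loaded under HKEY_USERS. It assumes PowerShell 2.0 or later is installed on the domain controller and reads the standard ProfileList registry key, which the thread does not mention.

```powershell
# Added example: enumerate registered profiles, resolve their SIDs, and flag
# the ones that no longer map to an account (shown as "Account Unknown").
# Assumption: PowerShell 2.0+ is available; run from an elevated prompt.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# SIDs whose hives are currently loaded under HKEY_USERS (skip the *_Classes hives).
$loaded = Get-ChildItem 'Registry::HKEY_USERS' |
    ForEach-Object { $_.PSChildName } |
    Where-Object { $_ -notlike '*_Classes' }

Get-ChildItem $profileList | ForEach-Object {
    $sidText = $_.PSChildName
    $path    = (Get-ItemProperty $_.PSPath).ProfileImagePath

    # Translate() throws when the SID no longer maps to an account;
    # malformed key names (for example a ".bak" suffix) also land in catch.
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'
    }

    New-Object PSObject -Property @{
        SID         = $sidText
        Account     = $name
        ProfilePath = $path
        HiveLoaded  = ($loaded -contains $sidText)   # True = ntuser.dat is in use
    }
} | Select-Object SID, Account, ProfilePath, HiveLoaded |
    Sort-Object Account |
    Format-Table -AutoSize
```

A row with `<unresolved>` and `HiveLoaded` set to True is a profile whose account no longer resolves but whose ntuser.dat is still held open, which is why the delete button is grayed out for it.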
Hi,
How's everything going? Just want to check if the suggestion has helped. If you need further assistance or if there is anything unclear, please feel free to respond back.
Thanks.
August 27th, 2010 6:03am
Sorry for the delay. I figured it out a couple of hours after I posted. The account unknown is the old administrator account from before I ran DCPROMO, and the system service/account was using the ntuser.dat under the old administrator profile. That is why it still shows that it is still being accessed by something.
Your suggestions were still helpful; they helped me verify my findings.
I actually used the handle utility from the Sysinternals suite to figure out what was using the ntuser.dat file. The interesting thing is that all the 2003 and 2008 DCs showed the unknown user, but I was only able to delete it from the 2008 DCs. On all the 2003 DCs the ntuser.dat is being used by the system service and I cannot delete the profile.
Thanks for your suggestions.
August 28th, 2010 3:37pm