phantom user RRS feed

  • Question

  • If I look in the control panel UserPasswords2 it lists a user I don't know. I set up this system and I and the user have been in as Admin and as "Joe". Joe is a domain AD user. Desktop so never moved. The phantom name is not in AD, has no folder under c:\users, but there is activity in the security event log. This system is accessed by remote desktop for work from home but thru a VPN. Joe has not complained about being bumped off as you would expect if Phantom logged on. I'll change passwords and delete this user etc. Security software finds no problems. But what the heck do I make of this phantom user? Thanks.
    Thursday, July 23, 2020 7:11 PM

All replies

  • Hi,


    Open netplwiz.

    Uncheck the box for "Users must enter a user name and password to use this computer." Then click apply. On the window that pops up, click cancel. The check box for "Users must enter a user name....." should be checked again. Click OK.


    Hope above information can help you.

    This "Windows 10 Security" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.

    "Windows 10 Security" forum will be migrating to a new home on Microsoft Q&A!

    We invite you to post new questions in the "Windows 10 Security"  forum's new home on Microsoft Q&A!

    For more information, please refer to the sticky post.
    Friday, July 24, 2020 6:52 AM
  • Farena, maybe I'm just missing something but how does this explain or deal with the phantom user? Thanks.

    Saturday, July 25, 2020 3:31 AM
  • If I look in the control panel UserPasswords2 it lists a user I don't know. 

    What is the name of this phantom user? What groups is it a member of?

    Look in Local Users and Groups or use Powershell to query users.

    PS C:\> get-localuser
    Name               Enabled Description
    ----               ------- -----------
    Admin              True
    Administrator      False   Built-in account for administering the computer/domain
    DefaultAccount     False   A user account managed by the system.
    Guest              False   Built-in account for guest access to the computer/domain
    sshd               True
    sysconsole         True    915 admin account
    testuser           True
    WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scen...
    PS C:\Temp> Get-LocalUser admin | Format-List -Property *
    AccountExpires         : 
    Description            : 
    Enabled                : True
    FullName               : 
    PasswordChangeableDate : 5/31/2019 1:26:47 PM
    PasswordExpires        : 
    UserMayChangePassword  : True
    PasswordRequired       : True
    PasswordLastSet        : 5/31/2019 1:26:47 PM
    LastLogon              : 5/25/2020 12:18:00 PM
    Name                   : admin
    SID                    : S-1-5-21-3320722524-193523071-2819253668-1008
    PrincipalSource        : Local
    ObjectClass            : User
    PS C:\> get-localgroupmember -Name administrators
    ObjectClass Name                  PrincipalSource
    ----------- ----                  ---------------
    User        TEST10B\Admin         Local
    User        TEST10B\Administrator Local
    User        TEST10B\sysconsole    Local

    • Edited by MotoX80 Sunday, July 26, 2020 11:58 AM
    Saturday, July 25, 2020 12:11 PM
  • Hi,


    Just checking in to see if the information provided was helpful.


    If the reply helped you, please remember to mark it as an answer.

    If no, please reply and tell us the current situation in order to provide further help.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 27, 2020 8:00 AM