Daily Blog #621: ADFS accounts in SAM hives
Hello Reader,
I wanted to make a quick post about ADFS (Active Directory Federation Services) and Azure AD. If the Windows system you are examining has a user who authenticates against Azure AD in any configuration (cloud, hybrid, Office 365), then you should look for an additional key value that has been around since the original 'Microsoft Account' in Windows 8.
The key value 'InternetUserName' stores the full account name, with domain, that the user authenticated with. A true local account will not have this value; only accounts that are authenticated against cloud-hosted domains should contain it. In combination with a 0 logon count, this can be used to determine not only that the user was not a local account but also the full account name associated with it.
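The check described above, as an added example that is not part of the original post: it takes the values of each per-user SAM key as a hive parser would return them and reports 'InternetUserName' together with the logon count. The 0x42 offset of the logon count inside the 'F' value, the UTF-16LE encoding, the key path in the docstring, all function names and the sample data are assumptions or constructed here, not taken from the post.

```python
import struct

# Assumption (not from the post): in the commonly documented layout of the
# per-user "F" value, the logon count is a 16-bit little-endian integer at 0x42.
LOGON_COUNT_OFFSET = 0x42

def logon_count(f_value: bytes) -> int:
    """Return the logon count stored in a SAM user 'F' value."""
    if len(f_value) < LOGON_COUNT_OFFSET + 2:
        raise ValueError("F value too short to hold a logon count")
    return struct.unpack_from("<H", f_value, LOGON_COUNT_OFFSET)[0]

def internet_user_name(values: dict):
    """Decode InternetUserName (assumed UTF-16LE), or None when absent."""
    raw = values.get("InternetUserName")
    if raw is None:
        return None
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")

def classify(rid: int, values: dict) -> dict:
    """Apply the post's rule to one SAM\\Domains\\Account\\Users\\<RID> key."""
    name = internet_user_name(values)
    count = logon_count(values["F"])
    return {
        "rid": rid,
        "cloud_account": name is not None,
        "internet_user_name": name,
        "logon_count": count,
        # The post's combination: InternetUserName present and 0 logons.
        "cloud_with_zero_logons": name is not None and count == 0,
    }

def make_f(count: int) -> bytes:
    """Build a constructed 0x50-byte F value holding only a logon count."""
    buf = bytearray(0x50)
    struct.pack_into("<H", buf, LOGON_COUNT_OFFSET, count)
    return bytes(buf)

# Constructed sample data: values as a hive parser would return them per RID.
SAMPLE_USERS = {
    1001: {"F": make_f(14)},  # ordinary local account, no InternetUserName
    1002: {"F": make_f(0),
           "InternetUserName": "user@example.onmicrosoft.com\x00".encode("utf-16-le")},
}

if __name__ == "__main__":
    for rid, values in SAMPLE_USERS.items():
        print(classify(rid, values))
```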
Reviewed by David Cowen on February 09, 2019