Out of nowhere a new user folder shows up in C:\User. Is it possible remotely even though Remote Desktop Connection is turned off?

Panchali Mukherjee 1 Reputation point
2022-10-28T13:07:50.367+00:00

Hi we have a Windows Server 2019 with Active Directory. I am working on a new laptop. Until now in the C:\User folder was only my name, Default and another name. But suddenly since Tuesday another username shows up in the C:\User folder. Does this mean this person logged on to my laptop manually or can a profile name be created in C:\User even if that person did something remotely over Powershell. Just FYI Remote Desktop Connection is turned off on my laptop.

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,552 questions
Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,005 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,102 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Dave Patrick 426.4K Reputation points MVP
    2022-10-28T13:18:14.297+00:00

    Can a user folder be created in the C:\User folder if they were doing some updates over the network?

    I suppose anything is possible. Do you see ntuser.dat? If so then someone logged on and the file timestamp should tell you when they last logged on.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  2. Dave Patrick 426.4K Reputation points MVP
    2022-10-28T13:10:20.71+00:00

    Not much to go on but most likely is the user has logged on to the laptop locally or remotely.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Zain Choudry 6 Reputation points
    2022-10-30T07:40:01.063+00:00

    There are other ways a user can log into your machine, a few examples are psexec or remote PowerShell. However, they would most likely need to be local administrator to do this.

    I would look at the Windows Security Event Logs to see if there's any clues to what might have happened.

    A few questions might help also.

    Is the computer added to a domain? Is the new profile a domain user? If it's not added to a domain then is the user a local admin on the computer? You can check this using computer management.