velociraptor
Enhancement - Windows.sys.users type change and SAM parsing
API calls on domain controllers return users as local users when this is not necessarily the case.
My suggestion would be to have three separate types:
- API - list users based on API calls
- SAM - parse the SAM hive for local users, these can be called local
- ProfileList - parse the SOFTWARE hive for roaming users, these can be called local
There will definitely be duplication across this; however, it will also provide a bit more context for DCs, as an unexpected local user on a DC can be identified more quickly.
This is a good discussion, and the old Windows.Sys.Users was actually very confusing and not very accurate. Previously we called a user account with a registry profile a "remote" account, which is confusing: yes, it can be created by a user remotely logging into the machine via RDP, but it is also created when a local user is logged in.
Also, the artifact was usually used to get a quick view of who actually uses the machine. On a DC the enum users API will return the entire domain, but these are clearly not "local" users.
In reality this artifact uses two separate sources of data to find users: the NetUserEnum API and cached profiles. These are independent, and each is useful in different situations.
In #1863 I added a RemoteOnly flag to the artifact; this ensures it only looks at cached profiles. This is usually what we want: it shows the users that were physically logged into the machine (so a cached profile exists). It is also much faster and will not return the entire domain on a DC.
It now also shows the profile last load time and unload time, which are very useful in establishing timelines.
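
The thread above hinges on two things an analyst would want to do with the cached-profile data once it is out of the SOFTWARE hive: tell a local account's profile from a domain account's profile (by comparing the SID prefix against the machine SID), and turn the ProfileList `LocalProfileLoadTime{High,Low}` / `LocalProfileUnloadTime{High,Low}` DWORD pairs into timestamps for a timeline. The following is an added Python illustration, not Velociraptor's artifact code or VQL. It assumes the ProfileList values have already been extracted from `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList` (one subkey per SID); the machine SID and the profile entries below are constructed sample data.

```python
"""Classify ProfileList entries and decode their load/unload FILETIMEs.

Added example, not Velociraptor code. It operates on values already
extracted from the ProfileList key of the SOFTWARE hive, not on the raw hive.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed machine SID for the example. On a real host derive it from the
# local Administrator account (RID 500) by dropping the trailing "-500".
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Well-known service-account SIDs that always own a ProfileList entry.
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: one dict per ProfileList subkey (key name = SID).
SAMPLE_PROFILELIST = [
    {"sid": "S-1-5-18", "ProfileImagePath": r"%systemroot%\system32\config\systemprofile",
     "LocalProfileLoadTimeHigh": 0, "LocalProfileLoadTimeLow": 0,
     "LocalProfileUnloadTimeHigh": 0, "LocalProfileUnloadTimeLow": 0},
    # local account, loaded 2023-01-01 00:00 UTC, unloaded 08:30 UTC
    {"sid": MACHINE_SID + "-1001", "ProfileImagePath": r"C:\Users\alice",
     "LocalProfileLoadTimeHigh": 31006067, "LocalProfileLoadTimeLow": 4257415168,
     "LocalProfileUnloadTimeHigh": 31006139, "LocalProfileUnloadTimeLow": 1019769856},
    # domain account (different S-1-5-21 prefix), loaded, never unloaded
    {"sid": "S-1-5-21-4444444444-5555555555-6666666666-1105", "ProfileImagePath": r"C:\Users\bob.CORP",
     "LocalProfileLoadTimeHigh": 31006067, "LocalProfileLoadTimeLow": 4257415168,
     "LocalProfileUnloadTimeHigh": 0, "LocalProfileUnloadTimeLow": 0},
    # local account whose profile was registered but never loaded
    {"sid": MACHINE_SID + "-1002", "ProfileImagePath": r"C:\Users\svc_backup",
     "LocalProfileLoadTimeHigh": 0, "LocalProfileLoadTimeLow": 0,
     "LocalProfileUnloadTimeHigh": 0, "LocalProfileUnloadTimeLow": 0},
]


def filetime_from_dwords(high: int, low: int) -> Optional[datetime]:
    """Join a High/Low DWORD pair into a FILETIME; 0 means 'never'."""
    ticks = (high << 32) | low
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def classify_sid(sid: str, machine_sid: str = MACHINE_SID) -> str:
    """local = RID under the machine SID; domain = any other S-1-5-21 prefix."""
    if sid in WELL_KNOWN:
        return "well-known"
    if sid.startswith(machine_sid + "-"):
        return "local"
    if sid.startswith("S-1-5-21-"):
        return "domain"
    return "other"


@dataclass
class Profile:
    sid: str
    path: str
    kind: str
    loaded: Optional[datetime]
    unloaded: Optional[datetime]


def parse_profilelist(entries, machine_sid: str = MACHINE_SID):
    """Turn extracted ProfileList subkeys into classified, timestamped records."""
    return [
        Profile(
            sid=e["sid"],
            path=e["ProfileImagePath"],
            kind=classify_sid(e["sid"], machine_sid),
            loaded=filetime_from_dwords(e.get("LocalProfileLoadTimeHigh", 0),
                                        e.get("LocalProfileLoadTimeLow", 0)),
            unloaded=filetime_from_dwords(e.get("LocalProfileUnloadTimeHigh", 0),
                                          e.get("LocalProfileUnloadTimeLow", 0)),
        )
        for e in entries
    ]


def loaded_user_profiles(profiles):
    """Profiles that were actually loaded at least once, service accounts excluded
    (the 'who really used this box' view, independent of NetUserEnum)."""
    return [p for p in profiles if p.loaded is not None and p.kind != "well-known"]


if __name__ == "__main__":
    for p in loaded_user_profiles(parse_profilelist(SAMPLE_PROFILELIST)):
        print(p.kind, p.sid, p.path, p.loaded, p.unloaded)
```

One caveat when applying this on a domain controller: after promotion the DC's RID-500 Administrator carries the domain SID, so the machine-SID prefix test alone labels the domain's profiles as local there; the load/unload timestamps remain the useful signal for who actually logged on to the DC.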
