One Day Sec

What are the limitations and detection risks of using RID hijacking in a penetration test?

RID hijacking has several shortcomings. The modified account must log off and log on again before the new RID takes effect. Environment variables still point to the impersonated user's profile, which causes profile confusion, and the username may be displayed as `username.machine` or as the original account name in some functions. Impersonating the built-in Administrator also creates a new user profile folder. Each of these anomalies is visible to a user or an analyst, which makes the technique easy to detect. Defenders should regularly audit the registry under `HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users` for accounts whose stored RID (in each account's `F` value) no longer matches the key name, and check whether the Guest account has been enabled without authorization. Note that `HKLM\SAM` is not readable by Administrators by default, so such an audit must run as SYSTEM; alternatively, put a SACL on the key and enable Object Access auditing for the registry so that writes are recorded as Security Event ID 4657.
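The following PowerShell audit is an added example, not code from the original page. It walks the SAM user keys, reads each account's `F` value, and compares the RID stored there (a little-endian DWORD at offset 0x30) with the RID encoded in the key name; a mismatch is the signature of RID hijacking. It also decodes the account-control flags at offset 0x38 so that an enabled Guest account (RID 501) stands out. It assumes it is run as SYSTEM (for example via `psexec -s powershell.exe`), since `HKLM\SAM` is not readable by Administrators by default; the key path and offsets are the standard SAM layout, and the output field names are this example's own.

```powershell
# Added example: audit HKLM\SAM for RID hijacking. Run as SYSTEM.
$usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

Get-ChildItem -Path $usersKey |
    # Account keys are named by RID as 8 uppercase hex digits (e.g. 000001F4);
    # this filter skips the "Names" subkey.
    Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
    ForEach-Object {
        $keyRid = [Convert]::ToInt32($_.PSChildName, 16)
        $f = (Get-ItemProperty -Path $_.PSPath -Name F).F

        # The RID Windows actually uses for this account is stored in the
        # F value at offset 0x30 as a little-endian DWORD. RID hijacking
        # overwrites exactly this field.
        $effectiveRid = [BitConverter]::ToUInt32($f, 0x30)

        # Account-control flags at offset 0x38 (16-bit). Bit 0x0001 is
        # "account disabled"; a cleared bit on RID 501 means Guest is enabled.
        $acb = [BitConverter]::ToUInt16($f, 0x38)

        [pscustomobject]@{
            Key          = $_.PSChildName
            KeyRid       = $keyRid
            EffectiveRid = $effectiveRid
            Hijacked     = ($keyRid -ne $effectiveRid)
            Disabled     = (($acb -band 0x0001) -ne 0)
            GuestEnabled = ($keyRid -eq 501 -and (($acb -band 0x0001) -eq 0))
        }
    } |
    # Report only the anomalous accounts; drop this filter to see every account.
    Where-Object { $_.Hijacked -or $_.GuestEnabled } |
    Format-Table -AutoSize
```

On a clean host the filtered output is empty. A hijacked Guest account typically shows `KeyRid 501`, `EffectiveRid 500`, `Hijacked True` and `GuestEnabled True` on the same row, which is the state the answer above describes. Because reading the SAM requires SYSTEM, this is better suited to a scheduled task or EDR script than to interactive triage; pairing it with a SACL on the key gives a real-time signal as well.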
Tags: RID hijacking detection, penetration testing limitations, privilege escalation evasion, registry auditing, Windows forensics
