

Local User Accounts on a Domain Controller

By C'Town LarryMac
This is just sort of me wondering out loud.

Why don't Local Groups and Users exist on a Domain Controller? It was one of those things that I remember learning but never really thought about until I started building an AD environment from the ground up.

I was just wondering if anybody had any insight into the rationale since local accounts exist on other servers.


All Comments

A domain is a network of computers

by Dumphrey In reply to Local User Accounts on a ...

where each "host" has about the same weight. Local accounts defeat the central administration and control of a domain. In a sense, each domain account is like a universal "local" account, since it allows log on to any machine not explicitly denied.

Then why have local accounts?

by C'Town LarryMac In reply to A domain is a network of ...

I get that part of it, but then why have local accounts at all is my point?

Non-DC servers still have them. Why, if the idea is to eliminate them in favor of central administration and control? I always understood the reason being that beyond allowing access to network resources, you wanted to control who could directly access mission-critical servers. So why wouldn't you want to extend that same protection to the Domain Controller?

Or am I missing something?

Speculation - Local accounts on DCs.

by CharlieSpencer In reply to Then why have local accou ...

The only local account we have on our servers or desktops is the local Administrator account. A small minority of our laptops have an additional local account for the primary user, but that's it. This is partly for security reasons, and partly to prevent the users from making even more work for the support team.

As to why local accounts don't exist on a DC but do on other servers, here's some speculation. A non-DC server can exist as a stand-alone device (technically the only member of its own domain) or as a member of a workgroup. A domain controller by definition must be part of a domain. Since it can't function in a local or non-domain mode, there's no need for local accounts. Again, just raw speculation.
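The policy CharlieSpencer describes (only the built-in Administrator as a local account, with the occasional extra local user on a laptop) is something you can check for rather than assume. The script below is an added example, not code from any poster in this thread. It reads the host's role from Win32_ComputerSystem, skips the local-account inventory entirely when the host is a domain controller (which, as the thread notes, has no local users to list), and on member or standalone machines reports any enabled local account that is not on an expected list. The function name Get-LocalAccountReport and the default expected-account list are my own choices; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module available.

```powershell
# Added example (not from the thread): inventory enabled local accounts on a
# Windows host, skipping the check when the host is a domain controller.
# Assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module.

function Get-LocalAccountReport {
    [CmdletBinding()]
    param(
        # Local account names that are expected to exist on a member server or
        # workstation; anything enabled beyond these is flagged for review.
        # (Assumed baseline; adjust if the built-in Administrator has been renamed.)
        [string[]]$Expected = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Win32_ComputerSystem.DomainRole: 0/1 = workstation, 2/3 = server,
    # 4 = backup domain controller, 5 = primary domain controller.
    if ($cs.DomainRole -ge 4) {
        return [pscustomobject]@{
            ComputerName = $cs.Name
            Role         = 'DomainController'
            Unexpected   = @()
            Note         = 'Domain controller: no local user accounts to audit'
        }
    }

    $role = if ($cs.PartOfDomain) { 'DomainMember' } else { 'Standalone' }

    # Enabled local accounts outside the expected baseline.
    $unexpected = Get-LocalUser |
        Where-Object { $_.Enabled -and ($_.Name -notin $Expected) } |
        Select-Object Name, LastLogon, PasswordLastSet

    $note = if ($unexpected) { 'Review these accounts' } else { 'Only expected local accounts present' }

    [pscustomobject]@{
        ComputerName = $cs.Name
        Role         = $role
        Unexpected   = @($unexpected)
        Note         = $note
    }
}

# Usage: run locally on each server or workstation you want to check.
Get-LocalAccountReport | Format-List
```

Running this across a fleet (for example through Invoke-Command) gives a quick list of machines that have drifted from the "Administrator only" baseline, and the DomainRole check keeps the report meaningful on domain controllers instead of erroring out or listing directory accounts.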
