General discussion

  • #2150611

    Local User Accounts on a Domain Controller


    by c’town larrymac ·

    This is just sort of me wondering out loud.

    Why don’t Local Groups and Users exist on a Domain Controller? It was one of those things that I remember learning but never really thought about until I started building an AD environment from the ground up.

    I was just wondering if anybody had any insight into the rationale since local accounts exist on other servers.

All Comments

    • #2914102

      A domain is a network of computers

      by dumphrey ·

      In reply to Local User Accounts on a Domain Controller

      where each “host” has about the same weight. Local accounts defeat the central administration and control of a domain. In a sense, each domain account is like a universal “local” account, since it allows log on to any machine not explicitly denied.

      • #2914087

        Then why have local accounts?

        by c’town larrymac ·

        In reply to A domain is a network of computers

        I get that part of it, but then why have local accounts at all? That is my point.

        Non-DC servers still have them. Why, if the idea is to eliminate them in favor of central administration and control? I always understood the reason to be that, beyond allowing access to network resources, you wanted to control who could directly access mission-critical servers. So why wouldn’t you want to extend that same protection to the Domain Controller?

        Or am I missing something?

        • #2914056

          Speculation – Local accounts on DCs.

          by charliespencer ·

          In reply to Then why have local accounts?

          The only local account we have on our servers or desktops is the local Administrator account. A small minority of our laptops have an additional local account for the primary user, but that’s it. This is partly for security reasons, and partly to prevent the users from making even more work for the support team.

          As to why local accounts don’t exist on a DC but do on other servers, here’s some speculation. A non-DC server can exist as a stand-alone device (technically the only member of its own domain) or as a member of a workgroup. A domain controller by definition must be part of a domain. Since it can’t function in a local or non-domain mode, there’s no need for local accounts. Again, just raw speculation.
