MS have taken great pains to remove 'Local Users and Groups' from the GUI tools, and even if you tickle up lusrmgr.msc directly it complains that the snap-in won't run on a domain controller.

The question is "why not?" Why doesn't it make sense for a DC to have local security groups?

David Bullock

1 Answer

In short, the "local users" become "domain users". Microsoft opted to only allow 1 authentication repository for 1 computer. When you promote a computer to a domain controller, the local authentication repository is used to store domain accounts. Since there is no longer a set of local users/groups/etc... you're only left with domain users & accounts. In all honesty, having "local" users on a domain controller really defeats the purpose of having a domain controller in the first place.

TheCompWiz
  • Entirely correct. "Local" means "not in the domain." This is the way MS designed AD. – mfinni Apr 28 '11 at 14:14
  • OK, that makes sense. So the implications of this are: that the "local authentication repository" in the case of a DC happens to be AD, and the groups/users defined in that repository have a domain scope? – David Bullock Apr 28 '11 at 14:23
  • Exactly. I believe that the tools you would use to work with local-users/groups/etc... also will no longer allow you to create local users/groups/etc. – TheCompWiz Apr 28 '11 at 14:30
  • Also, where a non-DC computer might have the notion of a 'Local Administrators' group, does a DC respect a domain group? Is that group the 'Domain Administrators'? – David Bullock Apr 28 '11 at 14:31
  • The domain equivalent to the Local Administrators group is the Builtin\Administrators group. When you promote a server to a DC the local groups are converted into Builtin groups in the domain. If you look in the Builtin container in ADUC you'll see the domain groups that were formerly local groups. Also, what do you mean "Does a DC respect a domain group"? – joeqwerty Apr 28 '11 at 14:38
  • @joeqwerty Great info, thanks. By "does DC respect a domain group?" I meant do local security policies on the DC that reference groups (e.g. 'members of "Local Admins" group may reboot the machine) now refer to domain-scoped groups? You answered it by telling me about the Builtin scope. Thank you. – David Bullock Apr 28 '11 at 15:07
  • @David: Glad to help. – joeqwerty Apr 28 '11 at 16:51
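The answer and comments above describe what promotion does to the SAM-local groups: they are carried into the Builtin container of the domain, and Builtin\Administrators takes the place of the local Administrators group. The following PowerShell is an added example, not code from the original thread or from any of the participants; it assumes the ActiveDirectory module (installed with the DC role or RSAT) and read access to the directory, and it lets you confirm the conversion and see who actually holds that DC-wide admin membership.

```powershell
# Added example (not from the original Q&A): inspect the former "local" groups on a DC.
# Assumes the ActiveDirectory module is available and the caller can read the directory.
Import-Module ActiveDirectory

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC; anything lower still has
# a SAM-local user/group store (which is exactly what lusrmgr.msc would show there).
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -lt 4) {
    Write-Warning "This host is not a domain controller; it still keeps its own local users and groups."
}

$domain  = Get-ADDomain
$builtin = "CN=Builtin,$($domain.DistinguishedName)"

# Every group in the Builtin container was a SAM-local group before promotion.
# AD reports them with GroupScope DomainLocal and the well-known S-1-5-32-xxx SIDs
# (S-1-5-32-544 is Administrators, the same RID a member server's local Administrators has).
Get-ADGroup -Filter * -SearchBase $builtin -Properties Members |
    Select-Object Name, GroupScope, SID,
        @{ Name = 'DirectMembers'; Expression = { $_.Members.Count } } |
    Sort-Object Name |
    Format-Table -AutoSize

# The DC's equivalent of "members of the local Administrators group": resolve nested
# membership so accounts reaching it through Domain Admins or Enterprise Admins are listed too.
Get-ADGroupMember -Identity 'Administrators' -Recursive |
    Select-Object Name, objectClass, SID |
    Format-Table -AutoSize
```

Because every DC shares the same directory, the recursive listing is the effective "local admins" set for all DCs in the domain, not just the one you ran it on; that is the practical consequence of the single authentication repository the answer describes, and it is worth reviewing periodically.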