Why are there no local users and groups on Windows 2K3/2K8 domain controllers?

MS have taken great pains to remove 'Local Users and Groups' from the GUI tools, and even if you tickle up lusrmgr.msc directly it complains that the snap-in won't run on a domain controller.

The question is "why not?" Why doesn't it make sense for a DC to have local security groups?


In short, the "local users" become "domain users". Microsoft opted to only allow 1 authentication repository for 1 computer. When you promote a computer to a domain controller, the local authentication repository is used to store domain accounts. Since there is no longer a set of local users/groups/etc., you're only left with domain users & accounts. In all honesty, having "local" users on a domain controller really defeats the purpose of having a domain controller in the first place.