Why are there no local users and groups on Windows 2K3/2K8 domain controllers?
MS have taken great pains to remove 'Local Users and Groups' from the GUI tools, and even if you tickle up lusrmgr.msc directly it complains that the snap-in won't run on a domain controller.
The question is "why not?" Why doesn't it make sense for a DC to have local security groups?
In short, the "local users" become "domain users". Microsoft opt'ed to only allow 1 authentication repository for 1 computer. When you promote a computer to a domain controller, the local authentication repository is used to store domain accounts. Since there is no longer a set of local users/groups/etc... you're only left with domain users & accounts. In all honesty, having "local" users on a domain controller really defeats the purpose of having a domain controller in the first place.