Why are users created on the domain controller always part of the domain?


When I want to create a local user on the domain controller, net user <username> <password> /add, I find that the user is automatically included in the Domain Users group.

I want to create a local administrator account on the domain controller, not part of the domain, that is able to log onto the domain controller interactively and carry out administrative tasks.

Is this possible?

Solution 1:

Local accounts are stored in a file called the SAM database. This exists on a domain controller - if you boot a domain controller in restore mode then the account you use to do this is just the local administrator account in the SAM database. However, when Windows is running normally, access to the SAM database is disabled and none of the accounts in it can be used. That means it is impossible to log on with a local account on a domain controller.

However, this can be sort of done if you are happy to work from a command line and if you don't require network access. The trick is to log on as the local system account. Windows does not provide any way to do this, but I have done it by writing a simple telnet server, then running it as a service using the local system account. When you connect to the telnet server you are logged in as the system account, not a domain account. The only restrictions are that it's command line only and the system account has no network access. If you're going to use a hack like this, be very, very careful about security!

Though all this sounds like a horrible hack, it does have legitimate uses. For example, at work we use a management tool called N-able that allows remote access to a console on servers, and it does it using basically the technique I describe above. If I open a console on one of our domain controllers and use the whoami command I get:

[screenshot of the whoami output]

Footnote

Windows has no built-in method for opening a remote command prompt, but as grawity mentions in a comment, the SysInternals psexec utility can do this, and the SysInternals utilities are provided and supported by Microsoft, so this is at least semi-official. Using psexec on one of my servers I get:

D:\temp\psexec>psexec64 \\cheddar -s cmd.exe

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 10.0.17134.345]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>exit
cmd.exe exited on cheddar with error code 0.
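The "service running as the local system account" route described in this answer, whether a home-made telnet service or psexec -s, is also the thing a defender wants to notice on a domain controller, because a SYSTEM service there is not a local account at all but effectively the domain. The following is an added example, not code from the answer or from Sysinternals: it parses constructed records shaped like Windows System-log event 7045 (the Service Control Manager "A service was installed in the system" event, which a PsExec PSEXESVC install produces) and flags SYSTEM-account service installs on DCs. The host names and the DC inventory set are assumptions.

```python
import re

# Constructed sample records in the shape of Windows System-log event 7045
# ("A service was installed in the system"), written by Service Control
# Manager for every new service. PsExec registers PSEXESVC this way and,
# with -s, runs it under LocalSystem, the only "local" identity a domain
# controller still offers once its SAM is disabled.
def event_7045(host, name, path, account):
    msg = ("A service was installed in the system.\r\n"
           f"Service Name: {name}\r\nService File Name: {path}\r\n"
           "Service Type: user mode service\r\n"
           f"Service Start Type: demand start\r\nService Account: {account}")
    return {"host": host, "id": 7045, "message": msg}

SAMPLE_EVENTS = [  # constructed, not real log data; host names are assumed
    event_7045("DC01", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "LocalSystem"),
    event_7045("DC01", "BackupAgent", r"C:\Program Files\Backup\agent.exe",
               "NT AUTHORITY\\NetworkService"),
    event_7045("WKS42", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "LocalSystem"),
]
DOMAIN_CONTROLLERS = {"DC01"}  # assumed inventory of domain controllers

FIELD_RE = re.compile(r"^Service (Name|File Name|Account): (.*)$", re.M)

def parse_7045(message):
    """Pull Service Name / File Name / Account out of the event text."""
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}

def review_service_installs(events, domain_controllers):
    """Findings for new services running as SYSTEM on a DC (high), and for
    PsExec's helper service anywhere else (medium)."""
    findings = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        f = parse_7045(ev["message"])
        runs_as_system = f.get("Account", "").lower() in (
            "localsystem", "nt authority\\system")
        is_psexec = f.get("Name", "").upper() == "PSEXESVC"
        if ev["host"] in domain_controllers and runs_as_system:
            findings.append((ev["host"], f["Name"], "high",
                             "SYSTEM service installed on a domain controller"))
        elif is_psexec:
            findings.append((ev["host"], f["Name"], "medium",
                             "PsExec service install (remote command shell)"))
    return findings

if __name__ == "__main__":
    for host, name, sev, why in review_service_installs(
            SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"{sev:6} {host:6} {name:12} {why}")
```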

Solution 2:

No, this is not possible. Domain controllers don't have their own authentication database. It is replaced by Active Directory when promoted to a Domain Controller.