active directory local user account

    Question

  • Good day,

    Is there a way of creating a local Active Directory account once the server has been promoted to a domain controller? Please help. I'm using Server 2003 Active Directory.


    • Edited by mpholi Wednesday, July 17, 2013 9:42 AM
    Wednesday, July 17, 2013 9:40 AM

Answers

  • The "guy" providing you the information about local accounts on DCs is incorrect. The information described in this thread so far is accurate. Once you promote a server to the role of Domain Controller, you are unable to create local accounts.

    However, on non-DCs, such as member-joined computers (workstations and servers), yes, you can still create local accounts.




    Wednesday, July 17, 2013 2:15 PM
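    An added example (not code from the thread) that applies the distinction made above before attempting anything: it reads the host's domain role, refuses to create a local account on a domain controller, and creates one only on a member server or workstation. It assumes a current Windows version with Windows PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts module, not the Server 2003 host in the question; the account name in the usage comment is made up.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 5.1+
# with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

function Get-HostDomainRole {
    # Win32_ComputerSystem.DomainRole: 0/1 = workstation, 2/3 = server,
    # 4 = backup domain controller, 5 = primary domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return [int]$role
}

function Test-IsDomainController {
    $role = Get-HostDomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function New-LocalAccountIfPossible {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [securestring] $Password
    )

    if (Test-IsDomainController) {
        # On a DC the local SAM is only used in Directory Services Restore Mode,
        # so there is no live local account store to add to. The account has to
        # be a domain account created in Active Directory instead.
        Write-Warning "$env:COMPUTERNAME is a domain controller; local accounts cannot be created here. Create a domain user in AD instead."
        return $null
    }

    # Member server or workstation: the local SAM is in use, so a local account is fine.
    return New-LocalUser -Name $Name -Password $Password
}

# Usage (the account name 'svc-backup' is a placeholder):
# $pw = Read-Host -AsSecureString -Prompt "Password for the new local account"
# New-LocalAccountIfPossible -Name 'svc-backup' -Password $pw
```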

All replies

  • Hello,

    No, on a DC no local accounts exist. The local SAM database that exists on non-DCs is removed and replaced with the AD database.

    There is ONLY one registry-based local account created, the DSRM administrator, so you can start the server without AD started.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, July 17, 2013 10:03 AM
  • Please understand that when a Windows server is promoted to a domain controller, the server no longer uses the local account (Security Accounts Manager [SAM]) database during normal operations to store users and groups. When the promotion is complete, the new domain controller has a copy of the Active Directory database in which it stores users, groups, and computer accounts. The SAM database is present, but it is inaccessible when the server is running in Normal mode. The only time that the local SAM database is used is when you boot into Directory Services Restore mode or the Recovery Console.


    If this new domain controller is the first domain controller in a new domain, the local SAM database that the new domain controller contained as a stand-alone server is migrated to the Active Directory database that is created during the promotion. All of the local user accounts that the local SAM database contained when it had been a stand-alone server are migrated from the local SAM database to the Active Directory database. In addition, any permissions that had been assigned to the local users, such as, NTFS permissions, are retained when the users are migrated to the Active Directory database.


    As a result, you cannot create any local user account on a domain controller.


    Regards, Vik Singh. "If this thread answered your question, please click on 'Mark as Answer'."

    Wednesday, July 17, 2013 10:04 AM
  • OK, thanks. I have a guy that wants me to create a local account, and he says it's easy to do even when the server has already been promoted.
    Wednesday, July 17, 2013 12:43 PM