Lost Local Users after joining to domain

  • Question

  • This may involve two different forums, but here it goes. We have a newly installed Windows Server 2012 R2 Standard with Active Directory, DNS and DHCP. In addition we have several newly installed Windows 10 workstations. The workstations have local user accounts (not Microsoft accounts) like Blah1, Blah2, Blah3 etc. and the local administrator account. We do all of our setup, app loading and configuration as the local administrator. Prior to bringing the workstations into the domain we log in to the workstation as Blah1, which is an administrator level account, and copy the actual Administrator Profile to the Default profile so that every new user starts with the same basic desktop at first login. Once the Default profile is set we log back in as the local administrator of the workstation and then join the domain. All good at this point. I can now log in as a domain user (XXXX23.domain.xxx) for that workstation and I get the administrator desktop and settings and the group policy is pushed from the server. That user can then customize the desktop however they wish. Still all good.

    The problem is that, unlike previous OS's, with Windows 10, once we join that PC to the domain all of the local users for that PC disappear. So if I now try to log in locally as "workstation name\ local user1" that user no longer exists. Even if I remove that PC from the domain, none of the local users I created prior to joining the domain are there anymore, not even the Blah1 administrator level user I logged in as to copy the administrator profile just prior to joining the domain. Only the local PC Administrator user is present. In Windows 8 and prior there were the local users, and the domain users. The local users would be maintained in the Control Panel\User accounts regardless of what server Active Directory I was connecting to. In Windows 10 all the pre-domain local users are lost.

    Is there a setting I am missing to retain this information?

    Tuesday, December 29, 2015 10:43 PM

Answers

  • Local Users and Groups shows local users regardless of whether they have logged in or not. With Ctrl Panel\User accounts\manage user accounts on Windows 10 it adds accounts that can log into the PC based on an external security provider. These are not local users. When they log in, a local user account is created for them; as you have noted, they do not have an associated local user account until that point.

    Moving the PC to domain security, i.e. adding it to the domain, removes the ability of the machine to log in to other external security providers, hence the accounts marked as allowed to log in using another security provider are no longer shown.

    I can only suggest that in Windows 10 you use Local Users and Groups via Computer Management to create Local Users, and they will remain after the PC is added to the domain.

    Wednesday, December 30, 2015 8:13 PM
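
One way to create the stock accounts directly in the local account database and confirm they survive the domain join, shown as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module; the account names follow the question's Blah1..Blah3 pattern, and the snapshot path and function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Account names, snapshot path and function names are placeholders.
$StockAccounts = 'Blah1', 'Blah2', 'Blah3'
$SnapshotPath  = 'C:\Build\local-users-before-join.json'

function New-StockLocalUser {
    param([string[]]$Name, [securestring]$Password, [switch]$Disabled)
    foreach ($n in $Name) {
        # Skip accounts that already exist so the function can be re-run safely.
        if (Get-LocalUser -Name $n -ErrorAction SilentlyContinue) { continue }
        # -Disabled keeps an unused stock account unusable until it is needed.
        New-LocalUser -Name $n -Password $Password -Disabled:$Disabled `
            -Description 'Stock local account (build image)' | Out-Null
        # S-1-5-32-545 is the built-in Users group, whatever the OS language.
        Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $n
    }
}

function Export-LocalUserSnapshot {
    param([string]$Path)
    # PrincipalSource shows whether an account is Local or backed by another provider.
    Get-LocalUser |
        Select-Object Name, Enabled, @{n='SID'; e={$_.SID.Value}},
                      @{n='Source'; e={"$($_.PrincipalSource)"}} |
        ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-LocalUserSnapshot {
    param([string]$Path)
    $before = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $after  = Get-LocalUser | Select-Object Name, @{n='SID'; e={$_.SID.Value}}
    # Rows marked '<=' existed before the join and are missing now.
    Compare-Object -ReferenceObject @($before) -DifferenceObject @($after) -Property Name, SID
}

# Before joining the domain:
#   New-StockLocalUser -Name $StockAccounts -Password (Read-Host 'Password' -AsSecureString)
#   Export-LocalUserSnapshot -Path $SnapshotPath
# After the join and reboot:
#   Compare-LocalUserSnapshot -Path $SnapshotPath
```

An empty result from `Compare-LocalUserSnapshot` means every account in the snapshot is still present with the same SID.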

All replies

  • Hi,

    Could you check Local Users & Groups in Computer Management to see whether the users exist or not?

    Check also the C:\users directory to see whether you are able to see the previous local users' profiles.

    Check the user profiles also with sysdm.cpl in Computer Management.

    Try to run the command below and post the results. This will help MS persons to analyze more on this issue.

    net localgroup "users"


    Regards, Krselva.

    Tuesday, December 29, 2015 11:28 PM
  • Hi,

    Would you please check if there is such a GP to delete user profiles automatically?

    Delete user profiles older than a specified number of days on system restart under Computer Configuration\Administrative Templates\System\User Profiles to be Enabled

    Also, please check the event log to see if there is any event related to this issue, and post back for our research.

    Please first enable the audit User account management: https://technet.microsoft.com/en-us/library/dd772693(v=ws.10).aspx

    https://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx

    Then, check security events in event viewer to see the details for this issue.



    Wednesday, December 30, 2015 8:01 AM
    Owner
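
The audit-then-check-events procedure suggested in the reply above, as an added example that is not part of the original thread. It assumes an English-language Windows install (the `auditpol` subcategory name is localized) and an elevated Windows PowerShell session; the function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Enable auditing for the "User Account Management" subcategory
# (name as shown on English-language systems).
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null

# Security event IDs written by that subcategory for user accounts.
$EventNames = @{
    4720 = 'Created'; 4722 = 'Enabled'; 4725 = 'Disabled'
    4726 = 'Deleted'; 4738 = 'Changed'
}

function Get-LocalAccountChange {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{ LogName = 'Security'; Id = [int[]]@($EventNames.Keys); StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields instead of relying on property order.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # Keep only accounts in this machine's own account database.
        if ($data['TargetDomainName'] -ne $env:COMPUTERNAME) { return }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Action  = $EventNames[$_.Id]
            Account = $data['TargetUserName']
            Sid     = $data['TargetSid']
            ActedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

# Run after the domain join: any 'Deleted' rows name the accounts that were
# removed and the principal that removed them.
Get-LocalAccountChange -Since (Get-Date).AddDays(-2) |
    Sort-Object Time | Format-Table -AutoSize
```

Auditing must be enabled before the domain join for the events to be recorded; no output means no matching account changes were logged in the window.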
  • Thank you for the prompt response. Here is some additional information that may help:

    >>Could you check Local users & groups

    Local Users and Groups will only show users that have actually logged into the system and created profiles by doing so. This is not in question. What we are losing is the 20 or so dummy users that we create. They show up in Ctrl Panel\User accounts\manage user accounts. We create a host of accounts that may or may not be used; that way, if each PC is ever taken out of the domain and used as a stand alone or moved to a Peer environment, there would be a stock set of local user names to log in with. It is this stock set of accounts that are being lost when Windows 10 is logged into the domain. This does not occur in Windows 7 Pro or Windows 8.1 Pro.

    >>Check also the C:\users directory

    Again, this will only show profiles for users that have actually logged into the local system prior to joining the domain. What we are losing is the list of users that were created but not logged in and thus do not have a profile yet.

    >> Unfortunately I was not able to run the cmd you noted in your response. I will try that on the next system we build though.

    Thank you.

    Wednesday, December 30, 2015 3:00 PM
  • Thank you for the suggestion. At present I do not have a set up to test this. I am a system builder. Once I finish a system I ship it to our customer. I am waiting for another setup that involves Server 12 R2 and Windows 10 to test some of your helpful suggestions. I will update my findings as information becomes available. 
    Thursday, January 7, 2016 12:55 PM