local user creation on W2K server DC

Brian

Distinguished
Sep 9, 2003
1,371
0
19,280
Archived from groups: microsoft.public.win2000.security (More info?)

Is it possible to create a local user on a Windows 2000 Server domain
controller? If so how or where. Thanks
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

No. There's no concept of a local user on a DC. All users created on a DC
are domain users.

What is it you are trying to accomplish?

--
Bob McCoy
* This posting is provided "AS IS" with no warranties, and confers no
rights.
* Please note I cannot respond to email questions. Please use these
newsgroups.


"Brian" <Brian@discussions.microsoft.com> wrote in message
news:0B396189-342C-410B-970E-C3A1072D0335@microsoft.com...
> Is it possible to create a local user on a Windows 2000 Server domain
> controller? If so how or where. Thanks
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

That can not be done. There is only one local user on a domain controller -
the built in administrator account used for Recovery Console and Directory
Services Restore. Beyond that you will have to rely on user rights,
privileged group membership [server operators and such], and maybe Group
Policy [software installation] to give a user more powers on a domain
controller without actually making them a domain admin. If you want a non
domain admin to create and manage users/groups/Group Policy, that can be
done via user delegation which give a users additional permissions to an
Active Directory object or container. -- Steve


"Brian" <Brian@discussions.microsoft.com> wrote in message
news:0B396189-342C-410B-970E-C3A1072D0335@microsoft.com...
> Is it possible to create a local user on a Windows 2000 Server domain
> controller? If so how or where. Thanks
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

If you remove an account from Domain Users, or if a DC
local admin is your objective from Domain Admins, then
you can start to come close to a local account by placing
that account instead in Users or Administrators. As much
that is domain-wide is granted in terms of the Domain Users
and Domain Admins groups this does limit the account
down somewhat - but it is still a domain account.

I am left at the same point as Bob when he asked What
is it that you are trying to do?
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brian" <Brian@discussions.microsoft.com> wrote in message
news:0B396189-342C-410B-970E-C3A1072D0335@microsoft.com...
> Is it possible to create a local user on a Windows 2000 Server domain
> controller? If so how or where. Thanks
 

Brian

Distinguished
Sep 9, 2003
1,371
0
19,280
Archived from groups: microsoft.public.win2000.security (More info?)

I was just trying to create less privaled local account for some
applications running on this server like SQL. Thanks
"Brian" <Brian@discussions.microsoft.com> wrote in message
news:0B396189-342C-410B-970E-C3A1072D0335@microsoft.com...
> Is it possible to create a local user on a Windows 2000 Server domain
> controller? If so how or where. Thanks
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

SQL Server can and should be installed/configured to run with
the main and the agent account being just plain user accounts.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Brian" <sendnospam@nowhere.com> wrote in message
news:e4qV22B7EHA.2016@TK2MSFTNGP15.phx.gbl...
> I was just trying to create less privaled local account for some
> applications running on this server like SQL. Thanks
> "Brian" <Brian@discussions.microsoft.com> wrote in message
> news:0B396189-342C-410B-970E-C3A1072D0335@microsoft.com...
> > Is it possible to create a local user on a Windows 2000 Server domain
> > controller? If so how or where. Thanks
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Remember, there is no concept of "least privileged" when you log on
interactively to a domain controller.

The assumption is that if you can put hands on the box, you can "0wn" that
box. This is why we emphatically state that physical security for domain
controllers is *critical path* important.



"Brian" <sendnospam@nowhere.com> wrote in message
news:e4qV22B7EHA.2016@TK2MSFTNGP15.phx.gbl...
>I was just trying to create less privaled local account for some
> applications running on this server like SQL. Thanks
> "Brian" <Brian@discussions.microsoft.com> wrote in message
> news:0B396189-342C-410B-970E-C3A1072D0335@microsoft.com...
>> Is it possible to create a local user on a Windows 2000 Server domain
>> controller? If so how or where. Thanks
>
>