local user creation on W2K server DC

Guest

Is it possible to create a local user on a Windows 2000 Server domain
controller? If so, how or where? Thanks
 
No. There's no concept of a local user on a DC. All users created on a DC
are domain users.

What is it you are trying to accomplish?

--
Bob McCoy
* This posting is provided "AS IS" with no warranties, and confers no
rights.
* Please note I cannot respond to email questions. Please use these
newsgroups.
 
That cannot be done. There is only one local user on a domain controller -
the built-in administrator account used for Recovery Console and Directory
Services Restore. Beyond that you will have to rely on user rights,
privileged group membership [server operators and such], and maybe Group
Policy [software installation] to give a user more powers on a domain
controller without actually making them a domain admin. If you want a
non-domain admin to create and manage users/groups/Group Policy, that can be
done via user delegation, which gives a user additional permissions to an
Active Directory object or container. -- Steve
 
If you remove an account from Domain Users, or if a DC
local admin is your objective from Domain Admins, then
you can start to come close to a local account by placing
that account instead in Users or Administrators. As much
that is domain-wide is granted in terms of the Domain Users
and Domain Admins groups this does limit the account
down somewhat - but it is still a domain account.

I am left at the same point as Bob when he asked, "What
is it that you are trying to do?"
 
I was just trying to create a less privileged local account for some
applications running on this server, like SQL. Thanks
 
SQL Server can and should be installed/configured to run with
the main and the agent account being just plain user accounts.
 
Remember, there is no concept of "least privileged" when you log on
interactively to a domain controller.

The assumption is that if you can put hands on the box, you can "0wn" that
box. This is why we emphatically state that physical security for domain
controllers is *critical path* important.
 