What a fascinating question! I believe that local user accounts are stored
in the SAM under Windows 2000. I'm not sure if it has changed since NT. If
not, it should have the same limits as SAMs.
I am curious why you would want a local account on a server? Why not just
give the domain accounts the appropriate permissions for resources on said
server? There's an interesting TechNet article on security at http://www.microsoft.com/technet/tr...windows2000serv/maintain/monitor/logonoff.asp,
which contains the line "You won't often see local user account logons in a
domain environment; however, attackers like to target local SAM accounts-",
and it goes on to advise monitoring for this.
We've been forced (by short-sighted salesmen) into a
situation where external customers are required to either
have domain accounts or local accounts to allow for
authentication against a 3rd part app we will host. We
don't want external customers to be authenticated on our
domain, so figure the local accounts approach is the
lesser of two evils.
