Windows domain controllers have no local accounts. I think I learned this back when I made my “Practice ntds.dit File Overview” series of blog posts.
Today I had to search for a Microsoft document covering this: Built-in and Account Domains.
Saturday 28 March 2020
4 Comments »
RSS feed for comments on this post. TrackBack URI
Didier, this is not actually the case sir. Domain controllers have Administrator & Guest (disabled). These accounts are how Active Directory Restore Mode operates.
Comment by Robert — Saturday 28 March 2020 @ 0:33
Well, this could become a philosophical discussion 🙂
I guess you are referring to the Administrator and Guest account in the SAM database?
They are not disabled (active:no), but the SAM database is not used when a domain controller is active (performing AD roles). It’s the ntds.dit database that is used.
When you boot your DC in DSRM mode, the machine is no longer a DC (it is not performing AD roles), and then the SAM database is used.
Comment by Didier Stevens — Saturday 28 March 2020 @ 10:11
Thanks for the reply sir! No need to dip into philosophy. My post was somewhat misleading; I meant to say that the DSRM GUEST account in the local SAM was disabled. Yes, it was the local SAM I was referring to.
Anyway, thanks for all you do here! I’ve been following you for quite a while and always look forward to seeing your ‘stuff’.
Keep on being awesome Didier!!
Comment by Robert — Saturday 28 March 2020 @ 16:29
Thanks for your kind words!
Comment by Didier Stevens — Saturday 28 March 2020 @ 17:41