Quickpost: Windows Domain Controllers Have No Local Accounts

Saturday 28 March 2020

Filed under: Quickpost — Didier Stevens @ 0:00

Windows domain controllers have no local accounts. I think I learned this back when I made my “Practice ntds.dit File Overview” series of blog posts.

Today I had to search for a Microsoft document covering this: Built-in and Account Domains.

Comments (4)

Didier, this is not actually the case sir. Domain controllers have Administrator & Guest (disabled). These accounts are how Active Directory Restore Mode operates.

Comment by Robert — Saturday 28 March 2020 @ 0:33
Well, this could become a philosophical discussion 🙂

I guess you are referring to the Administrator and Guest account in the SAM database?
They are not disabled (active:no), but the SAM database is not used when a domain controller is active (performing AD roles). It’s the ntds.dit database that is used.

When you boot your DC in DSRM mode, the machine is no longer a DC (it is not performing AD roles), and then the SAM database is used.

Comment by Didier Stevens — Saturday 28 March 2020 @ 10:11
Thanks for the reply sir! No need to dip into philosophy. My post was somewhat misleading; I meant to say that the DSRM GUEST account in the local SAM was disabled. Yes, it was the local SAM I was referring to.

Anyway, thanks for all you do here! I’ve been following you for quite a while and always look forward to seeing your ‘stuff’.

Keep on being awesome Didier!!

Comment by Robert — Saturday 28 March 2020 @ 16:29
Thanks for your kind words!

Comment by Didier Stevens — Saturday 28 March 2020 @ 17:41

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (Address never made public)

Name

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Connecting to %s