Domain – local admin vs domain admin on a domain controller

domain group-policy password

I would like to create a group policy to set a specific password for all local administrator users. Now even though you can't manage local users on a domain controller ("This snap-in cannot be used on a domain controller"), even on a DC, the local and domain admins are distinct entities, right? So if I set up my group policy, it won't affect the domain admin passwords, right? But if I link this GP to the whole domain, it will affect the local admin password on the DC, which, if demoted, will matter, right?

The GP I'm planning to use: Computer configuration, Preferences, Control Panel Settings, Local users and groups, local user, update.

Best Answer

A DC doesn't have a local Administrator account (or any other local user account); if/when you demote it, the demotion process will ask you for a new password for the newly-created local Administrator user.

Be careful, though: depending on the specific way you use to set the password, it could affect the domain Administrator if the GPO gets applied to a DC.
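A way to check the scoping concern raised above before linking the policy at the domain root. This is an added example, not part of the original question or answer. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed; the function name and the GPO name `Set Local Admin Password` are hypothetical.

```powershell
# Added example: reports whether a GPO's links reach the Domain Controllers container.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules; names are hypothetical.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoReachesDomainControllers {
    param(
        [Parameter(Mandatory)] [string] $GpoName
    )

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # DN of the container that holds DC computer accounts
    # (by default OU=Domain Controllers,<domain DN>).
    $dcOu = (Get-ADDomain).DomainControllersContainer

    # InheritedGpoLinks is the resolved list of links that apply at this
    # container, including links made higher up, such as at the domain root.
    $som  = Get-GPInheritance -Target $dcOu
    $link = $som.InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id -and $_.Enabled }

    [pscustomobject]@{
        Gpo         = $gpo.DisplayName
        DcContainer = $dcOu
        ReachesDCs  = [bool]$link
        LinkedAt    = $link.Target          # where the applying link was made
        Enforced    = $link.Enforced
        GpoStatus   = $gpo.GpoStatus        # e.g. ComputerSettingsDisabled
        WmiFilter   = $gpo.WmiFilter.Name   # a WMI filter may still exclude DCs
    }
}

Test-GpoReachesDomainControllers -GpoName 'Set Local Admin Password'
```

Link resolution does not account for security filtering or WMI filters, so `ReachesDCs = True` means the policy is in scope for the container, not that every DC will apply it. DCs moved out of the default container are not covered by this check.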
