Windows Server 2008: How to tell if a user is a ‘local’ user or a ‘domain’ user

active-directory windows-server-2008 windows-server-2008-r2

I'm a developer, not a server admin, so please bear with me!

I've been tasked with checking the installation of some software on a Windows Server 2008 R2 machine in the cloud, within two scenarios:

  1. There is no domain; the software will use local users and groups for authentication
  2. There is a domain; the software will use domain users and groups for authentication

I've done part 1, but I'm puzzled about part 2.

I've just installed the Active Directory Domain Services role on the server, so now I have a domain of one computer. When I look in Active Directory Users and Computers, I see all my original local users and groups. Have they now been 'promoted' to domain users? Or do I not have any domain users yet? Is there a way I can tell the difference between domain users and local users now?

Thanks

Best Answer

Everything that appears within the Active Directory Users and Computers console is in the domain and replicated to all Domain Controllers.

On a Domain Controller (i.e. a server with the Active Directory Domain Services role installed), there are no local users and groups (except for the Directory Services Restore Mode user, which is a special case).

Member servers and workstations in a domain have their own local users and groups. When a machine is added to a domain, some Domain groups are automatically nested into the local groups: the Domain Admins group becomes a member of the local Administrators group, and the Domain Users group becomes a member of the local Users group.

In short though, if the user account appears in the ADUC console, it's a domain account.
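
The same distinction can be checked from a PowerShell prompt. This is an added example, not part of the original answer: it reads the machine's role from WMI and labels each account it finds as local or domain. `Get-AccountScope` and `$roleNames` are names made up for this sketch; it uses only `Get-WmiObject`, so it runs on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example: classify accounts as Local or Domain from the machine's role.
# DomainRole values reported by the Win32_ComputerSystem WMI class.
$roleNames = @{
    0 = 'Standalone workstation';   1 = 'Member workstation'
    2 = 'Standalone server';        3 = 'Member server'
    4 = 'Backup domain controller'; 5 = 'Primary domain controller'
}

# Hypothetical helper: decide the scope of one account.
function Get-AccountScope {
    param(
        [int]$DomainRole,        # Win32_ComputerSystem.DomainRole
        [string]$ComputerName,   # NetBIOS name of this machine
        [string]$AccountDomain   # Win32_UserAccount.Domain of the account
    )
    # Roles 4 and 5 are domain controllers: the accounts they hold live in
    # the directory, so none of them is a machine-local account.
    if ($DomainRole -ge 4) { return 'Domain' }
    # Elsewhere, a local account's "domain" is the computer's own name.
    if ($AccountDomain -eq $ComputerName) { return 'Local' }
    return 'Domain'
}

$cs = Get-WmiObject -Class Win32_ComputerSystem
"{0} is a {1} (domain/workgroup: {2})" -f $cs.Name, $roleNames[[int]$cs.DomainRole], $cs.Domain

# The filter keeps WMI from enumerating every account of a large domain
# when this is run on a member server or workstation.
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Domain, Disabled, SID,
        @{ Name = 'Scope'; Expression = { Get-AccountScope $cs.DomainRole $cs.Name $_.Domain } } |
    Sort-Object Scope, Name |
    Format-Table -AutoSize
```

For software that authenticates against these accounts, the `Domain` column shows the prefix a logon name has to carry: the computer name for a local account, the domain's NetBIOS name for a domain account.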