Let's throw a bit of light on this.
Technically, there IS a local SAM on a domain controller.
It's only that its content is identical to that of the SAMs
of all domain controllers, as they are all only replicated copies
of the SAM of the PDC. That is, although it has its own local
copy of the user accounts database (that's what it uses when
authenticating users), a BDC does not have a unique, singular
database.
As for normal (default) user accounts created on a PDC (thus
in a domain), yes, their usage scope is the full domain scope
itself, which means these accounts are recognised not only by all
member computers in the domain but also by computer members
of all the domains that trust it (trusting domains).
What "local" accounts mean in this context is a type of domain user
accounts that are designed only to authenticate users with the same
user/pwd pair in "untrusted" domains (i.e. the accessed computer can't
ask them to authenticate the user name from their own SAM).
These accounts will not be recognised by trusting domains.
This is somehow equivalent to the workgroup mode of authentication,
where user access to local resources is granted if an identical
user/pwd pair exists in the local SAM. Technically, it's not the
same user account who's granted access, but chances are, the account
is designed for and owned by the same human person.
Local accounts in domains thus allow you to grant access to local
resources to a user whose main (a.k.a login) account is defined in
a domain with which you don't have a trust relationship.
As mentioned by Howard, the right flag for this type of account is
UF_TEMP_DUPLICATE_ACCOUNT.
For more information on the user flags, check:
http://msdn.microsoft.com/library/psdk/network/ntlmapi3_13ea.htm
For more details on local accounts, see:
http://support.microsoft.com/support/kb/articles/Q102/0/35.asp
http://support.microsoft.com/support/kb/articles/Q103/3/90.asp
_____________________________________________
Bruno Bellenger
Sr. Network/Systems Administrator
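A worked example of the flag described above, added here and not code from any of the posters: creating a domain "local" account with Win32::Lanman by passing UF_TEMP_DUPLICATE_ACCOUNT instead of the default UF_NORMAL_ACCOUNT, then reading the account back to confirm which type bit is set (the same read-back is a handy audit check for finding such accounts later). The server name, account name and password are assumed; the UF_ bit values are taken from lmaccess.h rather than relying on Win32::Lanman's exported constants.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Win32::Lanman;

# UF_* bit values from lmaccess.h. NetUserAdd requires UF_SCRIPT plus
# exactly one account-type bit; the type bit decides global vs local.
use constant UF_SCRIPT                 => 0x0001;
use constant UF_TEMP_DUPLICATE_ACCOUNT => 0x0100;   # "local" domain account
use constant UF_NORMAL_ACCOUNT         => 0x0200;   # default: global account
use constant USER_PRIV_USER            => 1;

my $server = '\\\\PDC01';        # assumed PDC name
my $user   = 'jdoe-local';        # assumed account name
my $pass   = 'PLACEHOLDER-pw';    # placeholder; read from a prompt in practice

# USER_INFO-style hash; the 'flags' key is what makes the account local.
my %new_user = (
    name     => $user,
    password => $pass,
    priv     => USER_PRIV_USER,
    comment  => 'Local account for a user whose main account is in an untrusted domain',
    flags    => UF_SCRIPT | UF_TEMP_DUPLICATE_ACCOUNT,
);

Win32::Lanman::NetUserAdd($server, \%new_user)
    or die "NetUserAdd failed, error " . Win32::Lanman::GetLastError() . "\n";

# Read the account back and check the type bit that NetUserAdd stored.
my %info;
Win32::Lanman::NetUserGetInfo($server, $user, \%info)
    or die "NetUserGetInfo failed, error " . Win32::Lanman::GetLastError() . "\n";

if ($info{flags} & UF_TEMP_DUPLICATE_ACCOUNT) {
    print "$user is a local domain account (not honoured by trusting domains)\n";
} elsif ($info{flags} & UF_NORMAL_ACCOUNT) {
    print "$user is a global domain account\n";
} else {
    printf "%s has an unexpected account type (flags 0x%x)\n", $user, $info{flags};
}
```

Note that a local account still authenticates anyone presenting the same user/pwd pair from an untrusted domain, so such accounts deserve the same password and review discipline as global ones.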
-----Original Message-----
From: Finnerty, Sean [SMTP:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 10:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Creating Local User on PDC
There is no Local SAM on a domain controller.
-----Original Message-----
From: Andrew Bosch [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 9:59 AM
To: [EMAIL PROTECTED]
Subject: Re: Creating Local User on PDC
Accounts created on a PDC will always be global.
andrew
>>> "Paul Greenwood" <[EMAIL PROTECTED]> 5/7/2001 12:39:49 AM >>>
Hi,
I'm using Win32::Lanman to create local user accounts on a number of machines.
When I use the NetUserAdd() function, the accounts created on the PDC are
always *global* accounts - not *local* ones.
Is there any way to force the account being created on the PDC to be local?
Cheers, Paul
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
http://listserv.ActiveState.com/mailman/listinfo/perl-win32-admin