70-270 Question on Domain Controllers

Status
Not open for further replies.

thewun1

First time poster...

The MS Press book states:

"NOTE: Because domain controllers do not maintain a local security database, local user accounts are not available on domain controllers. Therefore, a user cannot log in locally to a domain controller."

I was assuming at first glance that NO ONE can log on to the local machine (sitting down in front of it) acting as a DC. Anyone wanting to log on to the DC would have to do it from a separate terminal.

Correct me if I'm wrong, but this is simply to restrict "users" (aka non-admins) from logging on to the DC and messing things up?

So bottom line, I am guessing... you can still log on locally to the DC, you just have to be in the admin group or other permitted group allowed by the group policy.

Now can an admin log on to the DC from a remote workstation with the proper credentials?
Thanks for any input!
-Mike
 
"So bottom line, I am guessing... you can still log on locally to the DC, you just have to be in the admin group or other permitted group allowed by the group policy."

I'm not sure what the answer is here, but I think it simply means you must have a domain account to log on to the DC, as there is no local security database. I.e. you can sit down in front of it and log in, but only with a domain account. With a workstation you could log in with a local account (although you would have no access to the network).
 
Non domain admins cannot log in to DCs by default; you can change that in local policy.

An admin can log in to the remote DC with his Active Directory account.

They are just trying to say that member servers have AD logins and local logins (domainname\username and computername\username) while DCs only have (domainname\username)
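
An added example, not part of the original thread: one way to see which principals hold the "Allow log on locally" right (`SeInteractiveLogonRight`) discussed above, by parsing a `secedit` user-rights export. The function name `Get-LocalLogonPrincipals` and the sample export are constructed for illustration.

```powershell
# Added example: list holders of "Allow log on locally" (SeInteractiveLogonRight)
# from the [Privilege Rights] section of a secedit export.
function Get-LocalLogonPrincipals {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$InfLines)

    $inSection = $false
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside the user-rights section
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^SeInteractiveLogonRight\s*=\s*(.*)$') {
            foreach ($entry in $Matches[1].Split(',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs with a leading asterisk
                    $sid = $entry.Substring(1)
                    try {
                        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch { $name = '(unresolved)' }
                    [pscustomobject]@{ Sid = $sid; Name = $name }
                } else {
                    # Entries without an asterisk are plain account names
                    [pscustomobject]@{ Sid = $null; Name = $entry }
                }
            }
        }
    }
}

# Constructed sample export (well-known SIDs: Administrators, Account/Server/
# Print/Backup Operators, Enterprise Domain Controllers)
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-9
'@ -split '\r?\n'

Get-LocalLogonPrincipals -InfLines $sample | Format-Table -AutoSize

# On a live DC, from an elevated prompt:
# secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
# Get-LocalLogonPrincipals -InfLines (Get-Content "$env:TEMP\rights.inf")
```

Any entry outside the built-in administrative and operator groups is worth reviewing, since it means that principal can sign in at the DC console.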
 