Local Admin Account locks out the Domain Admin Account

Discussion in 'Windows Server' started by Tim Trabold, Mar 2, 2006.

  1. Tim Trabold

    Tim Trabold Guest

    We have an unusual situation. We have set up some stand alone servers and
    renamed the local admin account - (it was Administrator). We gave the local
    account the same name as a domain admin account, but it has a different
    password.

    If we are logged onto a server locally using the local admin name and
    password we have problems when browsing the domain. Any time we try to
    browse to the domain and look at a folder on the DC, a GP tries to apply and
    it locks the domain admin account (same name, but different password) and we
    get a message saying the domain account is locked out. If we make the
    passwords the same, this doesn't happen and it asks us to enter domain
    credentials. If we turn off all group policies, it will ask for credentials
    regardless of the password.

    Our questions are these: Why is the domain treating a local account as a
    domain account? Why does it not see the local account, even though the name
    is the same, as a different account since it is not a domain account? Why is
    group policy trying to use the local credentials as domain credentials and
    not first asking for domain credentials?

    Here is another caveat. The above happens in our test lab. In our
    production environment, we have servers with the local admin account the same
    as a domain admin account of the same name. They have different passwords,
    we do push down some GPs and it always asks for credentials when we browse
    from a locally logged on server to the domain. It doesn't lock it out.

    Any ideas? Which action is correct? If one way is wrong why? How do we
    fix it?

    Thanks.
    Tim Trabold
     
    Tim Trabold, Mar 2, 2006
    #1

  2. Charlie

    Charlie Guest

    I can address part of this -

    When logged on with a local account that has the same name and password as
    an account that exists on the server you are trying to access, you will have
    success, as you may know.

    To a domain controller, it sees the accounts that exist on it the same as if
    it were a stand alone server, i.e., as local accounts. That is why, to the
    domain controller, machine_name\jsmith is the same as domain_name\jsmith, the
    same way a member server would see remote_machine_name\jsmith the same as
    local_machine_name\jsmith.
     
    Charlie, Mar 2, 2006
    #2
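The practical consequence of Charlie's point is that any local account whose name also exists in the domain can silently spend the domain account's lockout budget during pass-through authentication. The following PowerShell check is an added example, not code from either poster: it lists the enabled local accounts on the member server that collide with a domain account name and shows that domain account's current bad-password counter and lockout state. It assumes the RSAT ActiveDirectory module is installed, Get-LocalUser is available (Windows PowerShell 5.1 or later), and the caller can read user attributes in the domain; `SrvLocalAdmin` is a placeholder name.

```powershell
# Added example: report local accounts whose names collide with domain accounts,
# together with the domain account's lockout state. Assumes RSAT ActiveDirectory
# module and Get-LocalUser are available on a domain-joined member server.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: compare against the current domain
)

Import-Module ActiveDirectory -ErrorAction Stop

# Lockout threshold from the default domain password policy (0 means accounts never lock).
$threshold = (Get-ADDefaultDomainPasswordPolicy -Server $Domain).LockoutThreshold

$report = foreach ($local in Get-LocalUser | Where-Object Enabled) {
    # Look for a domain account with the same sAMAccountName as the local account.
    $domainUser = Get-ADUser -Server $Domain `
        -LDAPFilter "(sAMAccountName=$($local.Name))" `
        -Properties badPwdCount, LockedOut, LastBadPasswordAttempt, memberOf `
        -ErrorAction SilentlyContinue
    if (-not $domainUser) { continue }   # no name collision, nothing to report

    $isDomainAdmin = [bool]($domainUser.memberOf |
        Where-Object { $_ -like 'CN=Domain Admins,*' })

    [pscustomobject]@{
        LocalAccount     = "$env:COMPUTERNAME\$($local.Name)"
        DomainAccount    = "$Domain\$($domainUser.SamAccountName)"
        IsDomainAdmin    = $isDomainAdmin
        BadPwdCount      = $domainUser.badPwdCount          # per-DC counter, not replicated
        LockoutThreshold = $threshold
        LockedOut        = $domainUser.LockedOut
        LastBadPassword  = $domainUser.LastBadPasswordAttempt
    }
}

$report | Format-Table -AutoSize

# Mitigation (not proposed in the thread, an assumption of good practice): give the
# local administrator a name that does not exist in the domain, so a local session's
# cached credentials are never replayed against a domain account of the same name.
# Rename-LocalUser -Name 'Administrator' -NewName 'SrvLocalAdmin'   # placeholder name
```

Because badPwdCount is not replicated, a counter of 0 on one DC does not prove the account is clean; the authoritative view is the PDC emulator, which receives every failed attempt.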

  3. Tim Trabold

    Tim Trabold Guest

    Why doesn't it see them as two different accounts with 2 different SIDs?
     
    Tim Trabold, Mar 3, 2006
    #3