Platform SDK: Active Directory, ADSI, and Directory Services
A local user account (name format: .\username) exists only in the SAM database of the host computer; it does not have a user object in Active Directory. This means that a local account cannot be authenticated by the domain. Consequently, a service running under a local account does not have access to network resources (except as an anonymous user), and it cannot support Kerberos mutual authentication, in which the service is authenticated by its clients. For these reasons, local user accounts are typically inappropriate for directory-enabled services. On the plus side, bugs in the service cannot damage the system. If your service can operate within these limitations, it should run under a local user account.
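
The following PowerShell is an added example, not part of the SDK documentation: it classifies a service's logon account (the StartName property of Win32_Service) so that services running under a local user account, and therefore subject to the limitations described above, can be listed. The function name Get-ServiceAccountKind, the host name HOST01 and all service and account names are constructed for illustration.

```powershell
# Classify a service logon account by where it is authenticated.
# Get-ServiceAccountKind is a hypothetical helper written for this example.
function Get-ServiceAccountKind {
    param(
        [string]$StartName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ([string]::IsNullOrEmpty($StartName)) { return 'None' }   # no logon account recorded
    if ($StartName -eq 'LocalSystem')        { return 'BuiltIn' }
    if ($StartName -like '*@*')              { return 'DomainUser' }  # UPN form user@domain
    $parts = $StartName -split '\\', 2       # authority\account
    if ($parts.Count -lt 2)                  { return 'Unknown' }
    $authority = $parts[0]
    if ($authority -in 'NT AUTHORITY', 'NT SERVICE')         { return 'BuiltIn' }
    # ".\username" or "<this computer>\username": the account lives only in the local SAM
    if ($authority -eq '.' -or $authority -eq $ComputerName) { return 'LocalUser' }
    return 'DomainUser'
}

# Constructed sample records. On a live host, replace with:
#   Get-CimInstance Win32_Service | Select-Object Name, StartName
$services = @(
    [pscustomobject]@{ Name = 'DirSyncSvc'; StartName = '.\svc_dirsync' }
    [pscustomobject]@{ Name = 'ReportSvc';  StartName = 'HOST01\svc_report' }
    [pscustomobject]@{ Name = 'LdapAgent';  StartName = 'EXAMPLE\svc_ldap' }
    [pscustomobject]@{ Name = 'Spooler';    StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'W32Time';    StartName = 'NT AUTHORITY\LocalService' }
)

$services | ForEach-Object {
    $kind = Get-ServiceAccountKind -StartName $_.StartName -ComputerName 'HOST01'
    [pscustomobject]@{
        Service = $_.Name
        Account = $_.StartName
        Kind    = $kind
        # True when the limitations in the text apply: no Active Directory user
        # object, anonymous-only access to network resources, and no Kerberos
        # mutual authentication of the service by its clients.
        LocalAccountLimits = ($kind -eq 'LocalUser')
    }
} | Format-Table -AutoSize
```

A directory-enabled service that shows LocalAccountLimits as True is the case the text calls typically inappropriate; for any other service the same value indicates the more contained configuration.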