8.5 Using a DLU in a Domain Environment

Domain authentication is not possible when you do a local login based on the eDirectory credentials and not the domain credentials. Enabling a DLU policy forces the creation and use of a local account that does not have access to domain resources, even if you are logged in to the domain.

When a DLU policy is enforced on devices joined to a domain, it forces a local log in instead of a domain log in. Using a DLU is not supported on a domain controller, because the domain controller has no local Security Accounts Manager (SAM) to provide a local login.

You might want to use a DLU for certain reasons, even when the device is in a domain:

  • When only devices are in domain and not the users, users need a DLU to ease access to their computers or if the domain trust is broken

  • When the users are in the middle of a migration and do not want to flip a switch

  • When users require access to local personal computers while accessing certain devices versus their normal domain rights

To manage Windows user accounts in an eDirectory environment:

  • Use an NT or AD domain and then use Account Management or Identity Manager to synchronize AD and eDirectory accounts and passwords

  • Use a DLU policy to automatically create and manage the Windows account upon eDirectory login

Using a DLU in a domain environment might cause problems in some of the following circumstances:

  • When the user assigned to a DLU policy attempts to log in to eDirectory, the Windows authentication is done with a local user and not a domain user. This is because the Windows authentication settings to log in to the domain are ignored, when the DLU policy is in effect.

  • When the user is authenticated to Windows with a local account, domain access appears to be working if the local Windows account and the domain Windows account have the same username and password. The DLU user, although it is based on eDirectory credentials has the same username and password as the user in the Active Directory domain. However, account access depends on where the authentication request originates:

    • When you use a local Windows account to access a resource from a domain controller, the authentication attempts work and access is granted because the domain user account exists in the local Security Accounts Manager (SAM) of the domain controller.

    • When you use a local Windows account to access a resource from a member server using a local Windows account, the authentication attempt fails and access is not granted because it is a member server and the domain user account does not exist in its local SAM. The member server cannot access a domain controller to obtain authentication.