Daniel Hwang

Active Directory Vs. Local Account

We are planning to deploy AD to use smart cards, but I don't like the idea of having AD on production servers. A lot of specialists recommend using local user accounts because they are more reliable than AD.
In most of my cases AD is used in an internal office, but not on web or production servers.

I would be more satisfied having third-party opinions.
Roachy1979

There's nothing wrong with using AD in production equipment - in fact it's the preferred way of handling things, as it gives the ability to use centralised management, security etc. For an office environment AD is the way forward.

The only instance I wouldn't use AD on a production server is on an external-facing web server where no AD functionality is required (i.e. the server doesn't need to connect to Active Directory resources), in which case I would isolate the machine using a VLAN so it's effectively standalone with an internet connection.
Daniel Hwang

Can you tell me why you wouldn't use AD on an external-facing web server in more detail?
The simple answer would be that AD is the answer - full stop.

Everything that you can do with a local account, you can also do with an AD account. Further to this, with a little wizardry, you can set certain accounts to only be allowed to log onto certain machines - therefore making them effectively network-based local accounts.

If you were worrying about the security aspect - don't. AD accounts are more secure. I can't remember the technical details behind it, but there are a lot of security overheads on AD and server accounts that aren't there on standard machine accounts.

In essence, there is no situation where AD accounts wouldn't be a better solution than local accounts.

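The "only allowed to log onto certain machines" setting Ben mentions is the account's Log On To restriction (the userWorkstations attribute). The PowerShell below is an added example and not from this thread; it assumes the RSAT ActiveDirectory module, a hypothetical account svc-web01, hypothetical hosts WEB01 and WEB02, and a placeholder OU.

```powershell
# Added example: pin an AD account to specific computers and audit the
# accounts that still carry no such restriction. Assumes the RSAT
# ActiveDirectory module; account, host and OU names are hypothetical.
Import-Module ActiveDirectory

# Restrict the account to the hosts it is meant to run on. The value is a
# comma-separated list of NetBIOS computer names (the "Log On To" dialog).
Set-ADUser -Identity 'svc-web01' -LogonWorkstations 'WEB01,WEB02'

# Verify: LogonWorkstations is not in the default property set, so ask for it.
Get-ADUser -Identity 'svc-web01' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# Audit: enabled accounts in the service-account OU with an empty
# LogonWorkstations value can still log on anywhere in the domain.
$ou = 'OU=Service Accounts,DC=example,DC=com'   # placeholder DN
Get-ADUser -SearchBase $ou -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
    Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
    Select-Object SamAccountName, DistinguishedName
```

The domain controller checks this attribute against the computer name presented at logon, so pair it with the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights in Group Policy on servers the account should never touch.
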
"Can you tell me why you wouldnt use AD on an external facing web server in more detail?"

The only reason why I wouldn't use AD on an external-facing web server is that I would have the machine completely standalone - with no access to my network other than for remote management, thus eliminating any security risks from the outside world to my sensitive data. The exception to this is servers that HAVE to be AD integrated (Sharepoint

Ben is completely right though in that AD is infinitely more secure than a local system account.

Sorry - didn't finish that comment!!

Sharepoint and Outlook Web Access would be my exceptions...
Thanks... Those are the comments that I will need.. :)
Roachy1979 - Thanks :) nice to see my comment was a good one :) where it's due - and sometimes it's good to have a couple of opinions expressing the same point :)
I would not use Active Directory on a web server unless it's needed, in order to protect my Active Directory itself. Web servers are exposed to the internet (listening on port 80 at least); if my web server got compromised, the hacker would have access only to that web server, not to my AD.
Pearl_export_ben