How domain authentication works if both local administrator and Domain Administrator have the same credential

Question

I have gone through the detailed architecture of Windows Interactive logon procedure both for local and domain login.

But one thing I am not sure how actually it works when:

My system is part of a Domain group and both local administrator and Domain Administrator have the same credential/password.

e.g: MyDomain\Administrator this is Domain Administrator have the same password for local administrator.

In this case how authentication actually works? Whether it validates the user from the local LSA or it goes till Domain controller LSA?

Answer 1

If you're logging into the domain then it authenticates with a Domain Controller. If you're logging into the local computer then it authenticates with the local security authority of the computer that you're logging into. It doesn't matter that the usernames and passwords are the same. The difference is in the context, are you logging into the domain or the local computer?

Domain\Username

OR

Computer\Username

Answer 2

It does not matter if they have the same password (though this is not necessarily a best practice). When logging in, the password is checked in different places:

• the local administrator is checked in the local machine
• the domain administrator is checked in the domain (the Active Directory).

When you log in, the login dialog makes this distinction, e.g., by requiring you to prefix the account name with a domain (or the local machine name) if you want to use anything other than the currently selected domain- or machine-name (in the "Options").

Incidentally, for the special case of a domain controller (machine), there is no local administrator. It has only the domain administrator account.