If you demote a supervisory controller from a Site Director to a child device on the site, all local and Active Directory service user accounts that you added to the device while it was a Site Director remain in the Security Database unless you manually remove them. If you do not manually remove them, any user with an active (enabled) account in the Security Database may locally log in to the demoted device.
Also, user accounts from the demoted device are not synchronized with user accounts on the new Site Director. This feature prevents you from maintaining the user accounts from the demoted sites. For example, if you change the privileges of a user account at the Site Director, these changes do not propagate to the demoted device. For details on how to manually remove a user account from a demoted Site Director, refer to the NAE Commissioning Guide (LIT-1201519) , SNC Commissioning Guide (LIT-12013295), SNE Commissioning Guide (LIT-12013352), the ADS/ADX Commissioning Guide (LIT-1201645) , ODS Commissioning Guide (LIT-12011944) and the Open Application Server (OAS) Commissioning Guide (LIT-12013243) .