Running the check called: Is 'Accounts: Administrator account status' set to 'Disabled'? (found in various CIS standards for Windows) results in FAIL when it is run against Domain Controllers.
This occurs even when the Administrator account has been disabled in Active Directory.
This is working as designed.
Domain controllers do not have "local" users and "local" groups. All users and groups on a domain controller are domain accounts and domain groups.
CCS evaluates the Is 'Accounts: Administrator account status' set to 'Disabled'? check with a call against local accounts only. Since a domain controller's (DC's) Administrator account is not "local", the information for this account is kept in a different store that is accessible only through domain API calls, not local calls.
Therefore, even when the Administrator account is disabled in Active Directory, the check is unaware that the account has been disabled and will FAIL (due to the logic in the check).
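The following PowerShell is an added example, not part of this article or of CCS itself. It shows the difference the article describes: the built-in Administrator account (always RID 500 in the domain SID) is read through the domain API (Get-ADUser) and, for comparison, through the local-account API (Get-LocalUser) that a local-only check relies on. It assumes the ActiveDirectory module (RSAT) is installed and the session has read access to the domain; the variable names are the author's own.

```powershell
# Added example (not from the CCS article): compare the domain (AD) view of the
# built-in Administrator account with the local-account view on a domain controller.
# Assumes the ActiveDirectory module is available and the session can read the domain.
Import-Module ActiveDirectory

# The built-in Administrator account always has relative ID (RID) 500 in the domain SID.
$domain   = Get-ADDomain
$adminSid = "$($domain.DomainSID.Value)-500"

# Domain API view: this is the store that actually holds a DC's Administrator account,
# so this is where a "disabled" setting made in Active Directory is visible.
$adAdmin = Get-ADUser -Identity $adminSid -Properties Enabled
[PSCustomObject]@{
    Source  = 'ActiveDirectory'
    Name    = $adAdmin.SamAccountName
    Enabled = $adAdmin.Enabled   # $false means the account is disabled in AD
}

# Local-account API view: the kind of query a local-only check performs.
# On a DC the account is not a "local" user, so this query may error or may
# not reflect the AD state; the try/catch only reports what happens on this host.
try {
    $localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    if ($null -eq $localAdmin) {
        Write-Warning 'No local RID-500 account visible through the local-account API on this host.'
    } else {
        [PSCustomObject]@{
            Source  = 'LocalAccounts'
            Name    = $localAdmin.Name
            Enabled = $localAdmin.Enabled
        }
    }
} catch {
    Write-Warning "Local-account query failed on this host: $($_.Exception.Message)"
}
```

Run it on, or in a session targeting, a domain controller: the ActiveDirectory row reports the real state of the account, while the LocalAccounts row (or warning) shows why a check limited to local accounts cannot see that state.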
WARNING: Because the administrator account on a Domain Controller is often the account that created the domain, certain domain functions can only be done with this account.
NOTE: An exception can be created for this check for domain controllers. This will keep CCS from counting this check against the CVSS score for the DCs.