Windows domain users vs local users

It is important to remember that if you eventually remove your computer from the domain, you will be unable to log in because the computer will not be able to access the domain controller. If you plan to remove your computer from the domain for example, moving your computer to an off-campus location , you must create a local user.

This is document anbn in the Knowledge Base. Last modified on Skip to: content search login. Knowledge Base Toggle local menu Menus About the team.

Can you sign in with a Microsoft account without an Internet connection? Of course! You only need to be connected to the Internet when you create a Microsoft account or switch to a local account.

The default local Windows account name is Administrator. In modern versions of Windows, this account is disabled by default. Instead, when you first log in to Windows, you are prompted to create a new account. This account is automatically added to the built-in Administrators group. If you do not know the names of local accounts on your computer, or you cannot log in under the built-in administrator this account name can be renamed manually or via domain Group Policies , you can display a list of all local Windows accounts from the command line:.

In the latest Windows 10 builds, Microsoft recommends using Microsoft accounts instead of local Windows accounts. If you do not want to use the Microsoft account on Windows 10, you can switch to a traditional local Windows account. Once you completed these steps, your Windows 10 account will be disconnected from your Microsoft account. There is a big difference between Windows 7 and Windows XP in this instance, as Windows 7 forces the installation to create a new user account, which will be used in lieu of the built-in Administrator account.

The reason for this is to reduce the overall attack surface, as the built-in Administrator can be disabled, configured with a significant password, etc. When a user logs on with a local user account the scope and access that the user has access to, is significantly reduced.

Local user accounts only have access to resources on the local computer and nothing else. Thus, the access in a corporate environment is diminished enough to make the configuration undesired. There are plenty of default domain accounts when Active Directory is installed.

For a Windows Server or R2 freshly installed domain controller for a new domain, the list of user accounts include:. Again, notice that in a newer operating system domain, there is a forced admin account to be created, which is intended to be used in lieu of the built-in Administrator.

For the domain, it is not highly suggested to disabled the Administrator account, but rather rename it, configure a long and strong password, and then create a false Administrator account which has no admin privileges. The scope of a domain account is where the power of a Windows Active Directory domain comes into play.

Domain user accounts can be configured for the following:. To allow users to logon with a local account creates an insecure situation, as there is little that can be done to control local accounts. Domain user accounts can be controlled, disabled, and managed centrally. The concept of domain vs local user account is really not much of a debate. For any organization, I highly suggest that all local user accounts be deleted and only those that are truly required be allowed. Spiceworks Help Desk.

The help desk software for IT. Track users' IT needs, easily, and with only the features you need. Learn More ». Kelso May 28, at UTC. Thai Pepper. Bill Morrow This person is a verified professional. Verify your account to enable IT peers to see that you are a professional. Bart May 29, at UTC. Bart, thanks for that link.

Thank you to everyone for the replies. Bart Jun 5, at UTC. Wish you all the best.