Introduction

Years ago, I was just starting out in tech. I was located at a remote facility compared to the rest of the company, and we had someone that was demanding domain administrator credentials. I kept telling them no and pointing them over to the people that controlled that access, but it was obvious that they would shoot the person down immediately. 

Eventually, this person got their manager involved, along with my manager at the time, and both of them started saying that I should grant this access. I was so torn on it, and due to time and distance, I didn’t really feel like I had backup. Thankfully, I stuck to my guns and didn’t give out the access, but it just goes to show you how easily someone can be pressured into trying to give up privileged information like that.

So why is this such a big deal? So what if this random person had domain administrator credentials? What does that even mean anyway?

To answer that question, we first need to drill down into the three kinds of user accounts that Windows recognizes: local accounts, domain accounts and Microsoft accounts.

Local user accounts

In general, when we’re talking about anything “local,” we’re referring in context to an individual computer right in front of you — this local box exclusively. A local user account can be used on this particular machine and no others … with some practical exceptions. If you tried to log in with this particular login and password anywhere that those credentials hadn’t been explicitly set up, it would bounce back and say that isn’t a valid username and password combination. 

Local user accounts can be divided into two broad categories: users and administrators. Normal users can log into the system, run most programs, print and perform a wide variety of tasks. What they can’t do, however, is make system-level changes. Most of the time, they cannot install new applications. 

I say “most of the time” because Windows tends to be a bit quirky about the exact permissions required for certain actions. For example, a normal user can plug in a USB keyboard or mouse and use them just fine. If an advanced keyboard or mouse needs custom drivers that aren’t already on the system, however, the user will be prompted for administrator-level access before the support packages can be installed.

Some people may see the above and wonder, “But what about power users?” The Power Users group may still exist in your installation of Windows 10, but it is there only for legacy support. As of Windows Vista, it no longer has the abilities it once did, due to the addition of User Account Control (UAC).

It’s highly recommended to have at least one additional administrator-level user account on any non-domain system, if only for password recovery situations. If a user forgets their password, local user accounts historically haven’t had any built-in method for resetting it without help. This is where the additional account comes into play: as long as you can get into the system, any local administrator can reset the password of any other user on that local system.

If you can’t or don’t want to have another local administrator active on your system and have at least version 1803 (the April 2018 update), then you may have another recovery option available to you. As of this version of Windows 10, you have the ability to set security questions related to your account so that you can recover your password. 

I mentioned before that, most of the time, you can’t use the same credentials on more than one machine when using a local account. The exception depends on whether a user account with the same username and password as yours has been created on the other system. If it has, you can log in or navigate to shared resources on the other system as if you were using a domain account. On small-scale networks using a workgroup structure (a peer-to-peer-style network), this is usually enough for access to network shares and printers.

Once you go beyond this, though, you’re most likely going to want to look at domain accounts.

Domain user accounts

As mentioned above, local user accounts are designed for single-system or very small networks. Once you get beyond this, however, you’re going to want to move up to an Active Directory-based domain network. 

This allows you to set up a very large number of users with as many machines and devices as you require, with the ability to allow a user to move from device to device and continuously access their network resources without hassles. Depending on what the user needs to do on an individual workstation, it is possible to assign local administrative privileges to a domain user account. This essentially gives the best of both worlds in very specific situations. 

As with local user accounts, we have standard domain users and domain admins to start with. Depending on how big your network gets, it may go further, but that’s beyond the scope of this article. 

Small networks don’t normally have to worry about assigning a great deal of permissions across the board, but with domains, it really is necessary to make sure that users only have access to what they need to do their jobs. This isn’t because of any particular animosity or fear of what a user would deliberately do, but rather because of what can happen when a malicious piece of software or an unauthorized person gains access to a user account. Keeping permissions at least-privilege levels minimizes the potential risk to sensitive data and to the health of the network as a whole.
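As an added example (not code from the article), the PowerShell below lists who holds local administrator rights on a machine and uses the PrincipalSource property to tell the three account types discussed here apart, then flags anything outside an allow-list; the allow-list entries are assumed placeholders, not names from the article.

```powershell
# Added example: audit the local Administrators group and classify each member
# as a local, domain or Microsoft account. Uses the built-in
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later)
# and should be run from an elevated prompt.

# Assumed allow-list for this demo: the built-in Administrator plus one
# break-glass account, as the article recommends for non-domain systems.
# On a domain-joined machine you would normally add "$env:USERDOMAIN\Domain Admins".
$ExpectedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "$env:COMPUTERNAME\BreakGlass"
)

$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    # PrincipalSource is the property that distinguishes the account types
    $kind = switch ($m.PrincipalSource) {
        'Local'            { 'Local account' }
        'ActiveDirectory'  { 'Domain account' }
        'MicrosoftAccount' { 'Microsoft account' }
        'AzureAD'          { 'Azure AD account' }
        default            { 'Unknown' }
    }
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass      # User or Group
        Type        = $kind
        Expected    = $ExpectedAdmins -contains $m.Name
    }
}

$report | Format-Table -AutoSize

# Any member not on the allow-list is a least-privilege finding to follow up on
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected member(s) of Administrators: {1}" -f `
        $unexpected.Count, ($unexpected.Name -join ', '))
}

# Recovery path described in the article: a local administrator can reset
# another local user's password without knowing the current one.
# Set-LocalUser -Name 'alice' -Password (Read-Host -AsSecureString 'New password')
```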

One of the biggest benefits to a domain user account is the ease of password resets. Knowledge of the current password is not required, as Active Directory handles all of the heavy lifting. This one feature turns what could potentially be an ultra-panicky situation into a normal Tuesday morning.

Microsoft accounts

Over the past several years, Microsoft has been heavily pushing the concept of a Microsoft account instead of a local user account or even a domain user account — to the point where you have to jump through hoops to set up a new Windows 10 system without being forced to use a Microsoft account. 

So just what is a Microsoft account anyway? Essentially, this is a single sign-on (SSO) account that is managed by Microsoft for any devices and authorized websites you may be accessing. Once you’re authenticated into a system, it will automatically log you in to any supported URL or applications without having to authenticate again.

Microsoft accounts also support two-factor authentication via multiple different methods. This can give you a significant security boost if you only have a handful of systems that you work with. 

Password recovery on a Microsoft account is simultaneously easier and significantly harder than for local or domain accounts. Because this is essentially a web-based account, web-based password recovery methods are available, including alternate email addresses and phone numbers. Unfortunately, this also means that there is no one you can easily talk to for assistance in this regard.

Conclusion

Choosing the type of user account you need is very much based around how you use the system or systems you need on a daily basis. If you’ve got a standalone machine, a local or Microsoft account will do you just fine. If you’re in a large network, a domain account will most likely serve you much better. 

However, as the world continues to move more and more operations to web-based services and cloud providers, we may have to revisit this in the future. This is especially true if Microsoft starts moving away from on-premises Active Directory implementations.



Be Safe

Section Guide: Kurt Ellzey
