Operating system security

User Account Management in Windows 10

Greg Belding
September 25, 2019 by
Greg Belding


Windows 10 categorizes users into three types, each with a distinct purpose. Let’s explore the Local, Domain, and Microsoft user types. Then we’ll delve into related account management topics like admin versus non-admin accounts, how to configure User Account Control (UAC), single sign-on and domain versus workgroup accounts in Windows 10.

Learn Windows 10 Host Security

Learn Windows 10 Host Security

Build your Windows skills with 13 courses covering Windows registry, services, processes, toolset and more.

Local user

Local user accounts are old-school and well-known. Only a username of up to 20 characters and a password are needed to set up a Local user. These credentials are stored on the device the account was created and only access that device. 

As of version 1803, users setting up a local user account must select three security questions in case the local user password is lost or forgotten. This type of account is suitable for home users and small companies that do not have a need for a domain.

Domain user

Domain user accounts refer to user accounts connected to an enterprise network, with a Windows server as a domain controller. This type of user account requires an Active Directory account and a username and password. 

These credentials can sign in with the following formats: domainusername and username@domain. The “@domain” option is only available to domains with a fully qualified domain name. Prior to joining a Windows 10 system to a domain, a local account must be created on the Windows 10 system.

Administrator versus non-administrator accounts in Windows 10

Windows 10 further splits users into two subtypes: administrator and non-administrator (standard). Administrator accounts grant users control over the entire system, including permission to take action that may affect other users. Administrator actions include installing software, changing local policy and running elevated tasks.

Non-administrator accounts have restricted privileges. They can work with applications but can’t install new ones, and the changes they make only affect that user. When new applications or software needs to be installed or elevated credentials are required, an administrator will need to use their password to perform these tasks.

Minimal access to the administrator password is recommended to maintain a secure system. The administrator password is the proverbial key to the kingdom, and bad things are in store for a kingdom with its key in the wrong hands.

How to configure UAC in Windows 10

The UAC defends against malware damage and makes for a better-managed desktop. The UAC forces apps and tasks to run with the security rights of a non-administrator account (unless authorized by the admin). It can and will stop unauthorized changes to system settings and automatic installation of unauthorized apps and software.

To configure UAC in Windows 10, type “UAC” into the Cortana search bar and click on “Change User Account Control Settings.” A window pops up, asking when you want to be notified about changes to your computer. This will be in the form of a sliding scale, ranging from “never notify” to “always notify.” Windows offers suggestions when you change the slide position to help make sure you make the right choice with your configuration decision.

Single sign-on in Windows 10

Using single sign-on (SSO) access control in Windows 10 Enterprise environments, which use Azure Active Directory (Azure AD), adds both convenience and security to the user sign-on process. SSO facilitates organization network sign-on without entering a password or username. SSO methods available include:

  • OpenID Connect and OAuth
  • SAML
  • Password-based
  • Linked
  • Header-based
  • Integrated Windows Authentication

Domain versus workgroup accounts

Domain and workgroup accounts are popular. Both can be employed for different uses. For example:


  • Peer network: No system has control over another
  • Each workgroup system stores its own set of user accounts, so accounts need to be part of the workgroup set prior to gaining access to the workgroup
  • Workgroups are not password-protected
  • All systems in the workgroup must be on the organization’s network or subnet


  • Central control: Domain controllers or servers
  • Domain controllers control security and permissions for the domain with policies
  • Standard domain users cannot install apps without the domain administrator password
  • Domains can reside on different local networks

Learn Windows 10 Host Security

Learn Windows 10 Host Security

Build your Windows skills with 13 courses covering Windows registry, services, processes, toolset and more.


Windows 10 systems are used by all walks of life — from simple home users to high-powered organization administrators. This is not new to Windows 10. It has been a staple since the inception of PCs. Windows 10 is using the tried-and-true methods used by previous versions of Windows, along with the more centralized Microsoft account that many already have without knowing it.


  1. Windows 10 setup: Which user account type should you choose?, ZDNet
  2. How to change a Windows 10 user account type and why, Windows Central
  3. User Account Control, Microsoft
  4. Single sign-on to applications in Azure Active Directory, Microsoft Azure
  5. Azure Active Directory Seamless Single Sign-On, Microsoft Azure
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.