Let’s take a look at a little trick to log in to Windows with a local user account instead of a domain account. By default, when the user enters a username on the Welcome Screen of a domain-joined computer, and there is also a local account with the same name, the domain account will take precedence. We keep coming across people who don’t know this little trick, so we thought it would be worthwhile sharing.
Logging Into Local Accounts on Windows
After the computer is joined to the Active Directory domain, you can sign in under the domain or local user account. On the login screen in Windows XP and Windows Server 2003, there is a drop-down list “Log on to”. Here you can choose whether you want to log in under the domain account or use a local user (select “this computer”).
However, in newer versions of Windows, this drop-down menu no longer exists. Instead, a small How to log on to another domain button appears on the Welcome Screen of domain-joined computers. If you click this button, the following tip will appear:
Type domain name\domain user name to sign in to another domain.
Type NY-FS01\local user name to sign in to this PC only (not a domain)
As you can see, the message contains the name of your computer/server (NY-FS01 in our case). If you want to log in with a local account (for example, Administrator), type NY-FS01\Administrator in the User name field and enter the password. Of course, if your computer name is quite long, the input can be a real challenge!
Fortunately, there is a simple trick that allows you to log in under a local account.
Login Windows with Local Account without Typing Computer Name
Windows uses the dot as the alias symbol for the local computer:
- In the username field simply enter .\. The domain below will disappear, and switch to your local computer name without typing it;
- Then specify your local username after the .\. It will use the local account with that username.
You can also type the computer name followed by a backslash and the username, and it will do the same thing.
This way you can log on to a local account on a domain-joined computer on all Windows versions. This applies to versions from Windows Vista to Windows 10/Windows Server 2016.
Tip. You can use the same trick when you need to use local user credentials to access a shared folder over the network (using the SMB protocol).
Types of User Accounts in Windows 10
In Windows 10, you can use three types of accounts to sign in to the device:
- Local account — these accounts are stored in the local Windows security account database (Security Account Manager, SAM);
- Domain user — accounts are stored on the Active Directory domain controllers;
- Microsoft account — the account is stored in the Microsoft cloud. Its advantage is that you can use it on any computer, and the basic user settings with a Microsoft account will be the same on any Windows 10 computer. For the Microsoft account, as well as for local users, a separate profile is created in the C:\Users directory (%UserProfile%). Any local account can be linked to a Microsoft account.
Hint. Can you sign in with a Microsoft account without an Internet connection? Of course! You only need to be connected to the Internet when you create a Microsoft account or switch to a local account. After the first login, the credentials of that account are cached locally, and subsequent logins don’t require an Internet connection.
The default local Windows account name is Administrator. In modern versions of Windows, this account is disabled by default. Instead, when you first log in to Windows, you are prompted to create a new account. This account is automatically added to the built-in Administrators group.
Unfortunately, Windows Login Screen UI doesn’t enumerate local users on domain-joined computers by default, so you’ll have to enter the username manually. If the name of the built-in administrator on the computer is changed from Administrator to something else (for example, using Local Administrator Password Solution), you can only find out the names of all local users by logging in with your domain account.
If you do not know the names of local accounts on your computer, or you cannot log in under the built-in administrator (this account name can be renamed manually or via domain Group Policies), you can display a list of all local Windows accounts from the command line:
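One way to do this from a PowerShell prompt, as an added example rather than the command from the original article: it uses the built-in Get-LocalUser and Get-LocalGroupMember cmdlets (Windows PowerShell 5.1 and later) and flags the built-in administrator by its fixed RID 500, so the account is found even after it has been renamed.

```powershell
# Added example: inventory the local accounts on this computer.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).

# Direct members of the local Administrators group, looked up by the group's
# well-known SID so the query also works on localized Windows builds.
$adminSids = @()
try {
    $adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        ForEach-Object { $_.SID.Value }
}
catch {
    Write-Warning "Could not read Administrators membership: $($_.Exception.Message)"
}

Get-LocalUser | ForEach-Object {
    [pscustomobject]@{
        # Form that can be typed into the User name field of the logon screen
        LogonName       = ".\$($_.Name)"
        Enabled         = $_.Enabled
        # The built-in administrator always has RID 500, whatever its current name
        BuiltInAdmin    = $_.SID.Value -match '-500$'
        # Direct membership only; accounts nested through other groups are not resolved
        IsLocalAdmin    = $adminSids -contains $_.SID.Value
        # 'Local' for SAM accounts, 'MicrosoftAccount' for linked accounts
        Source          = $_.PrincipalSource
        LastLogon       = $_.LastLogon
        PasswordLastSet = $_.PasswordLastSet
    }
} | Sort-Object -Property Enabled, LogonName -Descending |
    Format-Table -AutoSize
```

On systems without this module, `net user` prints the local account names only.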
How to Login to Windows 10 under the Local Account Instead of Microsoft Account?
In the latest Windows 10 builds, Microsoft recommends using Microsoft accounts instead of local Windows accounts. On Windows 10 1909 you can’t even create a local account when installing Windows if you have an Internet connection available. If you do not want to use the Microsoft account on Windows 10, you can switch to a traditional local Windows account.
- Open the menu Settings > Accounts > Your info;
- Click on the button Sign in with a local account instead;
- Enter your current Microsoft account password;
- Specify a username, password, and a password hint for your new local Windows account;
- Press the Sign out and finish button;
- Now you can log in to Windows 10 under a local account.
Once you complete these steps, your Windows 10 account will be disconnected from your Microsoft account. It will switch to the traditional local account style.
Show All Local Accounts on Welcome Screen in Windows 10
On Windows 10 and Windows Server 2016/2019, you can list all enabled local user accounts on the Logon Screen. To show all local users on Windows 10 Welcome Screen:
- Open the local group policy editor – gpedit.msc;
- Expand the following GPO section: Computer Configuration > Administrative Templates > System > Logon;
- Enable the policy “Enumerate local users on domain-joined computers”;
- Update the local policy settings on your computer using the gpupdate command;
- Log off, press Ctrl+Alt+Delete on your Windows 10 Welcome Screen, and check the local account list.
As a result, you do not need to type the user name manually, but simply select it from the local account list.
How to Allow or Prevent User from Signing In Locally on Windows 10?
By default, users in the local groups Users, Guests, Backup Operators, and Administrators can sign in locally to Windows 10. However, an administrator can use local or domain Group Policy to restrict logins to Windows locally.
If, when logging in with a local account, you are getting the error “The sign in method you’re trying to use isn’t allowed. For more info, contact your network administrator”, this means that this user or group is not allowed to log on locally.
If you have administrator rights on your computer, you can allow specific users or groups to log on to Windows locally.
- Run the local Group Policy Editor: Win+R > gpedit.msc;
- Browse the following GPO section: Computer Configuration > Windows Settings > Local Policies > User Rights Assignment;
- Find the policy Allow log on locally and open its properties;
- Click the Add User or Group button and add the local accounts/groups that you want to allow to sign in to Windows locally;
- Also, make sure there are no local accounts in the Deny log on locally policy. This policy takes precedence over the Allow log on locally settings.
By default, in Windows 10 and 11, users are allowed to log on locally if they are members of the following local groups.
- Backup Operators.
On Windows Server hosts, a local user account is not allowed to log on locally. You can log on to Windows Server locally only if your account is a member of the following local security groups:
- Account Operators.
- Backup Operators.
- Print Operators.
- Server Operators.
Hint. Please note that you won’t be able to log in with your local Windows account to a domain controller. After promoting the member-server to DC, the local SAM database becomes unavailable. The only local account on the Active Directory domain controller is the DSRM Administrator.
How to Login Windows via Remote Desktop (RDP) with a Local Account?
The above trick for logging into a domain-joined Windows device under a local account using the .\Administrator account format does not work if you are logging into a remote computer over RDP.
When you specify .\administrator in the Remote Desktop Connection client window (mstsc.exe), your RDP client resolves that to <your_current_computername>\Administrator, and not to <remote_server_name>\Administrator.
Accordingly, you will not be able to RDP into a remote computer if the passwords of the local and remote users are different.
To connect to a remote domain computer via RDP with a local Windows account, you can use one of the following formats for specifying the username:
- Specify the host name of the remote computer, e.g.: wks323221s\administrator
- Specify the IP address of the remote computer: 192.168.100.221\administrator
- Use shorthand local instead of remote machine name: local\administrator
In all of these cases, the RDP client will understand that it needs to use the local Windows user on the remote computer to authenticate.
In order for a local user to be able to connect to a domain computer via RDP, the account must be a member of the Remote Desktop Users group, or be added to the local policy Allow Log on through Remote Desktop Services in the following section of the GPO editor (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights).
Otherwise, you will see an error:
To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Administrators group have this right, or if the right has been removed from the Administrators group, you need to be granted this right manually.
By default, RDP login is allowed only for members of the local Administrators group.
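To audit these rights without opening each policy in the editor, the following added example (not part of the original article) exports the user rights assignment with secedit and lists who holds the allow and deny rights for local and Remote Desktop sign-in, covering both the Allow log on locally steps and the RDP policy described above. The temporary file name is an assumption of this example.

```powershell
# Added example: report who holds the sign-in rights discussed in this article.
# Run from an elevated prompt; secedit needs administrator rights to export.

$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# Temporary export file (name chosen for this example), removed afterwards
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /areas USER_RIGHTS /cfg $cfg /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
    $lines = Get-Content -Path $cfg
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

foreach ($right in $rights.Keys) {
    # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,Guest
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*S-')) {
                # SIDs carry a '*' prefix; translate to an account name where possible
                $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.TrimStart('*'))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # orphaned or unresolvable SID
            }
            else { $entry }
        }
    }
    [pscustomobject]@{
        Policy  = $rights[$right]
        Right   = $right
        Holders = if ($holders) { $holders -join '; ' } else { '(not assigned)' }
    }
}
```

An account or group listed under a Deny right is blocked even when it also appears under the matching Allow right, so check the Deny rows first.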