The Windows 10 operating system supports five types of accounts, each used to enable different functionality:
- System account: These accounts are used to run background services and are assigned specific permissions. They are not used to log in to the system, but may be used remotely. Domain-joined computers may have additional service accounts assigned to enable central administration.
- Local user account: By default, at least one local user account is created to run as the local administrator when first configuring the operating system. Depending on how Windows is installed, this account may be a generic account, such as administrator, or it may be named after the first user who completes the first-time run wizard and chooses not to register a Microsoft account. These accounts are governed by the local password policies, which can be configured via Group Policy or a device/application management service, such as Microsoft Intune.
- Microsoft account: If the computer is not domain joined, the user can register their Microsoft account (such as @outlook.com) as their local user account. In this configuration, all user settings are synchronized with the Microsoft cloud to provide a seamless transition between multiple computers, or when rebuilding the computer. Microsoft accounts can coexist with local user accounts and Azure Active Directory (AD) accounts.
- Azure AD user account: This account type has the user's corporate credentials stored in Azure AD, such as an Office 365 user. This logon method can be enabled in one of two scenarios:
  - If the computer account is joined to Azure AD (also known as workplace join), then the user can sign in with their corporate credentials in Azure AD.
  - If the computer account is not joined to Azure AD, the user can sign in with either a local user account or a Microsoft account and then link their Azure AD account using the Connect to work or school option. When this is done, the user will be able to store their credentials securely to enable single sign-on (SSO) to company applications, such as Office 365.
- Windows Server AD user account: The majority of Windows 10 Enterprise computers are likely to be joined to a Windows Server AD domain. When this occurs, the Microsoft account and Azure AD user account options are disabled. However, the AD user account can be automatically linked to the Azure AD user account, to enable SSO when the user is not on the corporate network.
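
To see which of these account types are actually present on a given machine, the following read-only PowerShell script is an added example, not part of the original text. It assumes Windows PowerShell 5.1 on Windows 10 with the built-in LocalAccounts cmdlets and `dsregcmd.exe`; the function names are hypothetical.

```powershell
# Added example: read-only inventory of the account types in use on this computer.
# Function names are hypothetical; the cmdlets and dsregcmd.exe ship with Windows 10.

function Get-JoinState {
    # Parse the "Name : YES/NO" lines printed by dsregcmd /status.
    $state = [ordered]@{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    [pscustomobject]$state
}

function Get-LocalAccountSource {
    # PrincipalSource reports where each principal comes from
    # (for example Local or MicrosoftAccount).
    Get-LocalUser | Select-Object Name, Enabled, PrincipalSource, PasswordLastSet
}

function Get-ServiceLogonAccount {
    # Accounts that background services run as (LocalSystem, NT AUTHORITY\..., others).
    Get-CimInstance -ClassName Win32_Service |
        Group-Object -Property StartName |
        Select-Object @{ n = 'Account'; e = { if ($_.Name) { $_.Name } else { '(none)' } } }, Count |
        Sort-Object -Property Count -Descending
}

function Get-LocalAdministrator {
    # Members of the built-in Administrators group (well-known SID S-1-5-32-544).
    # Members may be Local, MicrosoftAccount, AzureAD or ActiveDirectory principals.
    # Enumeration can fail on orphaned SIDs or unreachable directories, so report
    # the error instead of aborting the whole inventory.
    try {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource
    } catch {
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
    }
}

Get-JoinState           | Format-List
Get-LocalAccountSource  | Format-Table -AutoSize
Get-LocalAdministrator  | Format-Table -AutoSize
Get-ServiceLogonAccount | Format-Table -AutoSize
```

Service logon accounts other than the built-in ones, and administrators whose `PrincipalSource` does not match the machine's join state, are the entries worth reviewing first.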