Can PC use both local and domain account same time?

I'm trying setting up a domain for local company network and some users take their laptops to home. and my question is can they use local and domain accounts at the same time? for example at home they use local at work they use domain. i don't want to screw their local accounts .I'm planning to use Forensit for migrating their local accounts to domain.


Solution 1:

Joining a machine to an AD domain does not disable local accounts at all. It does hide the "user list" in the corner (this can be re-enabled via GPO), but a local account name can always be entered into the "Username" field by specifying . (dot) as the domain. For example, .\Fred means a local account "Fred".

But there is usually no point in using local accounts, as Windows by default caches credential verifiers so that if a domain user has previously logged in to a machine, they will continue to be able to log in even if the machine cannot contact the DCs. (The verifiers aka "cached credentials" are stored for, I think, 30 days? It's adjustable via GPO.)

(Besides, if your users are taking their laptops for work, then they'll presumably connect to the company's VPN, which should allow Windows to re-authenticate and extend the expiry time of the cached credentials, so there won't be any need to bring the laptop back every week.)

On the other hand, using local accounts has many downsides:

  • As noted in comments, they will always remain two separate accounts (they cannot share profile directories; a local account will always have a different SID than any domain user). This means the user now has to manually keep both in sync so that they'd be able to get any work done.

  • As the two profiles will be different, no one will bother switching between accounts – if they have a working local account they'll just happily continue using that, and no force in the world short of deleting the local account will make them use the domain account instead.

  • Using a local account also means "user" GPOs will not work, only machine GPOs will apply.

  • Local account also means no AD SSO; the user will have to enter their password separately for each network server they want to access. (And if you have password expiry enforced, they'll have to re-enter the new password for every server separately.) Many applications that access files from a remote share do not trigger a password prompt and will just fail, until the user manually visits the share and enters their credentials.

In short, you're just creating extra work for your users for no good reason. The plan is probably worse than not having AD in the first place.