What Is a Local Account?
A local account is a login that exists directly on an individual machine, a server, workstation, or network device, rather than in a centralized directory like Active Directory or an IdP. Most operating systems ship with at least one built-in local administrator account, and IT teams routinely create additional local accounts for setup, troubleshooting, or software that needs a machine-level login to run.
Because a local account lives only on the machine itself, it’s invisible to tools that discover identity by querying a central directory. An IdP has no record of it, because it was never provisioned through the IdP. A PAM vault has no record of it, unless someone manually onboarded that specific machine’s local admin credential. It simply exists, on that one machine, until someone with local or physical access happens to find it.
That invisibility is exactly what makes local accounts a recurring foothold in real intrusions. An attacker who compromises one endpoint often finds a local administrator account with the same or a similar password reused across dozens or hundreds of other machines, a pattern that, once discovered, turns a single compromised laptop into lateral movement across the fleet.