To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log on to workstations in a domain with their domain accounts.
Check
Run "Computer Management".
Navigate to System Tools >> Local Users and Groups >> Users.
If local users other than the accounts listed below exist on a workstation in a domain, this is a finding.
The accounts listed assumes a system is joined to a domain and thus (per best practice), the local default accounts have been disabled.
For standalone or nondomain-joined systems, this is Not Applicable.
Built-in administrator account (Disabled, SID ending in 500) Built-in guest account (Disabled, SID ending in 501) Built-in DefaultAccount (Disabled, SID ending in 503) Built-in defaultuser0 (Disabled, *SID unique per workstation) Built-in WDAGUtilityAccount (Disabled, SID ending in 504) Local administrator account(s) * Note that the SID for defaultuser0 is machine-specific and immutable (cannot be changed). It will differ per Windows installation.
All of the built-in accounts may not exist on a system, depending on the Windows 11 version.
Fix
Limit local user accounts on domain-joined systems. Remove any unauthorized local accounts.