[This is preliminary documentation and subject to change.]
On Windows NT platforms, there is no distinction between local and remote access. The current user is assumed if no user and password is specified. For remote access, a user name and password can be specified which overrides the current user. For local access, it is not possible to override the current user name and password in the call to IWbemLocator::ConnectServer because it is disallowed in DCOM. By default, any user that is a member of the local Administrators group is granted full local and remote access to CIMOM. This typically includes the owner of the machine and the domain administrator.
On Windows 95 and Windows 98 platforms, local users are considered administrators and given full rights. There is no authentication. However, remote users are always validated using __NTLMUser instances in the Root\Security namespace. Because there is no default remote access on Windows 95/98 platforms, one or more __NTLMUser instances must be created to enable remote access.