Logon Concepts

WS2003 supports several kinds of logons.

Interactive logon

Logging on to the local machine from the console by pressing Ctrl+Alt+Delete and entering credentials (a logon name and password). On a standalone server in a workgroup, all console logons are interactive logons. In a domain scenario, all logons to a domain controller are network logons, but when you log on to a member server you have a choice of logging on to the:

  • Local machine (interactive logon) by selecting the computer name in the Log On To box

  • Network (network logon) by selecting the domain name in the Log On To box

Network logon

Logging on to the network from the console by pressing Ctrl+Alt+Delete and entering a logon name and password. When you log on to the local machine (interactive logon), your credentials are authenticated by the SAM database on the standalone or member server. When you log on to the network, your credentials are authenticated by a domain controller, that is, by Active Directory.

Automatic logon

The process of automating the logon process by storing the user's credentials in the registry. While autologon is convenient, it can represent a security risk since anyone who can physically access the computer can gain access to information stored on it. Furthermore, when automatic logon is configured, the user's password is stored in clear text in the registry and users who can remotely connect to the machine may be able to view registry information if they have sufficient permissions.
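The registry values that automatic logon relies on can be audited directly. The following PowerShell script is an added example, not code from the book or from Microsoft: it reads the Winlogon key (the well-known HKLM path under which AutoAdminLogon, DefaultUserName, DefaultDomainName and DefaultPassword live), reports whether autologon is enabled and whether a clear-text DefaultPassword value is present, and lists which identities have read access to the key, which is what makes the remote-disclosure risk described above concrete. The function name Get-AutoLogonStatus and the Risk labels are this example's own choices.

```powershell
# Added example (not from the book): audit a machine for automatic logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonStatus {
    param([string]$KeyPath = $winlogon)

    # Get-ItemProperty returns every value under the key as a property.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    $enabled     = ($props.AutoAdminLogon -eq '1')
    # DefaultPassword is only present when someone stored a clear-text password.
    $hasPassword = $null -ne $props.PSObject.Properties['DefaultPassword']

    # Risk labels are this example's own convention (assumption).
    $risk = 'None'
    if ($hasPassword) { $risk = 'Medium' }
    if ($enabled -and $hasPassword) { $risk = 'High' }

    [pscustomobject]@{
        AutoAdminLogon       = $enabled
        DefaultUserName      = $props.DefaultUserName
        DefaultDomainName    = $props.DefaultDomainName
        ClearTextPasswordSet = $hasPassword
        Risk                 = $risk
    }
}

Get-AutoLogonStatus | Format-List

# Who can read the key (locally or over the remote registry service)?
# Any ACE granting read rights to a broad group widens the exposure.
(Get-Acl -Path $winlogon).Access |
    Where-Object { $_.RegistryRights -match 'ReadKey|QueryValues|FullControl' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

# Remediation where autologon is not required: disable it and delete the
# stored password. Left commented so the audit itself makes no changes.
# Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
# Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
```

Run it in an elevated PowerShell session on the server being reviewed. A result of Risk = High means the password sits in the registry and is used at every boot; Medium means a stale DefaultPassword value was left behind after autologon was switched off, which should still be removed.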

Secondary logon

Also called Run As, this feature lets the currently logged-on user run programs using another set of credentials if he has them. For example, sysadmins typically have two sets of credentials:

  • An ordinary user account (belonging to the Domain Users group) that they use for accessing their email, browsing the web, writing reports, and so on

  • An administrator account (belonging to the Domain Admins group) that they use to perform administrative tasks such as installing programs, configuring services, creating shares, and so on

Using secondary logon, an administrator can run programs and perform tasks that require Administrator privileges while logged on to her desktop computer using her ordinary user account.

Logon Names

Consider a user named John Smith who has a user account with username jsmith. In a workgroup scenario, the logon name for John Smith is simply his username jsmith, and to log on to a standalone server John Smith enters jsmith and his password in the Log On To Windows box invoked by Ctrl+Alt+Delete. Things are somewhat different in a domain scenario when Active Directory is deployed; in this case, each user has two different logon names:

User logon name

This name is of the form username@UPNsuffix, where username is the name of the user's account and UPNsuffix is the DNS name of the domain in which the user's account resides. If John Smith belongs to a domain named mtit.com, his user logon name would be jsmith@mtit.com. This name is also called the user principal name (UPN), and every user in the forest must have a unique UPN. For example, if there is another John Smith in the company but he belongs to the sales.mtit.com domain, then his UPN would be jsmith@sales.mtit.com, which is different from the UPN for the first John Smith. If a third John Smith were then hired into the same sales.mtit.com domain, the administrator would have to assign him a different username such as jsmith2 so that his UPN is unique throughout the forest.

Downlevel logon name

This name is of the form DOMAIN\username, where DOMAIN is the downlevel domain name for the domain. For example, if the downlevel domain name for the mtit.com domain is MTIT, then the downlevel logon name for the first John Smith would be MTIT\jsmith. Downlevel domain names must also be unique across the forest, so in our previous example the downlevel logon name for the second John Smith would typically be SALES\jsmith, and for the third John Smith, it would be SALES\jsmith2. Downlevel domain names are supported primarily for interoperability with downlevel NT domain controllers in domains whose domain functional level is Windows 2000 mixed or Windows 2000 interim and for downlevel Windows 95/98/Me/NT clients.
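The two naming rules above (UPN built from username and UPN suffix, downlevel name built from the NetBIOS domain name, and the forest-wide UPN uniqueness that forces the third John Smith to become jsmith2) can be expressed as a small provisioning helper. The PowerShell below is an added example, not code from the book: the function New-LogonNames, its parameters, and the $forestUpns list are all constructed for illustration.

```powershell
# Added example (not from the book): derive both logon names for a new account
# and make the UPN unique against the UPNs that already exist in the forest.
function New-LogonNames {
    param(
        [Parameter(Mandatory)][string]$Username,       # e.g. jsmith
        [Parameter(Mandatory)][string]$DnsDomain,      # UPN suffix, e.g. sales.mtit.com
        [Parameter(Mandatory)][string]$NetbiosDomain,  # downlevel domain name, e.g. SALES
        [string[]]$ExistingUpns = @()                  # every UPN already in the forest
    )

    # The UPN must be unique across the whole forest, not just this domain.
    # -contains compares case-insensitively, matching how UPNs are treated.
    $candidate = $Username
    $n = 1
    while ($ExistingUpns -contains "$candidate@$DnsDomain") {
        $n++
        $candidate = "$Username$n"      # jsmith -> jsmith2 -> jsmith3 ...
    }

    [pscustomobject]@{
        UserLogonName      = "$candidate@$DnsDomain"       # UPN form
        DownlevelLogonName = "$NetbiosDomain\$candidate"   # DOMAIN\username form
    }
}

# Constructed forest state (assumption): the first two John Smiths already exist.
$forestUpns = @('jsmith@mtit.com', 'jsmith@sales.mtit.com')

# A third John Smith joins sales.mtit.com.
New-LogonNames -Username jsmith -DnsDomain sales.mtit.com -NetbiosDomain SALES -ExistingUpns $forestUpns

# A John Smith joining a domain whose UPN suffix is not yet taken keeps his username.
New-LogonNames -Username jsmith -DnsDomain research.mtit.com -NetbiosDomain RESEARCH -ExistingUpns $forestUpns
```

The first call yields jsmith2@sales.mtit.com and SALES\jsmith2, the second jsmith@research.mtit.com and RESEARCH\jsmith. In a real forest the $ExistingUpns list would come from a query against the global catalog rather than a literal, since uniqueness has to hold against every domain, and if you assign a custom UPN suffix (see the note below) the same check applies with that suffix in place of the DNS domain name.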

While the UPN suffix is usually the DNS name of the domain where the user's account resides, it doesn't have to be; you can assign a different UPN suffix to all users in your forest if desired. See Forest earlier in this chapter for more information.



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch