Logon Notes



To log on to a domain, you must have a domain user account defined in Active Directory for that domain. A local user account can be used only to log on to a local computer.

If your machine's domain is a child domain within a domain tree, you can log on to either your local domain or its parent domain within the tree by using the drop-down box. (Your credentials must be defined in the domain you want to log on to.)

If you don't specify which domain in a tree to log on to, you will be logged on to the domain you most recently logged on to.

Domain names are listed in the Log On To box using their old NT form (e.g., SUPPORT) instead of as domain names (e.g., support.mtit.com).

If there is no Options button on your Log On To Windows box, your machine belongs to a workgroup instead of a domain. You must first join your computer to a domain before you can log on to a domain (see Domain earlier in this chapter).

Secondary logon may not work with some programs.

If you try to run programs over the network using secondary logon, the attempt will fail if the credentials you specify using Run As are different from those used to connect to the network share.

Secondary logon works only with password authentication; it won't work with smart card logons.

Passwords in WS2003 can be up to 128 characters long and can contain upper- and lowercase letters, numbers, and nonalphanumeric characters.

Here are some tips for using passwords in a WS2003 environment:

  • Assign the Administrator account a complex password and keep it secure. If you are really paranoid (or believe that someone in your enterprise may be running password-cracking software), change the password every week or so.

  • Let users control their own passwords. This frees administrators from maintaining lists of user passwords and places the onus of responsibility upon the user. It also removes the temptation for administrators to snoop in users' home folders.

  • Educate users on how to select a password that is hard to crack. One suggestion is to think of an original and catchy phrase that is easy to memorize and then to form the password from the acronym generated by the phrase. For example, "I always brush my teeth two times per day" generates the password iabmt2tpd. Also, educate users on what makes a bad password, such as their dog's name, postal code, phone number, and so on.

  • Prohibit users from changing their passwords if multiple users share the same user account. For example, do this for temporary employees using a temporary account or the Guest account for network access.

  • Passwords required by services or applications should be nonexpiring.

See Also

Active Directory, Domain, runas, shutdown, Users



Windows Server 2003 in a Nutshell
ISBN: 0596004044
EAN: 2147483647
Year: 2003
Pages: 415
Authors: Mitch Tulloch
