Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] - text version


Roberta Bragg

Logon Concepts

WS2003 supports several kinds of logons.

Interactive logon

Logging on to the local machine from the console by pressing
Ctrl+Alt+Delete and entering credentials (a logon name and password).
On a standalone server in a workgroup, all console logons are
interactive logons in this sense. In a domain scenario a domain
controller holds no local user accounts (apart from the Directory
Services Restore Mode administrator), so every console logon to a
domain controller is validated by Active Directory; when you log on to
a member server, however, the Log On To box gives you a choice of
logging on to the:

  • Local machine (interactive logon) by selecting the computer name in
    the Log On To box

  • Network (network logon) by selecting the domain name in the Log On
    To box


Network logon

Logging on to the network from the console by pressing Ctrl+Alt+Delete
and entering a logon name and password. When you log on to the local
machine (interactive logon), your credentials are validated against the
SAM database on the standalone or member server. When you log on to the
network, your credentials are validated by a domain controller, that
is, by Active Directory.

Note that the "interactive" versus "network" distinction drawn here
describes where the credentials are validated (local SAM versus domain
controller), not the Logon Type field that Windows records in the
Security log. In that field a console logon is Logon Type 2
(Interactive) whether the account is local or a domain account, and
Logon Type 3 (Network) is reserved for connections made over the
network, for example to a file share. Keep the two vocabularies apart
when you read event 528 (successful logon) or 540 (successful network
logon) on WS2003.
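The following is an added example, not code from the book: it classifies logon events by the Logon Type field Windows actually records and, separately, by the book's criterion of where the account was validated (local SAM if the event's domain is the computer name, otherwise a domain controller). The event text is constructed sample data in the WS2003 event 528/540 layout; the account names follow the chapter's mtit.com example.

```powershell
# Added example (not from the book): summarise WS2003 Security-log logon
# events by Logon Type and by where the account was validated.
# Assumes the event 528/540 message layout ("User Name:", "Domain:",
# "Logon Type:" fields). Run the live line at the bottom as an administrator.

$LogonTypeNames = @{
    2  = 'Interactive (console)'
    3  = 'Network (share, RPC, etc.)'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext (e.g. IIS basic auth)'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (Terminal Services)'
    11 = 'CachedInteractive (cached domain credentials)'
}

function Get-LogonSummary {
    param([Parameter(Mandatory)][string[]]$Messages)
    foreach ($m in $Messages) {
        # Pull the three fields we need out of the event text.
        $user   = if ($m -match 'User Name:\s*(\S+)')  { $Matches[1] }      else { '?' }
        $domain = if ($m -match 'Domain:\s*(\S+)')     { $Matches[1] }      else { '?' }
        $type   = if ($m -match 'Logon Type:\s*(\d+)') { [int]$Matches[1] } else { -1 }

        $meaning = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "Unknown ($type)" }

        # The book's distinction: a domain whose name equals the computer
        # name is a local SAM account; anything else was validated by AD.
        $validatedBy = if ($domain -ieq $env:COMPUTERNAME) { 'Local SAM' } else { 'Domain controller' }

        [pscustomobject]@{
            Account     = "$domain\$user"
            LogonType   = $type
            Meaning     = $meaning
            ValidatedBy = $validatedBy
        }
    }
}

# Constructed sample event text (not real log data).
$sample = @(
    "Successful Logon:`r`n`tUser Name:`tjsmith`r`n`tDomain:`t`tMTIT`r`n`tLogon ID:`t(0x0,0x3E7)`r`n`tLogon Type:`t2",
    "Successful Logon:`r`n`tUser Name:`tjsmith`r`n`tDomain:`t`t$env:COMPUTERNAME`r`n`tLogon Type:`t2",
    "Successful Network Logon:`r`n`tUser Name:`tjsmith`r`n`tDomain:`t`tSALES`r`n`tLogon Type:`t3"
)
Get-LogonSummary -Messages $sample | Format-Table -AutoSize

# Live use over the real Security log (administrator rights required):
# Get-LogonSummary -Messages (Get-EventLog -LogName Security -InstanceId 528,540 -Newest 200).Message
```

The first two sample events are both Logon Type 2 although one is a domain account and one a local account, which is exactly the point of the caveat above: the Security log does not encode the book's interactive/network distinction, so you have to derive it from the domain field.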


Automatic logon

The process of automating the logon process by storing the
user's credentials in the registry, under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the values
AutoAdminLogon, DefaultUserName, DefaultDomainName and DefaultPassword).
While autologon is convenient, it is a security risk: anyone who can
physically access the computer gets a logged-on session without knowing
a password and can therefore reach whatever the autologon account can
reach. Furthermore, the DefaultPassword value holds the user's password
in clear text, so any user who can read that key, locally or through
the Remote Registry service with sufficient permissions, can recover
the password and reuse it elsewhere. If autologon is unavoidable, use a
dedicated low-privilege local account and store the password as an LSA
secret (as the Sysinternals Autologon tool does) rather than in
DefaultPassword; note that an LSA secret still protects the password
only against non-administrators on that machine.
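The following is an added example, not code from the book: it audits the Winlogon values that implement automatic logon and, on request, turns autologon off and removes the clear-text password. The check runs against a hashtable so it can be exercised on the constructed sample values shown (the account and password are made up), or against the live key via Get-WinlogonValues from an elevated prompt.

```powershell
# Added example (not from the book): detect and remediate clear-text autologon.
# Registry path and value names are the ones Winlogon uses on WS2003 and later.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonValues {
    # Read the live key into a plain hashtable (dropping the PS* provider
    # properties that Get-ItemProperty adds).
    $values = @{}
    $item = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -notmatch '^PS') { $values[$p.Name] = $p.Value }
    }
    $values
}

function Test-Autologon {
    param([Parameter(Mandatory)][hashtable]$Values)
    # AutoAdminLogon is a REG_SZ "1" or "0"; treat anything but "1" as off.
    $enabled = ("$($Values['AutoAdminLogon'])" -eq '1')
    $hasClearPassword = $Values.ContainsKey('DefaultPassword') -and
                        -not [string]::IsNullOrEmpty("$($Values['DefaultPassword'])")

    $finding = if ($enabled -and $hasClearPassword) { 'Autologon on, password readable in clear text' }
               elseif ($enabled)                    { 'Autologon on, password held elsewhere (for example an LSA secret)' }
               elseif ($hasClearPassword)           { 'Autologon off, but a stale DefaultPassword value remains' }
               else                                 { 'No autologon configured' }

    [pscustomobject]@{
        AutologonEnabled  = $enabled
        Account           = if ($enabled) { "$($Values['DefaultDomainName'])\$($Values['DefaultUserName'])" } else { $null }
        ClearTextPassword = $hasClearPassword
        Finding           = $finding
    }
}

function Disable-Autologon {
    # Turn autologon off and scrub the clear-text password. Needs admin rights.
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
}

# Constructed sample: the values a typical autologon setup leaves behind.
$sample = @{
    AutoAdminLogon    = '1'
    DefaultUserName   = 'kiosk'
    DefaultDomainName = 'MTIT'
    DefaultPassword   = 'Summer2003'
}
Test-Autologon -Values $sample | Format-List

# Live check of this machine, then remediation if the finding is unacceptable:
# Test-Autologon -Values (Get-WinlogonValues) | Format-List
# Disable-Autologon
```

The third finding ("stale DefaultPassword") is the case most often missed: administrators switch AutoAdminLogon to 0 but leave the password value in place, where it remains readable.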


Secondary logon

Also called Run As, this feature lets the currently logged-on user run
programs under another set of credentials, provided the user knows them
and the Secondary Logon service is running. For example, sysadmins
typically have two sets of credentials:

  • An ordinary user account (belonging to the Domain Users group) that
    they use for accessing their email, browsing the web, writing
    reports, and so on

  • An administrator account (belonging to the Domain Admins group) that
    they use to perform administrative tasks such as installing programs,
    configuring services, creating shares, and so on

Using secondary logon, an administrator can run programs and perform
tasks that require administrative rights while logged on to her
desktop computer with her ordinary user account. Bear in mind that the
administrative process still runs in the ordinary user's desktop
session, so anything malicious running as the ordinary user can
interact with it or capture the admin password as it is typed; Run As
reduces day-to-day exposure of the admin account but does not isolate
it from a compromised workstation.
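The following is an added example, not code from the book: it starts an administrative tool under a second set of credentials from an ordinary user's session, checking first that the Secondary Logon service is available. The account name MTIT\jsmith-admin is an assumption for illustration, following the chapter's mtit.com example.

```powershell
# Added example (not from the book): Run As from PowerShell, with the
# equivalent runas.exe commands for reference.

function Assert-SecondaryLogonService {
    # runas.exe and Start-Process -Credential both depend on the Secondary
    # Logon service (seclogon); fail early if it has been stopped or disabled.
    $svc = Get-Service -Name seclogon -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        throw "Secondary Logon service is $($svc.Status); it must be running to use Run As."
    }
    $svc.Status
}

function Start-AsAdmin {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string]$ArgumentList,
        # Either logon-name form works here: MTIT\jsmith-admin or jsmith-admin@mtit.com
        [Parameter(Mandatory)][string]$UserName
    )
    Assert-SecondaryLogonService | Out-Null
    # Prompt for the second password interactively; never hard-code it.
    $cred = Get-Credential -UserName $UserName -Message "Credentials for $UserName"
    $params = @{ FilePath = $FilePath; Credential = $cred }
    if ($ArgumentList) { $params['ArgumentList'] = $ArgumentList }
    Start-Process @params
}

# Open Active Directory Users and Computers as the admin account
# (assumed account name for illustration).
Start-AsAdmin -FilePath 'mmc.exe' -ArgumentList 'dsa.msc' -UserName 'MTIT\jsmith-admin'

# Equivalent with the built-in command-line tool:
#   runas /user:MTIT\jsmith-admin "mmc dsa.msc"
# With /netonly the process runs locally under your own token and presents
# the admin credentials only to remote servers; the Security log records
# this as Logon Type 9 (NewCredentials):
#   runas /netonly /user:MTIT\jsmith-admin "mmc dsa.msc"
```

Prefer /netonly when the tool only needs to talk to remote servers: the admin credentials are never used to create a local logon session on the workstation, which narrows what a local attacker can harvest.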



Logon Names

Consider a user named John Smith who has a user account with the
username jsmith. In a workgroup scenario, the logon name for John Smith
is simply his username jsmith, and to log onto a standalone server John
Smith enters jsmith and his password in the Log On to Windows box
invoked by Ctrl+Alt+Delete. Things are somewhat different in a domain
scenario when Active Directory is deployed; in this case, each user has
two different logon names:

User logon name

This name is of the form username@UPNsuffix, where username is the name
of the user's account and UPNsuffix is, by default, the DNS name of the
domain in which the user's account resides. If John Smith belongs to a
domain named mtit.com, his user logon name would be jsmith@mtit.com.
Another name for this name is user principal name (UPN), and every user
in the forest must have a unique UPN. For example, if there is another
John Smith in the company but he belongs to the sales.mtit.com domain,
then his UPN would be jsmith@sales.mtit.com, which is different from
the UPN for the first John Smith. If a third John Smith was then hired
into the same sales.mtit.com domain, the administrator would have to
assign him a different username such as jsmith2 so that his UPN is
unique throughout the forest (and because the username itself must be
unique within a domain). Note that Active Directory on WS2003 does not
itself enforce UPN uniqueness: the Active Directory Users and Computers
snap-in checks the global catalog when you create a user, but an
account created through LDAP or a script can be given a duplicate UPN,
after which UPN logon for the affected accounts fails. Audit for
duplicates rather than assuming the directory prevents them.


Downlevel logon name

This name is of the form DOMAIN\username, where DOMAIN is the downlevel
(NetBIOS) domain name for the domain and username is the account's
pre-Windows 2000 logon name (sAMAccountName), which must be unique
within its domain and is limited to 20 characters for user accounts.
For example, if the downlevel domain name for the mtit.com domain is
MTIT, then the downlevel logon name for the first John Smith would be
MTIT\jsmith. Downlevel domain names must also be unique across the
forest, so in our previous example the downlevel logon name for the
second John Smith would typically be SALES\jsmith, and for the third
John Smith it would be SALES\jsmith2. Downlevel domain names are
supported primarily for interoperability with downlevel NT domain
controllers in domains whose domain functional level is Windows 2000
mixed or Windows 2000 interim and for downlevel Windows 95/98/Me/NT
clients, although the DOMAIN\username form itself is accepted by every
Windows logon dialog and tool, and it is the pair of values (user name
and NetBIOS domain) that Security log events record, so it is the form
you will most often see in audit records.



While the UPN suffix is usually the DNS name of the domain where the
user's account resides, it doesn't have to be: you can assign a
different UPN suffix to all users in your forest if desired. See Forest
earlier in this chapter for more information.
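The following is an added example, not code from the book: it parses the three logon-name forms discussed above (UPN, downlevel, bare local username) and checks a set of accounts for the uniqueness rules the text describes, including a UPN collision caused by an alternative UPN suffix. The mtit.com, sales.mtit.com, MTIT and SALES names follow the text; the account list, including an eng.mtit.com domain, is constructed sample data.

```powershell
# Added example (not from the book): logon-name parsing and a forest-wide
# uniqueness audit over constructed account data.

function ConvertFrom-LogonName {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match '^([^\\@]+)@([^\\@]+)$') {
        return [pscustomobject]@{ Form = 'UPN';       User = $Matches[1]; Realm = $Matches[2] }
    }
    if ($Name -match '^([^\\@]+)\\([^\\@]+)$') {
        return [pscustomobject]@{ Form = 'Downlevel'; User = $Matches[2]; Realm = $Matches[1] }
    }
    if ($Name -match '^[^\\@]+$') {
        # Bare username: a local SAM account, i.e. the workgroup case.
        return [pscustomobject]@{ Form = 'Local';     User = $Name;       Realm = $null }
    }
    throw "Not a valid logon name: $Name"
}

function Test-LogonNameUniqueness {
    # Each account carries Sam (sAMAccountName), DnsDomain, NetBios and an
    # optional UpnSuffix override (an alternative suffix defined on the forest).
    param([Parameter(Mandatory)][object[]]$Accounts)
    $findings = @()
    $byUpn = @{}
    $byDownlevel = @{}
    foreach ($a in $Accounts) {
        $suffix = if ($a.UpnSuffix) { $a.UpnSuffix } else { $a.DnsDomain }
        $upn = ('{0}@{1}' -f $a.Sam, $suffix).ToLower()
        $dl  = ('{0}\{1}' -f $a.NetBios, $a.Sam).ToLower()

        # sAMAccountName of a user may be at most 20 characters.
        if ($a.Sam.Length -gt 20) { $findings += "${dl}: sAMAccountName longer than 20 characters" }

        # UPNs must be unique across the whole forest; AD itself does not check.
        if ($byUpn.ContainsKey($upn)) { $findings += "Duplicate UPN $upn ($($byUpn[$upn]) and $dl)" }
        else                          { $byUpn[$upn] = $dl }

        # sAMAccountName need only be unique within its own domain.
        if ($byDownlevel.ContainsKey($dl)) { $findings += "Duplicate sAMAccountName in domain: $dl" }
        else                               { $byDownlevel[$dl] = $true }
    }
    $findings
}

# Constructed forest: the three John Smiths from the text plus one account
# in an assumed eng.mtit.com domain that was given the forest root suffix.
$forest = @(
    [pscustomobject]@{ Sam = 'jsmith';  DnsDomain = 'mtit.com';       NetBios = 'MTIT' },
    [pscustomobject]@{ Sam = 'jsmith';  DnsDomain = 'sales.mtit.com'; NetBios = 'SALES' },
    [pscustomobject]@{ Sam = 'jsmith2'; DnsDomain = 'sales.mtit.com'; NetBios = 'SALES' },
    [pscustomobject]@{ Sam = 'jsmith';  DnsDomain = 'eng.mtit.com';   NetBios = 'ENG'; UpnSuffix = 'mtit.com' }
)

Test-LogonNameUniqueness -Accounts $forest      # reports the jsmith@mtit.com collision
ConvertFrom-LogonName 'jsmith@sales.mtit.com'   # Form UPN, User jsmith, Realm sales.mtit.com
ConvertFrom-LogonName 'SALES\jsmith2'           # Form Downlevel, User jsmith2, Realm SALES
```

The ENG\jsmith account is perfectly legal on the downlevel side (its sAMAccountName is unique within eng.mtit.com) yet breaks UPN logon for both jsmith accounts that resolve to jsmith@mtit.com, which is why a UPN audit has to span the forest rather than a single domain.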

