LabMice.net - The Windows 2000\XP\.NET Resource Index

Last Updated December 10, 2003

Windows 2000 Logon and Authentication

Windows 2000 has replaced the LAN Manager (LM) authentication used in Windows NT with a more secure Kerberos authentication scheme.
Where to Start...

Windows 2000 Startup and Logon Traffic Analysis
The client startup and logon process is the process the Microsoft Windows operating systems use to validate a computer or user in the Windows networking environment. Developing an understanding of the client startup and user logon process is fundamental to understanding Windows 2000 networking.

Basic Overview of Kerberos User Authentication Protocol in Windows 2000
Microsoft Knowledge Base Article: 217098 - This article describes Kerberos user authentication in Windows 2000. 

Guidelines for Enabling Smart Card Logon with Third-Party Certification Authorities 
Microsoft Knowledge Base Article: 281245 - You can enable a smart card logon process with Microsoft Windows 2000 and a non-Microsoft Certificate Authority (CA) by following the guidelines in this article. There is limited support for this configuration, as described later in this article. 

Local Logon Process for Windows 2000 
Microsoft Knowledge Base Article: 231789 - This article describes how Windows 2000 authenticates users on your local computer.

Step-by-Step Guide to Using Secondary Logon in Windows 2000 
This technical step-by-step guide provides examples of using the secondary logon feature, the Run as service, in the Windows 2000 operating system. Secondary logon allows administrators to avoid having to log on with an administrative account for each task. Instead, secondary logon enables administrators to log on with an ordinary user account and then start trusted administrative tools in the context of the administrator's account without logging off. A user with multiple credentials can start applications under different credentials without needing to log off. Source: Microsoft.com (March 3, 2000)

Windows 2000 Logon Passwords
Microsoft Knowledge Base Article: 258289 - A new Windows 2000 installation, or a Windows 2000 upgrade from Microsoft Windows 95 or Microsoft Windows 98, may unexpectedly prompt you for a password. The following notification occurs when you log on to the Windows 2000-based computer:

How to:

Assign "Log On locally" Rights to Windows 2000 Domain Controller
Microsoft Knowledge Base Article: 234237 - This article describes how to assign "Log on locally" rights for users and groups to Windows 2000-based domain controllers.

Automatically Use Dial-Up Networking to Logon 
Microsoft Knowledge Base Article: 172125 - This article explains how to configure a computer that runs Microsoft Windows NT 4.0 or Microsoft Windows 2000 to always "Logon using Dial-up Networking". This option enables you to dial into your logon server to authenticate your user account.

Bypassing Automatic Logon in Windows NT
Microsoft Knowledge Base Article: 114615 - After you set up automatic logon, the Windows NT Logon dialog box no longer appears at startup. You are then unable to log on as a different user until the automatic logon feature is disabled in the Registry. However, there are times when you would need to temporarily bypass the automatic logon procedure; for example, when you need to perform an action that the current user does not have permission to do.

Changing Background Bitmap for the Windows NT Logon Screen
Microsoft Knowledge Base Article: 103327 - You can change the default background bitmap used at the Windows NT logon screen by modifying a value in the Registry.

How Authentication Works for Net Use Command
Microsoft Knowledge Base Article: 149861 - When you use the NET USE command to connect to a share on a server in a domain, the following authentication process verifications take place:

How to Configure Automatic Logon to a Terminal Server
Microsoft Knowledge Base Article: 260711 - This article describes how to set up automatic logon on a Terminal Server.

HOW TO: Configure Windows Clients to Use Both NetWare Servers and Windows 2000 Servers
Microsoft Knowledge Base Article: 300976 - This step-by-step article is intended for use by network administrators who operate in an environment that requires client access to both Windows 2000 and Novell NetWare resources but do not wish to install additional software on each client.

How to Disable LM Authentication on Windows NT
Microsoft Knowledge Base Article: 147706 - Prior to Windows NT 4.0 Service Pack 4 (SP4), Windows NT supported two kinds of challenge/response authentication:

How to Enable Automatic Logon in Windows NT
Microsoft Knowledge Base Article: 97597 - Windows NT allows you to automate the logon process by storing your password and other pertinent information in the Registry database.

How to Enable Logon Screen Shutdown Button in Windows 2000 Server 
Microsoft Knowledge Base Article: 232399 - In Microsoft Windows 2000 Professional, the Shutdown button is available in the Welcome screen after pressing CTRL+ALT+DELETE to log on. However, in Windows 2000 Server, the Shutdown button is not available by default.

How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT
Microsoft Knowledge Base Article: 239869 - Historically, Windows NT supports two variants of challenge/response authentication for network logons: LAN Manager (LM) challenge/response and Windows NT challenge/response (also known as NTLM version 1 challenge/response).

How to Install Microsoft Authentication on a Macintosh
Microsoft Knowledge Base Article: 101747 - Windows NT Advanced Server provides an installable component to validate users that are connecting to the Windows NT Advanced Server from a Macintosh. The Microsoft User Authentication Module (UAM) provides a more secure logon session by sending an encrypted password, rather than a straight text password, across the network.

How to Make Accessibility Options Active in Logon Screen
Microsoft Knowledge Base Article: 274804 - This article describes how to make the Windows 2000 accessibility features active in the logon screen to assist people with disabilities with logging on. 

HOW TO: Make the Shutdown Button Unavailable in the Logon Dialog Box 
Microsoft Knowledge Base Article: 313924 - This article describes how to prevent users from shutting down the computer from the.. 

HOW TO: Prevent Users From Submitting Alternate Logon Credentials 
Microsoft Knowledge Base Article: 310360 - This step-by-step article describes how to prevent users from submitting alternate logon credentials. You may want to do this because of the "Runas" feature. The "Runas" feature was introduced in Microsoft Windows 2000, and an administrator who is logged on with a regular user account could use it to type in a user name and password that has administrative privileges in order to install programs. 

How to Receive Verbose Startup, Shutdown, Logon, and Logoff Status Messages 
Microsoft Knowledge Base Article: 316243 - This article describes how to configure Windows so that you receive verbose startup, shutdown, logon, and logoff status messages. In scenarios where you are troubleshooting slow startup, shutdown, logon, or logoff behavior, you may find it helpful to enable verbose logging.

How to Restore the Original Logon Interface in Windows 
Microsoft Knowledge Base Article: 302346 - When you start your computer after you install a third-party program, the default Windows logon interface may not appear. 

How to Run a Logon Script Once When a New User Logs On
Microsoft Knowledge Base Article: 284193 - This article describes how to configure a logon script, or program to run one time. These steps apply only to new users who have never logged on to the computer. If a user already has a local user profile, or a roaming profile, the script will not run.

How to Set the NUM LOCK State at Logon Using a Logon Script
Microsoft Knowledge Base Article: 262625 - Windows preserves the keyboard state when a user logs off. When a user logs off and then logs on again, the NUM LOCK state is set to "off." 

How to Set Up the Internet Authentication Service for Multiple Domain Logon Sessions by Using the Realm Replacement Rules 
Microsoft Knowledge Base Article: 296094 - This article describes the steps to set up the Internet Authentication Service (IAS) in Windows 2000 for multiple domain logon sessions by using the Realm Replacement rules.

Windows Logon Welcome, Displaying Warning Message
Microsoft Knowledge Base Article: 101063 - The logon dialog box Windows NT displays can be interpreted as an invitation to breach system security. The "Welcome" caption on the dialog box cannot be changed. However, you can enable a warning message dialog box by making the following changes to the Registry:

Troubleshooting: Known Logon and Authentication Issues

Troubleshooting Internet Service Provider Login Problems
Microsoft Knowledge Base Article: 161986 - This article describes how to troubleshoot Internet service provider (ISP) logon problems. This article discusses only logon problems, not modem or dialing problems. For information about modem or dialing problems, see the following article: 

Troubleshooting Netlogon Event 5774, 5775, and 5781
Microsoft Knowledge Base Article: 259277 - One or more error messages may be logged in the System event log if the Netlogon service registration or deregistration process does not succeed. This article describes these error messages and offers some troubleshooting techniques. 


A User May Experience a Slow Logoff Process Because of an Open Registry Handle in the Classes Hive 
Microsoft Knowledge Base Article: 319909 - The first user who logs on to a workstation after the computer is restarted may experience slow logoff times (more than 60 seconds). When this problem occurs, the Userenv.log file contains entries that are similar to: USERENV(76c.818) 13:06:00:133... 

A Windows 2000 Client Authenticates with the Primary Domain Controller Operations Master After a Password Change 
Microsoft Knowledge Base Article: 268518 - In typical operations, a Windows 2000-based domain user should be authenticated by the "closest" domain controller in the domain. This is usually a domain controller that is located in the same site as the client. The mechanism that controls this behavior is described in the Windows 2000 Distributed Systems Guide. However, in some cases, the authentication takes place with the primary domain controller operations master (also known as flexible single-master operations or FSMO) for the domain, even if it is in a site that is physically remote from the client.

Access Violation When Running the Network Identification Wizard
Microsoft Knowledge Base Article: 255569 - When you run the Network Identification Wizard prior to logon, your computer may silently restart or you may receive an "access violation" error message in Svchost.exe.

Account Lockout Because BadPasswordCount Not Reset to 0 
Microsoft Knowledge Base Article: 263821 - User accounts may get locked out in a mixed environment with Windows 2000-based domains and Microsoft Windows NT 4.0-based domains. 

Cannot Log Off Current User in Windows
Microsoft Knowledge Base Article: 228801 - When you click Start, click Shut Down, and then click Log Off User, you may be logged on again without a password prompt.

Cannot Logon After Changing Keyboard Settings
Microsoft Knowledge Base Article: 138354 - You have configured your U.S. version of Windows NT with a foreign language keyboard layout and you have extended characters in your password. After changing your password, you cannot log on. 

Citrix ICA Client Automatic Logon Domain Name Not Filled In
Microsoft Knowledge Base Article: 291528 - Windows 2000 does not place the domain name in the logon dialog box for a remote Citrix ICA session if the user name is blank. 

Clients Unable to Log On to Domain in the Absence of Domain Controllers
Microsoft Knowledge Base Article: 263108 - Using a Microsoft Windows 2000 client, you may be unable to log on to a domain with Microsoft Windows NT 4.0 domain controllers after the demotion of the last remaining Windows 2000 Active Directory domain controller.

Domain Logon Script Fails to Run 
Microsoft Knowledge Base Article: 142672 - When you log on to a Windows NT domain from a computer running Windows 95, your logon script may not run, you may get no indication of the error, and none of the logon script gets processed.

Domain Users Cannot Join Workstation or Server to a Domain 
Microsoft Knowledge Base Article: 251335 - When you attempt to join a Windows 2000 or Windows XP domain from a computer running Windows NT 4.0 Workstation or Windows NT 4.0 Server, the following error message may be displayed:

Error Messages About User Profile Appear in Several Logon Situations 
Microsoft Knowledge Base Article: 289158 - Under the following circumstances, a user may encounter several error messages that concern profiles: 

Error Message: The Local Policy of This System Does Not Permit You to Log on Interactively
Microsoft Knowledge Base Article: 276590 - When you add a group, such as Domain Users, Everyone, or Authenticated Users, to the "Deny Logon Locally" user right, users that are members of those groups can no longer log on to certain computers. When a user tries to log on to the computer, the user may receive the following error message: The Local policy of this system does not permit you to log on interactively. The administrator of your system may find this behavior to be unexpected.

Error Message: The Account Is Not Authorized to Login from This Station
Microsoft Knowledge Base Article: 281648 - When you attempt to join a Windows 2000-based computer to a Microsoft Windows NT 4.0-based domain, you may receive the following error message: The following error occurred attempting to join the domain "domainname": The account is not authorized to login from this station. 

Error Message When You Log On to Windows 2000 Using IPX
Microsoft Knowledge Base Article: 260399 - When you attempt to log on to a Windows 2000 domain or a mixed Windows 2000\Microsoft Windows NT 4.0 domain, you may receive the following error message: The domain password you supplied is not correct, or access to your logon server has been denied. This problem may be intermittent in a mixed environment (Windows 2000/Windows NT 4.0), because Windows NT 4.0 does not exhibit this problem.

Interactive Logon Allows Unauthorized Actions in Desktop Process
Microsoft Knowledge Base Article: 260197 - If you interactively log on to a computer running Windows 2000, you may be able to perform unauthorized actions because of a security vulnerability. 

Home Folder Mappings to Down-Level Servers May Not Work During Logon  
Microsoft Knowledge Base Article: 308580 - If a user's home folder is mapped to a network drive on a down-level Server Message Block (SMB) server, the drive may not connect during the logon process.

Kerberos Authentication May Not Work If User Is a Member of Many Groups
Microsoft Knowledge Base Article: 280830 - If a user is a member of many groups either directly or because of group nesting, Kerberos authentication may not work. The Group Policy object (GPO) may not be applied to the user and the user may not be validated to use network resources.

Local Security Policy Does Not Enable a User to Locally Log on to System 
Microsoft Knowledge Base Article: 285548 - When you attempt to locally log on to a Microsoft Windows 2000-based computer, you may receive the following error message: The local policy of this system does not permit you to logon interactively. Network access, however, to the computer is still available, and the Domain security policy that disables the log on to the local computer is not set. 

Logged-On Users May Not Be Authenticated to Services After KRBTGT Password Change
Microsoft Knowledge Base Article: 295083 - After a change in the password for the KRBTGT account (the account that is used for Kerberos authentication), users who are currently logged on may begin to experience unsuccessful authentication to some services.

Logging on to a Domain Does Not Work From a Windows 2000-Based RAS Client
Microsoft Knowledge Base Article: 269119 - When you try to log on to a domain from a Windows 2000-based Remote Access Services (RAS) client by using Dial-Up Networking, you are logged on with cached credentials. This problem may result in logon scripts that do not run, and also may prevent access to group policies, roaming profiles, and home folders.

Logon Banner Can Be Dismissed Without User Action
Microsoft Knowledge Base Article: 274190 - In Windows 2000, you can configure a logon banner to be displayed before the prompt for logon credentials. If a user presses CTRL+ALT+DELETE, the logon banner is displayed in a message box with an OK button at the bottom. If a user does not click the OK button, the logon box is automatically dismissed after two minutes and the prompt for logon credentials is displayed.

Logon Behavior of a User Account with an Appended Dollar Sign
Microsoft Knowledge Base Article: 314898 - When a user account name with a dollar sign ($) appended to it exists in the Active Directory (such as "testuser$"), a logon attempt with the account succeeds even if the dollar sign is not appended ("testuser"). The exception to this rule is the case where two user accounts exist as "testuser" and "testuser$". In that case, the logon attempt without the dollar sign appended only succeeds for the actual "testuser" account.

Logon Error Message Reports, 'No Domain Controller Found or Domain Does Not Exist'
Microsoft Knowledge Base Article: 290129 - When you attempt to log on to a Microsoft Windows 2000-based domain from a non-Windows 2000-based client computer, you may receive the following error message: No Domain controller found or domain does not exist. This behavior can occur when use of NetBIOS over TCP/IP is not enabled on the client computer. 

Logon Process Hangs After Encrypting Files on Windows 2000
Microsoft Knowledge Base Article: 269397 - After you encrypt files on your Windows 2000-based computer, the computer may stop responding (hang) during the logon process. When this occurs, no users can log on to the computer. 

Logon Time Restrictions Prevent Users on Windows NT 4.0 from Remotely Accessing Windows 2000 Resources
Microsoft Knowledge Base Article: 263006 - In an environment with a Microsoft Windows NT 4.0-based primary domain controller (PDC) and Windows 2000-based computers, non-administrative users who are logged on to Windows NT 4.0-based computers may not be able to gain access to Windows 2000 resources remotely. 

Members of an Extremely Large Number of Groups Cannot Log On to the Domain 
Microsoft Knowledge Base Article: 306259 - When a Windows 2000 account belongs to a large number (over 1,000) of groups, the Security Account Manager (SAM) requires a large amount of time to do the group evaluation during account logon. During this time, the administrator cannot recover the domain controller because the administrator will have a token that has more than 1,024 security identifiers (SIDs), and Local Security Authority (LSA) will ultimately fail the logon because of too many SIDs. Also, the failure will take a long time to appear because of the increased SAM activity.

Netlogon Service Does Not Start, Event Viewer Records Event IDs 2114 and 7024
Microsoft Knowledge Base Article: 269375 - When you start your Windows 2000 Server-based computer, the Netlogon service does not start, even though the "Startup type" is set to "automatic". Event Viewer logs the following errors: 

No Username on Initial Logon to Windows NT 
Microsoft Knowledge Base Article: 106523 - If you install Windows NT and do not create any local user accounts, the Username field on the Welcome screen will be blank when you start Windows NT the first time. To log on, you must log on as either a guest or the administrator, using the appropriate password. 

Policy Restrictions on Drives Cause Unnecessary Error Message at Logon and in File Dialog Box
Microsoft Knowledge Base Article: 270037 - When the "Prevent access to drives from My Computer" policy is applied, you receive the following error message during the logon process: This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator Also, when this policy is applied, you see the same error message twice if you click a drive in My Computer. 

Registry Handles Leaked in Winlogon When Canceling Drive Reconnect Dialog Box 
Microsoft Knowledge Base Article: 266655 - When Windows 2000 is attempting to reconnect user-mapped drives during the logon process, a dialog box that you can use to cancel the operation is displayed. If, during this process, a drive is not available and you click Cancel, Windows 2000 may leak registry event handles.

The Administrator Profile Takes Longer to Load Than a Power User Profile
Microsoft Knowledge Base Article: 259787 - When you log on as an administrator, you may experience the following symptoms:

"The Net Logon Service Hung on Starting" Is Recorded in the System Event Log After You Run Dcpromo.exe
Microsoft Knowledge Base Article: 315951 - After you run the Dcpromo.exe tool and restart the computer, the following information may be logged in the System event log on the new domain controller: 

Trusted Domains Do Not Appear in the Available List for Domain Logon or Setting Security Permissions 
Microsoft Knowledge Base Article: 310611 - When logging on to a Windows 2000 domain, other trusted domains (for both Windows 2000 and Windows NT 4.0 domains) are not displayed in the drop-down list of available logon options, and the only domain logon option that is available is the one to which you, the currently logged-on user, belong. Also, when trying to add or change security permissions by clicking Add on the Security tab, the current domain is the only domain choice that is displayed in the Look in window.

Unable to Log on if the Boot Partition Drive Letter Has Changed
Microsoft Knowledge Base Article: 249321 - After you try to log on to your Windows 2000-based computer by using a valid user name and password, Loading your personal settings dialog box is displayed, followed by the Saving your settings dialog box. However, the desktop does not appear, and the Welcome to Windows logon screen is displayed again. 

Users Cannot Log On to the Domain After Password Changes on a Remote Domain Controller 
Microsoft Knowledge Base Article: 318364 - After you change a user account password on a remote domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role, the user may not be able to log on to a local domain controller by entering the new password. However, the user may still be able to log on to the domain by using their previous password.

User Is Not Alerted When Logging On with Cached Credentials
Microsoft Knowledge Base Article: 242536 - When you attempt to log on to a domain from a Windows 2000-based workstation or member server and a domain controller (DC) cannot be located, no error message is displayed. Instead, you are logged on to the local computer using cached credentials.

Windows 2000 Member Computers Always Authenticate with PDC in NT 4.0 Domain 
Microsoft Knowledge Base Article: 272348 - Windows 2000-based host computers that are joined to a Microsoft Windows NT 4.0-based domain may always establish a secure channel with the primary domain controller (PDC).

Windows 2000 Does Not Support Windows NT 4.0 Directory Replication (LMRepl) 
Microsoft Knowledge Base Article: 248358 - You can configure Microsoft Windows NT 4.0 and earlier to synchronize the contents of the Netlogon shares on each of the domain controllers (DCs) in a domain. This functionality is called LanMan Directory Replication (LMRepl). Windows 2000 is not backwards compatible with this functionality. It has been replaced with the File Replication service (FRS). FRS and LanMan Directory Replication cannot be configured to replicate or synchronize with each other. In a mixed-mode environment, you may need to keep data synchronized between new Windows 2000-based DCs and the remaining down-level DCs. A Microsoft Windows 2000 Resource Kit utility named Lbridge.cmd is available to perform this function.

Windows 98 Clients Are Unable to Log On to Windows 2000 Domain: 'This Device Does Not Exist on the Network'
Microsoft Knowledge Base Article: 285951 - After you upgrade a Microsoft Windows NT 4.0-based primary domain controller (PDC) to be a Microsoft Windows 2000-based Active Directory domain controller, clients running Microsoft Windows 98 may not be able to log on to the Windows 2000-based domain. They may receive the following error messages:
This device does not exist on the network. The domain password you supplied is incorrect or access to your logon server has been denied.

You May Experience Logon Delay After Installing Directory Services Client on Windows 95 or Windows 98
Microsoft Knowledge Base Article - After you install the Windows 2000 Directory Services client for Windows 95 or Windows 98, you may experience a 15-second delay when you log on to the domain.


Entire contents © 1999-2003 LabMice.net and TechTarget. All rights reserved.

This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.