login process


Tobmello
April 27th, 2001, 05:01 AM
Can someone explain exactly what the login process is in NT and 2000? Meaning, step by step, after a computer boots up to the login window, what occurs in order for the user to have a successful login. I've got most of the steps down (probably not in the right order :). Does the computer acct get validated first before the user acct? How does the computer know where the domain controllers are (i.e. broadcast?). Which DC answers first? Is it a random choice or based on geographical location only? Thanks!!!

lynnm
April 28th, 2001, 05:37 AM
OI!!

It's a long story but basically:

1.) The computer is identified by the Primary Domain Controller based upon the MAC address of the NIC card. This lets the Primary Domain Controller know that a computer with the unique Machine Address Code of xxxx-xxx-xx-x is physically attached to the network.

2.) The Domain Controller, having determined that a machine has been connected to the network, seeks the unique name of the computer and compares that name with a list of known machines. The name is a combination of the MAC address and a name assigned to the computer by whoever configured it.

If items 1 and 2 are satisfactory (i.e. validated), the Domain Controller needs to determine which user is attempting to access the network.

3.) The Domain Controller then demands that the user supply 2 pieces of ID: the username and the user password. If the username and the password match a known profile, the user is logged onto the network via the machine that the domain controller has validated. The foregoing assumes that the user has been set up to use a roaming profile, which allows the user to log onto any workstation within a given domain (the most commonly used setup).

On some networks the user is not allowed to log onto any machine other than their own workstation. In that case the username, the password and the MAC address of the NIC (network interface card) must all satisfy the security settings established by the network administrator.

The network administrator may also specify a mix of profiles within a domain, and therefore the rights and permissions available to a user can be set up to meet the user's particular needs and those of the organization. I have seen an example wherein the user had access to virtually everything on the network when working at their own workstation, but their roaming profile would not allow access to certain sensitive material when that same user, using the same username and password, logged on from anywhere but their own machine (which was located in a special high security area safe from the prying eyes of co-workers and potential spies).

To summarize:

1.) The domain controller detects the presence of a computer.

2.) The DC then confirms that it is unique.

3.) The user is prompted to supply identifying information.

4.) The user is validated as having access to the network.

5.) The user profile is checked and the user is granted access consistent with the rights and permissions included within their profile.

6.) The profile(s) for any given user govern what programs the user may access, what they may or may not modify on the computer, and which machines the user may use (usually all, but not necessarily so). The profile also stores information as to the user's personal preferences (screensavers, startup group programs, email settings, browser homepage etc.).

This is a 1/2 page discussion of an issue that has been discussed over several hundred pages written by folks who know a hello of a lot more about this issue than I :D . I recommend Mark Minasi's books on NT Server and Windows 2000 Server if you wish a more in-depth explanation of this process. The guy knows his stuff and does a tremendous job of explaining the material.

Hopefully this has been more helpful than tedious.

[ 27 April 2001: Message edited by: lynnm ]

Tobmello
April 28th, 2001, 08:47 PM
Thanks Lynn. Splendid job as usual :)
One more question. I don't understand profiles completely. Does the user need a roaming profile? Why can't the administrator avoid dealing with profiles altogether and just have a default profile get created by the workstation when the user logs in? That way a user can modify their own profile, it gets stored on their local machine, and it doesn't take up space on a server (also: what's an avg size for a profile anyway?).

I understand that roaming profiles allow a standard desktop etc. But if the user logs in elsewhere and that computer doesn't have the same software loaded then the user's downloaded shortcuts won't work right?

lynnm
April 29th, 2001, 04:58 AM
Hello dere

A user does not necessarily require a roaming profile. The administrator may elect to restrict the user to a single machine and have the user bound to the use of a mandatory profile which could relate to a single machine as described in my earlier response.

In answer to your earlier question about whether a user would be able to use various programs when logging in from a different workstation -

Quote: "But if the user logs in elsewhere and that computer doesn't have the same software loaded then the user's downloaded shortcuts won't work right?"

That would depend upon where the program in question is stored. If the program is stored on the user's local hard disk, then when the user logs in his/her profile would be downloaded from the server and the icon for the particular program would appear on the desktop, but the icon would be pointing to their local hard disk and the program would not load when the icon is clicked. The user would simply get a file not found message.

On the other hand if the icon points to a program which resides on a network drive the program would execute from wherever the user has logged on. If for example HooDoo.exe resides on drive J: which is a network drive and assuming that the profile and the network are properly configured then HooDoo will load and run from anywhere in the domain that the user requests it from. Again there are exceptions to this rule but basically that is how things work.

Regarding the question about default profiles. The setup you envision is quite common. The administrator sets up a standard profile for all users in the Accounting section, for example (by using the group membership option under user accounts), and then can easily add or subtract additional rights and permissions as required for individual users. That way the administrator need not re-invent the wheel every time a new user is created within the system.
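As an added example (not from the thread or from any product the posters mention), the following PowerShell script audits the shortcuts on a user's desktop and flags the ones whose target sits on a local disk, since those are exactly the icons that will fail with a "file not found" when the roaming profile is loaded on a different workstation; targets on UNC paths or mapped network drives such as J: travel with the user. The desktop path is an assumption (it defaults to the current user's), and the logon server line simply reports which DC validated the current session.

```powershell
# Added example: report which DC validated this logon, then classify each desktop
# shortcut by where its target lives. Local-disk targets break under a roaming profile
# on another workstation; network targets (UNC or mapped drive) keep working.
param(
    # Assumption: the profile's Desktop folder; defaults to the current user's desktop.
    [string]$DesktopPath = [Environment]::GetFolderPath('Desktop')
)

Write-Host "Logon server for this session: $env:LOGONSERVER"

$shell = New-Object -ComObject WScript.Shell

function Get-TargetLocation {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return 'unknown' }
    if ($Target.StartsWith('\\')) { return 'network (UNC)' }
    $root = [System.IO.Path]::GetPathRoot($Target)        # e.g. 'J:\' or 'C:\'
    if ([string]::IsNullOrEmpty($root)) { return 'unknown' }
    try {
        $drive = New-Object System.IO.DriveInfo($root)
        switch ($drive.DriveType) {
            'Network' { return 'network (mapped drive)' }
            'Fixed'   { return 'local disk' }
            default   { return "local ($($drive.DriveType))" }
        }
    } catch {
        return 'unknown'
    }
}

Get-ChildItem -Path $DesktopPath -Filter *.lnk -File | ForEach-Object {
    # CreateShortcut on an existing .lnk opens it for reading; it does not overwrite it.
    $lnk   = $shell.CreateShortcut($_.FullName)
    $where = Get-TargetLocation $lnk.TargetPath
    [pscustomobject]@{
        Shortcut    = $_.Name
        Target      = $lnk.TargetPath
        Location    = $where
        # True only for targets that exist wherever the user logs on.
        RoamsSafely = ($where -like 'network*')
    }
} | Sort-Object RoamsSafely | Format-Table -AutoSize
```

Run it in the user's own session before enabling a roaming profile; every row with RoamsSafely set to False is a shortcut that should either be repointed at a network share or dropped from the profile.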