Logon Process

In networks in which the servers run Windows NT Server, user account information can be stored in one of two places: either in a private local user accounts database, or in a domain user accounts database that is shared by all the Windows NT Server computers in the domain.

This section addresses some of the issues involved in logging on to a Microsoft network from computers running Windows NT Workstation and from computers running Windows 95.

Windows NT Workstation

To prepare for account logons from a Windows NT Workstation, use User Manager on the computer running Windows NT Workstation to set up local access to the Windows NT Workstation operating system. Then use the User Manager for Domains on the domain controller to set up access to the specific domain.

When a user logs on to a workgroup computer, that user's logon information is compared with the local user accounts database. When a user logs on to a computer that participates in a domain, that user can choose whether to log on locally or log on to the domain. (If the domain trusts another domain, the user can alternatively choose to log on to the trusted domain.)

If a user's local password doesn't match the password for the domain account, and that user tries to browse the domain or connect to a resource in the domain, access is denied. While tools such as Windows NT Explorer prompt for a valid password, the command-line interface and some applications simply deny access. It is always a better idea to have one set of credentials that applies everywhere in a trusted enterprise.

For a complete discussion of logon scenarios on a Windows NT network, see Chapter 2, "Network Security and Domain Planning," in the Windows NT Server Networking Guide.

Windows 95

If you want Windows 95 to validate user logons by checking the domain database, logon validation must be enabled on each computer running Windows 95.

To enable logon validation

1. In the Network option in Control Panel on the computer running Windows 95, double-click Client for Microsoft Networks in the list of network components.

2. In General Properties, check the Log On to Windows NT Domain option if you want to log on to a Windows NT or LAN Manager domain automatically when starting Windows 95. Otherwise, make sure this option is cleared.

3. When you select logon validation, you must also specify the domain to be used for validation. To do so, type or select a name in the Windows NT Domain box.

Although Windows NT networks allow multiple domains, a computer running Windows 95 can specify only one domain for user-level security. For information on using trust relationships to access multiple domains, see Windows NT Server 4.0 Concepts and Planning, which is part of the Windows NT Server documentation set.

For more information, see Chapter 8, "Windows 95 on Microsoft Networks" in the Windows 95 Resource Kit.

Password Caching

By default, password caching and unified user logon are enabled in Windows 95. These features work as follows:

When the user supplies a password in order to connect to a resource, that password is saved in a password list file. The next time the user accesses that resource, the password is supplied from the password list. The user only needs to remember one password, the one to log on to the user account.

Password caching and unified user logon are useful when the user needs to log on to multiple networks (for example, Windows NT and Novell NetWare networks). To use unified logon, a user account must be available on the network and must contain user account information for the user.