Why interactive logon is not allowed (revised)    Liu Jun
Foreword: Since this article was published on the Computer World website, I have received dozens of e-mails offering valuable opinions on it. Because I am still half unemployed, I have not yet revised the article accordingly (if any netizen can offer me a job opportunity, I will be grateful...). The mail keeps growing and I cannot answer every message one by one, so I have collected the questions that come up most often into the "Question and Answer" section at the end of this article. I hope it helps you; thank you.

I built a Win2000 terminal network using Win2000 Server in Application Server terminal services mode with Citrix (SP3). When the logon window appeared on the client, an ordinary domain user account got the prompt "this computer does not allow you to log on". Administrator had no such problem, and logging on to the domain server with a local account had no problem either. I then checked the documentation, and this is what I understood.

First, the authentication mechanism of NT and Win2000. NT and Win2000 verify domain user accounts through the NTLM and Kerberos protocols, while logon with a local account is verified by the MSV1_0 protocol. The user provides logon information (such as user name and password), which is sent to the server's verification mechanism; the verifier decides whether the user's identity is genuine by comparing it against the local database file (SAM) and, if it passes, issues the user an access token. In the original NT mode, because trust relationships between domains were one-way and non-transitive, a domain user who needed access to another domain's resources had to have the trust relationship set up and the access explicitly authorized. In the current Win2000 domain mode, each user's token carries a SID: the domain ID is a GUID that never changes within a forest, and the relative part is allocated by each domain's RID master (relative ID master).

A SID is unique within its domain; the same SID may also turn up in another domain, but because the domain IDs differ, the two GUIDs cannot be the same. This, however, depends on the Kerberos protocol: Kerberos provides transitive, two-way trust relationships between domains, that is, if A trusts B then B trusts A, and if A trusts B and B trusts C then A trusts C. Of course this can also be adjusted manually. A token alone is not enough: the token only decides whether the user has the privilege to log on to the domain or to the local computer, while the resources and system permissions the user can access are controlled by ACLs and ACEs. An ACL (Access Control List) is, for every file and folder, the list of user groups and users whose access is controlled, and an ACE (Access Control Entry) is a specific access type (such as Read, Write and so on).
Now to the mechanism of local interactive logon in a Win2000 domain. It is well known that Win2000 uses the Kerberos protocol to verify users at logon. When a local user logs on to a domain server, the GINA (Graphical Identification and Authentication) DLL receives the logon request and forwards it to the LSA (Local Security Authority). Because Kerberos is the default authentication mechanism in Win2000, the LSA asks Kerberos to verify the identity; Kerberos receives the request and returns an error, because Kerberos verifies domain accounts, not local accounts. The LSA receives the error and passes it back to GINA, and GINA then asks the LSA to verify the identity with the MSV1_0 protocol; if that passes, the local interactive logon completes.

Having said all this, what does it have to do with an end user logging on to the server? Is the terminal user's logon a network logon, or is it a local logon? A terminal, as the name says, takes the customer's input, sends instructions to the server, transfers no large amount of data, and finally shows the result on the client's display. It is actually a local logon process, so the account the customer uses must be a local account.

Now a specific solution. Win2000's pride is the GPO, the Group Policy Object. Where NT configured policy by modifying the registry or by running POLEDIT.EXE to edit the NTConfig.pol file, Win2000 uses GPOs to achieve very powerful centralized group policy. Group policy is based on Active Directory, and Active Directory is located through DNS. So if you want to use GPOs, after installing Win2000 Server and DNS you must run DCPROMO.exe to install Active Directory. Then click Start - Programs - Administrative Tools - Active Directory Users and Computers (Figure 1).
Right-click the domain controllers container (in this example, Domain Controllers) - Properties - Group Policy, as shown in Figure 2 (please pay special attention to this: it is not the Default Domain Policy).
Click Options and tick "No Override".
Select Default Domain Controllers Policy and click Edit to enter the GPO window. Go to Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment (Figure 4).
On the "Log on locally" right, add the group the end users belong to.
Close all windows. Open a Win2000 command prompt and run secedit /refreshpolicy machine_policy, then check whether the group policy has been applied successfully. Finally, at the client, you can log on successfully with the end-user account you added.

My e-mail: Owlbird@163.com. I hope to make progress together with friends who love computer technology; welcome everyone to visit my website: OWLBIRD.XILOO.COM
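To confirm that the refreshed policy really grants the right before sending users back to the terminal client, here is an added example that is not part of the original article. It exports the machine's effective user rights with secedit /export and lists the accounts holding the "Log on locally" right (SeInteractiveLogonRight) together with the matching deny right, which takes precedence over an allow. It assumes a Windows host with PowerShell and secedit.exe (Win2000 itself has no PowerShell, but the same secedit export works there and the resulting file can be read by hand); the group name MYDOMAIN\TerminalUsers is a placeholder for the group you added in Figure 4.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# on the domain controller (or any machine whose effective policy you want to see).

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'

# secedit writes an INF-style file; /areas USER_RIGHTS limits it to [Privilege Rights].
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; are you running elevated?" }

# The export is UTF-16 with a BOM, which Get-Content detects automatically.
$lines = Get-Content -Path $cfg

function Get-RightHolders {
    param([string[]]$PolicyLines, [string]$Right)
    # A line looks like:
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,MYDOMAIN\TerminalUsers
    $match = $PolicyLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $match) { return @() }          # right not assigned to anyone
    $value = ($match -split '=', 2)[1]
    $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
        if ($_.StartsWith('*')) {
            # SIDs are written with a leading '*'; translate to an account name where possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($_.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else {
            $_                                # already an account or group name
        }
    }
}

$allow = @(Get-RightHolders -PolicyLines $lines -Right 'SeInteractiveLogonRight')
$deny  = @(Get-RightHolders -PolicyLines $lines -Right 'SeDenyInteractiveLogonRight')

"Allowed to log on locally:"
$allow | ForEach-Object { "  $_" }
"Denied local logon (a deny entry wins over an allow entry):"
$deny  | ForEach-Object { "  $_" }

# Spot-check the terminal users' group named in the GPO (placeholder name).
$groupToCheck = 'MYDOMAIN\TerminalUsers'
if ($deny -contains $groupToCheck) {
    "$groupToCheck is explicitly denied; remove it from the deny right first"
} elseif ($allow -contains $groupToCheck) {
    "$groupToCheck holds the Log on locally right"
} else {
    "$groupToCheck is not in the allow list; run secedit /refreshpolicy machine_policy and re-check, or look for a higher-precedence GPO"
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

If the group shows up in neither list even after a refresh, the setting is being overridden by another GPO linked higher in the OU > Domain > Site > local order described in the Q&A below, which is exactly the situation the "No Override" tick in Figure 2 is meant to prevent.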
Question & Answer:
1. May I ask you a question? My server is Windows 2000 Server SP3 with a domain installed, and the workstations are Windows 2000 Professional. After a workstation's system was installed and it joined the domain, it can log on to the domain, but it cannot log on to the local machine; the system prompts "The local policy of this system does not allow this machine to log on interactively". How do I solve this, master? Thank you!

Reply: The key to this problem is the precedence of group policy application: OU (organizational unit) > Domain > Site > this machine. After your Win2000 Pro joins the domain, if you want to log on to the domain you must have an account on the domain server, because once the machine has joined the domain, the domain group policy overrides the local policy of this machine. If you want to add an account, add it on the domain server and allow it to log on locally. Pay attention here: the domain policy is not the same as the domain controllers' group policy, as shown in Figure 5: right-click wupanlan.com (the domain in this example) - Properties - Group Policy.

2.
I have read your article, but I still cannot work out the difference between the domain server's group policy and the domain group policy. Why is the Win2000 terminal configured under Domain Controllers - Properties - Group Policy, while the Professional client is under wupanlan.com - Properties - Group Policy?
Reply:
This problem is very similar to the previous one. You must understand that terminal mode is different from server-client mode: one is remote control, the other is remote access. Remote control is equivalent to logging on to the server locally, while remote access logs on to the server in the client's way.
3.
A few days ago, because I ran into the interactive logon problem under a Windows 2000 domain, with your guidance I solved the problem of not being able to log on interactively with the Terminal Client. However, it also triggered another question. When I log on to the Windows 2000 domain, I am prompted "The local policy of this system does not permit you to log on", and even if I log on to this machine with a local user name I get the same message; that is, I cannot get into the Windows 2000 Pro system on that machine. However, this situation seems to occur only on workstations running Windows 2000 Pro, because in my domain environment there are also workstations running Windows XP, and those have no problem; they can log on normally. At first I thought it was a problem with the workstation's local policy and that this was why I could not get into the workstation, so in the end I chose to reinstall the system, but as you may guess, the result was still the same. Just at that time another Windows 2000 Pro user reported that he had the same problem, so I set it back from the machine, and everything returned to normal. I am not very familiar with the principles of the Windows domain environment, so I want to ask whether you have had a similar experience with this phenomenon? Thank you!
Reply:
WinXP does not have the corresponding group policy setting and is not affected by this group policy; for the rest, please read the article as I have corrected it.
4.
I added an ordinary user on the "Log on locally" tab (one of the users has an empty password), but I forgot to add Administrator. Now the logon window is no longer displayed on the terminal client; it goes straight into the ordinary user. I hope the heroes can take a moment to help solve this; I would be grateful!
Reply:
Run the following on the server to put Administrator into the ordinary user group that was allowed to log on locally (here the group is Users; substitute the group you added):

net localgroup Users Administrator /add
Finally, I suggest you buy the MCSE textbook <<Windows 2000 Active Directory>>, Tsinghua Publishing House.