Congratulations to Kathel Kelton of Portland, Oregon, who wins first prize, a copy of Admin911: Windows 2000 Registry (and a special "thank you" for submitting an answer that made me laugh out loud). Second prize, a copy of Admin911: Windows 2000 Group Policy by Roger Jennings, goes to Dan Fineman of University Place, Washington.
The Problem
Abner, Barry, and Charlie work in an IT lab, where they test software, configuration options, and service packs before deploying them to the enterprise. The Windows 2000 network test lab has six computers: one Domain Controller (DC), three member servers, and two workstations. The lab is self-contained on its own concentrator and has no Internet access. Because computers outside the test lab network can't access the lab computers, Abner, Barry, and Charlie feel safe using the Administrator account when they log on to the computers. In fact, to save log-on time, the Administrator account has no password. To test the effects of their experiments on users, they log on as domain users, having previously set up domain users within a variety of groups.
Yesterday, Abner told Barry and Charlie that he saw an employee hanging around his cubicle. "I'm assigning a password to my Administrator account," Abner announced. Barry and Charlie insisted that they needed to know the password to log on. Abner explained that each logon is tied to the client computer, so that when he logs on as Administrator from the computer named Server3, he's logged on as \Server3\Administrator. "After all, we can all log on as Administrator at the same time," he reminded them. Barry and Charlie said Abner was wrong—the domain has only one Administrator account. Who's right?
The Solution
Barry and Charlie are right; Abner is wrong. When they log on to the domain as Administrator, they’re logging on as the same person. Each logon name in a domain must be unique, and it has only one password. However, a unique name can log on to the domain more than once, which is what’s happening here.
Incidentally, if Abner, Barry, and Charlie go through the same scenario after they upgrade to a Windows .NET domain, the system will object. For instance, let say they’re all logged on as Administrator, using the same password (or a null password). Then, Abner presses Ctrl-Alt-Del to open the Windows Security dialog and clicks the Change Password button. Within minutes of changing the password, Barry and Charlie won't be able to work (their computers are locked), and they’ll see an Expired Credentials error dialog with the following message:
"Windows needs your current credentials to ensure network connectivity. Please lock this computer, then unlock it using your most recent password or smart card. To lock your computer, press CTRL+ALT+DELETE, and then press Enter."
When I experimented from a Windows 2000 Professional workstation on my Win2K domain, I didn’t receive any error messages from the Domain Controller (DC). After changing the password on one of the four computers from which the Administrator was logged on, I was able to work regularly--gaining access to other computers on the network, changing domain policies on the DC, and generally having the run of the domain. The only time I encountered a problem was when I tried to log on to another computer as Administrator with the old password.
