Local Windows accounts authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you are not using Active Directory but want to create user accounts on the local computer where the POP3 service is installed, you can use local Windows accounts authentication to tie the POP3 service to the local computer's user accounts.

Use local Windows accounts authentication if:

  • Your mail server is not a member of an Active Directory domain.

    -and-

  • You want to have user accounts on the same local computer as the POP3 service.

Local Windows accounts authentication integrates the POP3 service into the local computer's Security Accounts Manager (SAM). With Security Accounts Manager, users who have user accounts on the local computer can use the same user name and password to be authenticated by both the POP3 service and the local computer.

You can use local Windows accounts authentication to support multiple domains on the server, but user names across domains must be unique. For example, you cannot have a user named someone@example.com and a user named someone@northwindtraders.com.
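The uniqueness rule above can be checked against a planned mailbox list before any accounts are created. The following is an added example, not part of the original documentation or the POP3 service. It assumes that each mailbox user@domain corresponds to the local account named by the part before the "@", and it relies on Windows comparing account names case-insensitively; the function name and sample list are hypothetical.

```python
from collections import defaultdict


def find_account_collisions(mailboxes):
    """Return {local_account: [addresses]} for names used in more than one domain.

    Assumption: each mailbox user@domain corresponds to the local account
    named by the part before "@". Windows compares account names
    case-insensitively, so names are case-folded before grouping.
    """
    domains_by_account = defaultdict(set)
    for address in mailboxes:
        user, sep, domain = address.strip().rpartition("@")
        if not sep or not user or not domain:
            raise ValueError(f"not a user@domain mailbox name: {address!r}")
        domains_by_account[user.casefold()].add(domain.casefold())
    # Only names that appear under two or more distinct domains are conflicts.
    return {
        account: sorted(f"{account}@{d}" for d in domains)
        for account, domains in sorted(domains_by_account.items())
        if len(domains) > 1
    }


# Constructed sample input using the two domains named in the text.
PLANNED_MAILBOXES = [
    "someone@example.com",
    "Someone@northwindtraders.com",   # same local account, different domain
    "postmaster@example.com",
    "helpdesk@northwindtraders.com",
    "helpdesk@northwindtraders.com",  # exact duplicate, not a cross-domain clash
]

if __name__ == "__main__":
    for account, addresses in find_account_collisions(PLANNED_MAILBOXES).items():
        print(f"{account}: {', '.join(addresses)} would share one local account")
```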

POP3 Users Security Accounts Manager group

If a mailbox is created with a corresponding user account, the user account is added to the "POP3 Users" local group. Members of the "POP3 Users" group cannot log on locally to the server even though they have a user account on the server.

The restriction on local logon is enforced through the computer's local security policy. It increases server security by restricting local logon rights only to authorized users. Being unable to log on locally to the server does not affect the users' ability to use the POP3 service.

For more information on local groups and modifying local group membership, see Local Users and Groups.

For more information on local security policy, see Local Security Policy.

E-mail client authentication

Local Windows accounts authentication supports both plaintext and Secure Password Authentication (SPA) e-mail client authentication.

Because plaintext transmits the user's credentials in an unsecured, unencrypted format, the use of plaintext is not recommended. SPA, by contrast, requires e-mail clients to transmit both the user name and password using secure authentication; it is therefore recommended over plaintext authentication. For more information, see Configure the mail server to require Secure Password Authentication.

Note

  • To install Active Directory on the computer where the POP3 service is installed, see the section on upgrading from local Windows accounts to Active Directory integrated authentication in Active Directory integrated authentication. Installing Active Directory on a member server without following the recommended procedure might cause the POP3 service to work incorrectly.