What is Interactive Logon?
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Windows Server 2003 requires that all users validate their identities before they can successfully log on to the computer. The process of validating a user’s identity is called authentication.
Security in the Windows Server 2003 operating system controls the use of local and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, Windows Server 2003 uses authorization and access control technologies to implement the second phase of protecting resources: determining whether an authenticated user is authorized to access a resource.
Windows Server 2003 can authenticate users and computers that have accounts either in the Security Accounts Manager (SAM) or the Active Directory directory service.
Interactive Logon Scenarios
An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services, in which case the logon is further qualified as remote interactive. After an interactive logon, Windows runs applications on the user’s behalf and the user can interact with those applications.
Users can perform an interactive logon by logging on to a computer using a local user account or by using their domain account.
The following figure shows local and domain logons.
Interactive Logon Types
A local logon requires that the user have a user account in the SAM on the local computer. The SAM protects and manages user and group information in the form of security accounts stored in the local computer registry. The computer can have network access, but it is not required. Local user account and group membership information is used to manage access to local resources.
A domain logon requires that the user have a user account in the domain’s Active Directory. The computer must be joined to the domain and have a network connection to the domain. Users must also have rights to log on to a local computer or a domain. Domain user account and group membership information is used to manage access to domain and local resources.
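The distinction above (local SAM account versus domain account, console versus Terminal Services) is what an administrator reviewing Security logon events applies when deciding which logons need a second look. The following example is added here and is not part of this Microsoft article; it assumes the standard Windows logon type codes 2 (Interactive) and 10 (RemoteInteractive), that a local SAM logon records the computer’s own name as the account domain, and uses constructed sample records rather than a real log.

```python
from dataclasses import dataclass
from typing import List, Optional

# Windows logon type codes as recorded in Security logon events (assumed values,
# not taken from the article above).
INTERACTIVE = 2          # console logon: the user has direct physical access
REMOTE_INTERACTIVE = 10  # logon through Terminal Services (remote interactive)


@dataclass
class LogonEvent:
    logon_type: int
    user: str
    account_domain: str  # SAM account: the computer name; Active Directory: the domain
    computer: str        # computer on which the logon occurred


def classify(ev: LogonEvent) -> Optional[str]:
    """Label an interactive logon as local/domain and interactive/remote-interactive.

    Returns None for logon types that are not interactive (network, service, ...).
    """
    if ev.logon_type == INTERACTIVE:
        how = "interactive"
    elif ev.logon_type == REMOTE_INTERACTIVE:
        how = "remote-interactive"
    else:
        return None
    # A local logon authenticates against the SAM, so the account domain field
    # names the computer itself rather than an Active Directory domain.
    scope = "local" if ev.account_domain.upper() == ev.computer.upper() else "domain"
    return f"{scope} {how}"


def local_interactive_logons(events: List[LogonEvent]) -> List[LogonEvent]:
    """Interactive logons made with a local SAM account. On a domain-joined server
    these are managed outside domain account policy and deserve review."""
    return [ev for ev in events if (classify(ev) or "").startswith("local ")]


# Constructed sample events (not from a real Security log).
SAMPLE = [
    LogonEvent(2, "alice", "CORP", "FS01"),           # domain account at the console
    LogonEvent(10, "bob", "CORP", "FS01"),            # domain account via Terminal Services
    LogonEvent(2, "Administrator", "FS01", "FS01"),   # local SAM account at the console
    LogonEvent(3, "svc_backup", "CORP", "FS01"),      # network logon, not interactive
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"{ev.user:<14} {classify(ev)}")
```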
Smart Card Logon
Windows Server 2003 can also be configured to support special domain logon processes that require the use of a hardware token, such as a smart card. A smart card logon is a form of enhanced-security logon that requires both a physical identifier (the smart card) and a personal identification number (PIN).