Monday, August 10, 2009

Logging on to Windows 2008 domain as an administrator on Windows 7 domain computer

This has probably been blogged a thousand times, but let me be the 1001st blogger ;).

Thought I’d share this from Windows 7 perspective instead.

So, here’s the rundown:

  • I got myself W2008 R2 and Windows 7 RTM up and running, joined the domain and stuff.

Ok, so the thing is, when you use the logon UI from Vista/Windows 7, it does “see” the domain it just joined and sets it up for you by default as your default domain (there’s no more pull down domain lists).

image

Notice the part where it says “Log on to: BEAUTISEC”? Well, BEAUTISEC is my domain, so you can skip the BEAUTISEC\username way of logging on and just go with username. If you want to log on to a domain other than BEAUTISEC, do/see this …

image

So, let’s say I've got a domain called MSFT: I would need to type MSFT\<domain user> and log on that way. But since I am in my primary domain, i.e. BEAUTISEC, I don’t have to; I just log on.

I log on as user sanjay with my password and it works just like that. But when I log on as administrator, it doesn’t. Here’s why:

For administrator accounts

In the above scenario, the local administrator logon takes precedence unless you put the domain in front of the logon name, like BEAUTISEC\administrator, which is your domain administrator account. Then you get to log on as the domain “administrator” account.

See the screen below when I key in administrator (NOTE: the administrator here is the default built-in administrator user for that PC; it could be renamed to admin or papasmurf and the effect below is still the same).

image

The “Log on to” value is automatically set to BEAUTIFULPC, which is the local PC name, i.e. log on locally. This “feature” can also help someone figure out which account is the local built-in admin even before logging on, but yeah.. moving on..

For regular accounts

For any account other than the built-in administrator, domain logons always take precedence unless you specify BEAUTIFULPC\<username> to log on to a local account. (See my note above about the local admin account.)

image

The Log on to value automatically changes to my domain BEAUTISEC.

SIDE NOTE: On Vista/Windows 7 machines that are part of the domain, you can’t switch to the classic logon interface like the one you see in XP. But you can enable the “Interactive logon: Do not display last user name” policy through the registry or GPO (or GPEDIT locally). That lets you enter your username manually, but there are still no domain pulldowns… like in the old days. ):
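An added example, not part of the original post: a PowerShell audit, run from an elevated prompt on the workstation, that reports the built-in local administrator account (it keeps RID 500 even when renamed) and the state of the "do not display last user name" setting. The registry path and the `DontDisplayLastUserName` value are the standard backing for that policy; the function names are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'DontDisplayLastUserName'   # DWORD: 1 = enabled, 0 or absent = disabled

function Get-BuiltinAdministrator {
    # The built-in local administrator always has RID 500, whatever it is renamed to.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '^S-1-5-21-.*-500$' } |
        Select-Object Name, SID, Disabled
}

function Get-LastUserNamePolicy {
    # Returns 1 when the policy is enabled, 0 when disabled or not configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$PolicyName
}

function Enable-LastUserNamePolicy {
    # Local registry change only; on domain machines a GPO setting for the
    # same policy wins at the next policy refresh.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", 'Set DWORD to 1')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Report current state.
$admin = Get-BuiltinAdministrator
if ($admin) {
    "Built-in administrator: {0} (disabled: {1})" -f $admin.Name, $admin.Disabled
} else {
    "Built-in administrator (RID 500) not found"
}

if ((Get-LastUserNamePolicy) -eq 1) {
    "Do not display last user name: enabled"
} else {
    "Do not display last user name: not enabled"
    # Preview the change first, then run without -WhatIf to apply it:
    Enable-LastUserNamePolicy -WhatIf
}
```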
