
Windows Server Platforms at MIT - End-User Help


WIN, shorthand for, is the MIT centrally-maintained Windows Domain.

Log On Procedure

The WIN login screen is a standard Windows login screen. A user must press the Ctrl, Alt, and Del keys at the same time to access the logon screen.

In the logon screen that appears, a user must enter their Athena username and password and select ATHENA.MIT.EDU (Kerberos Realm) from the Log on to: drop-down box.

  • It is important to note that a Windows machine that does not display both WIN and ATHENA.MIT.EDU (Kerberos Realm) in the third field of the logon dialog box is not a successfully joined member of the WIN Domain. You should not log in to a non-WIN Windows machine using your Athena Kerberos username and password.
  • Users may also skip the "Log on to:" control by entering their username and realm information in the "User name:" field. For example, joeuser@ATHENA.MIT.EDU.
  • Users can alternatively log on locally to the machine by selecting the name of that machine from the Log on to: drop-down box.
  • By default, users cannot authenticate directly to WIN because the account passwords in WIN are randomly-generated and are unknown to any user. All authentication within the WIN Domain will use cross realm authentication with the Athena Kerberos realm.
  • Users who have not changed their Athena passwords since December 2000 will not be able to authenticate. They will need to use an Athena workstation, Macintosh, or non-WIN machine to change their passwords. Once they have changed their Kerberos password in the Athena realm, they should be able to log into WIN machines.

WIN Notes for Users

Windows versions of common Athena commands:

Sample vbs to map drives and create shortcuts (see Windows Server Platforms at MIT - Containers)

What runs where:
Certain software packages and applications may be run directly from AFS.

WIN Dos and Don'ts

Do:

Remember that MIT does not have a site license for Windows.
We must keep track of our institutional licenses.

Protect your account.
This requires securing your password, profile and quota. See Managing User Profiles.

Keep large files off your Desktop.
They belong in your folder, or directory, named "My Documents." If you want to use the Desktop to provide easy access to data files and applications you are welcome to do so. However, you should put only shortcuts to the actual data files and applications on your Desktop.


Don't:

Remote install a WIN machine unless you have preserved all boot drive contents.
This applies to any partition of the drive. WIN uses RIS (Remote Installation Service), a Microsoft technology that enables Windows to be installed onto a machine over the network. The process uses a combination of DHCP, PXE, TFTP, NTLM, and CIFS to install a new image of W2K Pro onto a machine. During the process the client machine drive is reformatted and the machine is joined to WIN.

Divulge the RIS password.
At this time we are trying to control the growth of WIN - the domain is still in its early stages of deployment. The RIS user name and password are not given out lightly at this time. If you know the user name/password for the RIS service you should not pass it on to others. There are also licensing concerns (see above, first Do). The RIS service must not be abused as a method to freely distribute illegal copies of Windows to machines on the MIT campus.

Expect Win32 to correctly see UNIX-permitted filenames.
Generally, WIN uses AFS to access remote filesystems which have filenames that are illegal to the local OS, and the local machine has to decide what to do with the illegal names.

For example, if your home directory in AFS has a subdirectory named "...", Windows Explorer shows this directory name when viewing the home directory, but is unable to navigate into it or show you files inside it. The standard file selection dialog boxes are similarly unable to navigate into "...".

The most common related error message is "H:\... is not accessible. The specified path is invalid."

From testing a number of abusive filenames, it appears that there are certain names which Explorer simply refuses to display to the user ('\', ';', '?', ':', '|', and '+' are some of these names). If Explorer cannot cope with "...", it should probably treat it the same way it treats other illegal names, but it does not.
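
The following added example (not part of the original MIT documentation) is a checker that can be run on the UNIX side of an AFS home directory to list names Win32 will mishandle, including the "..." case above. The reserved-character, trailing-dot and device-name rules are Microsoft's documented Win32 naming rules; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Win32 reserved file-name characters (Microsoft's documented set); control chars checked below.
WIN32_RESERVED_CHARS = set('<>:"/\\|?*')
# Names the page reports Explorer refusing to display; ';' and '+' are not Win32-reserved.
PAGE_REPORTED = {"\\", ";", "?", ":", "|", "+"}
# DOS device names, reserved with or without an extension.
WIN32_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}


def win32_problems(name):
    """Return the reasons why `name` is unsafe as a Win32 path component."""
    problems = []
    if name.strip(".") == "" and name not in (".", ".."):
        problems.append("dots-only")  # Win32 strips trailing dots, leaving nothing
    elif name.endswith((".", " ")):
        problems.append("trailing-dot-or-space")
    bad = sorted(c for c in set(name) if c in WIN32_RESERVED_CHARS or ord(c) < 32)
    if bad:
        problems.append("reserved-char:" + "".join(bad))
    if name.split(".")[0].rstrip(" ").upper() in WIN32_DEVICES:
        problems.append("device-name")
    if name in PAGE_REPORTED and not bad:
        problems.append("reported-hidden-by-explorer")
    return problems


def scan(root):
    """Walk `root` and map each relative path with a problem name to its reasons."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if reasons := win32_problems(name):
                findings[os.path.relpath(os.path.join(dirpath, name), root)] = reasons
    return findings


def demo():
    """Build a constructed sample tree (not real user data) on a UNIX host and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "..."))
        for rel in ("notes.txt", "a:b", "+", "nul.txt", "report.", os.path.join("...", "inside.txt")):
            open(os.path.join(root, rel), "w").close()
        return scan(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path!r}: {', '.join(reasons)}")
```

Files inside a flagged directory such as "..." are not themselves reported, but they are unreachable from Explorer until the directory is renamed from the UNIX side.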

User FAQ

How do I log directly into the WIN domain?
The default user cannot log directly into WIN. See, however, the WIN Domain Password Change Page (MIT only).

How do I obtain my password?
WIN passwords are generated by a random generator and are not available.

How do I know that Windows is using Kerberos and not NTLM?
Windows machines that are part of WIN use only Kerberos, since they authenticate through the MIT central KDC. NTLM is not used.

It is important for the user to see the ATHENA realm on the login screen. If the ATHENA realm does not appear on a machine, do not enter your Athena password, since you will not be able to authenticate to the WIN domain.

It is also important for users not to use their Kerberos password for any local accounts.

How can I log in as Administrator?
By default you can use the Administrator account and password, which can be found by using the tellme command on an Athena workstation. The container administrator may change this default machine setting.

Someone has locked the screen, how do I log him or her out so I can use the machine?
An authenticated user can lock a computer by pressing Ctrl-Alt-Del and selecting "Lock Computer". The locked computer displays the message box:

This computer is in use and has been locked.
Only ATHENA.MIT.EDU\username or an administrator can unlock this computer.
Press Ctrl-Alt-Del to unlock this computer.

You can unlock the computer, logging off the previous user in the process, by using the local administrator account and password. Please note that this will terminate all processes that the previous user might have left running on the computer, and any unsaved user data will be lost.

To unlock the computer:

  1. Press Ctrl+Alt+Del
  2. Click Options and select "computername (this computer)" in the Log on to: window.
  3. Use the administrator account and password to log off the previous user.

What is the default ticket lifetime?
Ten hours. At the moment the tickets in the Microsoft cache are renewable for twenty days. This is a major contrast to Athena. We strongly recommend that users log out nightly, or daily.

How do I get new tickets if mine expire?
As on Athena, use the renew command at the command prompt. Alternatively, type the following commands:


How do I get new AFS tokens if my tokens expire or get deleted?
Use renew. Alternatively, aklog will work but obtains tokens only for the same cell that contains your home directory. If you need tokens for other cells, use aklog with the '-c' command line option.

How do I repair or modify a user profile so that it does not generate a temporary one?
Sometimes a user's profile cannot be loaded when logging into a machine, causing a temporary profile to be generated for the duration of the session. Some containers may have a Group Policy which prevents logging in with a temporary profile. However, a user profile can be repaired or modified so that the user can once again log in without generating a temporary profile.

Related Links

The Domain
Windows Server Platforms

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

March 03, 2016
