WIN, shorthand for win.mit.edu, is the MIT centrally-maintained Windows Domain.
The WIN login screen is a standard Windows login screen. A user must press the Ctrl, Alt and Del keys at the same time to reach the logon screen.
In the logon screen that appears, a user must enter their Athena username and password and select ATHENA.MIT.EDU (Kerberos Realm) from the "Log on to:" drop-down box.
- It is important to note that a Windows machine that does not display both WIN and ATHENA.MIT.EDU (Kerberos Realm) in the third field of the logon dialog box is not a successfully joined member of the WIN Domain. You should not log in to a non-WIN Windows machine using your Athena Kerberos username and password.
- Users may also skip the "Log on to:" control by entering their username and realm information in the "User name:" field, for example joeuser@ATHENA.MIT.EDU.
- Users can alternatively log on locally to the machine by selecting the name of that machine from the Log on to: drop-down box.
- By default, users cannot authenticate directly to WIN because the account passwords in WIN are randomly-generated and are unknown to any user. All authentication within the WIN Domain will use cross realm authentication with the Athena Kerberos realm.
- Users who have not changed their Athena passwords since December 2000 will not be able to authenticate. They will need to use an Athena workstation, Macintosh, or non-WIN machine to change their passwords. Once they have changed their Kerberos password in the Athena realm since then, they should be able to log into WIN machines.
Windows versions of common Athena commands:
Sample VBS to map drives and create shortcuts (see Windows Server Platforms at MIT - Containers).
What runs where:
Certain software packages and applications may be run directly from AFS.
Do:
Remember that MIT does not have a site license for Windows.
We must keep track of our institutional licenses.
Protect your account.
This requires securing your password, profile and quota. See Managing User Profiles.
Keep large files off your Desktop.
They belong in your folder, or directory, named "My Documents." If you want to use the Desktop to provide easy access to data files and applications, you are welcome to do so. However, you should put only shortcuts to the actual data files and applications on your Desktop.
Don't:
Remote install a WIN machine unless you have preserved all boot drive contents.
This applies to any partition of the drive. WIN uses RIS (Remote Installation Service), a Microsoft technology that installs Windows onto a machine over the network. The process uses a combination of DHCP, PXE, TFTP, NTLM, and CIFS to install a new image of W2K Pro onto the machine. During the process the client machine's drive is reformatted and the machine is joined to WIN.
Divulge the RIS password.
We are currently trying to control the growth of WIN; the domain is still in its early stages of deployment, and the RIS user name and password are not given out lightly. If you know the user name and password for the RIS service, do not pass them on to others. There are also licensing concerns (see the first Do above): the RIS service must not be abused as a way to freely distribute illegal copies of Windows to machines on the MIT campus.
Expect Win32 to correctly see UNIX-permitted filenames.
Generally, WIN uses AFS to access remote filesystems, which may contain filenames that are illegal to the local OS; the local machine has to decide what to do with the illegal names.
For example, if your home directory in AFS has a subdirectory named "...", Windows Explorer shows this directory name when viewing the home directory, but is unable to navigate into it or show you files inside it. The standard file selection dialog boxes are similarly unable to navigate into "...".
The most common related error message is "H:\... is not accessible. The specified path is invalid."
From testing a number of abusive filenames, it appears that there are certain names which Explorer simply refuses to display to the user ('\', ';', '?', ':', '|', and '+' are some of these). If Explorer cannot cope with "...", it should probably treat it the same way it treats these other illegal names, but it does not.
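The "..." problem above is one instance of a general mismatch: AFS accepts any name a UNIX filesystem allows, while Win32 rejects certain characters, strips trailing dots and spaces on lookup, reserves device names such as NUL, and compares names case-insensitively. The following script is an added example, not part of the original IS&T page; it applies those Win32 rules to a constructed directory listing so an administrator can see in advance which AFS entries will be unreachable from a WIN machine. It models the documented Win32 naming rules, not Explorer's exact behaviour, which (as the text notes) hides a few further names.

```python
"""Check which entries of a UNIX/AFS directory listing Win32 cannot address.

Added example: the listing below is constructed sample data, not a real AFS
home directory.
"""
from collections import defaultdict

# Characters Win32 rejects in any path component, plus ASCII control characters.
WIN32_RESERVED_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}

# Device names Win32 reserves whatever the extension (NUL.txt is still NUL).
WIN32_RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

MAX_COMPONENT_LEN = 255


def win32_name_problems(name: str) -> list[str]:
    """Return the reasons a single directory entry is unusable from Win32.

    An empty list means Explorer and the standard file dialogs can address it.
    The entries '.' and '..' denote the directory itself and its parent and are
    never reported.
    """
    if name in (".", ".."):
        return []
    problems = []

    bad_chars = sorted(set(name) & WIN32_RESERVED_CHARS)
    if bad_chars:
        problems.append("contains reserved character(s): "
                        + " ".join(repr(c) for c in bad_chars))

    if name.strip(" .") == "":
        # Win32 strips trailing dots and spaces before lookup; a name made only
        # of them (such as "...") becomes empty and can never be opened, which
        # is why Explorer reports "H:\... is not accessible".
        problems.append("consists only of dots and/or spaces")
    elif name != name.rstrip(" ."):
        problems.append("ends with a dot or space, which Win32 strips on lookup")

    # Device names are reserved regardless of extension, so compare the stem.
    stem = name.split(".")[0].upper()
    if stem in WIN32_RESERVED_NAMES:
        problems.append(f"uses the reserved device name {stem}")

    if len(name) > MAX_COMPONENT_LEN:
        problems.append(f"exceeds {MAX_COMPONENT_LEN} characters")

    return problems


def scan_listing(entries: list[str]) -> dict:
    """Report per-name problems and case-insensitive collisions for a listing.

    Win32 name lookup is case-insensitive, so two AFS entries that differ only
    in case (Makefile/makefile) both exist but only one is reachable.
    """
    report = {"problems": {}, "collisions": []}
    for name in entries:
        probs = win32_name_problems(name)
        if probs:
            report["problems"][name] = probs

    by_fold = defaultdict(list)
    for name in entries:
        if name not in (".", ".."):
            by_fold[name.casefold()].append(name)
    report["collisions"] = [sorted(group) for group in by_fold.values()
                            if len(group) > 1]
    return report


# Constructed sample listing of an AFS home directory (not real data).
SAMPLE_LISTING = [".", "..", "...", "My Documents", "report.txt",
                  "Makefile", "makefile", "a:b", "nul.txt", "notes. "]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    for entry, probs in result["problems"].items():
        print(f"{entry!r}: {'; '.join(probs)}")
    for group in result["collisions"]:
        print("case-insensitive collision:", group)
```

Run against a real listing, the output tells a user which names to rename on an Athena workstation before the directory is browsed from a WIN machine, rather than discovering the "specified path is invalid" error after the fact.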
- How do I log directly into the WIN domain?
- How do I obtain my win.mit.edu password?
- How do I know that Windows is using Kerberos and not NTLM?
- How can I log in as Administrator?
- Someone has locked the screen, how do I log him or her out so I can use the machine?
- What is the default ticket lifetime?
- How do I get new tickets if mine expire?
- How do I get new AFS tokens if my tokens expire or get deleted?
- How do I repair or modify a user profile?
How do I log directly into the WIN domain?
The default user cannot log directly into WIN. See, however, the WIN Domain Password Change Page (MIT only).
It is important for the user to see the ATHENA realm on the login screen. If the ATHENA realm does not appear on a machine, do not enter your Athena password, since you will not be able to authenticate to the WIN domain.
It is also important for users not to use their Kerberos password for any local accounts.
How can I log in as Administrator?
By default you can use the Administrator account and password that can be found by using the tellme command on an Athena workstation. The container administrator may change this default machine setting.
Someone has locked the screen, how do I log him or her out so I can use the machine?
An authenticated user can lock a computer by pressing Ctrl-Alt-Del and selecting "Lock Computer". The locked computer displays a message box.
To unlock the computer:
- Press Ctrl+Alt+Del
- Click Options and select "computername (this computer)" in the Log on to: window.
- Use the administrator account and password to log off the previous user.
What is the default ticket lifetime?
Ten hours. At the moment the tickets in the Microsoft cache are renewable for twenty days. This is a major contrast to Athena. We strongly recommend that users log out nightly, or daily.
How do I get new AFS tokens if my tokens expire or get deleted?
Use renew. Alternatively, aklog will work but obtains tokens only for the same cell that contains your home directory. If you need tokens for other cells, use aklog with the '-c' command line option.
How do I repair or modify a user profile so that it does not generate a temporary one?
Sometimes a user's profile cannot be loaded when logging into a machine, causing a temporary profile to be generated for the duration of the session. Some containers may have a Group Policy which prevents login with a temporary profile. However, a user profile can be repaired or modified so that the user can once again log in without generating a temporary profile.