Using an Andrew Windows configured PC

Andrew Windows is the term given to a PC that is configured as a member of the campus’s Microsoft domain called “andrew.ad.cmu.edu”.  A Microsoft domain is a group of computers that can be managed collectively, for example by sharing accounts and by deploying and updating software in an automated way.  Andrew Windows PCs are sometimes also referred to as “domain-member PCs”, “managed PCs”, “Active Directory PCs”, and “Orpheus PCs”.

 

Local vs. Network accounts

Andrew Windows PCs have three login fields: User name, Password, and a “Log on to” field.  If the third field doesn’t appear, click the Options button.  The “Log on to” field allows you to specify whether you’re using a “local” account or a “network” account.  

 

Local accounts are those that exist only on that computer.  Although a local account might have been created on a particular computer with the same user name and password as your Andrew account (i.e., the one you use for reading email), they’re actually separate accounts: changing the password on one will not automatically change the password on the other.  Also, changing a local account password on one computer will not change the local account password on any other computers.

 

Network accounts are stored on a central server.  Using network accounts enables centralized account management: accounts don’t have to be created separately on every desktop computer, and a changed password is effective from all computers.  Andrew Windows PCs can use your Andrew account as well as accounts in a few separate campus Microsoft domains, which you will see listed in the “Log on to” pulldown menu.  One of those Microsoft domains is called ‘Andrew’, which, although it has the same name, is not for your Andrew account.  Your Andrew account is part of the non-Microsoft domain called “andrew.cmu.edu”.  Andrew Windows PCs have modified logon software which recognizes this non-Microsoft domain and displays it as “andrew.cmu.edu (Kerberos Realm)”.

 

Microsoft domains also use Kerberos for authentication and have domain names based on DNS.  The Microsoft domains ‘Andrew’ and ‘AD’ are short for ‘andrew.ad.cmu.edu’ and ‘ad.cmu.edu’.  Every Andrew user also has an account in the Microsoft domain andrew.ad.cmu.edu (a script runs hourly to synchronize the two account databases).  There is a trust relationship between the Microsoft domain andrew.ad.cmu.edu and the non-Microsoft domain andrew.cmu.edu.  When you use your Andrew account to log in, the modified login software uses the trust relationship to also get you a ticket (an authentication) in the Microsoft andrew.ad.cmu.edu domain, even if your Microsoft password is different from your Andrew password.  This ticket makes it possible to access other computers in the andrew.ad.cmu.edu domain, like Chemserv, without having to provide a separate password.  If you’re using a non-Andrew Windows PC to contact an Andrew Windows PC over the network, such as Chemserv or your desktop computer from home, you’ll need to use your Microsoft andrew.ad.cmu.edu password directly, since Andrew Windows PCs are really members of that domain and there’s no way of specifying the trusted andrew.cmu.edu domain when using a network login.  To set your Microsoft password, see http://www.cmu.edu/computing/andrew-windows.  Also see the Chemserv link at http://support.chem.cmu.edu for syntax information on specifying domain names when accessing machines over the network.

 

Logging on with your Andrew ID

Use the pulldown arrow to set the “Log on to” field to “Andrew.cmu.edu (Kerberos Realm)”.  Enter your Andrew ID in the User name field and your Andrew password (i.e., the one you use for email) in the Password field.  For example:

 

 

Most Andrew Windows machines are configured to allow any valid Andrew ID to log in, but can be configured to restrict access to only certain Andrew IDs.  Each user gets their own Desktop folder and My Documents folder, and does not have access to other people’s folders.

 

By default all Andrew ID accounts are ‘limited access’ accounts that do not have permission to install new software or change operating system settings.  This is a very powerful way to protect the machine from spyware and viruses.  For more information, see the ‘Preventing Spyware’ link at http://support.chem.cmu.edu.

 

Logging on with a local administrator account

Every computer has a local account called ‘administrator’.  For many departmental machines, this password is set and used only by the departmental computer administrator, and a separate local account called ‘admin’ has been created for use by the machine’s owner.  By default the ‘admin’ account has no password.

Use the pulldown arrow to set the “Log on to” field to the setting that has the name of the computer with the text “(this computer)” at the end.  Enter ‘admin’ as the User name and leave the Password field blank.  For example:

 

 

In Windows XP, accounts with blank passwords cannot be used remotely.  That is, there’s no risk of someone hacking into your computer using an account with a blank password.  However, someone could still log in at the actual keyboard, so it’s recommended that you create a password for all accounts.  For guidance on selecting a secure password, see http://www.cmu.edu/computing/documentation/faq_secure/SecurityFAQ.html#choose
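
The following check is an added example, not part of the original page. It confirms that the blank-password restriction described above is in force and lists the enabled local accounts. It assumes PowerShell 3.0 or later, which Windows XP does not include; the registry value it reads backs the security policy “Accounts: Limit local account use of blank passwords to console logon only”.

```powershell
# Added example (not from the original page). Run locally in PowerShell 3.0+.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LimitBlankPasswordUse: 1 = blank-password local accounts may log on only at
# the console; 0 = they may also be used over the network.
$lsa   = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
$limit = $lsa.LimitBlankPasswordUse

if ($null -eq $limit) {
    Write-Output 'LimitBlankPasswordUse is not set in the registry; check Local Security Policy.'
} elseif ($limit -eq 1) {
    Write-Output 'OK: blank-password accounts are limited to console logon.'
} else {
    Write-Warning 'Blank-password accounts can be used over the network (LimitBlankPasswordUse = 0).'
}

# Enabled local accounts only. The filter keeps the query off the domain,
# which matters on a domain-member PC.
$local = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { -not $_.Disabled }

$local | Select-Object Name, PasswordRequired | Format-Table -AutoSize

# PasswordRequired = False means Windows permits the account to have no
# password. True does not prove a password is set, so still give every
# account listed above (for example 'admin') a password.
$noPasswordNeeded = $local | Where-Object { -not $_.PasswordRequired }
foreach ($acct in $noPasswordNeeded) {
    Write-Warning ("Account '{0}' is allowed to have no password; set one." -f $acct.Name)
}
```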

 

Accessing “MyFiles” space using the W: drive

Computing Services provides 1GB of secure PC storage space for every Andrew account, called MyFiles.  Andrew Windows machines are configured to map the drive W: to this space.  Other users do not have access to your space, and the space can be accessed from any PC, including non-Andrew Windows PCs.  For more information on MyFiles, see http://www.cmu.edu/computing/documentation/faq_roaming/faq_roaming.html