Every user that accesses computer or network resources must be authenticated. A secure system must know who is accessing what, and what each user is allowed to access. The Windows NT logon process performs user authentication at the local system level and at the network level. The local system authenticates access to local resources. Authentication for network resources is provided by the Windows NT domain controller.

The Logon dialogue prompts for a username and password. The local systems use this information to authenticate the user and then start the Windows NT graphical user interface (GUI). If the user logs on to a Windows NT system that is part of a domain, the user can choose to logon to the domain. In that case, the local system passes the information from the log on process to the domain controller. The domain controller authenticates the user and grants access to all network resources based on the permission granted to the user in the Security Account Manager (SAM) database.

The Security Accounts Manager is a vital part of the Windows NT authentication process. It contains the usernames and passwords of every user in the NT domain. The master copy of the accounts database resides on the Primary Domain Controller (PDC). Every domain must have one PDC. The critical nature of the accounts database means that is it important to have backup copies of the file. This happens automatically when you create a Backup Domain Controller (BDC). Every domain should ...