Microsoft KB Archive/102608

= Differences in Security: Windows NT and LAN Manager =

PSS ID Number: 102608

Article Last Modified on 8/8/2001


The information in this article applies to:


 * Microsoft Windows NT Advanced Server 3.1




This article was previously published under Q102608



Some of the major differences in security schemes between Windows NT Advanced Server and Microsoft LAN Manager are:


 * Under Windows NT Advanced Server, user and group permissions are cumulative. Deny access takes precedence over grant access. Under LAN Manager, individual user permissions take precedence over group permissions.

NOTE: When Windows NT Advanced Server checks permissions, it does so in one pass, not discriminating between users and groups. As soon as a "deny access" permission is reached, the search is terminated and access to the resource is denied. However, LAN Manager makes two passes when it checks resource permissions: a user pass and a group pass. Because of this, LAN Manager could deny a user access, but then grant that user access if the user belongs to a group that has access to a resource.
 * A Windows NT Advanced Server domain contains only domain controllers and servers. All servers are considered backup domain controllers. A LAN Manager domain includes a primary domain controller, backup controllers, and stand-alone servers.

NOTE: LAN Manager servers in a Windows NT Advanced Server domain cannot act as domain controllers, nor can they validate logon attempts by Windows NT or Windows NT Advanced Server computers. LAN Manager servers can validate LAN Manager server and client logons in a mixed domain of LAN Manager and Windows NT computers.
 * Under Windows NT Advanced Server, you must log on to any local computer with an account and password. Under LAN Manager, local computer security is optional and is available only on computers configured to be servers.

NOTE: Users from outside a domain with both Windows NT Advanced Server and LAN Manager computers cannot access LAN Manager domain resources unless a local account is created in Windows NT Advanced Server. This is because LAN Manager servers do not recognize global groups or trust relationships.
 * Windows NT Advanced Server supports trust relationships between domains and a single network for all trusted domains. LAN Manager does not support trust relationships and requires that users log on to each domain separately.
 * Any user account can own a file under Windows NT Advanced Server. Owners can grant and deny access to the files they own. This concept is not supported under LAN Manager.
 * Windows NT Advanced Server allows you to deny access to resources not owned by administrative accounts. Ownership may be taken later, but an auditing trail is created. LAN Manager allows all administrative accounts to access all resources.
 * Windows NT Advanced Server protects system functions (such as setting the system time and formatting the hard disk). System functions are not protected under LAN Manager.
 * Local and global groups are recognized by Windows NT Advanced Server. LAN Manager does not recognize local groups.
 * Windows NT Advanced Server allows only Windows NT computers to administer other Windows NT computers. LAN Manager computers can be administered from any MS-DOS, UNIX, or OS/2 computer running LAN Manager, or from a Windows NT computer.
 * File and directory permissions apply to local and network users under Windows NT Advanced Server. Permissions apply only to network users, unless local security is enabled on LAN Manager servers.
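
The one-pass and two-pass permission checks described in the first NOTE above can be compared side by side. The following is an added example, not Microsoft code: the ACL layout, the function names and the sample users and groups are assumptions made for illustration, and the logic is a simplified model of the behaviour the note describes.

```python
# Added example: simplified model of the two checks in the NOTE above.
# ACL layout, principals and sample data are constructed for illustration.
from typing import NamedTuple

DENY = frozenset()   # an entry with no rights stands for "deny access"

class Entry(NamedTuple):
    principal: str      # user or group name
    is_group: bool
    rights: frozenset   # e.g. frozenset({"R", "W"}); DENY = no access

def applies(e, user, groups):
    return e.principal in groups if e.is_group else e.principal == user

def nt_check(acl, user, groups, wanted):
    """One pass over user and group entries alike; any deny ends the search."""
    granted = set()
    for e in acl:
        if not applies(e, user, groups):
            continue
        if e.rights == DENY:
            return False          # deny takes precedence over grant
        granted |= e.rights       # user and group permissions are cumulative
    return wanted in granted

def lanman_check(acl, user, groups, wanted):
    """Two passes, as the note describes: user entries, then group entries."""
    if any(not e.is_group and e.principal == user and wanted in e.rights
           for e in acl):
        return True               # pass 1: the user's own entry grants
    return any(e.is_group and e.principal in groups and wanted in e.rights
               for e in acl)      # pass 2: a group entry can still grant

def divergent(acl, members, wanted):
    """Users for whom the two models disagree (review before migrating)."""
    return sorted(u for u, g in members.items()
                  if nt_check(acl, u, g, wanted) != lanman_check(acl, u, g, wanted))

# Constructed sample: alice is denied individually but belongs to "staff".
ACL = [Entry("staff", True, frozenset({"R"})),
       Entry("alice", False, DENY),
       Entry("editors", True, frozenset({"W"}))]
MEMBERS = {"alice": {"staff"}, "bob": {"staff", "editors"}, "carol": set()}

if __name__ == "__main__":
    for user, groups in MEMBERS.items():
        print(user, nt_check(ACL, user, groups, "R"),
              lanman_check(ACL, user, groups, "R"))
    print("divergent on R:", divergent(ACL, MEMBERS, "R"))
```

In this model, a user with an individual deny entry who also belongs to a permitted group is refused by the one-pass check and admitted by the two-pass check, which is the case to look for when reviewing permissions in a mixed domain.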


© 2004 Microsoft Corporation. All rights reserved.