User Search Order

Restriction: This topic applies only when the Enterprise Server feature is enabled.

The OS ESM module uses the Windows LogonUser function to verify a user's credentials (username and password), in the following manner:

  1. Try LogonUser with the username and password, and the domain parameter set to ".", which means to search the local system.
  2. If that fails, call LookupAccountName to try to find the domain in which the user is defined. According to Microsoft's documentation, this will first search well-known names, then local accounts, then the primary domain, then other trusted domains, and then (for Windows 2000 and later) the domain forest.
  3. If LookupAccountName succeeds, try LogonUser again with the domain returned by LookupAccountName.

If a user is defined in multiple places on that search list, the OS ESM module only tries to authenticate the user in the first one it finds. Normally this has the expected behavior (much like logging on to Windows conventionally), but in a complex domain configuration it could produce confusing results, because a password that is valid in a later domain is never tried there once an earlier match exists.

The initial domain to search can be changed from "." to any single domain name with this setting in the configuration text area for the Security Manager:

[Operation]
Domain=name
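The following PowerShell script is an added example, not Micro Focus code: it reproduces the three-step sequence above (LogonUser against the initial domain, LookupAccountName, LogonUser against the returned domain) with the same Win32 calls, and reports which step resolved the user and against which domain, which is the information an administrator needs when the search order gives confusing results. The -InitialDomain parameter plays the role of the [Operation] Domain= setting. The logon type and provider passed to LogonUser (LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT) are assumptions; the page does not state which values the OS ESM module uses.

```powershell
# Added example (not Micro Focus code): replay the OS ESM user search order
# and show which step and which domain accepted the credentials.
$nativeSig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(
    string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupAccountName(
    string lpSystemName, string lpAccountName,
    byte[] Sid, ref uint cbSid,
    System.Text.StringBuilder ReferencedDomainName, ref uint cchReferencedDomainName,
    out int peUse);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
Add-Type -MemberDefinition $nativeSig -Name Native -Namespace EsmDemo

function Test-EsmUserSearchOrder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [securestring] $Password,
        # Equivalent of "[Operation] Domain=name"; "." means the local account database
        [string] $InitialDomain = '.'
    )

    $LOGON32_LOGON_NETWORK    = 3   # assumption: the page does not state the ESM logon type
    $LOGON32_PROVIDER_DEFAULT = 0   # assumption, as above
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $token = [IntPtr]::Zero

    try {
        # Step 1: LogonUser with the initial domain (default ".", the local system)
        if ([EsmDemo.Native]::LogonUser($UserName, $InitialDomain, $plain,
                $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)) {
            return [pscustomobject]@{ Step = 1; Domain = $InitialDomain; Result = 'Success' }
        }
        $step1Err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

        # Step 2: LookupAccountName to find the domain in which the account is defined
        $sid    = New-Object byte[] 256
        $cbSid  = [uint32]$sid.Length
        $domain = New-Object System.Text.StringBuilder 256
        $cchDom = [uint32]$domain.Capacity
        $sidUse = 0
        if (-not [EsmDemo.Native]::LookupAccountName($null, $UserName, $sid, [ref]$cbSid,
                $domain, [ref]$cchDom, [ref]$sidUse)) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            return [pscustomobject]@{ Step = 2; Domain = $null
                Result = "LookupAccountName failed (Win32 error $err; step 1 error $step1Err)" }
        }

        # Step 3: LogonUser again with the domain LookupAccountName returned
        $found = $domain.ToString()
        if ([EsmDemo.Native]::LogonUser($UserName, $found, $plain,
                $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)) {
            return [pscustomobject]@{ Step = 3; Domain = $found; Result = 'Success' }
        }
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{ Step = 3; Domain = $found
            Result = "LogonUser failed (Win32 error $err; step 1 error $step1Err)" }
    }
    finally {
        # Never leave a logon token open
        if ($token -ne [IntPtr]::Zero) { [void][EsmDemo.Native]::CloseHandle($token) }
    }
}

# Usage: prompt for the password instead of passing it on the command line.
# Test-EsmUserSearchOrder -UserName 'alice' -Password (Read-Host -AsSecureString 'Password')
# Test-EsmUserSearchOrder -UserName 'alice' -Password $pw -InitialDomain 'CORP'
```

A result of Step = 1 with Domain = "." means a local account matched and no domain was consulted, which is the case to check first when a domain user with the same name reports failures. Because step 1 is a real LogonUser attempt, its failure can be audited as a failed logon on the host even when step 3 later succeeds, so a steady stream of local logon failures paired with successful domain logons is consistent with this search order rather than with an attack.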