I'm a consultant. I travel from client network to client network, sometimes within the same day. My job involves interacting with various corporate servers using my trusty laptop, solving real-life business problems, and then moving on to the next gig. It's not practical for me to have my computer join a Windows Domain only to have to do it again and again with each new environment that I visit. This is also not feasible because I cannot have my different clients become administrators on my company-provided laptop or have domain policies pushed down to my laptop, which is a byproduct of joining a domain.
So, as a result, I'm forced to log onto my laptop as a local user. This proved not to be a problem with Windows XP because I could set up a password rule (within the User Accounts control panel) to associate a username and password to use for each distinct domain that I access.
But, beginning with Windows Vista, Microsoft's security model became what can only be described as bi-polar. If your machine was domain-connected, then everything worked fine. But, if your machine was not domain-connected, then a different set of rules seemed to apply, and it suddenly became a frustrating chore to perform simple tasks against domain-protected resources.
Part of the problem stemmed from an apparent bug in the "Manage Network Passwords" interface that would seemingly not accept domain wildcards, either in the classic format (DOMAIN\*) or the FQDN format (*.DOMAIN.COM). So, there was no way to instruct Windows to use a particular set of credentials for "any resource on this domain". The best that you could do was save a password for each individual resource (server) that you needed to access.
I've been experimenting with Windows 7 for a couple of weeks now to see how well it fits into the life of a consultant working within an enterprise environment. I'm happy to report that the "Manage Network Passwords" bug appears to be fixed (using the FQDN wildcard format), so my network password list is not littered with scores of entries. However, other things still remain broken or impossible to do.
As an example, one of the tools that I use the most is SQL Server Management Studio (SSMS). Out of the box, relying on a password rule to connect to a SQL Server protected by domain security simply does not work, and there is no other way to specify a Windows username/password as part of the Connect dialog. I have to resort to using custom RUNAS shortcuts for each environment that I'm in (I previously blogged about this under Vista).
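The per-environment RUNAS shortcuts mentioned above can be generated with a short script. This is an added example, not code from the original post: it assumes the shortcuts use runas with the /netonly switch, and the SSMS path, environment names and accounts are constructed placeholders.

```powershell
# Added example: create one "runas /netonly" desktop shortcut per client environment.
# The SSMS path, environment names and accounts below are constructed placeholders.
$ssmsPath = 'C:\Path\To\Ssms.exe'   # placeholder: set to the local SSMS executable
$runas    = Join-Path $env:SystemRoot 'System32\runas.exe'
$desktop  = [Environment]::GetFolderPath('Desktop')

# One entry per client domain (constructed sample values).
$environments = @(
    @{ Name = 'Client A'; User = 'CLIENTA\jdoe' },
    @{ Name = 'Client B'; User = 'jdoe@clientb.example.com' }
)

if (-not (Test-Path $ssmsPath)) { throw "SSMS not found at $ssmsPath" }

$shell = New-Object -ComObject WScript.Shell
foreach ($e in $environments) {
    $lnkPath = Join-Path $desktop ('SSMS - {0}.lnk' -f $e.Name)
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $runas
    # /netonly: the process runs locally as the logged-on local user, and the
    # domain account is used only for outbound network authentication.
    # runas prompts for the password at every launch; nothing is stored in the .lnk.
    $lnk.Arguments    = '/netonly /user:{0} "{1}"' -f $e.User, $ssmsPath
    $lnk.IconLocation = "$ssmsPath,0"
    $lnk.Description  = 'SSMS with network credentials for {0}' -f $e.Name
    $lnk.Save()
    Write-Output "Created $lnkPath"
}
```

With /netonly the credentials are not checked when the process starts, so a mistyped password only shows up as a failed connection to the server.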
Also, anything that uses Kerberos (i.e., for delegated authentication from a web application to a secondary server) simply does not work if your computer is not domain-connected. Though, to be fair, I think that this was an issue for Windows XP machines that were not domain-connected as well, and is the result of how Microsoft implemented Kerberos security (their design assumes that all of the participating machines are domain members).
Overall, the experience of using a standalone Windows 7 machine as a consultant within a corporate environment has proven to be better than Vista. But, it's still not as good of an experience as XP was, and I totally blame this on the "enhancements" that were made to the underlying security model. This is particularly disheartening because I'm in love with Windows 7 as an operating system and actually want to use it for my day-to-day tasks.
I welcome commentary from the OS team about what can be done to improve this experience!