Compaq Advanced Server for OpenVMS
Commands Reference Manual




REMOVE USER

Permanently removes a user from a domain's security database.

Be sure you want to remove a user before you do so, because you cannot recover a deleted user account. The server knows every user account by its security identifier (SID), a unique number that identifies it. If you delete a user account and then create another user account with the same name, the new user account will not have any of the permissions that were previously granted to the old user account, because the user accounts have different SID numbers.


Format

REMOVE USER user-name [/qualifiers]

Restrictions

Use of this command requires membership in the Administrators or Account Operators local group. Only members of the Administrators local group can remove an account that has Administrators privilege.

Related Commands

ADD USER
COPY USER
MODIFY USER
SHOW USERS

Parameters

user-name

Specifies the name of the user account that you wish to remove.

Qualifiers

/CONFIRM

/NOCONFIRM

Controls whether you are prompted for a confirmation before the operation is performed. The default is /CONFIRM if running in interactive mode. When the prompt is issued, the default response is shown, and you may accept the default by pressing Return or Enter. If you type YES, TRUE, or 1, the operation is performed. If you type NO, FALSE, 0, or enter Ctrl/Z, no action is performed. If you type anything else, the prompt is repeated until you type an acceptable response. No prompt for confirmation is issued if running in batch mode.

/DOMAIN=domain-name

Specifies the name of the domain from which to remove the user account. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.

/SERVER=server-name

Specifies the name of a server that is a member of the domain from which to remove the user. Do not specify both /DOMAIN and /SERVER on the same command line.

Example


LANDOFOZ\\TINMAN> REMOVE USER SCARECROW 
 
Each user account is represented by a unique identifier that is 
independent of the user name. Once this user account is deleted, 
even creating an identically named user account in the future will 
not restore access to resources that currently name this user 
account in the access control list. 
 
Remove user "SCARECROW" [YES or NO] (YES) : YES 
%PWRK-S-USERREM, user "SCARECROW" removed from domain "LANDOFOZ" 

This example removes the user named SCARECROW from the domain currently being administered (LANDOFOZ). A confirmation is required.


SAVE EVENTS

Saves an event log file to a specified archive file on the server being administered. A saved event log file can later be reopened for display by the SHOW EVENTS command. If you need to keep a record of audited security events, save the security log (/TYPE=SECURITY) before clearing it with CLEAR EVENTS.

Format

SAVE EVENTS log-file-spec [/qualifiers]

Restrictions

Use of this command requires membership in the Administrators local group.

Related Commands

CLEAR EVENTS
SHOW EVENTS

Parameters

log-file-spec

A file specification for the archived event log file of the server being administered (which, if the /SERVER qualifier is used, is the server specified with that qualifier). The file specification is local to the server being administered. On a PATHWORKS or Advanced Server for OpenVMS server, if no device or directory is specified, the archived event log is saved to the path pointed to by the logical name PWRK$LMLOGS:.

Qualifiers

/SERVER=server-name

Specifies the name of the Compaq OpenVMS server to be administered. The event log file of the specified server is saved on that server. The default is the server currently being administered.

/TYPE=log-type

Specifies the log file to be saved. The log-type keyword can be one of the following:
Log-type     Log File
APPLICATION  The application log file
SECURITY     The security log file
SYSTEM       The system log file (the default)

Example


LANDOFOZ\\TINMAN> SAVE EVENTS SYSTEM.BKP/TYPE=SYSTEM/SERVER=DOROTHY 
%PWRK-S-ELFSAVE, System Event Log from server "DOROTHY" saved 

This example saves the system event log file of server DOROTHY to the file PWRK$LMLOGS:SYSTEM.BKP on server DOROTHY.


SEND

Sends a message to one or more computers on the network, or to all or specific users connected to a server. The message appears in a pop-up window on the workstation.

Format

SEND computer-name[,...] [/qualifiers] [message]

SEND/USERS [/qualifiers] [message]

Restrictions

The Alerter service must be running on the computer sending the message. Messages can only be received by client computers running the Messenger service. The Messenger service is not supported on the Advanced Server: OpenVMS users on the Advanced Server will not receive messages sent with the SEND command.

Parameters

computer-name

Specifies the computers that are to receive the message: either a single computer name or a comma-separated list of computer names.

message

Specifies the text of the message to send. The message text must follow all other parameters and qualifiers. To preserve the case of a message, enclose the message in quotation marks. If message is not specified, you are prompted for a multi-line message. When you have finished entering the message, enter Ctrl/Z to terminate the message text.

Qualifiers

/NAME=user-name

Use with the /USERS qualifier to send the message to a specific user. user-name is the name of the user to whom to send the message.

/SERVER=server-name

Specifies the name of the server from which to send the message. If you use the /USERS qualifier, the value of server-name is also used to select the users to which the message is sent. The default is the server currently being administered.

/SHARENAME=share-name

Use with the /USERS qualifier to restrict sending the message to only users connected to the specified share name.

/USERS

If included, the /USERS qualifier must immediately follow the SEND verb and is used to send the message to users connected to a server rather than to specific computers. The default is to send the message to all users connected to the server. However, you can use the /NAME and /SHARENAME qualifiers with the /USERS qualifier to send a message to specific users.

Examples

#1

 LANDOFOZ\\TINMAN> SEND OZ1,OZ2 "Meeting changed to 3 pm." 

This example sends the message "Meeting changed to 3 pm." to computers OZ1 and OZ2.

#2

 LANDOFOZ\\TINMAN> SEND/USERS/SERVER=DOROTHY - 
 _LANDOFOZ\\TINMAN> "Server DOROTHY will be going down at 21:00 hours" 

This example sends the message "Server DOROTHY will be going down at 21:00 hours" to all users connected to the server DOROTHY.

#3

 LANDOFOZ\\TINMAN> SEND/USERS/SERVER=DOROTHY/SHARENAME=WIZARD - 
 _LANDOFOZ\\TINMAN> "The WIZARD share will be deleted at 6 pm." 

This example sends the message "The WIZARD share will be deleted at 6 pm." to all users connected to the share named WIZARD on server DOROTHY.

#4

 LANDOFOZ\\TINMAN> SEND/USERS/NAME=TOTO "Follow the yellow brick road" 

This example sends the message "Follow the yellow brick road" to user TOTO connected to the server currently being administered (TINMAN).


SET ACCOUNT POLICY

Sets the account policy, which controls how passwords are used by all user accounts, and whether user accounts are automatically locked out after a series of failed logon attempts.

Format

SET ACCOUNT POLICY [/qualifiers]

Restrictions

Use of this command requires membership in the Administrators local group.

Related Commands

SHOW ACCOUNT POLICY

Qualifiers

/DOMAIN=domain-name

Specifies the name of the domain for which to set the account policy. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.

/FORCE_DISCONNECT

/NOFORCE_DISCONNECT

Controls whether a user's connections to any server in the domain are forcibly disconnected when the user account exceeds its logon hours. This interacts with the logon hours defined for a user account. /NOFORCE_DISCONNECT, the default, specifies that existing connections are left in place when the logon hours expire, but no new connections from that account are allowed outside those hours.

/LOCKOUT=(option[,...])

/NOLOCKOUT

Controls whether user accounts are locked out after a specified number of failed logon attempts. By default, account lockout is disabled. To enable account lockout, you must specify a value for each of the following three option keywords:
Option       Description
ATTEMPTS=n   Specifies the failed logon count. The account is locked out after the specified number of failed attempts. The value of n can be from 1 to 999.
DURATION=n   Specifies the number of minutes before a locked-out account is automatically unlocked. The value of n can be FOREVER or a value from 1 to 99999. The value must be greater than or equal to the value assigned to the WINDOW keyword.
WINDOW=n     Specifies the number of minutes from the most recent failed logon attempt before the failed logon count is reset to zero. For example, if WINDOW is set to 30 minutes, then thirty minutes after the most recent failed logon attempt the failed logon count is reset to zero. The value of n can be from 1 to 99999. The value must be less than or equal to the value assigned to the DURATION keyword. Note that failed attempts spaced more than WINDOW minutes apart never accumulate toward a lockout, so a slow guessing attack is visible only through failed-logon auditing (see SET AUDIT POLICY).

The /NOLOCKOUT qualifier specifies that user accounts are never locked out, no matter how many failed logon attempts are made on a user account. This is the default if you do not specify /LOCKOUT.

Administrators can unlock a locked out account using the MODIFY USER/UNLOCK command.
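The following Python model is added here to illustrate the lockout rules described above; it is not code from the Advanced Server product. It replays a sequence of logon attempts against the /LOCKOUT=(ATTEMPTS=3,WINDOW=20,DURATION=25) policy used in example #1 below. Two details are assumptions that this manual does not state: a failure exactly WINDOW minutes after the previous one starts a fresh count, and a successful logon clears the count. The second scenario shows the caveat a defender should keep in mind: failures spaced beyond WINDOW never lock the account, so they must be caught by auditing instead.

```python
"""Model of SET ACCOUNT POLICY /LOCKOUT=(ATTEMPTS=n,WINDOW=n,DURATION=n).

Added illustration, not code from the Advanced Server product.  Times are in
minutes, as in the qualifier keywords.  Assumptions beyond the reference text:
a failure exactly WINDOW minutes after the previous one is outside the window,
and a successful logon clears the failed-attempt count.
"""

FOREVER = None  # DURATION=FOREVER: locked until MODIFY USER/UNLOCK


def policy_error(attempts, window, duration):
    """Return a message describing why the keyword values are invalid, or None."""
    if not 1 <= attempts <= 999:
        return "ATTEMPTS must be 1..999"
    if not 1 <= window <= 99999:
        return "WINDOW must be 1..99999"
    if duration is not FOREVER:
        if not 1 <= duration <= 99999:
            return "DURATION must be FOREVER or 1..99999"
        if duration < window:
            return "DURATION must be greater than or equal to WINDOW"
    return None


class LockoutPolicy:
    def __init__(self, attempts, window, duration):
        err = policy_error(attempts, window, duration)
        if err:
            raise ValueError(err)
        self.attempts, self.window, self.duration = attempts, window, duration


class Account:
    """Tracks one account's failed-logon counter and lock state."""

    def __init__(self, policy):
        self.policy = policy
        self.failed = 0
        self.last_failure = None   # minute of the most recent failure
        self.locked_at = None      # minute the lock was applied, or None

    def unlock(self):
        """Equivalent of MODIFY USER/UNLOCK; also used for automatic unlock."""
        self.locked_at = None
        self.failed = 0
        self.last_failure = None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.policy.duration is FOREVER:
            return True
        if now - self.locked_at >= self.policy.duration:
            self.unlock()            # DURATION minutes elapsed: automatic unlock
            return False
        return True

    def attempt(self, now, password_ok):
        """Process one logon attempt at minute `now` and return its outcome."""
        if self.is_locked(now):
            return "REJECTED_LOCKED"
        if password_ok:
            self.failed = 0          # assumption: success clears the count
            self.last_failure = None
            return "OK"
        # WINDOW minutes after the most recent failure the count restarts at 0.
        if self.last_failure is not None and now - self.last_failure >= self.policy.window:
            self.failed = 0
        self.failed += 1
        self.last_failure = now
        if self.failed >= self.policy.attempts:
            self.locked_at = now
            return "FAILED_NOW_LOCKED"
        return "FAILED"


def run(policy, events):
    """Replay (minute, password_ok) events against a fresh account."""
    acct = Account(policy)
    return [acct.attempt(minute, ok) for minute, ok in events]


if __name__ == "__main__":
    policy = LockoutPolicy(attempts=3, window=20, duration=25)
    # Burst: three bad passwords inside the window lock the account, and even
    # the correct password is rejected until DURATION (25 min) has elapsed.
    print(run(policy, [(0, False), (1, False), (2, False), (10, True), (27, True)]))
    # Low-and-slow: failures spaced beyond WINDOW never accumulate, so this
    # guessing pattern is never locked out and shows up only in the audit log.
    print(run(policy, [(0, False), (25, False), (50, False), (75, False)]))
```

The `run` helper returns one outcome per attempt; constructed event lists (minute, password correct?) stand in for what the server would see on the wire.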

/PASSWORD_POLICY=(option[,...])

Specifies password policies for the domain. The option keyword can be one or more of the following:
Option       Description
HISTORY=n    Sets the number of new passwords that must be used by a user before an old password can be reused. n specifies the number of passwords to maintain in the password history, from 0 to 24. The default is 0 (equivalent to specifying /PASSWORD_POLICY=NOHISTORY).
NOHISTORY    Specifies that no password history is maintained. This is equivalent to specifying /PASSWORD_POLICY=HISTORY=0.
MAXAGE=n     Sets the maximum number of days a user's password can be used before the server requires the user to change it. n specifies the number of days, from 1 to 999. The default is 90 days.
NOMAXAGE     Specifies that a user's password never expires.
MINAGE=n     Sets the minimum number of days a user's password must be used before the user can change it. n is the number of days, from 0 to 999. The default is 1. Do not allow immediate changes (MINAGE=0) when a password history is maintained: with no minimum age, a user can change the password n times in one sitting, flush the history, and set the old password again.
NOMINAGE     Specifies that a user may change his or her password at any time. This is equivalent to specifying /PASSWORD_POLICY=MINAGE=0.
MINLENGTH=n  Sets the minimum length of a password. n is the minimum number of characters required in the password and can be from 0 to 14. The default is 0, which permits a blank password.
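As an added illustration of why the MINAGE caveat matters (this is not product code), the following Python model applies the HISTORY, MINAGE, MAXAGE and MINLENGTH rules to a sequence of password changes and then tries the history-flushing trick under two policies. It assumes, beyond what this manual states, that the history of n passwords includes the current one, that comparison is exact, and that ages are counted in whole days.

```python
"""Model of /PASSWORD_POLICY=(HISTORY, MINAGE, MAXAGE, MINLENGTH).

Added illustration, not code from the Advanced Server product.  Assumptions
beyond the reference text: the history of n passwords includes the current
password, comparison is exact, and ages are counted in whole days.
"""

from collections import deque

NOMAXAGE = None  # NOMAXAGE keyword: the password never expires


class PasswordPolicy:
    def __init__(self, history=0, minage=1, maxage=90, minlength=0):
        if not 0 <= history <= 24:
            raise ValueError("HISTORY must be 0..24")
        if not 0 <= minage <= 999:
            raise ValueError("MINAGE must be 0..999")
        if maxage is not NOMAXAGE and not 1 <= maxage <= 999:
            raise ValueError("MAXAGE must be NOMAXAGE or 1..999")
        if not 0 <= minlength <= 14:
            raise ValueError("MINLENGTH must be 0..14")
        self.history, self.minage = history, minage
        self.maxage, self.minlength = maxage, minlength


class UserPassword:
    """One account's current password, its age, and its password history."""

    def __init__(self, policy, password, changed_on=0):
        self.policy = policy
        self.current = password
        self.changed_on = changed_on
        # The n most recently used passwords; the oldest entry falls off when
        # an (n+1)th is added.  HISTORY=0 remembers nothing at all.
        self.remembered = deque([password], maxlen=policy.history)

    def expired(self, day):
        """True once MAXAGE days have passed since the last change."""
        p = self.policy
        return p.maxage is not NOMAXAGE and day - self.changed_on >= p.maxage

    def change(self, new, day):
        """User-initiated change on `day`; returns (accepted, reason)."""
        p = self.policy
        if day - self.changed_on < p.minage:
            return False, "MINAGE: current password is too new to change"
        if len(new) < p.minlength:
            return False, "MINLENGTH: new password is too short"
        if new in self.remembered:
            return False, "HISTORY: password was used recently"
        self.remembered.append(new)
        self.current, self.changed_on = new, day
        return True, "password changed"


def can_cycle_back(policy, old, day=0):
    """Try the history-flushing trick: set HISTORY throwaway passwords in one
    sitting, then set `old` again.  Returns True if the policy allows it."""
    user = UserPassword(policy, old, changed_on=day - 1000)  # last change long ago
    for i in range(policy.history):
        accepted, _ = user.change(f"throwaway-{i:02d}", day)
        if not accepted:
            return False
    accepted, _ = user.change(old, day)
    return accepted and user.current == old


if __name__ == "__main__":
    weak = PasswordPolicy(history=5, minage=0, minlength=10)
    sound = PasswordPolicy(history=5, minage=1, minlength=10)
    print("MINAGE=0:", can_cycle_back(weak, "Winter2024!"))   # True: history flushed
    print("MINAGE=1:", can_cycle_back(sound, "Winter2024!"))  # False: one change per day
```

With MINAGE=1 the second change on the same day is refused, so the five-entry history cannot be flushed in one sitting; with MINAGE=0 the user is back on the original password after six changes.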

/SERVER=server-name

Specifies the name of a server that is a member of the domain for which to set the account policy. Do not specify both /DOMAIN and /SERVER on the same command line.

Examples

#1

 LANDOFOZ\\TINMAN> SET ACCOUNT POLICY - 
 _LANDOFOZ\\TINMAN> /LOCKOUT=(ATTEMPTS=3,WINDOW=20,DURATION=25) 
 %PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ" 

This example limits users to three failed logon attempts, resets the failed logon count after 20 minutes, and unlocks locked-out accounts after 25 minutes.

#2

 LANDOFOZ\\TINMAN> SET ACCOUNT POLICY/NOLOCKOUT- 
 _LANDOFOZ\\TINMAN> /PASSWORD_POLICY=(NOHISTORY,MINLENGTH=10) 
 %PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ" 

This example disables account lockouts and history checking of passwords, and sets the minimum password length to 10. The account policy is set on the domain currently being administered (LANDOFOZ).


SET ADMINISTRATION

Selects a new default domain or server, or both, to be administered. The command prompt is changed to reflect the new domain and server being administered. The format of the command prompt is DOMAIN\\SERVER>, where DOMAIN is the name of the domain being administered, and SERVER is the name of the server being administered.

Format

SET ADMINISTRATION [/qualifiers]

Restrictions

Use of this command does not require special group membership.

Related Commands

SHOW ADMINISTRATION

Qualifiers

/DOMAIN=domain-name

Selects a new default domain to be administered. Initially, the domain name is set to be the domain where you are logged on, or, if you are not logged on, the domain of the local server. A value for domain-name specifies a different domain to be administered. If you omit the domain-name value, then the initial default domain is reset. The domain-name is used as the default domain for any command that operates on a domain. The /DOMAIN qualifier value on an individual command overrides this default value.

If you omit the /SERVER qualifier, the server being administered is set to the local server if the specified domain is the local server's domain; otherwise, it is set to the name of the primary domain controller for the specified domain. If you specify both a domain and a server, the server must be a member of the domain.

You can specify a computer name in place of the domain name, by preceding the computer name with two backslashes (\\). This allows you to manage a computer that maintains its own security database, such as a member server, a Windows NT Workstation, or a Windows NT Server computer that is not a domain controller. If you specify a primary or backup domain controller, the specified computer's domain is selected. The /SERVER qualifier is ignored if you specify a computer name.

Note: The default domain and server names are recomputed when you log on or log off the network using the LOGON or LOGOFF commands, respectively.

/SERVER=server-name

Selects a new default server to be administered. Initially, the server name is set to be the local server if it is a member of the domain being administered; otherwise, it is set to the primary domain controller of the domain being administered. A value for server-name specifies a different server to be administered. If you omit the server-name value, then the initial default server name is reset.

The server-name is used as the default server name for any command that operates on a server. The /SERVER qualifier value on an individual command overrides this default value. If you do not also specify the /DOMAIN qualifier, the domain being administered is set to the domain of the specified server. If you specify both a domain and a server, the server must be a member of the domain.

Note: The default domain and server names are recomputed when you log on or log off the network using the LOGON or LOGOFF commands, respectively.


Examples

#1

 LANDOFOZ\\TINMAN> SET ADMINISTRATION/SERVER=OZ3 
 %PWRK-S-ADMSET, now administering domain "LANDOFOZ", server "OZ3" 
 
 LANDOFOZ\\OZ3> 

This example sets the default server to be administered to OZ3. Because OZ3 is a member of the LANDOFOZ domain, the default domain remains unchanged. All further commands that operate on a specific server will be performed against server OZ3. The command prompt is changed to reflect the new default.

#2

 LANDOFOZ\\OZ3> SET ADMINISTRATION/DOMAIN=KANSAS 
 %PWRK-S-ADMSET, now administering domain "KANSAS", server "TOPEKA" 
 
 KANSAS\\TOPEKA> 

This example sets the default domain to be administered to KANSAS. Because KANSAS is not the domain of the local server, and the /SERVER qualifier was not specified, the default server is set to the primary domain controller for the KANSAS domain, TOPEKA. All further commands will be performed against the new domain and server. The command prompt is changed to reflect the new defaults.

#3

 KANSAS\\TOPEKA> SET ADMINISTRATION/DOMAIN 
 %PWRK-S-ADMSET, now administering domain "LANDOFOZ", server "TINMAN" 
 
 LANDOFOZ\\TINMAN> 

This example resets the default domain and server to the initial defaults. The command prompt is changed to reflect the new defaults.


SET AUDIT POLICY

Sets the auditing policy for a domain. A server can track selected activities of users by auditing security events and then placing entries in a server's security log. The server can record a range of security event types, from a systemwide event such as a user logging on, to an attempt by a user to read a specific file. You can audit both successful and failed attempts to perform an action. Use the audit policy to establish the types of security events to log.

When administering domains, the audit policy affects the security logs of the domain controller and of all servers in the domain, because they share the same audit policy.


Format

SET AUDIT POLICY [/qualifiers]

Restrictions

Use of this command requires membership in the Administrators local group.

Related Commands

SHOW AUDIT POLICY

Qualifiers

/AUDIT

/NOAUDIT

Controls whether auditing events are logged. /AUDIT enables auditing of the specified events, and /NOAUDIT (the default) disables auditing of the specified events.

/DOMAIN=domain-name

Specifies the name of the domain on which to set the audit policy. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.

/FAILURE=(event[,...])

Specifies events whose failure adds an entry to the security log. Precede the event keyword with NO to disable logging of a failed event. The event keyword can be one or more of the following:
Event                   Description
ALL                     Selects all possible events.
NONE                    Deselects all possible events.
[NO]ACCESS              A user accessed a directory or a file that is set for auditing, or a user sent a print job to a printer that is set for auditing.
[NO]ACCOUNT_MANAGEMENT  A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed.
[NO]LOGONOFF            A user logged on to the domain, logged off, or made a server connection.
[NO]POLICY_CHANGE       A change was made to the Audit, Trust Relationships, or User Rights policies.
[NO]PROCESS             Process events provide detailed tracking information for events such as program activation, some forms of handle duplication, indirect accesses, and process exit.
[NO]SYSTEM              A user restarted or shut down the computer, or an event occurred that affects system security or the security log.
[NO]USER_RIGHTS         A user exercised a user right, except rights related to logon or logoff.

/SERVER=server-name

Specifies the name of a server that is a member of the domain on which to set the audit policy. Do not specify both /DOMAIN and /SERVER on the same command line.

/SUCCESS=(event[,...])

Specifies events whose success adds an entry to the security log. Precede the event keyword with NO to disable logging of a successful event. The event keyword can be one or more of the following:
Event                   Description
ALL                     Selects all possible events.
NONE                    Deselects all possible events.
[NO]ACCESS              A user accessed a directory or a file that is set for auditing, or a user sent a print job to a printer that is set for auditing.
[NO]ACCOUNT_MANAGEMENT  A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed.
[NO]LOGONOFF            A user logged on, logged off, or made a network connection.
[NO]POLICY_CHANGE       A change was made to the Audit, Trust Relationships, or User Rights policies.
[NO]PROCESS             Process events provide detailed tracking information for events such as program activation, some forms of handle duplication, indirect accesses, and process exit.
[NO]SYSTEM              A user restarted or shut down the computer, or an event occurred that affects system security or the security log.
[NO]USER_RIGHTS         A user exercised a user right, except rights related to logon or logoff.

Example


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/FAILURE=NOLOGONOFF - 
_LANDOFOZ\\TINMAN> /SUCCESS=(ACCESS,POLICY_CHANGE) 
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" 

This example enables auditing, disables logging of failed logon and logoff attempts, and enables logging of successful attempts to access an audited object or to change a policy. Note that with /FAILURE=NOLOGONOFF in effect, password-guessing attempts against domain accounts leave no entries in the security log; in most domains, failed logons are the events most worth keeping.

