You can restrict the days and hours during which a user can connect to a server. The default is to allow a user to connect at all times.
Use the ADD USER, COPY USER, or MODIFY USER command with the /HOURS qualifier. Specify the hours to be administered as shown in the following table. The /NOHOURS qualifier specifies that the user cannot log on to the server.
Hours are inclusive: if you grant access during a given hour, access extends to the end of that hour; if no hours are specified for a given day, all hours are allowed.
| To select... | Use, for example... |
|---|---|
| A specific hour | /HOURS=(MONDAY=(8)) |
| A block of hours | /HOURS=(FRIDAY=(8-12)) |
| One entire day | /HOURS=(SUNDAY) |
| A specific hour across all seven days | /HOURS=(SUNDAY=(1),MONDAY=(1),TUESDAY=(1),WEDNESDAY=(1),THURSDAY=(1),FRIDAY=(1),SATURDAY=(1)) |
| All weekdays | /HOURS=(WEEKDAYS) |
| The entire week | /HOURS=(EVERYDAY) |
For more details on the /HOURS qualifier, see Section 3.3.10, Modifying User Accounts.
In the following example, a user called MOUSEQUEEN is added to the domain LANDOFOZ with logon capability on Fridays from 8 a.m. to 12 noon.
```
LANDOFOZ\\TINMAN> ADD USER MOUSEQUEEN/HOURS=(FRIDAY=(8-12))
%PWRK-S-USERADD, user "MOUSEQUEEN" added to domain "LANDOFOZ"
```
The following example adds user BLACKCROW to domain LANDOFOZ, with logon capability from Monday through Friday, all hours.
```
LANDOFOZ\\TINMAN> ADD USER BLACKCROW/HOURS=(WEEKDAYS)
%PWRK-S-USERADD, user "BLACKCROW" added to domain "LANDOFOZ"
```
You can specify the execution of a logon script when a user logs on. A
logon script is an executable or batch file of commands that runs on
the client. It is typically used to configure the client for a
particular user, performing such tasks as making network connections
and starting applications. Logon scripts can be tailored to the
requirements of individual users. A logon script typically has a .BAT,
.CMD, or .EXE file extension, depending on its function.
3.3.4.1 Setting Up a Logon Script
When a user logs on, PATHWORKS Advanced Server checks the user's account on the logon server for the name of a script. Scripts are kept on the primary and backup domain controllers. By default, user scripts on a PATHWORKS Advanced Server are stored in the following location:
PWRK$LMROOT:[LANMAN.REPL.IMPORT.SCRIPTS]
3.3.4.2 Controlling User Access to Logon Scripts
For a user to have access to a logon script, the following conditions must be true:
Permissions on the directory or share where the scripts reside must permit access to all users who will use the scripts. PATHWORKS Advanced Server automatically provides Read access to members of the special group Everyone.
When the NetLogon service starts, PATHWORKS Advanced Server shares the scripts directory identified with the share name NETLOGON. For logon scripts to run, do not remove the NETLOGON share. You can display information about the NETLOGON share using the SHOW SHARE NETLOGON/FULL command. For example:
```
LANDOFOZ\\TINMAN> SHOW SHARE NETLOGON/FULL

Shared resources on server "TINMAN":

Name          Type       Description
------------  ---------  ------------------------------------------
NETLOGON      Directory  Logon Scripts Directory
   Path:  PWRK$LMROOT:[LANMAN.REPL.IMPORT.SCRIPTS]
   Connections:  Current: 0, Maximum: No limit
   RMS file format:  Stream
   Directory Permissions:  System: RWED, Owner: RWED, Group: RWED, World: RE
   File Permissions:  System: RWD, Owner: RWD, Group: RWD, World: R
   Share Permissions:
      Everyone    Read

Total of 1 share
LANDOFOZ\\TINMAN>
```
Use the /WORKSTATIONS qualifier to restrict the workstations from which users can log on to domain accounts. The default is to allow a user to log on from any workstation, but you can optionally restrict a user's logons to certain workstations. You can specify up to eight workstations for the user account.
Use the ADD USER, COPY USER, or MODIFY USER command, with the /WORKSTATION qualifier, as shown in the following table.
| To specify that the ... | Use ... |
|---|---|
| User can log on to all workstations | The default, which is all workstations. For example: ADD USER LION |
| User can log on only to certain workstations | Up to 8 workstations with names (up to 15 characters long) listed in the /WORKSTATIONS qualifier. For example: ADD USER LION/WORKSTATION=(LIONS_DEN) |
A user's home directory is accessible to the user and contains files and programs for that user. When a user logs on at a workstation, a connection can be made to that user's home directory automatically. Depending on the client computer, you may need to specify the home directory in a logon script. The home directory becomes the user's default directory for file access and for all applications that do not have a defined working directory. Home directories can make it easier for an administrator to back up user files because they keep many or all of a user's files in one location.
On a server running PATHWORKS Advanced Server software, the default parent directory for user account home directories is:
PWRK$LMROOT:[LANMAN.ACCOUNTS.USERDIRS]
You can specify a home directory as an absolute path name or as a UNC (Universal Naming Convention) path name, which is domain wide. By default, if you omit the /HOME qualifier when you create a user account, no home directory is defined for a user.
The PATHWORKS Advanced Server home directory is not associated with the OpenVMS SYS$LOGIN directory.
A home directory can be assigned to a single user or it can be shared by several users. It can be a local directory on a user's workstation or a shared network directory. If you specify a network path for the home directory, an attempt is made to create that home directory. If the directory cannot be created, a message instructs you to create the directory manually.
Use the ADD USER, COPY USER, or MODIFY USER command, with the /HOME=(PATH=pathname) qualifier. The home directory pathname must be the absolute path of a directory local to the user's workstation, or the UNC path for a shared network directory (the UNC path has the form \\servername\sharename\directoryname). If you specify a UNC path, you must also specify a drive letter that is not already assigned on the user's workstation; that drive letter is assigned to the path when the user logs on. For example:
```
LANDOFOZ\\TINMAN> MODIFY USER LION/HOME=(PATH=\\TINMAN\USERS\LION,DRIVE=D:)
%PWRK-S-USERMOD, user "LION" modified on domain "LANDOFOZ"
LANDOFOZ\\TINMAN> SHOW USER LION/ACCOUNT/FULL

User accounts in domain "LANDOFOZ":

User Name   Full Name        Type    Description
----------  ---------------  ------  -------------------
LION        Lion, Cowardly   Global  Cowardly Lion
   User profile:
      Logon script:
      Home Path:  D:
      Path:  \\TINMAN\USERS\LION
   Primary Group:  Domain Users
   Member of groups:  Domain Users
   Workstations:  No workstation restrictions
   Logon Flags:  Logon script is executed, Password is expired
   Account Type:  Global
   Account Expires:  Never
   Logon hours:  (All hours)

Total of 1 user account
LANDOFOZ\\TINMAN>
```
You can assign an expiration date for a user account, at which time the account is automatically expired but not removed from the accounts database. You can reactivate an expired account by removing the expiration date or by assigning a new date.
By default, there is no expiration date for a user account. Use the ADD USER, COPY USER, or MODIFY USER command with the /EXPIRATION qualifier to define the account expiration date for a user account.
When an account has an expiration date, the account is disabled at the
end of the previous day. When an account expires, a user who is logged
on remains logged on, but cannot establish new network connections or
log on again after logging off.
3.3.8 Specifying User Profiles
User profiles contain the specific user settings for the server
environment. They can be stored on a server or on the user's
workstation. For more information on user profiles, refer to the
Advanced Server for OpenVMS Concepts and Planning Guide.
3.3.9 Displaying User Accounts
To display information about user accounts, use the SHOW USERS command. For example:
```
LANDOFOZ\\TINMAN> SHOW USERS

User accounts in domain "LANDOFOZ":

User Name       Full Name      Type    Description
--------------  -------------  ------  ------------------------
Administrator                  Global  Built-in account for administering the domain
Guest                          Global  Built-in account for guest access to the domain
LION            Lion,Cowardly  Global  Cowardly Lion

Total of 3 user accounts
LANDOFOZ\\TINMAN>
```
To sort the display by user full name:
Use the SHOW USERS/SORT=FULLNAME command. For example:
```
LANDOFOZ\\TINMAN> SHOW USERS/SORT=FULLNAME

User accounts in domain "LANDOFOZ":

Full Name       User Name      Type    Description
--------------  -------------  ------  ---------------------------
                Administrator  Global  Built-in account for administering the domain
                Guest          Global  Built-in account for guest access to the domain
Lion, Cowardly  LION           Global  Cowardly Lion
Man, Straw      SCARECROW      Global  The Straw Man

Total of 4 user accounts
LANDOFOZ\\TINMAN>
```
To review user account settings for a specific user:
Use the SHOW USERS/FULL command. For example, the following display shows the settings for user LION.
```
LANDOFOZ\\TINMAN> SHOW USERS LION/FULL

User accounts in domain "LANDOFOZ":

User Name        Full Name        Type     Description
---------------  ---------------  -------  -------------
LION             Lion, Cowardly   Global   Cowardly Lion
   User profile:
      Logon script:
      Home Path:  D:
      Path:  \\TINMAN\USERS\LION
   Primary Group:  Domain Users
   Member of groups:  Domain Users, MUNCHKINS
   Workstations:  No workstation restrictions
   Logon Flags:  Logon script is executed, Password is expired
   Account Type:  Global
   Account Expires:  Never
   Logon hours:  (All hours)

Total of 1 user account
LANDOFOZ\\TINMAN>
```
3.3.10 Modifying User Accounts
Use the MODIFY USER command to change the attributes of an existing user account. For example, you can do the following:
To add an existing user to a group:
Use the MODIFY USER/ADD_TO_GROUPS command. For example:
```
LANDOFOZ\\TINMAN> MODIFY USER SCARECROW/ADD_TO_GROUPS=MUNCHKINS
%PWRK-S-USERMOD, user "SCARECROW" modified on domain "LANDOFOZ"
```
You can then enter the SHOW GROUPS/FULL command to see that the group MUNCHKINS now includes the user SCARECROW:
```
LANDOFOZ\\TINMAN> SHOW GROUPS MUNCHKINS/FULL

Groups in domain "LANDOFOZ":

Group Name            Type    Description
--------------------  ------  ------------------------------------
MUNCHKINS             Global  Users in the Land of Oz
   Members:  [US]LION, [US]SCARECROW

Total of 1 group
LANDOFOZ\\TINMAN>
```
To change a user's logon hours:
To change the hours when a user can log on, use the MODIFY USER/HOURS command. For example, to restrict a user to logging on only on Monday from 8 a.m. to 9 a.m. and from 3 p.m. to 8 p.m., specify /HOURS=(MON=(8-9,15-20)).
For example, to modify LION's logon hours, use the MODIFY USER command, as follows.
```
LANDOFOZ\\TINMAN> MODIFY USER LION/HOURS=(MON=(8-9,15-20))
%PWRK-S-USERMOD, user "LION" modified on domain "LANDOFOZ"
LANDOFOZ\\TINMAN>
```
You can verify that the change was made correctly using the SHOW USERS/FULL command. For example:
```
LANDOFOZ\\TINMAN> SHOW USERS LION/FULL

User accounts in domain "LANDOFOZ":

User Name        Full Name        Type     Description
---------------  ---------------  -------  -------------
LION             Lion, Cowardly   Global   Cowardly Lion
   User profile:
      Logon script:
      Home Path:  D:
      Path:  \\TINMAN\USERS\LION
   Primary Group:  Domain Users
   Member of groups:  Domain Users, MUNCHKINS
   Workstations:  No workstation restrictions
   Logon Flags:  Logon script is executed, Password is expired
   Account Type:  Global
   Account Expires:  Never
   Logon hours:
                 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2
                 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      Sunday:    - - - - - - - - - - - - - - - - - - - - - - - -
      Monday:    - - - - - - - - X X - - - - - X X X X X X - - -
      Tuesday:   - - - - - - - - - - - - - - - - - - - - - - - -
      Wednesday: - - - - - - - - - - - - - - - - - - - - - - - -
      Thursday:  - - - - - - - - - - - - - - - - - - - - - - - -
      Friday:    - - - - - - - - - - - - - - - - - - - - - - - -
      Saturday:  - - - - - - - - - - - - - - - - - - - - - - - -

Total of 1 user account
LANDOFOZ\\TINMAN>
```
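The logon restrictions this chapter describes (the /HOURS syntax from the table earlier in the section, the /WORKSTATIONS limit of eight names, the /EXPIRATION rule, and the DISUSER flag) are easy to reason about once they are written down as a single check. The following model is an added example and is not PATHWORKS Advanced Server code: it talks to no server, reproduces only the rules stated on this page, and renders the same 7x24 "Logon hours" grid that the SHOW USERS/FULL display above prints. The class, function and field names are this example's own, and the sample account and dates are constructed.

```python
"""Constructed model of the logon restrictions described in this section.

Added example, not PATHWORKS Advanced Server code. It parses the /HOURS
qualifier syntax from the table, applies the /WORKSTATIONS and /EXPIRATION
rules the text describes, and renders the "Logon hours" grid the way
SHOW USERS/FULL prints it. All names here are this example's own.
"""
import re
from datetime import date, datetime

DAYS = ["SUNDAY", "MONDAY", "TUESDAY", "WEDNESDAY",
        "THURSDAY", "FRIDAY", "SATURDAY"]
GROUPS = {"WEEKDAYS": range(1, 6), "EVERYDAY": range(7)}


def day_number(name):
    """Map a day name or unambiguous DCL-style abbreviation (MON) to 0-6."""
    matches = [i for i, d in enumerate(DAYS) if d.startswith(name.upper())]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous day name: {name}")
    return matches[0]


def parse_hours(spec):
    """Turn the value of /HOURS=(...) into a 7x24 grid of booleans.

    Hours are inclusive (8-12 covers 08:00 through 12:59); a day listed
    without hours allows all 24; an empty spec (no /HOURS) allows everything.
    """
    spec = spec.strip()
    if spec.startswith("(") and spec.endswith(")"):
        spec = spec[1:-1]
    grid = [[not spec] * 24 for _ in range(7)]
    for item in re.findall(r"[A-Za-z]+(?:=\([^)]*\))?", spec):
        name, _, hours = item.partition("=")
        days = GROUPS.get(name.upper()) or [day_number(name)]
        for rng in (hours.strip("()").split(",") if hours else ["0-23"]):
            lo, _, hi = rng.strip().partition("-")
            lo, hi = int(lo), int(hi or lo)
            if not 0 <= lo <= hi <= 23:
                raise ValueError(f"hour range outside 0-23: {rng}")
            for d in days:
                for h in range(lo, hi + 1):
                    grid[d][h] = True
    return grid


def render_grid(grid):
    """Render the grid in the layout SHOW USERS/FULL uses for Logon hours."""
    lines = [" " * 11 + " ".join(str(h // 10) for h in range(24)),
             " " * 11 + " ".join(str(h % 10) for h in range(24))]
    for d, row in enumerate(grid):
        label = DAYS[d].title() + ":"
        cells = " ".join("X" if ok else "-" for ok in row)
        lines.append(f"{label:<11}{cells}")
    return "\n".join(lines)


class Account:
    """The subset of a user account that check_logon consults."""

    def __init__(self, name, hours="", workstations=(), expiration=None,
                 disabled=False):
        if len(workstations) > 8:
            raise ValueError("at most 8 workstations may be listed")
        for ws in workstations:
            if not 1 <= len(ws) <= 15:
                raise ValueError(f"workstation name must be 1-15 chars: {ws}")
        self.name = name
        # hours=None stands for /NOHOURS: the user can never log on
        self.hours = ([[False] * 24 for _ in range(7)] if hours is None
                      else parse_hours(hours))
        self.workstations = {ws.upper() for ws in workstations}
        # /EXPIRATION date, given as a date or an ISO string; None = never
        self.expiration = (date.fromisoformat(expiration)
                           if isinstance(expiration, str) else expiration)
        self.disabled = disabled          # MODIFY USER/FLAGS=(DISUSER)


def check_logon(account, when, workstation):
    """Return (allowed, reason) for a logon attempt at `when` (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if account.disabled:
        return False, "account is disabled"
    # An expiring account is disabled at the end of the day before its
    # expiration date, so any attempt on or after that date is refused.
    if account.expiration and when.date() >= account.expiration:
        return False, f"account expired on {account.expiration.isoformat()}"
    if account.workstations and workstation.upper() not in account.workstations:
        return False, f"logon from workstation {workstation} not permitted"
    day = (when.weekday() + 1) % 7   # weekday() has Monday=0; the grid has Sunday=0
    if not account.hours[day][when.hour]:
        return False, f"logon not permitted on {DAYS[day].title()} at hour {when.hour}"
    return True, "logon permitted"
```

Calling `render_grid(parse_hours("(MON=(8-9,15-20))"))` produces the Monday row shown in the display above (X in columns 8, 9 and 15 through 20), and `check_logon(Account("LION", hours="(MON=(8-9,15-20))", workstations=["LIONS_DEN"]), "2024-03-04T12:00", "LIONS_DEN")` refuses the attempt with the hour as the reason. Keeping every restriction in one function makes it straightforward to review which rule refused a logon when reading the server's own messages.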
A user's ability to log on can be rescinded by either disabling or removing the user account. A disabled user account still exists, but the user is not permitted to log on. It continues to appear in the user accounts list. It can be restored to enabled status at any time. A removed account is permanently removed and cannot be recreated with the same security settings.
Each user in a domain is identified by a unique security identifier (SID). The SID is created when a user account is created and is used when assigning permissions to a resource. Because a SID is unique to an account, a new account, even with the same user name, is assigned a new SID. Therefore, if you delete a user account and then need to create another user account for the same user with the same user name, the new user account will not have the rights or permissions that previously were granted to the old user account, because the user account will have a different SID. To avoid problems, first disable a user account you want to remove and then remove it after a reasonable time.
To disable a user account:
Set the account to Disabled, using the MODIFY USER/FLAGS=(DISUSER) command. (See Section 3.3.10, Modifying User Accounts.)
A deleted user account is removed from the user accounts list and cannot be restored or recreated. Make sure that you want to delete a user account before doing so.
To delete a user account, use the REMOVE USER command. You are prompted for confirmation before the command executes. For example:
```
LANDOFOZ\\TINMAN> REMOVE USER LION
Each user account is represented by a unique identifier which is independent
of the user name. Once this user account is deleted, even creating an
identically named user account in the future will not restore access to
resources which currently name this user account in the access control list.
Remove user "LION" [YES or NO] (YES): YES
%PWRK-S-USERREM, user "LION" removed from domain "LANDOFOZ"
LANDOFOZ\\TINMAN>
```
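The warning that REMOVE USER prints is the practical consequence of the SID rule described above: permissions are attached to the SID, not to the user name. The following model is an added example, not PATHWORKS Advanced Server code; it keeps an accounts list and per-resource access control lists in memory, allocates SIDs from a constructed placeholder domain SID with a counter that never reuses a value, and shows why disabling an account preserves its access while removing and re-creating it does not. The class and function names and the sample resource path are this example's own.

```python
"""Constructed model of why this section says to disable before removing.

Added example, not PATHWORKS Advanced Server code. Permissions are granted
to an account's SID, never to its name; a removed account's SID is never
reused, so a re-created account with the same name cannot match the old
access control entries. The domain SID below is a placeholder.
"""
import itertools

DOMAIN_SID = "S-1-5-21-0-0-0"     # constructed placeholder, not a real domain SID
_rid = itertools.count(1000)       # RIDs are handed out once and never reused


class Account:
    def __init__(self, name):
        self.name = name.upper()
        self.sid = f"{DOMAIN_SID}-{next(_rid)}"
        self.disabled = False


class Domain:
    def __init__(self):
        self.accounts = {}   # user name -> Account
        self.acls = {}       # resource -> {sid: permission}

    def add_user(self, name):
        """ADD USER: a brand-new account always gets a brand-new SID."""
        name = name.upper()
        if name in self.accounts:
            raise ValueError(f'user "{name}" already exists')
        self.accounts[name] = Account(name)
        return self.accounts[name].sid

    def disable_user(self, name, disabled=True):
        """MODIFY USER/FLAGS=(DISUSER) or (NODISUSER): the SID is kept."""
        self.accounts[name.upper()].disabled = disabled

    def remove_user(self, name):
        """REMOVE USER: account and SID are gone; ACL entries become orphans."""
        del self.accounts[name.upper()]

    def grant(self, resource, name, permission):
        """Record an ACL entry for the account's SID, not its name."""
        sid = self.accounts[name.upper()].sid
        self.acls.setdefault(resource, {})[sid] = permission

    def effective_access(self, resource, name):
        """Permission the named user currently has on resource, or None."""
        acct = self.accounts.get(name.upper())
        if acct is None or acct.disabled:      # cannot log on at all
            return None
        return self.acls.get(resource, {}).get(acct.sid)

    def orphaned_entries(self):
        """ACL entries whose SID no longer belongs to any account."""
        live = {a.sid for a in self.accounts.values()}
        return {res: sorted(set(acl) - live)
                for res, acl in self.acls.items() if set(acl) - live}
```

A quick walk-through: grant LION RWED on the constructed path `\\TINMAN\USERS\LION`, disable and re-enable the account, and the access is unchanged; remove LION and add a new LION, and `effective_access` returns None while `orphaned_entries` reports the old SID still sitting in the ACL. Reviewing `orphaned_entries` output is also a sensible periodic hygiene check, since stale entries accumulate whenever accounts are removed without cleaning up the resources they were granted.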
3.3.12 User Account Host Mapping
PATHWORKS Advanced Server provides user account host mapping, which associates a PATHWORKS Advanced Server user account with an OpenVMS user account, simplifying the management of both user accounts. Host mapping is required for users who are externally authenticated. (See Section 3.3.13, Enabling PATHWORKS External Authentication.)
3.3.12.1 Establishing User Account Host Mapping
By default, if a user name for a PATHWORKS Advanced Server user account is identical to the user name for an OpenVMS user account, the user accounts are host mapped. Files created by the PATHWORKS Advanced Server user are automatically designated with the OpenVMS owner setting. This feature is controlled by a LANMAN.INI parameter, HOSTMAPUSEVMSNAMES. By default, this feature is enabled. (See Appendix A, The LANMAN.INI File in this guide for more information.)
You can explicitly map a PATHWORKS Advanced Server user account to an OpenVMS user account, using the ADD HOSTMAP command. By default, if host mapping is enabled and a PATHWORKS Advanced Server user has no associated OpenVMS user account, the PATHWORKS Advanced Server user account is mapped to the OpenVMS user account PWRK$DEFAULT.
When a user creates a file or directory using PATHWORKS Advanced Server, the resource is assigned the OpenVMS ownership associated with the user's mapped account. The mapped account is used for OpenVMS resource ownership, if the Advanced Server and OpenVMS Security model is enabled. (For more information about enabling this security model, see Chapter 7, Managing Your Configuration.)
Use the ADD HOSTMAP command, as follows:
```
ADD HOSTMAP PATHWORKS-user-name OpenVMS-user-name
```
In the following example, the PATHWORKS Advanced Server user account for SCARECROW is host mapped to the user's OpenVMS user account STRAWMAN. If SCARECROW creates a file, the file is assigned the RMS ownership attributes associated with the OpenVMS account STRAWMAN.
```
LANDOFOZ\\TINMAN> ADD HOSTMAP SCARECROW STRAWMAN
%PWRK-S-HOSTMAPADD, user "SCARECROW" mapped to host user "STRAWMAN"
LANDOFOZ\\TINMAN>
```
To display the current host mappings, use the SHOW HOSTMAP command. For example:
```
LANDOFOZ\\TINMAN> SHOW HOSTMAP

Host Mappings for server "TINMAN":

User Name                  Host Name
-------------------------  ---------
Guest                      PWRK$GUEST
SCARECROW                  STRAWMAN
LION                       CLION

Total of 3 host mappings
LANDOFOZ\\TINMAN>
```
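The resolution order described in this section (explicit ADD HOSTMAP entry first, then a same-name OpenVMS account when HOSTMAPUSEVMSNAMES is enabled, then PWRK$DEFAULT) decides which OpenVMS account owns every file a PATHWORKS user creates, so it is worth being able to answer "who owns this user's files?" without guessing. The following resolver is an added example, not PATHWORKS Advanced Server code: it only models the three rules stated on this page, the class and method names are this example's own, and the OpenVMS account list and PATHWORKS user names are constructed (the mappings mirror the SHOW HOSTMAP display above).

```python
"""Constructed model of PATHWORKS-to-OpenVMS user account host mapping.

Added example, not PATHWORKS Advanced Server code. Resolution order, as
the guide describes it: an explicit ADD HOSTMAP entry wins; otherwise,
with HOSTMAPUSEVMSNAMES enabled, a PATHWORKS user whose name matches an
OpenVMS user name maps to that account; otherwise the user maps to
PWRK$DEFAULT. The resolved account is what file ownership is taken from.
"""


class HostMapper:
    def __init__(self, openvms_users, hostmapusevmsnames=True):
        self.openvms_users = {u.upper() for u in openvms_users}  # SYSUAF names
        self.usevmsnames = hostmapusevmsnames     # LANMAN.INI HOSTMAPUSEVMSNAMES
        self.explicit = {}                        # PATHWORKS user -> OpenVMS user

    def add_hostmap(self, pw_user, vms_user):
        """ADD HOSTMAP pw_user vms_user; the OpenVMS account must exist."""
        vms_user = vms_user.upper()
        if vms_user not in self.openvms_users:
            raise ValueError(f"OpenVMS account {vms_user} does not exist")
        self.explicit[pw_user.upper()] = vms_user
        return f'user "{pw_user}" mapped to host user "{vms_user}"'

    def resolve(self, pw_user):
        """Return (OpenVMS account, how it was chosen) for a PATHWORKS user."""
        pw_user = pw_user.upper()
        if pw_user in self.explicit:
            return self.explicit[pw_user], "explicit"
        if self.usevmsnames and pw_user in self.openvms_users:
            return pw_user, "same-name"
        return "PWRK$DEFAULT", "default"

    def file_owner(self, pw_user):
        """OpenVMS owner assigned to a file this PATHWORKS user creates."""
        return self.resolve(pw_user)[0]

    def unmapped(self, pathworks_users):
        """PATHWORKS users that fall through to PWRK$DEFAULT.

        Files created by every user in this list share a single OpenVMS
        owner, which is usually worth reviewing when auditing file ownership.
        """
        return sorted(u.upper() for u in pathworks_users
                      if self.resolve(u)[1] == "default")
```

With OpenVMS accounts STRAWMAN, CLION, PWRK$GUEST and DOROTHY (all constructed), and the three explicit mappings from the display above, `resolve("DOROTHY")` returns the same-name account, `resolve("TOTO")` falls back to PWRK$DEFAULT, and turning `hostmapusevmsnames` off makes DOROTHY fall back too. `unmapped` over the domain's user list is the quick way to find accounts whose files will all be owned by PWRK$DEFAULT.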
3.3.13 Enabling PATHWORKS External Authentication
PATHWORKS external authentication allows the OpenVMS system manager to set up an OpenVMS user account for which login authentication is verified by the PATHWORKS Advanced Server domain security. External authentication allows PATHWORKS Advanced Server to do the user authentication for both PATHWORKS Advanced Server and OpenVMS user accounts.
External authentication is an option for users who have both OpenVMS and PATHWORKS Advanced Server user accounts. It is not required. User host mapping provides the link between these two accounts. (See Section 3.3.12, User Account Host Mapping.)
With external authentication, users get automatic password synchronization between their OpenVMS account and their corresponding PATHWORKS Advanced Server account. Externally authenticated users are considered to have a single password and are not subject to OpenVMS password policies, such as password expiration, password history, and minimum and maximum password length restrictions. Users are, however, subject to the PATHWORKS Advanced Server account policy that is defined. All other OpenVMS account restrictions remain in effect, such as disabled accounts, time restrictions, and quotas. For more information about setting up the server for PATHWORKS external authentication, refer to the PATHWORKS for OpenVMS Server Installation and Configuration Guide.
If PATHWORKS Advanced Server is not running, OpenVMS user logins for externally authenticated users will fail.
To enable external authentication for a user, set the EXTAUTH flag on the user's OpenVMS user account. When set, the EXTAUTH flag specifies that the user is to be externally authenticated at OpenVMS logon. You modify this flag using the OpenVMS AUTHORIZE utility, as described below.
Refer to the OpenVMS System Management Utilities Reference Manual for more information about the AUTHORIZE utility.
To create an OpenVMS user account with external authentication:
Use the AUTHORIZE utility and enter the ADD command, including the EXTAUTH option to the /FLAG qualifier. For example:
```
$ MCR AUTHORIZE
UAF> ADD SCARECROW/FLAG=(EXTAUTH,NODISUSER) /UIC=[200,201]
%UAF-I-ADDMSG, user record successfully added
%UAF-I-RDBADDMSGU, identifier SCARECROW value [000200,000201] added to rights database
UAF> EXIT
%UAF-I-DONEMSG, system authorization file modified
%UAF-I-RDBDONEMSG, rights database modified
```
To modify an existing OpenVMS user account:
Use the AUTHORIZE utility and enter the MODIFY command with the /FLAG=EXTAUTH qualifier. Use the SHOW command to display the OpenVMS user account settings. For example:
```
$ MCR AUTHORIZE
UAF> MODIFY LION/FLAG=EXTAUTH
%UAF-I-MDFYMSG, user record(s) updated
UAF> SHOW LION

Username: LION                             Owner:
Account:                                   UIC:      [200,201] ([LION])
CLI:      DCL
Default:  [USER]
LGICMD:
Flags:  ExtAuth
Primary days:   Mon Tue Wed Thu Fri
   .
   .
   .
UAF> EXIT
%UAF-I-DONEMSG, system authorization file modified
%UAF-I-RDBNOMODS, no modifications made to rights database
```
After an OpenVMS user account is set for external authentication, use the SHOW HOSTMAP command to ensure that host mapping for the corresponding PATHWORKS Advanced Server user account is correctly set.
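The split this section describes is easy to get wrong when reviewing an account: once EXTAUTH is set, the domain verifies the password and OpenVMS password policies (expiration, history, length) no longer apply, but DISUSER, primary-day restrictions and the other OpenVMS account limits still do, and the login fails outright if the server is down. The following decision model is an added example, not OpenVMS or PATHWORKS code: it reaches the PATHWORKS account through a reverse lookup of the host mapping (this example's assumption about how the link is followed), stores plaintext passwords purely because it is a toy, and uses constructed account names. Days are numbered like Python's `weekday()`, Monday=0, which matches the "Primary days: Mon Tue Wed Thu Fri" line in the SHOW output above.

```python
"""Constructed model of which checks apply to an OpenVMS login with EXTAUTH.

Added example, not OpenVMS or PATHWORKS code. Rules taken from this section:
an EXTAUTH account is verified by the PATHWORKS domain (reached here by a
reverse host-mapping lookup, an assumption of this model); OpenVMS password
policies no longer apply to it; DISUSER and day restrictions still do; and
the login fails if the server is not running. Passwords are plaintext only
because this is a toy.
"""
import hmac


class OpenVMSAccount:
    def __init__(self, username, password, flags=(), password_expired=False,
                 primary_days=range(7)):
        self.username = username.upper()
        self.password = password
        self.flags = {f.upper() for f in flags}        # e.g. EXTAUTH, DISUSER
        self.password_expired = password_expired       # OpenVMS password policy state
        self.primary_days = set(primary_days)          # weekday() values allowed


class DomainAccount:
    def __init__(self, name, password, disabled=False):
        self.name, self.password, self.disabled = name.upper(), password, disabled


class PathworksDomain:
    def __init__(self, running=True):
        self.running = running
        self.accounts = {}   # PATHWORKS user name -> DomainAccount
        self.hostmap = {}    # PATHWORKS user name -> OpenVMS user name


def openvms_login(vms, domain, password, weekday):
    """Return (ok, reason) for a login to `vms` with `password` on `weekday`."""
    # OpenVMS restrictions that stay in effect whether or not EXTAUTH is set
    if "DISUSER" in vms.flags:
        return False, "OpenVMS account is disabled"
    if weekday not in vms.primary_days:
        return False, "login outside the account's permitted days"
    if "EXTAUTH" in vms.flags:
        if not domain.running:
            return False, "PATHWORKS Advanced Server is not running"
        mapped = [p for p, v in domain.hostmap.items() if v == vms.username]
        acct = domain.accounts.get(mapped[0]) if mapped else None
        if acct is None:
            return False, "no host-mapped PATHWORKS account to authenticate against"
        if acct.disabled:
            return False, "PATHWORKS account policy: account disabled"
        if not hmac.compare_digest(acct.password, password):
            return False, "password rejected by domain security"
        # OpenVMS password expiry is deliberately not consulted on this path
        return True, "externally authenticated by the domain"
    if not hmac.compare_digest(vms.password, password):
        return False, "password rejected by OpenVMS"
    if vms.password_expired:
        return False, "OpenVMS password policy: password expired"
    return True, "authenticated by OpenVMS"
```

Running the model with STRAWMAN flagged EXTAUTH and host-mapped from SCARECROW shows the two points that matter for review: the domain password is the only one accepted for STRAWMAN even though its OpenVMS password is marked expired, and stopping the server turns every STRAWMAN login into a failure regardless of credentials, while a locally authenticated account such as DOROTHY is unaffected.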