Advanced Server can validate requests of users to log on to the network. Logon validation, provided by the NetLogon service, allows the following:

• A single, domain-wide user accounts database
• Single domain-wide logon, which lets a user access resources on any server in the domain and on servers that trust the domain

You create the master user accounts database for the domain when you configure the primary domain controller. This database is automatically copied to the backup domain controllers in the domain that are running the NetLogon service. You do not have to create user accounts separately on each server. All the servers in the domain that run the NetLogon service use identical copies of the same domain-wide user accounts database. The user accounts database is part of the Security Account Management (SAM) database.

Through external authentication, specified OpenVMS users can be automatically validated on the network when they log in to the OpenVMS system running Advanced Server. This pass-through style of authentication ensures password synchronization and simplifies user access to the Advanced Server management functions. For more information about external authentication, refer to Section 3.1.17, Enabling External Authentication.

1.2.6 Logon Scripts

As the network administrator, you can use logon scripts to configure the working environments of your users by allowing them to automatically make network connections and start applications. The network administrator can create logon scripts and then assign a different logon script to each user, or create a logon script for multiple users. A logon script runs automatically whenever a user logs on at a workstation running Windows NT, Windows for Workgroups, Windows 95, or Windows 98.

1.2.7 Home Directories

As the network administrator, you may want to assign a user a home directory on a server. Users can store private data in their home directories and have access control over these directories to restrict or grant access to other users. If users have home directories on computers other than their own, connections can be made automatically to home directories whenever users log on. Depending on the client operating system, you may need to specify the home directory in a logon script. For information about how to specify a logon script and home directory for a user account, see Section 3.1.3, User Account Attributes.

1.2.8 Advanced Server Licensing

To access the Advanced Server, clients must be properly licensed with a valid Client Access license. Advanced Server includes the Advanced Server license server, which distributes licenses to clients before the first connection to a network resource. The Advanced Server License Registrar validates licenses before subsequent connections and distributes server-based licenses. The Advanced Server for OpenVMS Server Installation and Configuration Guide describes how to install the license server. Refer to the Advanced Server for OpenVMS Guide to Managing Advanced Server Licenses for more information about Advanced Server licensing.

1.3 Resource Sharing

Sharing is the process of making resources (printers, directories, and files) available to users. As the network administrator, you make a resource available to clients who access the printer or directory, by specifying a share name and permissions to control access to the share.

Users gain access to a shared resource by:

1. Logging on to the domain or a trusted domain
2. Connecting to the share

As the network administrator, you define which resources to share, which users and groups can access them, and the type of access each user and group can have.

1.3.1 Sharing Disk Directories

The Advanced Server automatically shares the root directory of all disk devices connected to the server that are mounted when you start the server process. This type of share is called an autoshare. It is accessible by Administrators only.

Advanced Server lets you audit user attempts to access shared files or directories. You specify the types of access attempts to be audited. When one of those events occurs, Advanced Server records an entry in the Security event log.

For information about setting permissions and auditing for individual files and directories, see Chapter 4, Managing Directory and File Sharing.

The OpenVMS system supports two file systems:

• On ODS-2 disk volumes, the traditional file system (RMS). This file system is useful for OpenVMS system files, layered products, and applications.
• On ODS-5 disk volumes, the Extended File System (EFS). This file system is useful for storing directories and files from network clients, providing greater compatibility with the Windows 98, Windows 95, and Windows NT file systems. For information about setting up EFS, refer to the OpenVMS Guide to Extended File Specifications. Management of ODS-5 disk volumes in the network environment is described in Section 4.4, Using ODS-5 Disk Volumes in the Advanced Server Environment.

Advanced Server lets you share printers connected to the servers in a domain. With Advanced Server, you can:

• Create Advanced Server print queues.
• Share print queues and set print queue permissions to restrict access to the queue. By default, a print share is available to all users.
• Manage print queues, print shares, and print jobs.

For information about managing print shares and queues, see Chapter 5, Managing Shared Printers.

1.4 Monitoring Events and Troubleshooting

Advanced Server provides log files for monitoring server resource use and for recording client and server problems.

Auditing allows you to record server resource use. It can provide the following information about each access attempt:

• Name of the server resource accessed
• Operation performed or attempted
• Date and time of the operation
• User name of the user requesting access

The event log records client and server events. It contains the following information about each event:

• Nature of the event
• Event type
• Date and time when the event occurred

For information about setting auditing for specific events and about troubleshooting server problems, see Chapter 6, Monitoring Events and Troubleshooting.

1.5 Network Administration Interfaces

You can administer Advanced Server, another server, or a workstation in the network, from either the OpenVMS server or from another computer, using one of the interfaces listed in Table 1-1, Network Administration Interfaces.

Table 1-1 Network Administration Interfaces

Computer Type	Interface
Advanced Server for OpenVMS and PATHWORKS V6 for OpenVMS (Advanced Server)	Includes the following: Advanced Server ADMINISTER commands (a command line interface) -- to administer servers, domains, and shares. The complete command set is described in the Advanced Server for OpenVMS Commands Reference Manual. Advanced Server Configuration Manager (a character-cell interface) -- to manage the server configuration. This is described in Chapter 7, Managing Your Configuration. Advanced Server License Manager (a character-cell interface) -- to manage the Advanced Server licenses and license server. For more information about the License Manager, refer to the Advanced Server for OpenVMS Guide to Managing Advanced Server Licenses. PWRK$REGUTL (a command-line interface) -- to manage the server configuration parameters stored in the OpenVMS Registry. For more information, see Section 7.2, Managing Server Configuration Parameters.
Windows NT Server	Windows NT server administration tools (Windows-based interfaces, including Server Manager, Print Manager, User Manager for Domains, and Event Viewer).
PATHWORKS V5 for OpenVMS (LAN Manager)	ADMIN/PATH utility (a character-cell user interface), or Net commands (a command-line interface).
LAN Manager V2. x (retail) servers	Net commands (a command-line interface), or NET ADMIN (a character-cell interface).
Advanced Server for DIGITAL UNIX	pwadmin commands (a command-line interface), or net commands (limited functions).
DOS client	Net commands (a command-line interface).
Windows, Windows NT, Windows 95, or Windows 98 client	MS-DOS Net interface (a command-line-interface), Windows NT server administration tools (Windows- based user interfaces).

1.6 The Advanced Server ADMINISTER Command Line Interface

You can control most aspects of the Advanced Server using the Advanced Server ADMINISTER command line interface. You invoke the Advanced Server ADMINISTER command line interface by entering the ADMINISTER command in response to the OpenVMS system prompt. The Advanced Server command line interface prompts you with the name of the domain and the name of the server you are currently administering. For example:

$ ADMINISTER LANDOFOZ\\TINMAN>

In this example, you are managing a domain called LANDOFOZ and a server called TINMAN. Once you have invoked the command line interface, you can enter any number of ADMINISTER commands.

You can also execute ADMINISTER commands on the DCL command line in the following way:

$ ADMINISTER SHOW SHARES Shared resources on server "TINMAN": Name Type Description ------------ --------- ------------------------------------------ DICK Printer Dick's print share EXAMPLE Directory NETLOGON Directory Logon Scripts Directory PWLICENSE Directory PATHWORKS Client License Software PWLIC Directory PATHWORKS Client License Software PWUTIL Directory PATHWORKS Client-based Utilities USERS Directory Users Directory Total of 7 shares $

In this example, the command line interface executes a single command and returns to the OpenVMS system prompt.

The ADMINISTER command line interface will prompt you for information required for a given command if you do not supply it on the command line. For example, you can log on to the network using the LOGON command, as follows. Note that the password is required, so the software prompts you for it. (The password is not displayed as you enter it.)

$ ADMINISTER LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR Password: The server \\TINMAN successfully logged you on as Administrator. Your privilege level on domain LANDOFOZ is ADMIN. The last time you logged on was 07/19/98 06:41 PM. LANDOFOZ\\TINMAN>

1.6.1 Getting Help on ADMINISTER Commands

The Advanced Server command line interface has online help that describes command syntax, options, and qualifiers. It also explains each command and gives examples of command use.

To use online help, enter one of the following commands:

Syntax	Information Provided
$ ADMINISTER HELP
	A list of help topics
$ ADMINISTER HELP command
	The description, syntax, qualifiers, and examples for the specified ADMINISTER command
$ ADMINISTER domain\\ server> HELP
	A list of help topics

The Help file for the Advanced Server ADMINISTER command line interface has the same structure as an OpenVMS DCL Help file.

For complete information on ADMINISTER commands and their syntax, see the Advanced Server for OpenVMS Commands Reference Manual or the ADMINISTER command line interface Help file.

1.6.2 Administering Domains and Servers

There are two types of Advanced Server ADMINISTER commands:

• Commands that operate on a domain
  These commands allow you to administer users, groups, or account policies, audit policies, and trust relationships, and to add, delete, or display computers. All such ADMINISTER commands can include the /DOMAIN qualifier to specify a domain other than the one currently being administered. You cannot use the /SERVER qualifier on these commands; the commands are executed on the primary domain controller of the specified domain.
• Commands that operate on a specific server
  These commands allow you to administer shared resources, services, and server operation; they operate directly on either the default server or on the server you specify using the /SERVER qualifier. You cannot use the /DOMAIN qualifier on server-specific commands.

By default, commands are executed on the domain and server indicated by the ADMINISTER command line interface prompt. For example, the following prompt indicates the domain currently being administered is LANDOFOZ, and the server is TINMAN:

LANDOFOZ//TINMAN>

You can use the SET ADMINISTRATION command to administer resources, services, and server operation in another domain or server, if you have been validated for a user account that is a member of the Administrators group. For more information. see Section 2.1.2, Administering Another Domain.

If you have OpenVMS system management privileges SYSPRV and OPER on the system, you can execute any ADMINISTER command on the local server without logging on to the network. In this case, you are treated as if you had logged on to the network as Administrator. If you do not have these OpenVMS privileges, or if you wish to manage a server other than your local server, you must log on to a user account that is a member of the Administrators local group (for example, the Administrator user account).

To log on to the network, use the LOGON command. For example:

LANDOFOZ\\TINMAN> LOGON Username: ADMINISTRATOR Password: The server \\TINMAN successfully logged you on as Administrator. Your privilege level on domain LANDOFOZ is ADMIN. The last time you logged on was 09/19/98 06:41 PM. LANDOFOZ\\TINMAN>

You are prompted for your user name and password. The password is not displayed as you enter it. Once you log on to the domain, you remain logged on after you exit from the ADMINISTER command interface. To log off the domain, use the LOGOFF command.

You can administer another server using the TELL command. TELL sends the command to be executed to the specified server. In the following example, the server currently being administered is TINMAN, and the other server is WOODMAN. The command to be executed on server WOODMAN is SHOW COMPUTERS.

LANDOFOZ//TINMAN> TELL WOODMAN SHOW COMPUTERS %PWRK-I-SRVINFO, the server type is: Advanced Server 3.51 for OpenVMS Computers in domain "LANDOFOZ": Computer Type Description -------------------- ------------------------- -------------------------- [PD] TINMAN OpenVMS 3.51 Primary Advanced Server V7.2 for OpenVMS [BD] WOODMAN OpenVMS 3.51 Backup Advanced Server V7.2 for OpenVMS Total of 2 computers LANDOFOZ//TINMAN>

Be sure to use the proper command sytax for the server you are administering. For example, to administer a server running PATHWORKS V5 for OpenVMS (LAN Manager), use LAN Manager NET commands. In the following example, the PATHWORKS V5 for OpenVMS (LAN Manager) server name is QUEEN.

LANDOFOZ//TINMAN> TELL QUEEN NET SHARE %PWRK-I-SRVINFO, the server type is: LAN Manager 2.2 for OpenVMS Sharename Resource Remark --------------------------------------------------------------------------- ADMIN$ Remote Admin C$ USERS:[PWRK$ROOT] PATHWORKS share IPC$ Remote IPC USERS$ _QUEEN$DUA1: ODS-2 volume USERS: VAXVMSV0.55$ _QUEEN$DUA2 ODS-2 volume VAXVMSV0.55: NETLOGON Logon Users Directory PWUTIL C:[LANMAN.SHARES.WIN] PATHWORKS Client-based Utilities RONNIE USERS:[RONNIE] RPL C:[LANMAN.RPL] Remoteboot server share RPLFILES C:[LANMAN.RPL.RPLFILES] Remoteboot server share USERS Logon Users Directory The command completed successfully LANDOFOZ//TINMAN>

1.6.3 Administrative Groups

Some of your network users may be designated as members of administrative groups, such as account operators, print operators, server operators, or administrators. These users have administrative or operator privileges that enable them to perform specific tasks, as described in Table 1-2, Administrative Groups.

Table 1-2 Administrative Groups

Group Name	Tasks
Account Operators	Create and manage user accounts and global and local groups.
Administrators	Access servers and computers from the network, take ownership of files, manage auditing and security logs, perform all account operator tasks, assign use rights, create groups, keep a local profile, share and stop sharing directories, files, and printers.
Print Operators	Keep a local profile; share and stop sharing printers.
Server Operators	Access servers and computers from network, take ownership of files, manage auditing and security logs, share and stop sharing directories, files, and printers.

If you have different operators responsible for different parts of your network and you do not want to assign them full administrative privileges, make them members of Server Operator groups only at the server they can administer.