You can designate an Advanced Server as the network time server in a domain by having it run the TimeSource service. Client computers on the network can synchronize their time with the time server, which makes it possible to synchronize network events. For OpenVMS servers, the operating system maintains the clock, which cannot be set with Advanced Server commands.

To run the TimeSource service automatically, do one of the following:

• Modify the data associated with the SrvServices server configuration parameter using the PWRK$REGUTL utility described in Section 7.2, Managing Server Configuration Parameters, specifying TIMESOURCE in the data field.
• Run the configuration procedure PWRK$CONFIG.COM, and answer YES to the option "Enable Timesource service."

Then the TimeSource service will start automatically whenever you start the server. To activate the TimeSource service after the server is running, use the START SERVICE TIMESOURCE command.

2.4 Advanced Server in OpenVMS Clusters

Some servers in your network may be configured in an OpenVMS cluster environment. Advanced Servers running in an OpenVMS cluster share the same copy of the user accounts and shares databases and assume a single role, either a primary domain controller or a backup domain controller.

Use the SHOW COMPUTERS command to display a list of all the nodes in the cluster with the server role. Because of the way a Windows NT Server detects the cluster, the information displayed by the Windows NT Server Manager may not reflect the cluster role information accurately when the cluster is a primary domain controller.

2.4.1 About the Advanced Server Cluster Alias

With Advanced Server in an OpenVMS cluster, you must define an alias name that allows the OpenVMS cluster to be addressable by client workstations as a single entity.

Both the Advanced Server cluster alias and the OpenVMS cluster alias represent the set of server nodes running in an OpenVMS cluster environment. The Advanced Server alias is transport independent (recognized by all network protocols), while the OpenVMS cluster alias is unique to either TCP/IP or DECnet, depending on the cluster configuration.

2.4.2 Defining the Advanced Server Cluster Alias

The Advanced Server cluster alias must be unique among domain names and server names, but the OpenVMS cluster alias and the Advanced Server alias can be the same.

Advanced Server clients can access resources on the OpenVMS cluster by connecting to the cluster using the Advanced Server cluster alias. During the initial configuration process (when you run PWRK$CONFIG.COM), you can accept the OpenVMS cluster alias (nodename_ALIAS) as the Advanced Server cluster alias, or you can specify a different Advanced Server alias. Refer to the Advanced Server for OpenVMS Server Installation and Configuration Guide for more information about the PWRK$CONFIG.COM command procedure.

2.4.3 OpenVMS Cluster Load Balancing

The Advanced Server cluster alias provides load balancing. At any given time, only one node in the OpenVMS cluster responds to connection requests sent to the Advanced Server cluster alias. The responding node is the least loaded among the available nodes. This responsibility changes dynamically.

To gain the benefits of load balancing, clients should connect to the OpenVMS cluster using the Advanced Server cluster alias; the client is connected to the least-busy server in the OpenVMS cluster. However, to perform administrative functions on a particular cluster member, you must connect to that node specifically.

When a client connects to a server using the Advanced Server cluster alias, the connection is associated with the network address of the cluster member to which the client is actually connected. Additional connections made from the same client to the Advanced Server alias are made directly to the same cluster member. Once a client is connected, no further load balancing for that client is done.

When the node to which a client is connected using the Advanced Server cluster alias is shut down or crashes, a client reconnect using the Advanced Server alias establishes client connections to the cluster member that is the least loaded.

On OpenVMS, you use Advanced Server ADMINISTER commands to manage network user accounts and groups for domains and computers. You can also use the Windows NT server administration tool, User Manager for Domains, to perform these tasks.

The following topics are described in this chapter:

• Section 3.1, Managing Network User Accounts, describes how to add, modify, disable, enable, delete, rename, and display network user accounts and how to specify passwords, logon hours, scripts, workstations, and other user account information.
• Section 3.2, Managing Advanced Server Groups, describes how to create, copy, modify, delete, and display network groups.

Network user accounts and groups are separate and distinct from OpenVMS user accounts and groups. This guide discusses management of network user accounts and groups using Advanced Server.

3.1 Managing Network User Accounts

A network user account contains all the information that defines an Advanced Server user. This includes user name, password, and group memberships. It can also include information such as the user's full name, the user account description, user profile information, a list of logon workstations, and a schedule of authorized logon hours.

3.1.1 Built-In User Accounts

Two predefined, built-in user accounts are provided when an Advanced Server is installed:

• The Administrator user account is used to manage the server's users, groups, and resources. The Administrator account belongs to the Administrators, Domain Admins, and Domain Users built-in groups.
  You can use the Administrator account to administer a new server or workstation before you have had the opportunity to create an account for yourself. You cannot delete or disable the Administrator account. This ensures that you will never lock yourself out of the computer. When you initially configure the Advanced Server, you are prompted to choose a password for the Administrator account. Always assign a password to the Administrator account to help ensure security.
• The Guest user account belongs to the Domain Guests group and allows logons for users who do not have accounts in the computer's domain, or in a domain trusted by the domain where the Guest account has been enabled. By default, the Guest account is disabled at installation. You can enable it if Guest access is desired.

Every network user account is either a global account or a local account:

• Global user accounts provide access to resources in the domain where the user account is created, and can also provide access to resources in domains that trust the domain where the user account is created.
• Local user accounts are useful for allowing access to resources in the domain currently being administered to users who have user accounts in other domains when no trust relationship has been established between the domains.

The user account identifies the user to Advanced Server. The user account is used to authenticate the user both when the user logs on to the domain and when the user requests access to shared resources.

Each user account must have a unique user name in the domain. When you create a user account, you can specify the user account attributes shown in Table 3-1, User Account Attributes.

Table 3-1 User Account Attributes

Attribute	Contains
User name	The user's account name (up to 20 alphanumeric characters).
Password	The password the user enters to log on to the account (up to 14 uppercase and lowercase alphanumeric characters).
Full name	User's full name, typically more complete than the account name (up to 256 characters).
Description	A brief text string describing the account.
Expiration date	Date when the account expires.
Type	Global or local.
Group names	The names of groups of which the user is a member. Determines privileges and access.
Logon restrictions	Logon hours and valid workstations.
Logon script	A script that is executed when the user logs on.
Home directory	A specified location containing files and programs for the user.
User profile	Setup information for the user's specific environment.

Advanced Server allows you to integrate OpenVMS user accounts with network user accounts. Network user accounts can be linked ("hostmapped") to OpenVMS user accounts, simplifying user account management, ensuring password synchronization, and providing automatic access to network administration functions for OpenVMS system manager and operators. Refer to Section 3.1.16.2, Establishing User Account Host Mapping, for more information.

To set account characteristics across all user accounts, set the account policy, as described in Section 2.2.1, Managing the Account Policy.

User accounts are stored in the the domain's security account management (SAM) database. The SAM database is maintained by the primary domain controller and periodically updated on the backup domain controllers. One of the computers in the domain must be running as a primary domain controller in order for user accounts to be created or modified.

3.1.4 Creating User Accounts

You create network user accounts on the Advanced Server with the ADD USER or COPY USER command.

3.1.4.1 Creating a Network User Account

When you create a user account, you must provide all the information relevant to that user. You can use the ADD USER command to create a user account, or the COPY USER command to copy another account and modify it to suit the specific user.

When you display user information, the users are listed alphabetically by user name; you can optionally sort the display based on the full name. Therefore, follow the same conventions for all users when you enter full names; for example, Cowardly Lion or Lion, Cowardly.

Passwords for network user accounts are case-sensitive. Passwords entered on the ADMINISTER command line default to all uppercase characters, unless you enclose them in quotation marks. To preserve lowercase letters, spaces, and other nonalphanumeric characters in passwords when you enter ADMINISTER commands, enclose the password in quotation marks, or enter the password in response to the prompt instead of on the command line. The following example shows how to enter a mixed-case password on the command line:

LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="OverTheRainbow" %PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN>

You can specify an optional description for the user by including the /DESCRIPTION qualifier. If the description contains nonalphanumeric characters, spaces, or lowercase letters, enclose the description in quotation marks.

To create a global user account:

Use the ADD USER command. For example:

LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD - _LANDOFOZ\\TINMAN> /DESCRIPTION= "The Straw Man" - _LANDOFOZ\\TINMAN> /FULLNAME="Man, Straw" Password: Password verification: %PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN>

You can let Advanced Server prompt you for the user name and the password. The password is not displayed as you enter it. You should always supply a password when you add a user account, or explicitly specify the user account has no password (using the /NOPASSWORD qualifier); otherwise the password value is unknown. By default, a user account is created with an expired password. The user must enter a new password at first logon. To remove the need for users to reset their passwords at first logon, use the /FLAGS=(NOPWDEXPIRED) qualifier with the ADD USER command.

You can specify additional details about the user account, including an account description, expiration date, a full name, type of account (global or local), a home directory, logon hours, group membership, user profile, logon script, and workstation names, if any. For details on the ADD USER command, see the Advanced Server for OpenVMS Commands Reference Manual.

The ADD USER command does not create an OpenVMS user account. However, if the user also has an OpenVMS account, you can associate the two user accounts. For more information, see Section 3.1.16, User Account Host Mapping.

Users with both a network account and an OpenVMS account have two passwords: one for each user account. You can enable external authentication for these users, providing automatic password synchronization between the OpenVMS password and the network password. For information about setting up external authentication, see Section 3.1.17, Enabling External Authentication.

To verify that the user has been added:

Use the SHOW USERS command. You can display details about a user account with the SHOW USERS/FULL command. For example:

LANDOFOZ\\TINMAN> SHOW USERS SCARECROW/FULL User accounts in domain "LANDOFOZ": User Name Full Name Type Description -------------------- -------------------- ------ --------------- SCARECROW Man, Straw Global The Straw Man User Profile: Logon Script: Primary Group: Domain Users Member of groups: Domain Users Workstations: No workstation restrictions Logon Flags: Login script is executed, Password is expired Account Type: Global Account Expires: Never Logon hours: (All hours) Total of 1 user account LANDOFOZ\\TINMAN>

To create a local user account:

Use the ADD USER command as shown above, and include the /LOCAL qualifier.

3.1.4.2 Creating User Account Templates

You can create a template for user accounts, specifying user account information common to the new user accounts you need to create. Most user account information can be copied from the template to the new user accounts, except for user name and password. For example, you could create a template user account as follows:

LANDOFOZ\\TINMAN> ADD USER TEMPLATE/LOCAL/HOURS=(8-5) - _LANDOFOZ\\TINMAN> /MEMBER_OF_GROUPS=MUNCHKINS %PWRK-S-USERADD, user "TEMPLATE" added to domain "LANDOFOZ"

You can then use the COPY USER command to create many new user accounts that have these same characteristics. Once you have completed adding all your new user accounts, you can then delete or disable the TEMPLATE user account, as described in Section 3.1.15, Disabling and Removing User Accounts.

3.1.4.3 Copying User Accounts

You can use the COPY USER command to create a new user account from an existing account or a template account. Some of the original user account information is copied to the new user account, such as group memberships and logon restrictions. A template account makes it easier to create many similar user accounts with fewer errors than to create them one by one. Some user account information, such as user name and passwords, is not copied to the new user account. You should always supply a password when you create a new user account, or explicitly specify the user account has no password (using the /NOPASSWORD qualifier); otherwise the password value is unknown.

To copy an existing user account:

Use the COPY USER command. Use the /PASSWORD qualifier to specify the password for the new user account. For example, to create a new user LION based on a user account template (TEMPLATE), enter the following command:

LANDOFOZ\\TINMAN> COPY USER TEMPLATE LION/PASSWORD="Roaring1"- _LANDOFOZ\\TINMAN> /FULL_NAME="Cowardly Lion" %PWRK-S-USERCOPY, user "TEMPLATE" copied to "LION" in domain "LANDOFOZ" LANDOFOZ\\TINMAN>

This example copies the TEMPLATE user account information to a new account for user LION and uses the /FULL_NAME qualifier to provide the full name for the new user. The /PASSWORD qualifier specifies the password for the account LION. You can verify that the user is correctly added, by using the SHOW USERS command.

3.1.5 Specifying Passwords

Users must specify their password when they log on to the domain. The user name and password are validated against the user accounts database.

Advanced Server password characteristics are controlled by the following:

• The /FLAGS qualifier to the ADD USER, COPY USER, and MODIFY USER commands. For example, use ADD USER/FLAGS=(keyword) to specify password characteristics when you create a user account. The keywords that control the password characteristics are:
  • [NO]DISPWDEXPIRATION, which prevents the password from expiring.
  • [NO]PWDEXPIRED, which specifies whether the password is initially expired. This forces the user to specify a new password when they log on the first time.
  • [NO]PWDLOCKED, which specifies whether the user is allowed to change the password.
  
  For more information about these commands and qualifiers, refer to the Advanced Server for OpenVMS Commands Reference Manual.
• The SET ACCOUNT POLICY/PASSWORD_POLICY command. This command sets domain-wide account policy characteristics that pertain to all passwords, where the options include:
  • [NO]HISTORY=n, which specifies the number of new passwords that must be used before an old password can be reused.
  • [NO]MAXAGE=n, which specifies the maximum number of days a user's password can be used before the server requires the user to change it.
  • [NO]MINAGE=n, which specifies the minimum number of days a user's password must be used before the user can change it.
  • MINLENGTH=n, which specifies the minimum length of a password.
• The account policy can also specify how to handle failed attempts to logon to the network. Using the SET ACCOUNT POLICY command with the /LOCKOUT and /NOLOCKOUT qualifiers, you can specify:
  • ATTEMPTS=n, where n specifies the logon count; that is, the number of failed attempts to allow before locking the user account.
  • WINDOW=n, where n specifies the number of minutes to wait after a user account has been locked out, before resetting the logon count.
  • DURATION=n, where n specifies the number of minutes before a locked account is automatically unlocked.
  
  To unlock a user account that has been locked, use the MODIFY USER command with the /UNLOCK qualifier.
  For more information about setting the account policy, refer to Section 2.2, Managing Security Policies.

Network users who also have OpenVMS user accounts have two passwords, one for each account. If password synchronization is important, as with external authentication, be careful to observe limitations in password length and characters required by OpenVMS as well as Advanced Server. Network passwords can be up to 14 characters long; OpenVMS passwords can be longer. To help ensure security, select secure passwords using words not found in the dictionary, including numbers or nonalphabetic characters.

When you add a new user or modify the password for an existing user, you specify the password for that user. For example:

LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="YellowRoad" %PWRK-S-USERADD, user "SCARECROW" added on domain "LANDOFOZ" LANDOFOZ\\TINMAN>

To preserve case in a password, enclose it in quotation marks. By default, a password entered on the command line that is not enclosed in quotation marks is stored in uppercase letters. However, case is preserved for a password entered in response to a prompt.

To change a user password:

To change a user's password, you can use the SET PASSWORD command or the MODIFY USER/PASSWORD command. For example:

LANDOFOZ\\TINMAN> SET PASSWORD SCARECROW "YellowRoad" "EmeraldCity" %PWRK-S-PSWCHANGED, password changed for user "SCARECROW" in domain "LANDOFOZ" LANDOFOZ\\TINMAN>

In this example, the user name is SCARECROW, the existing password is "YellowRoad" and the password is changed to "EmeraldCity."

3.1.6 Specifying Group Membership

Group membership allows you to control multiple user accounts and to grant permissions to use resources to a group of users rather than specifying individual users for resource permissions. By default, all user accounts are included in the special group Everyone. For the purposes of network administration, the user account is also included in the groups Domain Users and Users.

When you create a user account, you can specify membership in additional groups using the ADD GROUP or COPY GROUP command. For example, to include the user SCARECROW in the group MUNCHKINS, add the user account including the /MEMBER_OF_GROUPS qualifier, as follows:

LANDOFOZ\\TINMAN>ADD USER SCARECROW/PASSWORD/MEMBER_OF_GROUPS=(MUNCHKINS) Password: Password verification: %PWRK-S-USERADD, user "SCARECROW" added to domain LANDOFOZ" LANDOFOZ\\TINMAN>