Advanced Server for OpenVMS
Concepts and Planning Guide



6.4 Auditing Directories and Files

By auditing files and directories on a server, you can track their use and identify any attempted security violations. You can identify who took various types of actions with files and directories and hold those users accountable for their actions.

When a file or directory is audited, audit events are generated and written to the Advanced Server security log for all failed and successful attempts to perform the activities you want to audit.

Through the audit policy you set up, you can enable auditing on the server or domain for the types of directory and file access listed in Table 6-1.

Table 6-1 Audit Events for Directory and File Activities
| Types of Directory Access | Types of File Access |
|---|---|
| Displaying contents of the directory | Displaying data in the file |
| Displaying directory attributes | Displaying file attributes |
| Changing directory attributes | Displaying the file owner and permissions |
| Creating subdirectories and files | Changing the file |
| Going to the directory's subdirectories | Changing file attributes |
| Displaying the directory owner and permissions | Running the file |
| Deleting the directory | Deleting the file |
| Changing directory owner and permissions | Changing the file owner and permissions |


Chapter 7
Sharing Printers

This chapter offers guidelines on how to set up and share printers in an Advanced Server domain. By planning printer access, you can maximize use of each printer and at the same time avoid printing delays.

Advanced Server printing offers the following features:

7.1 Planning Your Printing Operations

Because every network user has occasion to print, network print operations must be efficient and cost effective. The choices that you need to make may include the following:

7.2 Choosing Computers to be Print Servers

A computer can act simultaneously as a print server and a file server. The decision to combine print and file servers may depend on security concerns. Although printers should always be available to their users, you may want to locate a file server in a secure place.

On a network of any size, you will most likely concentrate printer installation at a few select computers. The only special hardware requirement for print servers is that if you are using parallel or serial printers, the print servers must have the correct output ports.

7.3 Print Shares

The Advanced Server makes printers available to network users through print shares. Generally, each print share points to a single print queue with the same name as the share. Permissions that you assign to the share are applied automatically to the associated print queue. A share can be accessed over the network by users who have the appropriate permissions, like any other shared resource. Four types of permissions apply to print shares: Print (the default), None (no access), Manage Documents, and Full (full control). For more information, see Section 7.5, Ensuring Print Share Security.

For detailed information about creating, modifying, and managing print shares, see your Server Administrator's Guide.

7.4 OpenVMS Print Queues

A queue allows users to submit jobs for printing, and in the Advanced Server, access to print queues is through associated print shares. Because the Advanced Server is based on OpenVMS, the print queues associated with Advanced Server print shares are OpenVMS print queues.

OpenVMS print queues include both generic and execution queues. Every OpenVMS printer is associated with one execution queue. In addition, you can use a generic queue when several like printers are available to the user. A generic queue can point to several execution queues and is used to distribute printer workload among several like printers (called a printer pool) by routing a print job to the first available printer through that printer's execution queue. In the Advanced Server, a queue that works like an OpenVMS generic queue is called a routing queue, and a queue that works like an OpenVMS execution queue is called a print queue.

A queue stores print jobs as users submit them. When a printer associated with the queue becomes available, the Advanced Server routes a job to that printer. Printers can be connected directly to the server by a serial or parallel port or directly to the network with a network adapter card. The server's queuing system, providing OpenVMS system information for handling print jobs, mediates between the Advanced Server and the printer so that print jobs can execute while users perform other tasks at their client workstations.

Figure 7-1 shows examples of the share and queue configurations you can create for Advanced Server.

Figure 7-1 Print Shares and Print Queue Configurations


You can share existing OpenVMS queues or create and share new ones. Be aware that Windows NT clients require that a share name and queue name be the same. If you cannot create a share name that equals the OpenVMS queue name (for example, the OpenVMS queue name is more than 12 characters long), you can define a shorter system logical name that equates to the name of the OpenVMS queue, then create a share using the logical name of the queue.

For detailed information about OpenVMS print queues, see the OpenVMS documentation. For information on sharing queues and printers, see your Server Administrator's Guide.

7.4.1 Network-Interface Printers

Unlike parallel and serial devices, printers with built-in network adapter cards do not have to be adjacent to the print server. Network-interface printers are attached to the network through a built-in adapter card. The location of this type of printer has no effect on printing performance, providing that users and printers are not on opposite sides of a network bridge. An Advanced Server print server can control a virtually unlimited number of network-interface printers.

Figure 7-2 shows a network-interface printer configuration.

Figure 7-2 Configuring Network-Interface Printers


7.4.2 How a Shared Print Queue Operates

When a user sends a print job to a print queue through a print share, the shared print queue sends the print job to the server's queuing subsystem, which forwards the job to the appropriate printers.

The Advanced Server sends a message to the user indicating the share name and the job ID. The Advanced Server also notifies the user if there are problems with print jobs (if the printer is capable of such notification) or if there are changes in the status of print jobs (such as a pause in the queue).

The Advanced Server lets you create simple print shares that send print jobs to one printer and more sophisticated print shares associated with multiple queues or multiple printers of the same type. When setting up a print share, you should consider the following options:

7.4.3 Types of Shared Print Queue Configurations

You can configure print shares associated with print queues in a number of ways. In order of increasing complexity, these include:

You can control permissions on the print shares.

The following sections provide illustrations of the listed print share configurations.

7.4.3.1 Single Print Share and Print Queue --- Single Printer

The simplest print configuration is one that sends print jobs through a single print share and execution queue to a single printer, as shown in Figure 7-3. To create such a configuration, you must add the print queue, then add a share that allows users to connect to the queue. You specify the same name for the share and for the queue that it points to. (Windows NT requires that the share and queue names be the same.)

The name of a share can be different from the name of the queue it points to in only one situation. If your only printing requirement is to allow users to submit print jobs from non-Windows NT clients, the names of shares and the queues they point to can be different.

Figure 7-3 Single Print Share and Print Queue --- Single Printer


7.4.3.2 Single Print Share with a Single Queue --- Multiple Printers

When print jobs are submitted through a share to a generic or routing queue associated with multiple printers, the Advanced Server searches for an available printer and automatically routes a print job to the execution or print queue of the first available printer. This is an efficient way to share a group of printers of the same type (a printer pool). The Alerter service sends a message to the user indicating when and on which printer the job was printed.

To create a configuration that includes a generic or routing queue associated with multiple printers, you add a queue and a share with identical names and point the queue to a series of printers.

Figure 7-4 illustrates a single generic or routing queue associated with multiple printers.

Figure 7-4 Single Print Share with a Single Queue --- Multiple Printers


For information on how to share remote printers, see your Server Administrator's Guide.

7.4.3.3 Multiple Shared Queues --- Multiple Printers

You can assign two or more print shares and queues to the same printer or group of printers. This approach is especially useful if you configure the queues differently. For example, you can assign different permissions to different shares.

In the configuration shown in Figure 7-5, Queue A sends jobs to Printers X, Y, and Z; Queue B sends jobs only to Printer Y; and Queue C sends jobs to Printers Y and Z. This configuration offers flexibility and convenience both to the administrator who needs to set up different shares and queues for different purposes and to users who need a share and queue that routes jobs to the next available printer.

Figure 7-5 Multiple Shared Queues --- Multiple Printers


7.5 Ensuring Print Share Security

You can control printer usage through the Advanced Server by setting permissions for each print share. When you add or modify a print share, you specify the users or groups allowed to access the share. The permissions that you set on a share apply automatically to the queue that the share points to. Any changes later made to share permissions automatically affect the permissions on the associated queue.

By default, all the print shares you create are available to every network user (Everyone). Restricting access to a print share requires altering the share's permission settings for a particular group or user. To change permissions on a print share, you must have Full permission.

Four types of permissions apply to print shares: Print (the default), None (no access), Manage Documents, and Full (full control).

Permissions granted directly to a user account and those granted by a user's membership in one or more groups are cumulative; that is, restrictions filter requests, and the most restrictive permissions apply. The None (no access) permission overrides all other permissions.

7.6 Setting Up OpenVMS Printers

If a printer is on the network, you must set it up like any OpenVMS printer. For information on setting up OpenVMS printers, see the OpenVMS documentation.

7.7 Printing from MS-DOS Computers

Workstations running MS-DOS or versions of Windows for MS-DOS can access Advanced Server printers by redirecting their output ports to the correct \\server\sharename.

If you are sharing printers with MS-DOS workstations, share names must be no more than eight characters, optionally followed by a period and one to three characters.
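The naming rules in Sections 7.4 and 7.7 and the default permission described in Section 7.5 can be checked against a planned set of print shares before the shares are created. The following Python check is an added example, not part of the Advanced Server documentation or software; the PrintShare record, the review functions, the client labels, and all sample share, queue, and group names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

NT_MAX_NAME = 12  # Section 7.4: a queue name over 12 characters cannot be reused as the share name
DOS_NAME = re.compile(r"[^.]{1,8}(\.[^.]{1,3})?")  # Section 7.7: 8 chars, optional .ext of 1-3

@dataclass
class PrintShare:
    share: str    # name clients connect to
    queue: str    # OpenVMS queue (or logical name) the share points to
    clients: set  # subset of {"nt", "msdos"} (labels are assumptions of this example)
    # Section 7.5: a new share is open to Everyone; Print is the default permission.
    acl: dict = field(default_factory=lambda: {"Everyone": "Print"})

def review(s):
    """Return the planning findings for one print share (empty list = nothing to fix)."""
    findings = []
    if "nt" in s.clients:
        if len(s.queue) > NT_MAX_NAME:
            findings.append("queue name over 12 characters: share a shorter system logical name")
        elif s.share.upper() != s.queue.upper():  # assumption: names compare case-insensitively
            findings.append("Windows NT clients need the share name equal to the queue name")
    if "msdos" in s.clients and not DOS_NAME.fullmatch(s.share):
        findings.append("MS-DOS clients need a share name of at most 8 characters plus optional .ext")
    if s.acl.get("Everyone", "None") != "None":
        findings.append("Everyone holds %s: confirm the share is meant to be open" % s.acl["Everyone"])
    return findings

# Constructed sample plan; every share, queue and group name is illustrative.
PLAN = [
    PrintShare("LAB", "LAB", {"nt", "msdos"}, {"Lab": "Print"}),
    PrintShare("LASER1", "LASER1", {"nt", "msdos"}),
    PrintShare("FINANCE_CHECKS", "FINANCE_CHECKS", {"nt"}, {"Payroll": "Print"}),
    PrintShare("COLOR", "HP_COLOR_Q", {"nt"}, {"Design": "Print"}),
    PrintShare("PLOTTER_A0", "PLOTTER_A0", {"msdos"}, {"Everyone": "None", "CAD": "Print"}),
]

def review_plan(plan):
    """Map each share name to its list of findings."""
    return {s.share: review(s) for s in plan}

if __name__ == "__main__":
    for name, items in review_plan(PLAN).items():
        print(name, "->", items or "ok")
```
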

7.8 Managing Print Queues and Print Jobs

The Advanced Server lets you display a single share, a single queue, a list of all of the server's print queues, or the print jobs in each queue. These capabilities are useful because you may need to stop sharing a print share or queue under any of the following circumstances:

In addition, the Advanced Server has the following capabilities for managing printers and print jobs:

For more information on how to control print jobs, see your Server Administrator's Guide.


Appendix A
Differences Between Advanced Server and Windows NT Server

This appendix discusses the basic differences you will encounter between the Advanced Server and Windows NT Server in day-to-day management of a network that includes both types of servers. These differences include how individuals are assigned as administrators and operators, how security works, and how resource permissions map between the systems.

A.1 Management Tools

The Advanced Server provides the Windows NT server administration tools for managing the network. Using these tools, you can administer the Advanced Server from a Windows 95, Windows 98, or Windows for Workgroups client. You can also administer the Advanced Server from a Windows NT workstation computer that has the Windows NT server administration tools installed, and from a Windows NT Server computer. The tools can also be used to manage Windows NT Server.

Installable versions of the Windows NT server administration tools are shared automatically by the Advanced Server.

A.1.1 User Account Information

User accounts in Advanced Server domains maintain the same user account information as Windows NT Server accounts.

A.2 Services

The Advanced Server supports most Windows NT Server services. Table A-1 describes the Windows NT Server services that run on the Advanced Server.

Table A-1 Services Common to Advanced Server and Windows NT Server
| Service | Description |
|---|---|
| Alerter | Notifies selected users and computers of administrative alerts on a computer. Used by the server and other services. Starts by default. |
| EventLog | Records system, security, and application events in the event logs, and enables remote access to those logs. Starts by default. |
| Net Logon | Verifies the user name and password of each person who attempts to log on to the network or gain access to the server. Starts by default. |
| Server | Provides file, print, and named pipe sharing, and support for remote procedure calls. Starts by default. |
| Time Source | Identifies a server as the domain time source. |

A.3 Resource Permissions

This section compares the user-level permission settings available in Windows NT Server with the security settings that are available in the Advanced Server, including file, directory, printer, and named pipe settings. The Advanced Server does not support communication queues.

A.3.1 File and Directory Permissions

Advanced Server file and directory permissions are identical to Windows NT Server file and directory permissions. Both are typically applied in predefined sets, such as Full Control, Read, or Change.

The Advanced Server enhances the file and directory permissions on Windows NT Server by offering the additional option of enforcing OpenVMS security.

A.3.2 Printer Permissions

The Advanced Server and Windows NT Server implement identical printer security. Permissions are assigned to print shares, through which the user accesses print queues. The available printer permissions are Print, None, Manage Documents, and Full on Advanced Servers; these permissions correspond to Print, No Access, Manage Documents, and Full Control on Windows NT Server.

A.4 Disk Resources Shared by Default

With Windows NT Server and Advanced Server, you can share directories and specify which users can access them. To share a directory, assign a share name to it.

Table A-2 shows share names (or disk resources) that typically are set up automatically in Windows NT Server and Advanced Server. The number of shared resources on your server will vary depending on your implementation.

Table A-2 Share Names
| Windows NT Server | Advanced Server | Description |
|---|---|---|
| ADMIN$ | ADMIN$ | A special administrative resource for remote administration. All share names that end in a dollar sign ($) are hidden; they do not normally appear when a user displays server resources. |
| C$ | C$ | A connection to the root of the file system. On Windows NT Server, this is the local C device. On the Advanced Server, this is PWRK$LMROOT:[LANMAN]. |
| d$ | device$ | An administrative share. On Windows NT Server, a single letter from D to Z followed by $ identifies the drive letter; on OpenVMS, the name of the disk device or directory followed by $ identifies the disk. |
| IPC$ | IPC$ | Supports interprocess communication. |
| LIB | N/A | Contains header files and link-time libraries needed to create applications. Not supported by Advanced Server. |
| NETLOGON | NETLOGON | Shares the directory specified by scripts with the share name NETLOGON. |
| REPL$ | N/A | On Windows NT Server, this directory is associated with the Directory Replicator service. It is available when the Directory Replicator service is active on the export server. Not supported by Advanced Server. |
| USERS | USERS | Contains user home directories. |

