Previous | Contents | Index |
You create network user accounts on the Advanced Server with the ADD USER
or COPY USER command.
3.1.4.1 Creating a Network User Account
When you create a user account, you must provide all the information relevant to that user. You can use the ADD USER command to create a user account, or the COPY USER command to copy another account and modify it to suit the specific user.
When you display user information, the users are listed alphabetically by user name; you can optionally sort the display based on the full name. Therefore, follow the same conventions for all users when you enter full names; for example, Cowardly Lion or Lion, Cowardly.
Passwords for network user accounts are case sensitive. Passwords entered on the ADMINISTER command line default to all uppercase characters, unless you enclose them in quotation marks. To preserve lowercase letters, spaces, and other nonalphanumeric characters in passwords when you enter ADMINISTER commands, enclose the password in quotation marks, or enter the password in response to the prompt instead of on the command line. The following example shows how to enter a mixed-case password on the command line:
LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="OverTheRainbow" %PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
You can specify an optional description for the user by including the
/DESCRIPTION qualifier. If the description contains nonalphanumeric
characters, spaces, or lowercase letters, enclose the description in
quotation marks.
3.1.4.1.1 Creating a Global User Account
Use the ADD USER command to create a global user account, as in the following example:
LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD - _LANDOFOZ\\TINMAN> /DESCRIPTION= "The Straw Man" - _LANDOFOZ\\TINMAN> /FULLNAME="Man, Straw" Password: Password verification: %PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
You can let Advanced Server prompt you for the user name and the password. The password is not displayed as you enter it. You should always supply a password when you add a user account, or explicitly specify that the user account has no password (using the /NOPASSWORD qualifier); otherwise the password value is unknown. By default, a user account is created with an expired password. The user must enter a new password at first logon. To remove the need for users to reset their passwords at first logon, use the /FLAGS=(NOPWDEXPIRED) qualifier with the ADD USER command.
You can specify additional details about the user account, including an account description, expiration date, a full name, type of account (global or local), a home directory, logon hours, group membership, user profile, logon script, and workstation names, if any. For details on the ADD USER command, refer to the Compaq Advanced Server for OpenVMS Commands Reference Manual.
The ADD USER command does not create an OpenVMS user account. However, if the user also has an OpenVMS account, you can associate the two user accounts. For more information, see Section 3.1.16, User Account Host Mapping.
Users with both a network account and an OpenVMS account have two
passwords: one for each user account. You can enable external
authentication for these users, providing automatic password
synchronization between the OpenVMS password and the network password.
For information about external authentication, see Section 3.1.17, External Authentication.
3.1.4.1.2 Verifying That the User Has Been Added
To verify that the user you created an account for has been added, use the SHOW USERS command. You can display details about a user account with the SHOW USERS/FULL command. For example:
LANDOFOZ\\TINMAN> SHOW USERS SCARECROW/FULL User accounts in domain "LANDOFOZ": User Name Full Name Type Description -------------------- -------------------- ------ --------------- SCARECROW Man, Straw Global The Straw Man User Profile: Logon Script: Primary Group: Domain Users Member of groups: Domain Users Workstations: No workstation restrictions Logon Flags: Login script is executed, Password is expired Account Type: Global Account Expires: Never Logon hours: (All hours) Last Log On: 08/23/00 05:07 PM Password Last Set: 06/30/00 11:03 AM Password Changeable: 06/30/00 11:03 AM Password Expires: 09/11/00 11:03 AM Total of 1 user account LANDOFOZ\\TINMAN> |
A primary group is used when a user logs on using Windows NT Services
for Macintosh, or runs POSIX applications.
3.1.4.1.3 Creating a Local User Account
To create a local user account, use the ADD USER command as shown
previously, and include the /LOCAL qualifier.
3.1.4.2 Creating User Account Templates
You can create a template for user accounts, specifying user account information common to the new user accounts you need to create. Most user account information can be copied from the template to the new user accounts, except for user name and password. For example, you could create a template user account as follows:
LANDOFOZ\\TINMAN> ADD USER TEMPLATE/LOCAL/HOURS=(8-5) - _LANDOFOZ\\TINMAN> /MEMBER_OF_GROUPS=MUNCHKINS %PWRK-S-USERADD, user "TEMPLATE" added to domain "LANDOFOZ" |
You can then use the COPY USER command to create many new user accounts
that have these same characteristics. Once you have completed adding
all your new user accounts, you can then delete or disable the TEMPLATE
user account, as described in Section 3.1.15, Disabling and Removing User Accounts.
3.1.4.3 Copying User Accounts
You can use the COPY USER command to create a new user account from an existing account or a template account. Some of the original user account information is copied to the new user account, such as group memberships and logon restrictions. A template account makes it easier to create many similar user accounts with fewer errors than to create them one by one. Some user account information, such as user name and password, is not copied to the new user account. You should always supply a password when you create a new user account, or explicitly specify that the user account has no password (using the /NOPASSWORD qualifier); otherwise the password value is unknown.
Use the /PASSWORD qualifier with the COPY USER command to specify the password for the new user account. For example, to create a new user LION based on a user account template (TEMPLATE), enter the following command:
LANDOFOZ\\TINMAN> COPY USER TEMPLATE LION/PASSWORD="Roaring1"- _LANDOFOZ\\TINMAN> /FULL_NAME="Cowardly Lion" %PWRK-S-USERCOPY, user "TEMPLATE" copied to "LION" in domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
This example copies the TEMPLATE user account information to a new
account for user LION and uses the /FULL_NAME qualifier to provide the
full name for the new user. The /PASSWORD qualifier specifies the
password for the account LION. You can verify that the user is
correctly added, by using the SHOW USERS command.
3.1.5 Specifying Passwords
Users must specify their password when they log on to the domain. The user name and password are validated against the security accounts database.
Advanced Server password characteristics are controlled by the following:
Network users who also have OpenVMS user accounts have two passwords, one for each account. If password synchronization is important, as with external authentication, be careful to observe limitations in password length and characters required by OpenVMS as well as Advanced Server. Network passwords can be up to 14 characters long; OpenVMS passwords can be longer. To help ensure security, select secure passwords using words not found in the dictionary, including numbers or nonalphabetic characters.
When you add a new user or modify the password for an existing user, you specify the password for that user. For example:
LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="YellowRoad" %PWRK-S-USERADD, user "SCARECROW" added on domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
To preserve case in a password, enclose it in quotation marks. By
default, a password entered on the command line that is not enclosed in
quotation marks is stored in uppercase letters. However, case is
preserved for a password entered in response to a prompt.
3.1.5.1 Changing a User Password
To change a user's password, you can use the SET PASSWORD command or the MODIFY USER/PASSWORD command. For example:
LANDOFOZ\\TINMAN> SET PASSWORD SCARECROW "YellowRoad" "EmeraldCity" %PWRK-S-PSWCHANGED, password changed for user "SCARECROW" in domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
In this example, the user name is SCARECROW, the existing password is
"YellowRoad" and the password is changed to "EmeraldCity."
3.1.6 Specifying Group Membership
Group membership allows you to control multiple user accounts and to grant permissions to use resources to a group of users rather than specifying individual users for resource permissions. By default, all user accounts are included in the special group Everyone. For the purposes of network administration, the user account is also included in the groups Domain Users and Users.
When you create a user account, you can specify membership in additional groups using the ADD GROUP or COPY GROUP command. For example, to include the user SCARECROW in the group MUNCHKINS, add the user account including the /MEMBER_OF_GROUPS qualifier, as follows:
LANDOFOZ\\TINMAN>ADD USER SCARECROW/PASSWORD/MEMBER_OF_GROUPS=(MUNCHKINS) Password: Password verification: %PWRK-S-USERADD, user "SCARECROW" added to domain LANDOFOZ" LANDOFOZ\\TINMAN> |
You can restrict the days and hours during which a user can connect to a server. The default is to allow a user to connect at all times. To specify logon hours, use the ADD USER, COPY USER, or MODIFY USER command with the /HOURS qualifier. Specify the hours to be administered as shown in the following table. The /NOHOURS qualifier specifies that the user cannot log on to the server.
Hours are inclusive: if you grant access during a given hour, access extends to the end of that hour; if no hours are specified for a given day, all hours are allowed.
To select... | Use, for example... |
---|---|
A specific hour | /HOURS=(MONDAY=(8)) |
A block of hours | /HOURS=(FRIDAY=(8-12)) |
One entire day | /HOURS=(SUNDAY) |
A specific hour across all seven days |
/HOURS=(SUNDAY=(1),MONDAY=(1),
TUESDAY=(1), WEDNESDAY=(1), THURSDAY=(1),FRIDAY=(1), SATURDAY=(1)) |
All weekdays | /HOURS=(WEEKDAYS) |
The entire week | /HOURS=(EVERYDAY) |
In the following example, a user called MOUSEQUEEN is added to the domain LANDOFOZ with logon capability on Fridays from 8 a.m. to 12 noon.
LANDOFOZ\\TINMAN> ADD USER MOUSEQUEEN/HOURS=(FRIDAY=(8-12)) %PWRK-S-USERADD, user "MOUSEQUEEN" added to domain "LANDOFOZ" |
The following example adds user BLACKCROW to domain LANDOFOZ, with logon capability from Monday through Friday, all hours.
LANDOFOZ\\TINMAN> ADD USER BLACKCROW/HOURS=(WEEKDAYS) %PWRK-S-USERADD, user "BLACKCROW" added to domain "LANDOFOZ" |
For more details on the /HOURS qualifier, see Section 3.1.14, Modifying User Accounts.
3.1.8 Specifying Logon Scripts
You can specify the execution of a logon script when a user logs on. A
logon script is an executable or batch file of commands that runs on
the client. It is typically used to configure the client for a
particular user, performing such tasks as making network connections
and starting applications. Logon scripts can be tailored to the
requirements of individual users. A logon script typically has a .BAT,
.CMD, or .EXE file extension, depending on its function.
3.1.8.1 Setting Up a Logon Script
When a user logs on, Advanced Server checks the user's account on the logon server for the name of a script. Scripts are kept on the primary and backup domain controllers. By default, user scripts on an Advanced Server are stored in the following location:
PWRK$LMROOT:[LANMAN.REPL.IMPORT.SCRIPTS]
3.1.8.2 Providing User Access to Logon Scripts
For a user to have access to a logon script, the following conditions must be true:
Ensure that permissions on the directory or share where the scripts reside permit access to all users who will be using the scripts. Advanced Server automatically provides Read access to members of the special group Everyone.
When the NetLogon service starts, the Advanced Server shares the scripts directory identified with the share name NETLOGON. For logon scripts to run, do not remove the NETLOGON share. You can display information about the NETLOGON share using the SHOW SHARE NETLOGON/FULL command. For example:
LANDOFOZ\\TINMAN> SHOW SHARE NETLOGON/FULL Shared resources on server "TINMAN": Name Type Description ------------ --------- ------------------------------------------ NETLOGON Directory Logon Scripts Directory Path: PWRK$LMROOT:[LANMAN.REPL.IMPORT.SCRIPTS] Connections: Current: 0, Maximum: No limit RMS file format: Stream Directory Permissions: System: RWED, Owner: RWED, Group: RWED, World: RE File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R Share Permissions: Everyone Read Total of 1 share LANDOFOZ\\TINMAN> |
Use the /WORKSTATIONS qualifier to restrict the workstations from which users can log on to domain accounts. The default is to allow a user to log on from any workstation, but you can optionally restrict a user's logons to certain workstations. You can specify up to eight workstations for the user account.
To manage logon workstations, use the ADD USER, COPY USER, or MODIFY USER command, with the /WORKSTATION qualifier. For example:
LANDOFOZ\\TINMAN> ADD USER LION /WORKSTATION=(LIONS_DEN) %PWRK-S-USERADD, user "LION" added to domain "LANDOFOZ" |
This command creates the new user account LION and specifies that the
user can log on from the LIONS_DEN workstation.
3.1.10 Specifying Home Directories
A user's home directory is accessible to the user and contains files and programs for that user. When a user logs on at a workstation, a connection can be made to that user's home directory automatically. Depending on the client computer, you may need to specify the home directory in a logon script. The home directory becomes the user's default directory for file access and for all applications that do not have a defined working directory. Home directories can make it easier for an administrator to back up user files because they keep many or all of a user's files in one location.
On a server running Advanced Server software, the default parent directory for user account home directories is:
PWRK$LMROOT:[LANMAN.ACCOUNTS.USERDIRS]
You can specify a home directory as an absolute path name or as a UNC (Universal Naming Convention) path name, which is domain wide. To specify the default parent directory for user account home directories, enter:
\\server\LANMAN\ACCOUNTS\USERDIRS |
If you omit the /HOME qualifier when you create a user account, no home directory is defined for a user.
The Advanced Server home directory is not associated with the OpenVMS SYS$LOGIN directory. |
A home directory can be assigned to a single user or it can be shared by several users. It can be a local directory on a user's workstation or a shared network directory. If you specify a network path for the home directory, an attempt is made to create that home directory. If the directory cannot be created, a message instructs you to create the directory manually.
To specify a home directory, use the ADD USER, COPY USER, or MODIFY USER command, with the /HOME=(PATH=pathname) qualifier. The home directory pathname must be specified in one of the following forms:
\\servername\sharename\directoryname |
For example, to modify user account LION, specifying a home directory on server TINMAN to be associated with drive D, enter the following command:
LANDOFOZ\\TINMAN> MODIFY USER LION/HOME=(PATH=\\TINMAN\USERS\LION,DRIVE=D:) %PWRK-S-USERMOD, user "LION" modified on domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
You can assign an expiration date for a user account, at which time the account is automatically expired but not removed from the accounts database. You can reactivate an expired account by removing the expiration date or by assigning a new date.
By default, there is no expiration date for a user account. Use the ADD USER, COPY USER, or MODIFY USER command with the /EXPIRATION qualifier to define the account expiration date for a user account.
When an account has an expiration date, the account is disabled at the end of the previous day. When an account expires, a user who is logged on remains logged on, but cannot establish new network connections or log on again after logging off.
For example, to add a user named FRIENDLY to the domain LANDOFOZ and set the account to expire on June 9, 1999, enter the following command:
LANDOFOZ\\TINMAN> ADD USER FRIENDLY/PASSWORD="PotOfGold"- _LANDOFOZ\\TINMAN>/EXPIRATION_DATE=09-JUN-1999 %PWRK-S-USERADD, user "FRIENDLY" added to domain "LANDOFOZ" |
User profiles allow you to set up the user's environment so that it can be downloaded to the user's workstation when the user logs on to the network. The user profile contains configuration information such as:
When the user logs on, the user profile is downloaded and the user's workstation is configured accordingly.
You create user profiles using the Windows NT Server tool User Profile Editor. Refer to your Windows NT Server documentation for more information.
When you add a user, you can specify a profile and its path.
To specify a profile, use the ADD USER or MODIFY USER command with the /PROFILE qualifier. For example, to add user SCARECROW with a profile that is stored on the server TINMAN, enter the following command:
LANDOFOZ\\TINMAN> ADD USER SCARECROW/PROFILE="\\TINMAN\PROFILES\SCARECROW.USR" %PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
Note that the network path to the profile is enclosed in quotation marks.
Previous | Next | Contents | Index |