The Administrators local group is the most powerful group in the domain. Members of this group have more control over the domain than do any other users. They manage the overall configuration of the domain and the domain's servers. The built-in Administrator user account is a member of the Administrators local group and cannot be removed. By default, the Domain Admins global group is a member of this local group, but it can be removed.

In the Advanced Server, the user right "Access this computer from the Network" cannot be revoked from the Administrators local group.

Unlike administrators in LAN Manager servers, Advanced Server administrators do not automatically have access to every file in the domain. If a file's permissions do not grant access, the administrator cannot access the file. If needed, an administrator can take ownership of a file and thus have access to it. But if the administrator does so, this event is recorded in the security log (if auditing of files is turned on) and the administrator cannot give ownership back to the original owner. For more information about ownership of files and directories, see Chapter 6, Managing Network Shares, in this guide.

4.7.1.2 Server Operators

Members of the built-in Server Operators local group have many of the same abilities as built-in Administrators; however, they cannot manage security on the server. Specifically, Server Operators can share and stop sharing a server's files and printers, and they can start, stop, pause, and continue selected services.

4.7.1.3 Account Operators

Members of the built-in Account Operators local group can manage the server's user and group accounts. An Account Operator can create, delete, and modify most user accounts, global groups, and local groups. However, the Account Operators cannot modify the user accounts of Administrators, nor can they modify the Administrators, Server Operators, Account Operators, Print Operators, or Backup Operators local groups. They also cannot assign user rights.

4.7.1.4 Print Operators

Members of the built-in Print Operators local group can manage shared printers.

If you want a domain's Print Operators to administer printers managed by Windows NT workstation computers in the domain, as well as printers managed by the domain's servers, you must perform the following steps:

1. Create a Domain Print Operators global group in the domain. Make this global group a member of the domain's Print Operators local group.
2. Add the user account of each print operator to the Domain Print Operators group.
3. On each workstation that manages printers, place the Domain Print Operators global group in the workstation's Power Users local group.

Members of the built-in Backup Operators local group have specific rights on any Windows NT Server in the domain, but no specific rights on Advanced Server.

4.7.1.6 Users

Membership in the Users local group provides the abilities most users need to perform normal tasks.

By default, the Domain Users global group is a member of the Users built-in local group, but it can be removed.

4.7.1.7 Guests

Differences between the rights granted to the Guests built-in local group and to the Users local group are minimal; both groups have the right to access the server over the network. For information on the built-in Guest account, see Section 3.4.2, Guest Account.

4.7.1.8 Using the Operators Local Groups

As an example of how to use operators local groups, consider a medium-sized department that is deciding how to assign its technical staff to the various administrator and operator groups.

At least one user must be an administrator. Members of the Administrators group have several unique abilities. These include taking ownership of files and managing auditing. Because of their unique abilities, members of the Administrators group are responsible for planning and maintaining network security for the department. They also can be allowed to administer Windows NT workstation computers.

If there is someone in the group who is responsible for helping new employees get started, it may be wise to make this person a member of the Account Operators group. This account operator then can create domain accounts for new employees and place these accounts in the appropriate groups.

If the domain's Administrators group has only a few members, you should assign at least one additional person to the Server Operators group. The basic function of the Server Operators group is to keep the domain servers running. This goal is reflected in their abilities to share directories and printers on servers. If possible, at least one member of either the Administrators or Server Operators group should be present at all hours during which people are using the network.

If the ability to print documents quickly is important to your group, you should add several people to the Print Operators group to ensure that printer problems can be addressed quickly.

4.7.1.9 Setting Up a Universal Operators Group

If your network has multiple domains, each containing computers with shared printers, and you have a single group of Print Operators who need the ability to administer printers in all domains, use a universal operators group (a combination of global groups and local groups) to set this up. By doing so, you ensure that your Print Operators group is easy to maintain as your network evolves, as print operators come and go, and as new computers or domains are added.

Follow these steps to establish a universal operators group:

1. In each domain where accounts of Print Operators are located, create a global group called Domain PrintOps and make all of the Print Operators in the domain members of this group.
2. In each domain where printers are to be administered, modify the Print Operators local group by adding the Domain PrintOps global groups to it. Be sure to make this change to the Print Operators local group in every domain.

After you complete these steps, every Print Operator has the ability to administer all printers.

If you also need to administer printers on Windows NT workstation computers, you will need to go a step further, because a domain's local groups (such as Print Operators) cannot be used by Windows NT workstation computers --- even Windows NT workstation computers participating in that domain. To each Windows NT workstation computer with printers to administer, add all of the Domain PrintOps global groups to the workstation's Power Users local group.

4.7.2 Built-In Global Groups

Three global groups are built in:

• Domain Admins --- The Domain Admins built-in group initially contains the Administrator account. When you create accounts for the administrators of your domain, you should add these accounts to the Domain Admins global group, which is already a member of the Administrators local group.
• Domain Users --- The Domain Users built-in group initially contains the Administrator account. Administrators and Account Operators can modify these groups. Every user account you subsequently add to this domain is put automatically in the Domain Users global group.
• Domain Guests --- The Domain Guests built-in group initially contains the Guest account. Administrators and Account Operators can modify the Domain Guests built-in group.

Table 4-5 lists the types of built-in global groups, their initial contents, and who can modify them.

Table 4-5 Built-In Global Groups

Global Group	Initial Contents	Who Can Modify
Domain Admins	Administrator	Administrators
Domain Users	Administrator	Administrators, Account Operators
Domain Guests	Guest	Administrators, Account Operators

The following sections further explain the built-in global groups and how to use them.

4.7.2.1 Domain Admins

The Domain Admins global group is a member of the Administrators local group for the domain and of the Administrators local group for every Windows NT workstation computer in the domain. The built-in Administrator user account is a member of the Domain Admins global group.

Because of these memberships, a user logged on to the Administrator account can administer the domain, the primary and backup domain controllers, the member servers, and all of the Windows NT workstation computers in the domain. (However, Domain Admins users can be prevented from administering a particular workstation by removing the Domain Admins global group from that workstation's Administrators group.)

To provide administrative abilities to a new account, make the new account a member of the Domain Admins global group. This allows that user to administer the domain, the workstations of the domain, and the trusted domains that have added the Domain Admins global group from this domain to their Administrators local group.

4.7.2.2 Domain Users

By default, all domain user accounts belong to the Domain Users group, including the built-in Administrator account and any new accounts that are created.

The Domain Users global group is by default a member of the Users local group for the domain and of the Users local group for every Windows NT workstation computer in the domain. Domain Users is the default group for each user.

Because of these memberships, users of the domain have normal user access to and abilities in the domain and the Windows NT workstation computers of the domain. (However, domain users can be prevented from being granted this access for a particular workstation by removing the Domain Users global group from that workstation's Users group.)

4.7.2.3 Domain Guests

The Domain Guests global group initially contains the domain's built-in Guest user account. If you add user accounts that are intended to have more limited rights and permissions than typical domain user accounts, you may want to add those accounts to the Domain Guests group and remove them from the Domain Users group.

The Domain Guests global group is a member of the domain's Guests local group.

4.8 Server-Specific Groups

In addition to the built-in groups mentioned, server-specific groups are created by the system and are used for special purposes. You cannot delete these special groups and should not modify them. When you administer a computer and are presented with a list of groups, these server-specific groups sometimes appear in the list. For example, they can appear when assigning permissions to directories, files, shared network directories, or printers.

Table 4-6 lists the server-specific groups provided and the purpose of each.

Table 4-6 Server-Specific Groups

Group	Refers to
EVERYONE	Anyone using the computer. This includes all local and remote users; that is, the INTERACTIVE and NETWORK groups combined. In a domain, members of EVERYONE can access the network, connect to a server's shared network directories, and print to a server's printers.
INTERACTIVE	Anyone using a computer locally.
NETWORK	All users connected over the network to a computer.
SYSTEM	The operating system.

4.9 Using Built-In Global and Local Groups

Use built-in global and local groups the same way you use global and local groups. The Administrators local group and Domain Admins global groups serve as examples.

Membership in an Administrators local group is what makes an account an administrator in an Advanced Server domain. However, when you create an account on an Advanced Server domain, you have two alternate ways of making that account an administrator account: You can place it directly into the Administrators local group, or you can put it in the Domain Admins global group, which is a member of the Administrators local group.

You should always use the second method, putting the account in the Domain Admins global group. In this way, you have a global group that represents all administrators in the domain. This global group can then be put in the Administrators local group of any other domain or Windows NT workstation computer that this domain's administrators need to administer. (When you set up a Windows NT workstation computer to participate in a domain, that domain's Domain Admins global group is added automatically to the workstation's Administrators local group. This allows the domain administrators to manage the workstations in the domain.)

Every domain also has a Domain Users global group. All the user accounts you create in the domain are placed in this group by default; you do not have to remember to add accounts to this group. A Domain Users global group is automatically a member of the Users local group in the same domain and is also a member of the Users local group on all Windows NT workstation computers participating in the domain.

Every domain also has a Domain Guests global group, which is a member of the domain's Guests local group. The Domain Guests global group initially contains the Guest user account.

Domain Admins, Domain Users, and Domain Guests are the only built-in global groups that correspond to built-in local groups. You can create other global groups that correspond to local groups if you want to use the same strategies for the users in the global and local groups.

The way in which you organize the domains on your network is critical. If you set up your domains properly, you can simplify network administration significantly and ensure that users have access to the entire network.

You can manage user security by setting up user accounts, organizing users into groups, and controlling user capabilities. Through user accounts, you can assign user rights and passwords, grant user permissions for network file sharing, and audit users through the security event log. The server's security settings define the rules for changing user account passwords, sharing resources on the server, and handling logons that occur outside specified logon hours.

The Advanced Server accommodates both the Advanced Server user-level security model and the OpenVMS security model. This chapter describes both models and explains security integration considerations. It also includes the following examples that illustrate how Advanced Server network security works within domains:

• Single domain model
• Master domain model
• Multiple master domain model
• Complete trust model

You can use these examples as models as you plan and organize your network. You can follow the examples exactly, modify them, or mix and match them among various parts of your network to create the security configuration you want.

5.1 The Advanced Server Security Model

The Advanced Server employs a user-level security model. User-level security provides precise control over access to shared resources, including disk devices, directories, and printers. Security is based on users and collections of users, or groups. Each user is protected or secured by a password. Advanced Server user-level security takes advantage of the following features:

• User accounts --- A user account consists of a user name, a password, and other attributes that define the user. An account determines when a user can log on, what workstations a user can log on from, and what groups an account belongs to (and therefore what the user's privileges are). Users who need infrequent or temporary access to a resource may be allowed to log on through a guest account.
• Groups --- To simplify administration of user accounts, you can set up a group (or multiple groups) of users and assign access permissions to resources by group. When you change access permissions for a resource, such as group access permissions for a shared printer, you affect all users belonging to the group. You do not have to apply modifications individually to each of the group's members.
  For more information about global and local groups, see Chapter 4, Groups, in this guide.
• User authentication --- Advanced Server uses logon security to allow server or domain access to users with valid accounts.
• Privileges --- Privileges determine what range of actions a user can perform on the network. Advanced Server privileges are assigned based on group membership. For example, a user in the Administrators group can perform administrative functions.
• Access permissions --- Permissions define the extent to which each user can employ a resource. You can assign access permissions to shares, directories, and files. You can tailor access to resources by assigning a set of permissions for each user or for groups of users. You can also use OpenVMS security features to further protect resources. (For more information on OpenVMS security features, see Section 5.2, OpenVMS Security, in this guide.) The interaction of these two security models is described in the Security Integration Considerations section in this guide.

You can use the ADMINISTER commands to define the Advanced Server security settings. Security settings made on a domain's primary domain controller are copied to the domain's backup domain controllers, just as user accounts and groups are.

The Advanced Server security settings are shown in Table 5-1.

Table 5-1 Advanced Server Security Settings

Security Setting	Description	Values
Minimum password length	Specifies the minimum number of characters for a password.	The default value is 6. The range of values is from 1 to 14 characters.
Password uniqueness	Prevents a user from reusing old passwords. The value you enter specifies the number of previously used passwords that are forbidden. For example, if you set a value of 3, users are prevented from reusing any of their last three passwords.	The default value is 0. The range of values is from 1 to 8 passwords.
Minimum password age	Specifies the minimum number of days that must elapse between password changes by a user. This restriction does not apply to administrators, who can change the password of a user at any time. Users must log on to change their passwords.	The default is 1. The range of values is from 1 to 999 days.
Maximum password age	Specifies the maximum number of days that a user is allowed to use the same password without changing it.	The default is 90 days. The range of values is from 1 to 999 days or never.
Force disconnect	Determines what happens if users have a connection to a server when their logon hours or accounts expire. You can specify that the server will terminate the session immediately or never.	The default is never. The values are immediately or never.
Lockout accounts	Specifies the number of failed logon attempts users are allowed before their accounts are disabled. A failed logon attempt occurs when the user supplies an incorrect password when logging on.	The default is never. The range of values is from 1 to 999 invalid attempts or never.

In a domain or network with only one server, you do not need to set up a domain-wide security accounts database for use by different servers. You maintain security in a single-server domain by setting up the server as the primary domain controller, taking advantage of the full range of Advanced Server features and preparing the server for possible future expansion of the network.

5.2 OpenVMS Security

The Advanced Server provides support for security features of the OpenVMS operating system. The degree to which these features are integrated with Advanced Server security varies, as discussed in Section 5.5, Security Integration Considerations, in this guide.

An OpenVMS account identifies a user to the OpenVMS operating system. An account includes the user's name, a password, privileges, and access to directories and files associated with the account. (See Chapter 3, User Accounts, for more information.)

The OpenVMS operating system provides the following methods of assigning protection to files and directories:

• RMS protection
• Access control lists (ACLs)

The Record Management Service (RMS) sets protection on files and directories based on user identification codes (UICs). A UIC consists of a group code and a user code assigned to every user by the system administrator. For example, UIC [320, 450] represents user number 450 in group 320. A UIC determines which of the following categories a user belongs to:

• System (S) includes users with system privileges (the OpenVMS privilege SYSPRV) or users with designated low group numbers in their UICs as specified by the system manager.
• Owner (O) includes only the owner of a file or directory. The user code of the UIC associated with the file or directory matches the user code of a user's UIC.
• Group (G) includes all users who have the same group code in their UICs.
• World (W) includes all users regardless of UIC.

RMS assigns file protections for each of these categories according to the following format:

• R for read access
• W for write access
• E for execute access
• D for delete access

The default protection is:

(System:RWED, Owner:RWED, Group:, World:)

This default RMS protection allows read, write, execute, and delete access to the system administrator and to the owner of the file; group and world UICs have no access to the file.