
HP Advanced Server for OpenVMS
Server Administrator's Guide



1.2.4 Groups

To simplify administration of access permissions, you define groups of users. The members of a group are users and other groups. Groups provide an easy way to grant common capabilities to several users; group permissions are provided to all its members.

A group can be either global or local. A global group is a collection of user accounts allowed to access resources in one domain. It can also be assigned permissions to use resources in a trusting domain. A global group:

  • Can be used to assign permissions and rights within the domain
  • Cannot contain other groups as members
  • Cannot contain users from another domain
  • Cannot contain groups from another domain

A local group can include users and global groups from its own domain and from trusted domains. Thus, it provides access to resources in its domain to users in its domain and in trusted domains.

If a trust relationship has been established between two domains, you can grant access to resources for groups from the trusted domain. To grant permissions to the members of a group from another domain, include the domain name when you specify the group name.
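The following DCL session is an added illustration of the membership rules above and of naming a group from a trusted domain; it is not an example from the guide. LANDOFOZ is the guide's own domain; the trusted domain KANSAS, the user and group names, the assumption that ADD GROUP creates a global group unless /LOCAL is given, and the /DESCRIPTION and /MEMBERS qualifiers are assumed here (Chapter 3 documents the actual commands).

```dcl
$ ! Added example, not from the guide. LANDOFOZ is the guide's own domain;
$ ! trusted domain KANSAS, the names below, and the ADD GROUP qualifiers
$ ! (/LOCAL, /DESCRIPTION, /MEMBERS) are assumed, as is the rule that
$ ! ADD GROUP creates a global group when /LOCAL is omitted.
$ !
$ ! A global group holds only user accounts from its own domain (LANDOFOZ).
$ ! It can later be granted permissions in LANDOFOZ or in any domain that
$ ! trusts LANDOFOZ.
$ ADMINISTER ADD GROUP OZ_OPERATORS -
_$ /DESCRIPTION="Console staff in LANDOFOZ" /MEMBERS=(DOROTHY,TOTO)
$ !
$ ! A local group may hold users and global groups from LANDOFOZ and from
$ ! the domains LANDOFOZ trusts. A member from a trusted domain is written
$ ! with its domain name in front (assumed form: DOMAIN\name).
$ ADMINISTER ADD GROUP/LOCAL PRINT_STAFF -
_$ /DESCRIPTION="May manage print shares on TINMAN" -
_$ /MEMBERS=(OZ_OPERATORS,KANSAS\FARMHANDS,KANSAS\AUNTIE_EM)
$ !
$ ! What a global group cannot take: another group, or an account from
$ ! another domain. Both of these requests would be rejected, so they are
$ ! left commented out.
$ ! ADMINISTER ADD GROUP BAD_GLOBAL /MEMBERS=(OZ_OPERATORS)
$ ! ADMINISTER ADD GROUP BAD_GLOBAL /MEMBERS=(KANSAS\AUNTIE_EM)
```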

For more information about groups, see Chapter 3, Managing Users and Groups.

1.2.5 Logon Validation

The Advanced Server can validate requests of users to log on to the network. Logon validation is provided by the NetLogon service and allows the following:

  • A single, domainwide security accounts database
  • Single domainwide logon, which lets a user access resources on any server in the domain and on servers that trust the domain

You create the master security accounts database for the domain when you configure the primary domain controller. This database is automatically copied to the backup domain controllers in the domain that are running the NetLogon service. You do not have to create user accounts separately on each server. All the servers in the domain that run the NetLogon service use identical copies of the same domainwide security accounts database.

Through external authentication, specified OpenVMS users are automatically validated on the network when they log in to the OpenVMS system running the Advanced Server. This pass-through style of authentication ensures password synchronization between OpenVMS user accounts and their corresponding Advanced Server network account. It eliminates the need for users to maintain a separate password for their OpenVMS and domain (network) user accounts. For more information about external authentication, see Section 3.1.17, External Authentication.

1.2.6 Logon Scripts

As the network administrator, you can use logon scripts to configure the working environments of your users by allowing them to automatically make network connections and start applications. The network administrator can create logon scripts and then assign a different logon script to each user, or create a logon script for multiple users. A logon script runs automatically whenever a user logs on at a workstation running Windows NT, Windows XP or Windows 2000.

1.2.7 Home Directories

As the network administrator, you may want to assign a user a home directory on a server. Users can store private data in their home directories and have access control over these directories to restrict or grant access to other users. If users have home directories on computers other than their own, connections can be made automatically to home directories whenever users log on. Depending on the client operating system, you may need to specify the home directory in a logon script. For information about how to specify a logon script and home directory for a user account, see Section 3.1.3, User Account Attributes.

1.2.8 Advanced Server Licensing

To access the Advanced Server, clients must be properly licensed with a valid Client Access license. A client may obtain a client-based license to access an unlimited number of HP Advanced Servers, or an unlicensed client may be assigned a server-based license while accessing resources on a single HP Advanced Server. The Advanced Server includes the Advanced Server License Server, which distributes client-based licenses to clients during client startup. The Advanced Server License Registrar validates client-based licenses when the client establishes a session, and it allocates server-based licenses. The HP Advanced Server for OpenVMS Server Installation and Configuration Guide describes how to install the License Server. Refer to the HP Advanced Server for OpenVMS Guide to Managing Advanced Server Licenses for more information about Advanced Server licensing.

1.3 Resource Sharing

Sharing is the process of making resources (printers, directories, and files) available to users. As the network administrator, you make a printer or directory available to clients by specifying a share name and the permissions that control access to the share.

Users gain access to a shared resource by:

  1. Logging on to the domain or a trusted domain
  2. Connecting to the share

As the network administrator, you define which resources to share, which users and groups can access them, and the type of access each user and group can have.

1.3.1 Disk Directories

The Advanced Server automatically shares the root directory of all disk devices connected to the server that are mounted when you start the server process. This type of share is called an autoshare. It is accessible by Administrators only.

Advanced Server lets you audit user attempts to access shared files or directories. You specify the types of access attempts to be audited. When one of those events occurs, the Advanced Server records an entry in the Security event log.

For information about setting permissions and auditing for individual files and directories, see Chapter 4, Managing Directory and File Sharing.

The OpenVMS system supports two file systems:

  • On ODS-2 disk volumes, the traditional file system (RMS). This file system is useful for OpenVMS system files, layered products, and applications.
  • On ODS-5 disk volumes, the Extended File System (EFS). This file system is useful for storing directories and files from network clients, providing greater compatibility with the Windows NT, Windows 2000, Windows XP, and Windows 2003 file systems. For information about setting up EFS, refer to the OpenVMS Guide to Extended File Specifications. Management of ODS-5 disk volumes in the network environment is described in Section 4.5, Using ODS-5 Disk Volumes in the Advanced Server Environment.

1.3.2 Printers

The Advanced Server lets you share printers connected to the network. With Advanced Server, you can:

  • Create Advanced Server print queues.
  • Share print queues and set print queue permissions to restrict access to the queue. By default, a print share is available to all users.
  • Manage print queues, print shares, and print jobs.

By default, you manage Advanced Server printers and print shares on the server using the ADMINISTER command interface. However, you can configure the server so that you can manage its printers remotely with a Windows NT system.

For information about managing print shares and queues, see Chapter 5, Managing Printers, Print Queues, and Print Shares.

1.4 Monitoring Events and Troubleshooting

The Advanced Server provides log files for monitoring server resource use and for recording client and server problems.

The event log records client and server events. It contains the following information about each event:

  • Nature of the event
  • Event type
  • Date and time when the event occurred

You can establish an audit policy for event types on a server and set auditing for individual directories or files. The audit policy defines the types of events to be logged. Auditing also allows you to record server resource use. It can provide the following information about each access attempt:

  • Name of the server resource accessed
  • Operation performed or attempted
  • Date and time of the operation
  • User name of the user requesting access

For information about setting auditing for specific events and about troubleshooting server problems, see Chapter 6, Monitoring Events and Troubleshooting.

1.5 Network Administration Interfaces

You can administer the Advanced Server, another server, or a workstation in the network from either an HP OpenVMS server or another computer, using one of the interfaces listed in Table 1-1, Network Administration Interfaces.

Table 1-1 Network Administration Interfaces

Computer Type: Advanced Server for OpenVMS and PATHWORKS V6 for OpenVMS (Advanced Server)
Interface: Includes the following:
  • Advanced Server ADMINISTER commands (a command-line interface) -- to administer servers, domains, and shares. The complete command set is described in the HP Advanced Server for OpenVMS Commands Reference Manual.
  • Advanced Server Configuration Manager (a character-cell interface) -- to manage server-specific parameters that are not stored in the OpenVMS Registry. These parameters are, directly or indirectly, related to the environment in which the Advanced Server operates, such as the server's usage of OpenVMS system resources and physical memory. This is described in Section 7.2, Managing File Server Parameters Affecting System Resources.
  • On Advanced Server for OpenVMS only, PWRK$REGUTL (a command-line interface) -- to manage the server configuration parameters stored in the OpenVMS Registry, which affect the behavior of the Advanced Server but not, for the most part, file server resource consumption. For more information, see Section 7.3, Managing Server Configuration Parameters Stored in the OpenVMS Registry.
  • Advanced Server License Manager (a character-cell interface) -- to manage the Advanced Server licenses and License Server. For more information about the License Manager, refer to the HP Advanced Server for OpenVMS Guide to Managing Advanced Server Licenses.

Computer Type: Windows NT Server
Interface: Windows NT server administration tools (Windows-based interfaces, including Server Manager, Print Manager, User Manager for Domains, and Event Viewer).

Computer Type: PATHWORKS (LAN Manager)
Interface: ADMIN/PATH utility (a character-cell user interface), or Net commands (a command-line interface).

Computer Type: Advanced Server for UNIX
Interface: pwadmin commands (a command-line interface), or net commands (limited functions).

Computer Type: DOS client
Interface: Net commands (a command-line interface).

Computer Type: Windows NT, Windows 2000, Windows XP, or Windows 2003 client
Interface: MS-DOS Net interface (a command-line interface), Windows NT server administration tools (Windows-based user interfaces).

1.6 The Advanced Server ADMINISTER Command-Line Interface

You can control most aspects of the Advanced Server using the Advanced Server ADMINISTER command-line interface. You invoke the Advanced Server ADMINISTER command-line interface by entering the ADMINISTER command at the OpenVMS system prompt. The Advanced Server command-line interface prompts you with the name of the domain and the name of the server you are currently administering. For example:


$ ADMINISTER
LANDOFOZ\\TINMAN>

In this example, you are managing a domain called LANDOFOZ and a server called TINMAN. You can enter ADMINISTER commands at the prompt.

You can also execute ADMINISTER commands on the DCL command line in the following way:


$ ADMINISTER SET PASSWORD SCARECROW "YellowRoad" "EmeraldCity"
%PWRK-S-PSWCHANGED, password changed for user "SCARECROW" in domain
"LANDOFOZ"

$

In this example, the command-line interface executes a single command and returns to the OpenVMS system prompt.

The ADMINISTER command-line interface prompts you for any required information that you did not supply on the command line. For example, you can log on to the network using the LOGON command, as follows. The password is required, so the software prompts you for it; when you type the password, it is not displayed on the screen.


$ ADMINISTER
LANDOFOZ\\TINMAN> LOGON ADMINISTRATOR
Password:
The server \\TINMAN successfully logged you on as Administrator.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 07/19/00 06:41 PM.

LANDOFOZ\\TINMAN>

1.6.1 Getting Help with ADMINISTER Commands

The Advanced Server ADMINISTER command-line interface has online help that describes command syntax, options, and qualifiers. It also explains each command and gives examples of command use. The Help facility for the ADMINISTER command-line interface has the same structure as OpenVMS DCL help.

To use online help, enter one of the following commands at the DCL prompt ($):

Syntax: ADMINISTER HELP
Information Provided: A list of help topics

Syntax: ADMINISTER HELP command
Information Provided: The description, syntax, qualifiers, and examples for the specified ADMINISTER command

Syntax: ADMINISTER
        domain\\server> HELP
Information Provided: A list of help topics

For complete information about ADMINISTER commands and their syntax, refer to the HP Advanced Server for OpenVMS Commands Reference Manual or to the ADMINISTER command-line interface help.

1.6.2 Administering Domains and Servers

There are two types of Advanced Server ADMINISTER commands:

  • Commands that operate on a domain
    These commands allow you to administer users, groups, account policies, audit policies, and trust relationships, and to add, delete, or display computers. All such ADMINISTER commands can include the /DOMAIN qualifier to specify a domain other than the one currently being administered. If you specify the /DOMAIN qualifier, you cannot use the /SERVER qualifier with these commands; the commands are executed on the primary domain controller of the specified domain.
    A member server does not store or maintain the domainwide security accounts database; only domain controllers do. When you administer the member server's local security accounts database, certain ADMINISTER commands are disallowed or restricted. For information about managing a member server's local database, see Section 2.1.5, Member Servers and Domain Management.
  • Commands that operate on a specific server
    These commands allow you to administer shared resources, services, and server operation; they operate directly on either the default server or on the server you specify using the /SERVER qualifier. You cannot use the /DOMAIN qualifier with server-specific commands.

By default, you are set up to administer the local server and the domain to which it belongs. The default domain remains in effect for the duration of the current OpenVMS login session, or until you log off the domain or change the default domain. Commands are executed on the domain and server indicated by the ADMINISTER command-line interface prompt. For example, the following prompt indicates that the domain currently being administered is LANDOFOZ, and the server is TINMAN:


LANDOFOZ\\TINMAN>

For administering other (remote) domains and servers with the ADMINISTER command-line interface, you have these options:

  • SET ADMINISTRATION command --- You specify the domain or server, or both, and all subsequent commands affect the specified domain or server.
  • TELL command --- You specify the server and a single command that is directed to that server. For example, you can use the TELL command to direct commands to a down-level server (a server such as the PATHWORKS LAN Manager server, which runs an earlier network operating system than that of the Advanced Server).
  • LOGON command --- You specify the domain, and all subsequent commands affect the specified domain. The server name is set to the local server if the local server is a member of that domain. It is set to the name of the primary domain controller of the specified domain if the local server is not a member of the specified domain.
  • /SERVER or /DOMAIN qualifier --- Commands that support these qualifiers let you specify the server or domain to be affected by that command.

You can use the SET ADMINISTRATION command to administer resources, services, and server operation in another domain or server, if you have been validated for a user account that is a member of the Administrators group. For more information, see Section 2.1.4, Administering Another Domain.

If you have OpenVMS system management privileges SYSLCK and OPER on the system, you can execute any server-related ADMINISTER commands on the local server without logging on to the network, except commands that require operations with other servers. If your local server is a primary domain controller, you can also execute any domain-related commands that do not require operations with other servers. When you have these OpenVMS privileges, you are treated as if you had logged on to the network as Administrator. If you do not have these OpenVMS privileges, or if you want to manage a server other than your local server, you must log on to a network user account that is a member of the Administrators local group (for example, the Administrator user account).
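The following DCL session is an added illustration of the four options above and of the rules for which server a command reaches; it is not an example from the guide. LANDOFOZ and TINMAN are the guide's own default domain and server; the domain KANSAS, its primary domain controller GLINDA, its backup domain controller OZMA, the /DOMAIN qualifier on LOGON, and every output line are assumed or constructed.

```dcl
$ ! Added example, not from the guide. LANDOFOZ and TINMAN are the guide's
$ ! own default domain and server. Domain KANSAS, its primary domain
$ ! controller GLINDA, its backup domain controller OZMA, the /DOMAIN
$ ! qualifier on LOGON, and every output line are assumed or constructed.
$ !
$ ! 1. /DOMAIN on a domain command sends only that command to the primary
$ !    domain controller of KANSAS (/SERVER cannot be combined with it).
$ !    The default, LANDOFOZ\\TINMAN, is unchanged afterwards.
$ ADMINISTER SHOW COMPUTERS/DOMAIN=KANSAS
%PWRK-I-SRVINFO, the server type is: Advanced Server for OpenVMS

Computers in domain "KANSAS":

Computer              Type                       Description
--------------------  -------------------------  --------------------------
[PD] GLINDA           OpenVMS (NT 4.0) Primary   Advanced Server V7.3B
                                                 for OpenVMS

[BD] OZMA             OpenVMS (NT 4.0) Backup    Advanced Server V7.3B
                                                 for OpenVMS

Total of 2 computers

$ ! 2. LOGON with a domain changes the default domain for the rest of this
$ !    OpenVMS login session. TINMAN is not a member of KANSAS, so the
$ !    default server becomes GLINDA, the KANSAS primary domain controller.
$ !    The account must belong to the Administrators group of KANSAS.
$ ADMINISTER LOGON ADMINISTRATOR/DOMAIN=KANSAS
Password:
The server \\GLINDA successfully logged you on as Administrator.
Your privilege level on domain KANSAS is ADMIN.
The last time you logged on was 09/19/00 06:41 PM.

$ ADMINISTER
KANSAS\\GLINDA> EXIT
$ !
$ ! 3. SET ADMINISTRATION redirects all later commands to a chosen server
$ !    (and/or domain); here the backup domain controller OZMA.
$ ADMINISTER SET ADMINISTRATION/SERVER=OZMA
$ ADMINISTER
KANSAS\\OZMA> EXIT
$ !
$ ! 4. TELL sends a single command to one server without changing the
$ !    default (output as in step 1); LOGOFF ends the KANSAS logon before
$ !    you leave, since the logon otherwise outlives the ADMINISTER session.
$ ADMINISTER TELL GLINDA SHOW COMPUTERS
$ ADMINISTER LOGOFF
```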

To log on to the network, use the LOGON command. For example:


LANDOFOZ\\TINMAN> LOGON
Username: ADMINISTRATOR
Password:
The server \\TINMAN successfully logged you on as Administrator.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 09/19/00 06:41 PM.

LANDOFOZ\\TINMAN>

You are prompted for your user name and password. The password is not displayed as you enter it. Once you log on to the domain, you remain logged on after you exit from the ADMINISTER command interface. To log off the domain, use the LOGOFF command before exiting.

You can administer another server using the TELL command. TELL sends the command to be executed to the specified server. In the following example, the server currently being administered is TINMAN, and the other server is WOODMAN. The command to be executed on server WOODMAN is SHOW COMPUTERS.


LANDOFOZ\\TINMAN> TELL WOODMAN SHOW COMPUTERS

%PWRK-I-SRVINFO, the server type is: Advanced Server for OpenVMS

Computers in domain "LANDOFOZ":

Computer              Type                       Description
--------------------  -------------------------  --------------------------
[PD] TINMAN           OpenVMS (NT 4.0) Primary   Advanced Server V7.3B
                                                 for OpenVMS

[BD] WOODMAN          OpenVMS (NT 4.0) Backup    Advanced Server V7.3B
                                                 for OpenVMS

Total of 2 computers

LANDOFOZ\\TINMAN>

Be sure to use the proper command syntax for the server you are administering. For example, to administer a server running PATHWORKS V5 for OpenVMS (LAN Manager), use LAN Manager NET commands. In the following example, the PATHWORKS V5 for OpenVMS (LAN Manager) server name is QUEEN.


LANDOFOZ\\TINMAN> TELL QUEEN NET SHARE
%PWRK-I-SRVINFO, the server type is: LAN Manager 2.2 for OpenVMS

Sharename        Resource                  Remark
---------------------------------------------------------------------------
ADMIN$                                     Remote Admin
C$               USERS:[PWRK$ROOT]         PATHWORKS share
IPC$                                       Remote IPC
USERS$           _QUEEN$DUA1:              ODS-2 volume USERS:
VAXVMSV0.55$     _QUEEN$DUA2               ODS-2 volume VAXVMSV0.55:
NETLOGON                                   Logon Users Directory
PWUTIL           C:[LANMAN.SHARES.WIN]     Adv. Srv. Client-based Utilities
RONNIE           USERS:[RONNIE]
RPL              C:[LANMAN.RPL]            Remoteboot server share
RPLFILES         C:[LANMAN.RPL.RPLFILES]   Remoteboot server share
USERS                                      Logon Users Directory
The command completed successfully

LANDOFOZ\\TINMAN>

1.6.3 Administrative Groups

Some of your network users may be designated as members of administrative groups, such as account operators, print operators, server operators, or administrators. These users have administrative or operator privileges that enable them to perform specific tasks, as described in Table 1-2, Administrative Groups.

Table 1-2 Administrative Groups

Group Name: Account Operators
Tasks: Create and manage user accounts and global and local groups.

Group Name: Administrators
Tasks: Access servers and computers from the network; take ownership of files; manage auditing and security logs; perform all account operator tasks; assign user rights; create groups; keep a local profile; share and stop sharing directories, files, and printers.

Group Name: Print Operators
Tasks: Keep a local profile; share and stop sharing printers.

Group Name: Server Operators
Tasks: Access servers and computers from the network; take ownership of files; manage auditing and security logs; share and stop sharing directories, files, and printers.

If you have different operators responsible for different parts of your network and you do not want to assign them full administrative privileges, make them members of the Server Operators group only at the server they can administer.

