HP OpenVMS Systems
HP Advanced Server for OpenVMS
On OpenVMS, you use Advanced Server ADMINISTER commands to manage network user accounts and groups for domains and computers. You can also use the Windows NT server administration tool, User Manager for Domains, to perform these tasks.
The following topics are discussed in this chapter:
Network user accounts and groups are separate and distinct from OpenVMS
user accounts and groups. This guide discusses management of network
user accounts and groups using Advanced Server.
3.1 Managing Network User Accounts
A network user account contains all the information that defines an
Advanced Server user. This includes user name, password, and group
memberships. It can also include information such as the user's full
name, the user account description, user profile information, a list of
logon workstations, and a schedule of authorized logon hours.
3.1.1 Built-In User Accounts
Guest users should not create files in their default directory that they do not want other users to access, because all users logged on as Guest access the same default directory.
The user account identifies the user to Advanced Server. The user account is used to authenticate the user both when the user logs on to the domain and when the user requests access to shared resources.
Each user account must have a unique user name in the domain. When you create a user account, you can specify the user account attributes shown in Table 3-1, User Account Attributes.
|User name||The user's account name (up to 20 alphanumeric characters).|
|Password||The password the user enters to log on to the account (up to 14 uppercase and lowercase alphanumeric characters). Passwords entered on ADMINISTER command lines are converted to uppercase unless enclosed within quotation marks.|
|Full name||User's full name, typically more complete than the account name (up to 256 characters).|
|Description||A brief text string describing the account.|
|Expiration date||Date when the account expires.|
|Type||Global or local.|
|Group names||The names of groups of which the user is a member. Determines privileges and access.|
|Logon restrictions||Logon hours and valid workstations.|
|Logon script||A script that is executed when the user logs on.|
|Home directory||A specified location containing files and programs for the user.|
|User profile||Setup information for the user's specific environment.|
Advanced Server allows you to integrate OpenVMS user accounts with network user accounts. Network user accounts can be linked (host mapped) to OpenVMS user accounts, simplifying user account management, ensuring password synchronization, and providing automatic access to network administration functions for OpenVMS system manager and operators. See Section 220.127.116.11, Establishing User Account Host Mapping, for more information.
To set account characteristics across all network user accounts, set the account policy, as described in Section 2.2.1, Managing the Account Policy.
User accounts are stored in the domain's Security Account Manager (SAM)
database. The SAM database is maintained by the primary domain
controller and periodically updated on the backup domain controllers.
One of the computers in the domain must be running as a primary domain
controller in order for user accounts to be created or modified.
3.1.4 Creating User Accounts
You create network user accounts on the Advanced Server with the ADD USER
or COPY USER command.
18.104.22.168 Creating a Network User Account
When you create a user account, you must provide all the information relevant to that user. You can use the ADD USER command to create a user account, or the COPY USER command to copy another account and modify it to suit the specific user.
When you display user information, the users are listed alphabetically by user name; you can optionally sort the display based on the full name. Therefore, follow the same conventions for all users when you enter full names; for example, Cowardly Lion or Lion, Cowardly.
Passwords for network user accounts are case sensitive. Passwords entered on the ADMINISTER command line default to all uppercase characters, unless you enclose them in quotation marks. To preserve lowercase letters, spaces, and other nonalphanumeric characters in passwords when you enter ADMINISTER commands, enclose the password in quotation marks, or enter the password in response to the prompt instead of on the command line. The following example shows how to enter a mixed-case password on the command line:
LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="OverTheRainbow" %PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN>
You can specify an optional description for the user by including the
/DESCRIPTION qualifier. If the description contains nonalphanumeric
characters, spaces, or lowercase letters, enclose the description in
22.214.171.124.1 Creating a Global User Account
Use the ADD USER command to create a global user account, as in the following example:
LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD - _LANDOFOZ\\TINMAN> /DESCRIPTION= "The Straw Man" - _LANDOFOZ\\TINMAN> /FULLNAME="Man, Straw" Password: Password verification: %PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN>
You can let Advanced Server prompt you for the user name and the password. The password is not displayed as you enter it. You should always supply a password when you add a user account, or explicitly specify that the user account has no password (using the /NOPASSWORD qualifier); otherwise the password value is unknown. By default, a user account is created with an expired password. The user must enter a new password at first logon. To remove the need for users to reset their passwords at first logon, use the /FLAGS=(NOPWDEXPIRED) qualifier with the ADD USER command.
You can specify additional details about the user account, including an account description, expiration date, a full name, type of account (global or local), a home directory, logon hours, group membership, user profile, logon script, and workstation names, if any. For details on the ADD USER command, refer to the HP Advanced Server for OpenVMS Commands Reference Manual.
The ADD USER command does not create an OpenVMS user account. However, if the user also has an OpenVMS account, you can associate the two user accounts. For more information, see Section 3.1.16, User Account Host Mapping.
Users with both a network account and an OpenVMS account have two
passwords: one for each user account. You can enable external
authentication for these users, providing automatic password
synchronization between the OpenVMS password and the network password.
For information about external authentication, see Section 3.1.17, External Authentication.
126.96.36.199.2 Verifying That the User Has Been Added
LANDOFOZ\\TINMAN> SHOW USERS SCARECROW/FULL User accounts in domain "LANDOFOZ": User Name Full Name Type Description -------------------- -------------------- ------ --------------- SCARECROW Man, Straw Global The Straw Man User Profile: Logon Script: Primary Group: Domain Users Member of groups: Domain Users Workstations: No workstation restrictions Logon Flags: Login script is executed, Password is expired Account Type: Global Account Expires: Never Logon hours: (All hours) Last Log On: 08/23/00 05:07 PM Password Last Set: 06/30/00 11:03 AM Password Changeable: 06/30/00 11:03 AM Password Expires: 09/11/00 11:03 AM Total of 1 user account LANDOFOZ\\TINMAN>
A primary group is used when a user logs on using Windows NT Services
for Macintosh, or runs POSIX applications.
188.8.131.52.3 Creating a Local User Account
To create a local user account, use the ADD USER command as shown
previously, and include the /LOCAL qualifier.
184.108.40.206 Creating User Account Templates
You can create a template for user accounts, specifying user account information common to the new user accounts you need to create. Most user account information can be copied from the template to the new user accounts, except for user name and password. For example, you could create a template user account as follows:
LANDOFOZ\\TINMAN> ADD USER TEMPLATE/LOCAL/HOURS=(8-5) - _LANDOFOZ\\TINMAN> /MEMBER_OF_GROUPS=MUNCHKINS %PWRK-S-USERADD, user "TEMPLATE" added to domain "LANDOFOZ"
You can then use the COPY USER command to create many new user accounts
that have these same characteristics. Once you have completed adding
all your new user accounts, you can then delete or disable the TEMPLATE
user account, as described in Section 3.1.15, Disabling and Removing User Accounts.
220.127.116.11 Copying User Accounts
You can use the COPY USER command to create a new user account from an existing account or a template account. Some of the original user account information is copied to the new user account, such as group memberships and logon restrictions. A template account makes it easier to create many similar user accounts with fewer errors than to create them one by one. Some user account information, such as user name and password, is not copied to the new user account. You should always supply a password when you create a new user account, or explicitly specify that the user account has no password (using the /NOPASSWORD qualifier); otherwise the password value is unknown.
Use the /PASSWORD qualifier with the COPY USER command to specify the password for the new user account. For example, to create a new user LION based on a user account template (TEMPLATE), enter the following command:
LANDOFOZ\\TINMAN> COPY USER TEMPLATE LION/PASSWORD="Roaring1" - _LANDOFOZ\\TINMAN> /FULL_NAME="Cowardly Lion" %PWRK-S-USERCOPY, user "TEMPLATE" copied to "LION" in domain "LANDOFOZ" LANDOFOZ\\TINMAN>
This example copies the TEMPLATE user account information to a new
account for user LION and uses the /FULL_NAME qualifier to provide the
full name for the new user. The /PASSWORD qualifier specifies the
password for the account LION. You can verify that the user is
correctly added, by using the SHOW USERS command.
3.1.5 Specifying Passwords
Network users who also have OpenVMS user accounts have two passwords, one for each account. If password synchronization is important, as with external authentication, be careful to observe limitations in password length and characters required by OpenVMS as well as Advanced Server. Network passwords can be up to 14 characters long; OpenVMS passwords can be longer. To help ensure security, select secure passwords using words not found in the dictionary, including numbers or nonalphabetic characters.
When you add a new user or modify the password for an existing user, you specify the password for that user. For example:
LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="YellowRoad" %PWRK-S-USERADD, user "SCARECROW" added on domain "LANDOFOZ" LANDOFOZ\\TINMAN>
To preserve case in a password, enclose it in quotation marks. By
default, a password entered on the command line that is not enclosed in
quotation marks is stored in uppercase letters. However, case is
preserved for a password entered in response to a prompt.
18.104.22.168 Changing a User Password
LANDOFOZ\\TINMAN> SET PASSWORD SCARECROW "YellowRoad" "EmeraldCity" %PWRK-S-PSWCHANGED, password changed for user "SCARECROW" in domain "LANDOFOZ" LANDOFOZ\\TINMAN>
In this example, the user name is SCARECROW, the existing password is
"YellowRoad" and the password is changed to "EmeraldCity."
3.1.6 Specifying Group Membership
Group membership allows you to control multiple user accounts and to grant permissions to use resources to a group of users rather than specifying individual users for resource permissions. By default, all user accounts are included in the special group Everyone. For the purposes of network administration, the user account is also included in the groups Domain Users and Users.
When you create a user account, you can specify membership in additional groups using the ADD GROUP or COPY GROUP command. For example, to include the user SCARECROW in the group MUNCHKINS, add the user account including the /MEMBER_OF_GROUPS qualifier, as follows:
LANDOFOZ\\TINMAN>ADD USER SCARECROW/PASSWORD/MEMBER_OF_GROUPS=(MUNCHKINS) Password: Password verification: %PWRK-S-USERADD, user "SCARECROW" added to domain LANDOFOZ" LANDOFOZ\\TINMAN>
You can restrict the days and hours during which a user can connect to a server. The default is to allow a user to connect at all times. To specify logon hours, use the ADD USER, COPY USER, or MODIFY USER command with the /HOURS qualifier. Specify the hours to be administered as shown in Table 3-2, Specifying Logon Hours. The /NOHOURS qualifier specifies that the user cannot log on to the server.
Hours are inclusive: if you grant access during a given hour, access extends to the end of that hour; if no hours are specified for a given day, all hours are allowed.
|Hours to Specify||Example Specification|
|A specific hour||/HOURS=(MONDAY=(8))|
|A block of hours||/HOURS=(FRIDAY=(8-12))|
|One entire day||/HOURS=(SUNDAY)|
|A specific hour across all seven days||
|The entire week||/HOURS=(EVERYDAY)|
In the following example, a user called MOUSEQUEEN is added to the domain LANDOFOZ with logon capability on Fridays from 8 a.m. to 12 noon.
LANDOFOZ\\TINMAN> ADD USER MOUSEQUEEN/HOURS=(FRIDAY=(8-12)) %PWRK-S-USERADD, user "MOUSEQUEEN" added to domain "LANDOFOZ"
The following example adds user BLACKCROW to domain LANDOFOZ, with logon capability from Monday through Friday, all hours.
LANDOFOZ\\TINMAN> ADD USER BLACKCROW/HOURS=(WEEKDAYS) %PWRK-S-USERADD, user "BLACKCROW" added to domain "LANDOFOZ"
You can specify the execution of a logon script when a user logs on. A
logon script is an executable or batch file of commands that runs on
the client. It is typically used to configure the client for a
particular user, performing such tasks as making network connections
and starting applications. Logon scripts can be tailored to the
requirements of individual users. A logon script typically has a .BAT,
.CMD, or .EXE file extension, depending on its function.
22.214.171.124 Setting Up a Logon Script
When a user logs on, Advanced Server checks the user's account on the logon server for the name of a script. Scripts are kept on the primary and backup domain controllers. By default, user scripts on an Advanced Server are stored in the following location:
126.96.36.199 Providing User Access to Logon Scripts
Ensure that permissions on the directory or share where the scripts reside permit access to all users who will be using the scripts. Advanced Server automatically provides Read access to members of the special group Everyone.
When the NetLogon service starts, the Advanced Server shares the scripts directory identified with the share name NETLOGON. For logon scripts to run, do not remove the NETLOGON share. You can display information about the NETLOGON share using the SHOW SHARE NETLOGON/FULL command. For example:
LANDOFOZ\\TINMAN> SHOW SHARE NETLOGON/FULL Shared resources on server "TINMAN": Name Type Description ------------ --------- ------------------------------------------ NETLOGON Directory Logon Scripts Directory Path: PWRK$LMROOT:[LANMAN.REPL.IMPORT.SCRIPTS] Connections: Current: 0, Maximum: No limit RMS file format: Stream Directory Permissions: System: RWED, Owner: RWED, Group: RWED, World: RE File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R Share Permissions: Everyone Read Total of 1 share LANDOFOZ\\TINMAN>