
HP Advanced Server for OpenVMS
Commands Reference Manual



2.1.2.2 ADMINISTER Command Variances on Member Servers

As mentioned previously, member servers do not maintain or manage the domain-wide security accounts database and cannot manage or display certain objects, such as global groups, primary groups, and trusts. Table 2-1, Disallowed or Restricted Commands When Administering a Member Server's Local Database, lists the commands that are not allowed, or are restricted, when administering the member server's local domain database. If you attempt to use these commands in such circumstances, the following error message is displayed:


%PWRK-E-DCONLY, operation is only valid to a Domain Controller

The affected commands are categorized by each of the following management objects: COMPUTER, GROUP, TRUST, and USER.

Table 2-1 Disallowed or Restricted Commands When Administering a Member Server's Local Database

Object    Command                  Restriction
COMPUTER  ADD                      Not allowed
          REMOVE                   Not allowed
          SET                      Not allowed with the /ACCOUNT_SYNCHRONIZE or /ROLE= qualifiers
          SHOW                     When you do not specify a computer name with the command, it displays
                                   information about the member server only (the computer you are
                                   managing) rather than about all the computers in the domain; note
                                   that the display symbol for a member server is [SV]
GROUP     ADD, COPY, MODIFY,       Do not use for global groups, or with the /GLOBAL or /PRIMARY_GROUP
          REMOVE, SHOW             qualifiers; GROUP commands manage local groups only
TRUST     ADD, REMOVE, SHOW        Not allowed
USER      ADD, COPY, MODIFY        Do not use with the /PRIMARY_GROUP qualifier; the ADD USER command
                                   adds the user to the Users local group; these commands manage
                                   memberships in local groups only
          REMOVE, SHOW             These commands manage memberships in local groups only; the SHOW
                                   USERS command does not display the primary group or memberships in
                                   global groups

2.1.3 Privileges Required

Some of your network users may be designated as Account Operators, Print Operators, or Server Operators. These users have limited administrative or operator privileges that enable them to perform specific tasks. If you have different operators responsible for parts of your network and you do not want to assign them full administrative privileges, then make them members of groups only at the server being administered.

Required privileges are included in the command descriptions in this manual.

2.1.4 Understanding Command Syntax

In this manual, command syntax for ADMINISTER commands is denoted as follows:

  • An option enclosed in braces ({ }) is required. For example, {YES | NO} indicates that you must specify either YES or NO when using the command.
  • An option enclosed in brackets ([ ]) is optional. For example, [password] indicates that a password can be used with the command if desired, but it is not required.
  • When a vertical bar (|) separates items within braces or brackets, select only one option. For example, the following list indicates that you must select only one of the options:
    {/HOLD | /RELEASE | /DELETE}
  • When an ellipsis (...) appears in a syntax statement, you can repeat the previous item. For example, /FLAGS=(option, ...) indicates that you can specify more than one option, with a comma between the flag options.
  • Be sure to type slashes (/), backslashes (\), commas (,), double quotes ("), equal signs (=), colons (:), parentheses ( ), semicolons (;), spaces ( ), and asterisks (*) as they are shown.
  • When you finish typing a command, press Return or Enter.
  • If you are typing a long command string, do not press Return when your cursor reaches the edge of your screen; the cursor wraps around and continues on the next line of your screen. Press Return only after you finish typing the entire command string. Alternatively, enter the command on multiple lines, using a hyphen (-) at the end of each line as the continuation character.

In general, the ADMINISTER command syntax conforms to the OpenVMS DCL command conventions. Refer to the OpenVMS DCL Dictionary for more information.

2.1.5 Case Sensitivity

Due to the behavior of OpenVMS, all parameters and qualifier values entered on the command line are converted to uppercase characters when they are processed by the user interface. If you wish to preserve case, or you wish to enter any value that contains blanks (spaces) or any nonalphanumeric characters, you must enclose the value in quotation marks. This is not necessary, however, if you are prompted for additional information after entering a command.

For further information, refer to your Server Administrator's Guide.

2.1.6 Using Passwords with Commands

Some commands require you to enter a password. You can provide a password with a command by typing the password on the same line as the command. For example, to log on as the user named JIM using the password KAHUNA, you type:



$ ADMINISTER
LANDOFOZ\\TINMAN> LOGON JIM KAHUNA
The server \\TINMAN successfully logged you on as JIM.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 10/08/01 07:48 PM

LANDOFOZ\\TINMAN>

Because passwords are case sensitive in most cases, pay careful attention when entering them on a command line. If they are to contain any lowercase letters, blanks (spaces), or nonalphanumeric characters, be sure to enclose them in quotation marks.

You can also have the user interface prompt you for the password. For example, to log on to the network, type:


$ ADMINISTER
LANDOFOZ\\TINMAN> LOGON JIM
Password:
The server \\TINMAN successfully logged you on as JIM.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 10/08/01 07:48 PM

LANDOFOZ\\TINMAN>

When you enter a password when prompted, as in the second example, the password does not appear on the screen as you type. This helps you keep your password confidential, providing added security. In addition, you need not use quotation marks if the password contains lowercase letters, blanks (spaces), or nonalphanumeric characters (as you do when entering the password on the command line).

If you forget to enter a password for a command that requires one, the software prompts you for it. Depending on the command that you type, the software may also prompt you for other required information, such as your user name.

Although the software may prompt for required parameters, do not rely on the software to prompt you for all required information. Be sure to enter all required information, except for passwords, on the command line.

2.1.7 Using Abbreviations

In general, the command descriptions in this manual include full command names, command options, and service names. However, the software recognizes abbreviations. Note that abbreviations are not recommended for use in batch jobs and command procedures.

You can abbreviate any command option by typing enough letters to distinguish it from other command options. The following is an example of the SET AUDIT POLICY command:


$ ADMINISTER
LANDOFOZ\\TINMAN> SET AUD POLI /FAILURE=(LOGONOFF,PROCESS) -
_LANDOFOZ\\TINMAN>/AUDIT/SUCCESS=(ALL)
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

Note the use of the continuation character (-) to enter this long command string.

You can abbreviate options and qualifiers as illustrated in the following example:


$ ADMIN
LANDOFOZ\\TINMAN> SET AUD POLICY/FAIL=(LOG,PROC)/AUD/SUCCESS=(ALL)
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"

LANDOFOZ\\TINMAN>
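The abbreviation rule described above (type enough letters to distinguish an option from the others) is a unique-prefix match, and the reason it is discouraged in batch jobs is that a prefix that is unique today can become ambiguous when a later release adds a keyword. The following is an added example written for this page, not code from the Advanced Server product: the keyword list is a constructed sample of qualifiers that appear on this page, and /AUDIT_LOG is a hypothetical keyword used only to show how an existing abbreviation breaks.

```python
from typing import Optional, Sequence

# Constructed sample of qualifier keywords taken from this page; the product's
# real keyword tables are larger.
SAMPLE_QUALIFIERS = ("/AUDIT", "/FAILURE", "/SUCCESS", "/CONFIRM", "/NOCONFIRM",
                     "/DOMAIN", "/SERVER", "/DESCRIPTION")

# Hypothetical keyword set of a later release (the added /AUDIT_LOG is made up
# for illustration; it is not a real Advanced Server qualifier).
HYPOTHETICAL_LATER_RELEASE = SAMPLE_QUALIFIERS + ("/AUDIT_LOG",)


def resolve(abbrev: str, keywords: Sequence[str]) -> str:
    """Expand an abbreviation: an exact match wins; otherwise the prefix must
    select exactly one keyword. Raises ValueError when it selects none or several."""
    wanted = abbrev.upper()  # the user interface uppercases the command line (section 2.1.5)
    if wanted in keywords:
        return wanted
    matches = [k for k in keywords if k.startswith(wanted)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"{abbrev!r} matches no keyword")
    raise ValueError(f"{abbrev!r} is ambiguous: {', '.join(matches)}")


def expands_to(abbrev: str, keywords: Sequence[str]) -> Optional[str]:
    """The expansion, or None when the abbreviation is rejected."""
    try:
        return resolve(abbrev, keywords)
    except ValueError:
        return None


def still_resolves(abbrev: str, before: Sequence[str], after: Sequence[str]) -> bool:
    """Does an abbreviation written against keyword set `before` still mean the
    same keyword against keyword set `after`? A False here is the failure mode
    behind the advice to spell keywords out in command procedures."""
    original = expands_to(abbrev, before)
    return original is not None and original == expands_to(abbrev, after)


if __name__ == "__main__":
    for abbrev in ("/AUD", "/FAIL", "/CON", "/D"):
        print(f"{abbrev:6} -> {expands_to(abbrev, SAMPLE_QUALIFIERS)}")
    print("/AUD still unique after /AUDIT_LOG is added:",
          still_resolves("/AUD", SAMPLE_QUALIFIERS, HYPOTHETICAL_LATER_RELEASE))
```

Note that /D is already ambiguous in the sample (/DOMAIN and /DESCRIPTION), while /AUD resolves today and stops resolving once a keyword with the same prefix exists; the spelled-out /AUDIT keeps working because an exact match takes precedence.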

2.1.8 Administering the Advanced Server Using Batch Jobs

You can manage a server with batch jobs that you set up. The .COM files can contain the ADMINISTER commands you would otherwise enter interactively. The following example (EVT_CLEANUP.COM) saves an event log, then clears it:


$ TYPE EVT_CLEANUP.COM
$ ADMINISTER SAVE EVENTS/TYPE=SECURITY SYS$BACKUP:PW-SECURITY.EVT
$ ADMINISTER CLEAR EVENTS/TYPE=SECURITY/NOCONFIRM
$ EXIT

For commands that have confirmation responses (selectable using /CONFIRM and /NOCONFIRM qualifiers), the default in batch mode is to not ask for confirmation. In other words, /NOCONFIRM is the default action for batch jobs.

2.1.9 Universal Naming Convention (UNC) for Path Names

When using the Universal Naming Convention (UNC) for specifying the path to a shared directory or file, the UNC path has the form

\\server-name\share-name\path

where:

server-name is the name of the server where the directory or file resides.
share-name is the name of the shared resource containing the directory or file.
path specifies the path to the directory or file within the shared resource.

The server-name portion of the UNC, if omitted, defaults to the server currently being administered (the server to which commands are directed). You can omit the backslash before the share-name if you omit the server-name.

Except for the TAKE FILE OWNERSHIP command, you can use standard DOS wildcards within file names, but not for directories. The TAKE FILE OWNERSHIP command does not accept wildcards for the UNC path.
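The three UNC spellings above (server and share given, server omitted, server and its leading backslash omitted) plus the wildcard rule are easy to get subtly wrong in tooling that builds or checks ADMINISTER commands. The following parser is an added example for this page, not part of the Advanced Server software; it assumes the caller supplies the name of the server currently being administered, and models "DOS wildcards" as the characters * and ?.

```python
from dataclasses import dataclass
from typing import Optional

# DOS wildcard characters; permitted only in the final (file-name) component
DOS_WILDCARDS = frozenset("*?")


@dataclass(frozen=True)
class UncPath:
    server: str   # server-name, defaulted when omitted
    share: str    # share-name
    path: str     # remainder inside the share, backslash-separated; may be empty


def parse_unc(text: str, current_server: str, allow_wildcards: bool = True) -> UncPath:
    """Split a UNC path into server-name, share-name and path.

    Accepted spellings, following the text above:
      \\\\SERVER\\SHARE\\dir\\file.ext   fully qualified
      \\SHARE\\dir\\file.ext             server-name omitted: defaults to current_server
      SHARE\\dir\\file.ext               server-name and its leading backslash both omitted
    Wildcards are refused in server-name, share-name and directory components, and
    refused everywhere when allow_wildcards is False (the TAKE FILE OWNERSHIP case).
    """
    if text.startswith("\\\\"):
        server, sep, rest = text[2:].partition("\\")
        if not server:
            raise ValueError("empty server-name")
        if not sep:
            raise ValueError("share-name is missing")
    else:
        server = current_server
        rest = text[1:] if text.startswith("\\") else text

    share, _, path = rest.partition("\\")
    if not share:
        raise ValueError("share-name is missing")
    if DOS_WILDCARDS & set(server + share):
        raise ValueError("wildcards are not permitted in server-name or share-name")

    components = path.split("\\") if path else []
    for directory in components[:-1]:          # every component but the last is a directory
        if DOS_WILDCARDS & set(directory):
            raise ValueError(f"wildcard in directory component {directory!r}")
    if components and not allow_wildcards and DOS_WILDCARDS & set(components[-1]):
        raise ValueError("this command does not accept wildcards in the UNC path")
    return UncPath(server, share, path)


def unc_error(text: str, current_server: str, allow_wildcards: bool = True) -> Optional[str]:
    """The rejection reason, or None when the path is accepted."""
    try:
        parse_unc(text, current_server, allow_wildcards)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # constructed sample paths; TINMAN is the server name used in this manual's examples
    for sample in (r"\\TINMAN\PUBLIC\docs\*.txt", r"\PUBLIC\docs\file.txt",
                   r"PUBLIC\file.txt", r"\\TINMAN\PUBLIC\*\file.txt"):
        print(f"{sample:32} -> {unc_error(sample, 'TINMAN') or parse_unc(sample, 'TINMAN')}")
```

Passing allow_wildcards=False reproduces the TAKE FILE OWNERSHIP restriction; every other command gets the default, which still rejects a wildcard in a directory position.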

2.1.10 Parameter Restrictions

The ADMINISTER command parameters listed in Table 2-2, ADMINISTER Command Parameter Restrictions, cannot contain the following characters:

" / \ [ ] : ; | = , + * ? < >

When using ADMINISTER commands, note the parameter restrictions listed in Table 2-2, ADMINISTER Command Parameter Restrictions:

Table 2-2 ADMINISTER Command Parameter Restrictions

[domain-name\]server-user-name
  Specifies the Advanced Server user name to be mapped to an HP OpenVMS server name. An Advanced Server user can be mapped to only one OpenVMS user. Optionally, you can specify a network user in a trusted domain. To specify a network user, include the domain name (domain-name\) with the user name, as in KANSAS\DOLE, where KANSAS is the trusted domain in which the network user account resides, and DOLE is the user name of the user account in the trusted domain.

host-user-name
  Specifies the OpenVMS user name to which the Advanced Server user name is to be mapped. More than one Advanced Server user can be mapped to the same OpenVMS user.

computer-name
  Specifies the name that identifies the computer on the network. The computer-name must be unique in the network. The maximum number of characters is 15.

domain-name
  Specifies the name of the domain. Except where noted, the default is the domain currently being administered. The maximum number of characters is 15.

server-name
  Specifies the name of a server that is a member of the domain. The default is the server currently being administered. The maximum number of characters is 15.

full-user-name
  Specifies the full, or complete, name for the user. Enclose the full-user-name in quotation marks if it contains lowercase letters, blanks (spaces) or other nonalphanumeric characters. The maximum number of characters is 256.

group-name
  Specifies the name of an Advanced Server group. A group name cannot be identical to any other group or user name of the domain or computer being administered. The maximum number of characters is 20.

[domain-name\]member-name
  Specifies the users or groups to be members of the group. Enclose the member-name in quotation marks if it contains blanks (spaces) or other nonalphanumeric characters.

  When adding members to, or removing members from, a local group, you can specify user accounts or global groups from the domain being administered and from domains it trusts. To specify a user account or global group in a trusted domain, enter a domain-qualified name in the format domain-name\member-name, such as KANSAS\DOLE, where KANSAS is the name of the trusted domain, and DOLE is the user or group name defined in the trusted domain. The maximum number of characters is 20.

password
  Specifies the password for the user. Passwords are case sensitive. Enclose the password in quotation marks if it contains lowercase letters, blanks (spaces) or other nonalphanumeric characters. If you enter /PASSWORD with no value or with an asterisk (*), you are prompted for the password and its confirmation; the password is not echoed on your terminal. When you are prompted, you need not use quotation marks. The maximum number of characters is 14. The default minimum is 0.

old-password
  Specifies the current password for the user account. Passwords are case sensitive. Enclose the old-password in quotation marks if it contains lowercase letters, blanks (spaces) or other nonalphanumeric characters. If you do not specify old-password, or specify it as an asterisk (*), you are prompted for the password, which is not echoed on your terminal. When you are prompted, you need not include quotation marks. The maximum number of characters is 14.

queue-name
  Specifies the name of the queue. The maximum number of characters is 12, where the characters are any uppercase and lowercase letters, digits, the underscore (_), and dollar sign ($).

share-name
  The name of the share. If MS-DOS computers will connect to the share, the share-name can be up to 8 characters long, optionally followed by a period and up to 3 more characters. The maximum number of characters is 12.

string
  Specifies descriptive information. Enclose the string in quotation marks if it contains lowercase letters, blanks (spaces) or other nonalphanumeric characters. The maximum number of characters is 256.

user-name
  Specifies the name of the user to be added. The user-name must be unique within the domain or computer being administered. The maximum number of characters is 20.

new-user-name
  Specifies the user name for the new user account. The maximum number of characters is 20.

workstation-name
  Specifies a workstation from which the user can log on to the domain. The workstation-name is the name of a workstation, or an asterisk (*) to specify all workstations. The maximum number of characters is 15.
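Table 2-2 is effectively an input-validation specification: a forbidden character set, a maximum length per parameter, a few parameter-specific character rules, two parameters for which an asterisk has a special meaning, and the quoting rule that protects values from being uppercased. The checker below is an added example for this page, not part of the Advanced Server software or documentation; the names, limits and forbidden characters come from the table above, while the function names and the treatment of "nonalphanumeric" as anything other than an ASCII uppercase letter or digit are this example's own choices.

```python
import re
from typing import Optional

# Characters that no parameter listed in Table 2-2 may contain (from the table)
FORBIDDEN = frozenset('"/\\[]:;|=,+*?<>')

# Maximum lengths from Table 2-2
MAX_LEN = {
    "computer-name": 15, "domain-name": 15, "server-name": 15, "workstation-name": 15,
    "group-name": 20, "member-name": 20, "user-name": 20, "new-user-name": 20,
    "password": 14, "old-password": 14,
    "queue-name": 12, "share-name": 12,
    "full-user-name": 256, "string": 256,
}
# Table 2-2 gives passwords a default minimum length of 0; other parameters need a value
MIN_LEN = {"password": 0, "old-password": 0}

QUEUE_NAME_RE = re.compile(r"^[A-Za-z0-9_$]+$")            # letters, digits, underscore, dollar sign
MSDOS_SHARE_RE = re.compile(r"^[^.]{1,8}(\.[^.]{1,3})?$")  # up to 8 chars, optional '.' plus up to 3


def check_parameter(kind: str, value: str, *, msdos_clients: bool = False) -> Optional[str]:
    """Return None when value is acceptable for the named parameter, else the reason it is not.
    msdos_clients applies the 8.3 share-name rule for shares MS-DOS computers will connect to."""
    if kind not in MAX_LEN:
        raise KeyError(f"unknown parameter kind {kind!r}")
    # '*' is documented to mean 'all workstations' / 'prompt for the password'
    if value == "*" and kind in ("workstation-name", "password", "old-password"):
        return None
    if len(value) < MIN_LEN.get(kind, 1):
        return f"{kind} must not be empty"
    if len(value) > MAX_LEN[kind]:
        return f"{kind} is longer than {MAX_LEN[kind]} characters"
    bad = sorted(FORBIDDEN & set(value))
    if bad:
        return f"{kind} contains forbidden character(s): {' '.join(bad)}"
    if kind == "queue-name" and not QUEUE_NAME_RE.match(value):
        return "queue-name may contain only letters, digits, underscore and dollar sign"
    if kind == "share-name" and msdos_clients and not MSDOS_SHARE_RE.match(value):
        return "share-name for MS-DOS clients must be up to 8 characters, optionally '.' and up to 3 more"
    return None


def check_qualified_member(value: str) -> Optional[str]:
    """Validate [domain-name\\]member-name: the single backslash separates the two parts,
    and each part is checked against its own row of the table."""
    domain, sep, name = value.partition("\\")
    if not sep:
        return check_parameter("member-name", value)
    return check_parameter("domain-name", domain) or check_parameter("member-name", name)


def needs_quotes(value: str) -> bool:
    """True when the value must be quoted on the command line so that lowercase letters,
    blanks and other nonalphanumeric characters survive the uppercasing described in 2.1.5."""
    return not all(c.isascii() and (c.isupper() or c.isdigit()) for c in value)


def quote_if_needed(value: str) -> str:
    """Wrap the value in quotation marks only when the table says it is required."""
    return f'"{value}"' if needs_quotes(value) else value


if __name__ == "__main__":
    # constructed sample values using names from this manual's examples
    for kind, value in (("computer-name", "DOROTHY"), ("group-name", "MUNCH*KINS"),
                        ("queue-name", "LPQ-1"), ("share-name", "PUBLICDOCS")):
        print(f"{kind:14} {value:12} -> {check_parameter(kind, value, msdos_clients=True) or 'ok'}")
    print("KANSAS\\DOLE ->", check_qualified_member("KANSAS\\DOLE") or "ok")
    print("quoted:", quote_if_needed("big kahuna"), quote_if_needed("KAHUNA"))
```

Because the separator backslash is itself a forbidden character in every row, check_qualified_member splits on the first backslash and then rejects any further backslash in the member part, which catches a doubly-qualified name such as KANSAS\A\B.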


ADD COMPUTER

Adds a computer account to a domain's security database (the domain-wide user accounts database). Before a computer can join a domain, a computer account must be added to the domain's security database.

The ADD COMPUTER command is useful only if you do not wish to give out the user name and password of an Administrator account in your domain to the administrator of the computer that will join your domain. If you do not wish to supply this information, use the ADD COMPUTER command to add the computer account to your domain before the computer's administrator joins the domain. If you supply password information to the administrator of the other computer, the administrator can use it when joining and the computer account will be added to the domain automatically.

The ADD COMPUTER command is not necessary for the primary domain controller; that computer is added automatically.

Note that until the intended computer account actually joins the domain, it is possible for a malicious user to give a different computer that computer name, and then have it join the domain using the computer account you have just created. If the added computer is a backup domain controller when it joins, it receives a copy of the domain's security database.


Format

ADD COMPUTER computer-name [/qualifiers]

Restrictions

Use of this command requires membership in the Administrators local group.

Related Commands

REMOVE COMPUTER
SET COMPUTER
SHOW COMPUTERS

Parameters

computer-name

Specifies a 1 to 15 character name for the computer account to be added to the domain. The specified name cannot be the same as any other computer or domain name in the network.

Qualifiers

/DOMAIN=domain-name

Specifies the name of the domain to which to add the computer account. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.

/ROLE=role-type

Specifies the computer's role in the network. (Note that to change the role of a backup domain controller to a primary domain controller, or vice versa, use the SET COMPUTER/ROLE command. To change the role of an Advanced Server domain controller to a member server, or of an Advanced Server member server to a domain controller, you must use the SYS$UPDATE:PWRK$CONFIG command procedure.) The role-type keyword can be one of the following:

Role-Type                  Specify if the computer is:
BACKUP_DOMAIN_CONTROLLER   A Windows NT or compatible backup domain controller.
SERVER                     A Windows NT or compatible server, but not a primary or backup domain controller.
WORKSTATION                A Windows NT Workstation. This is the default.

/SERVER=server-name

Specifies the name of a server that is a member of the domain to which to add the computer account. Do not specify both /DOMAIN and /SERVER on the same command line.

Example


LANDOFOZ\\TINMAN> ADD COMPUTER DOROTHY/ROLE=SERVER
%PWRK-S-COMPADD, computer "DOROTHY" added to domain "LANDOFOZ"

This example adds the computer named DOROTHY to the default domain (LANDOFOZ), as a Windows NT compatible server.


ADD GROUP

Adds a local or global group to a domain's security database, and optionally adds members to the group.

Format

ADD GROUP group-name [/qualifiers]

Restrictions

Use of this command requires membership in the Administrators or Account Operators local group.

Related Commands

COPY GROUP
MODIFY GROUP
REMOVE GROUP
SHOW GROUPS

Parameters

group-name

Specifies a 1 to 20 character name for the group to be added. A group name cannot be identical to any other group or user name of the domain or server being administered. It can contain any uppercase or lowercase characters except for the following:

" / \ [ ] : ; | = , + * ? < >


Qualifiers

/DESCRIPTION="string"

/NODESCRIPTION

Specifies a string of up to 256 characters used to provide descriptive information about the group. Enclose the string in quotation marks if it contains lowercase letters, blanks (spaces) or other nonalphanumeric characters. /NODESCRIPTION, the default, indicates that the description is to be blank.

/DOMAIN=domain-name

Specifies the name of the domain to which to add the group. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.

/GLOBAL

Indicates that the specified group is to be added as a global group. This is the default if neither /GLOBAL nor /LOCAL are specified. Do not specify both /GLOBAL and /LOCAL on the same command line.

/LOCAL

Indicates that the specified group is to be added as a local group. By default, a group is added as a global group. Do not specify both /GLOBAL and /LOCAL on the same command line.

/MEMBERS=([domain-name\]member-name[,...])

Adds the specified members to the membership list of the group. If the group being added is a local group, you can add user accounts and global groups from the domain being administered and from domains it trusts.

To specify a user account or global group in a trusted domain, enter a domain-qualified name (domain-name\member-name), such as KANSAS\DOLE, where KANSAS is the name of the trusted domain, and DOLE is the user or group name defined in the trusted domain. If you omit a domain name, the user or group is assumed to be defined in the domain being administered.

If the group being added is a global group, you can add user accounts only from the domain being administered.

/SERVER=server-name

Specifies the name of a server that is a member of the domain to which to add the group. Do not specify both /DOMAIN and /SERVER on the same command line.

Examples

#1

LANDOFOZ\\TINMAN> ADD GROUP MUNCHKINS/MEMBERS=(SCARECROW,STRAWMAN)
%PWRK-S-GROUPADD, group "MUNCHKINS" added to domain "LANDOFOZ"

This example adds the global group named MUNCHKINS to the default domain being administered (LANDOFOZ). The group contains as members the users named SCARECROW and STRAWMAN. The group is added as a global group because neither the /GLOBAL nor the /LOCAL qualifier was specified, and /GLOBAL is the default.

#2

LANDOFOZ\\TINMAN> ADD GROUP WINKIES/LOCAL -
_LANDOFOZ\\TINMAN> /MEMBERS=(MUNCHKINS,KANSAS\WIZARD)
%PWRK-S-GROUPADD, group "WINKIES" added to domain "LANDOFOZ"

This example adds the local group named WINKIES to the default domain being administered (LANDOFOZ). The group contains as members the global group MUNCHKINS from the LANDOFOZ domain and the user WIZARD from the trusted domain KANSAS.

