[an error occurred while processing this directive]
HP OpenVMS Systems |
HP Advanced Server for OpenVMS
|
Previous | Contents | Index |
As mentioned previously, member servers do not maintain or manage the domain-wide security accounts database and cannot manage or display certain objects, such as global groups, primary groups, and trusts. Table 2-1, Disallowed or Restricted Commands When Administering a Member Server's Local Database, lists the commands that are not allowed, or are restricted when, administering the member server's local domain database. If you attempt to use these commands in such circumstances, the following error message will be displayed:
%PWRK-E-DCONLY, operation is only valid to a Domain Controller |
The affected commands are categorized by each of the following management objects: COMPUTER, GROUP, TRUST, and USER.
Object | Command | Restriction |
---|---|---|
COMPUTER | ADD | Not allowed |
REMOVE | Not allowed | |
SET | Not allowed with the /ACCOUNT_SYNCHRONIZE or /ROLE= qualifiers | |
SHOW | When you do not specify a computer name with the command, it displays information about the member server only (the computer you are managing) rather than about all the computers in the domain; note that the display symbol for a member server is [SV] | |
GROUP | ADD, COPY, MODIFY, REMOVE, SHOW | Do not use for global groups, or with the /GLOBAL or /PRIMARY_GROUP qualifiers; GROUP commands manage local groups only |
TRUST | ADD, REMOVE, SHOW | Not allowed |
USER | ADD, COPY, MODIFY | Do not use with the /PRIMARY_GROUP qualifier; the ADD USER command adds the user to the Users local group; these commands manage memberships in local groups only |
REMOVE, SHOW | These commands manage memberships in local groups only; the SHOW USERS command does not display the primary group or memberships in global groups |
Some of your network users may be designated as Account Operators, Print Operators, or Server Operators. These users have limited administrative or operator privileges that enable them to perform specific tasks. If you have different operators responsible for parts of your network and you do not want to assign them full administrative privileges, then make them members of groups only at the server being administered.
Required privileges are included in the command descriptions in this
manual.
2.1.4 Understanding Command Syntax
In this manual, command syntax for ADMINISTER commands is denoted as follows:
In general, the ADMINISTER command syntax conforms to the OpenVMS DCL
command conventions. Refer to the OpenVMS DCL Dictionary for more information.
2.1.5 Case Sensitivity
Due to the behavior of OpenVMS, all parameters and qualifier values entered on the command line are converted to uppercase characters when they are processed by the user interface. If you wish to preserve case, or you wish to enter any value that contains blanks (spaces) or any nonalphanumeric characters, you must enclose the value in quotation marks. This is not necessary, however, if you are prompted for additional information after entering a command.
For further information, refer to your Server Administrator's Guide.
2.1.6 Using Passwords with Commands
Some commands require you to enter a password. You can provide a
password with a command by typing the password on the same line as the
command. For example, to log on as the user named JIM using the
password KAHUNA, you type:
$ ADMINISTER LANDOFOZ\\TINMAN> LOGON JIM KAHUNA The server \\TINMAN successfully logged you on as JIM. Your privilege level on domain LANDOFOZ is ADMIN. The last time you logged on was 10/08/01 07:48 PM LANDOFOZ\\TINMAN> |
Because passwords are case sensitive in most cases, pay careful attention when entering them on a command line. If they are to contain any lowercase letters, blanks (spaces), or nonalphanumeric characters, be sure to enclose them in quotation marks.
You can also have the user interface prompt you for the password. For example, to log on to the network, type:
$ ADMINISTER LANDOFOZ\\TINMAN> LOGON JIM Password: The server \\TINMAN successfully logged you on as JIM. Your privilege level on domain LANDOFOZ is ADMIN. The last time you logged on was 10/08/01 07:48 PM LANDOFOZ\\TINMAN> |
When you enter a password when prompted, as in the second example, the password does not appear on the screen as you type. This helps you keep your password confidential, providing added security. In addition, you need not use quotation marks if the password contains lowercase letters, blanks (spaces), or nonalphanumeric characters (as you do when entering the password on the command line).
If you forget to enter a password for a command that requires one, the software prompts you for it. Depending on the command that you type, the software may also prompt you for other required information, such as your user name.
Although the software may prompt for required parameters, do not rely
on the software to prompt you for all required information. Be sure to
enter all required information, except for passwords, on the command
line.
2.1.7 Using Abbreviations
In general, the command descriptions in this manual include full command names, command options, and service names. However, the software recognizes abbreviations. Note that abbreviations are not recommended for use in batch jobs and command procedures.
You can abbreviate any command option by typing enough letters to distinguish it from other command options. The following is an example of the SET AUDIT POLICY command:
$ ADMINISTER LANDOFOZ\\TINMAN> SET AUD POLI /FAILURE=(LOGONOFF,PROCESS) - _LANDOFOZ\\TINMAN>/AUDIT/SUCCESS=(ALL) %PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
Note the use of the continuation character (-) to enter this long command string.
You can abbreviate options and qualifiers as illustrated in the following example:
$ ADMIN LANDOFOZ\\TINMAN> SET AUD POLICY/FAIL=(LOG,PROC)/AUD/SUCCESS=(ALL) %PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
You can manage a server with batch jobs that you set up. The .COM files can contain the ADMINISTER commands you would otherwise enter interactively. The following example (EVT_CLEANUP.COM) saves an event log, then clears it:
$ TYPE EVT_CLEANUP.COM $ ADMINISTER SAVE EVENTS/TYPE=SECURITY SYS$BACKUP:PW-SECURITY.EVT $ ADMINISTER CLEAR EVENTS/TYPE=SECURITY/NOCONFIRM $ EXIT |
For commands that have confirmation responses (selectable using
/CONFIRM and /NOCONFIRM qualifiers), the default in batch mode is to
not ask for confirmation. In other words, /NOCONFIRM is the default
action for batch jobs.
2.1.9 Universal Naming Convention (UNC) for Path Names
When using the Universal Naming Convention (UNC) for specifying the path to a shared directory or file, the UNC path has the form
\\server-name\share-name\path
where:
server-name | is the name of the server where the directory or file resides. |
share-name | is the name of the shared resource containing the directory or file. |
path | specifies the path to the directory or file within the shared resource. |
The server-name portion of the UNC, if omitted, defaults to the server currently being administered (the server to which commands are directed). You can omit the backslash before the share-name if you omit the server-name.
Except for the TAKE FILE OWNERSHIP command, you can use standard DOS
wildcards within file names, but not for directories. The TAKE FILE
OWNERSHIP command does not accept wildcards for the UNC path.
2.1.10 Parameter Restrictions
The ADMINISTER command parameters listed in Table 2-2, ADMINISTER Command Parameter Restrictions, cannot contain the following characters:
" / \ [ ] : ; | = , + * ? < >
When using ADMINISTER commands, note the parameter restrictions listed in Table 2-2, ADMINISTER Command Parameter Restrictions:
Parameter | Restriction |
---|---|
[domain-name\] server-user-name | |
Specifies the Advanced Server user name to be mapped to a HP OpenVMS server name. An Advanced Server user can be mapped to only one OpenVMS user. Optionally, you can specify a network user in a trusted domain. To specify a network user, include the domain name ( domain-name\) with the user name, as in KANSAS\DOLE, where KANSAS is the trusted domain in which the network user account resides, and DOLE is the user name of the user account in the trusted domain. | |
host-user-name | Specifies the OpenVMS user name to which the Advanced Server user name is to be mapped. More than one Advanced Server user can be mapped to the same OpenVMS user. |
computer-name |
Specifies a computer name as a name that identifies the computer on the
network. The
computer-name must be unique in the network.
The maximum number of characters is 15. |
domain-name |
Specifies the name of the domain. Except where noted, the default is
the domain currently being administered.
The maximum number of characters is 15. |
server-name |
Specifies the name of a server that is a member of the domain. The
default is the server currently being administered.
The maximum number of characters is 15. |
full-user-name |
Specifies the full, or complete, name for the user. Enclose the
full-user-name in quotation marks if it contains lowercase
letters, blanks (spaces) or other nonalphanumeric characters.
The maximum number of characters is 256. |
group-name |
Specifies the name of an Advanced Server group. A group name cannot be
identical to any other group or user name of the domain or computer
being administered.
The maximum number of characters is 20. |
[domain-name\] member-name | |
Specifies the users or groups as members of the group. Enclose the
member-name in quotation marks if it contains blanks (spaces)
or other nonalphanumeric characters.
When adding members to, or removing members from, a local group, you can specify user accounts or global groups from the domain being administered and from domains it trusts. To specify a user account or global group in a trusted domain, enter a domain-qualified name in the format domain-name\member-name, such as KANSAS\DOLE, where KANSAS is the name of the trusted domain, and DOLE is the user or group name defined in the trusted domain. The maximum number of characters is 20. |
|
password |
Specifies the password for the user. Passwords are case sensitive.
Enclose the
password in quotation marks if it contains lowercase letters,
blanks (spaces) or other nonalphanumeric characters. If you enter
/PASSWORD with no value or an asterisk (*), you are prompted for the
password and its confirmation; the password is not echoed on your
terminal. When you are prompted, you need not use quotation marks.
The maximum number of characters is 14. The default minimum is 0. |
old-password |
Specifies the current password for the user account. Passwords are case
sensitive. Enclose the
old-password in quotation marks if it contains lowercase
letters, blanks (spaces) or other nonalphanumeric characters. If you do
not specify
old-password, or specify it as an asterisk (*), you are
prompted for the password, which is not echoed on your terminal. When
you are prompted, you need not include quotation marks.
The maximum number of characters is 14. |
queue-name | Specifies the name of the queue. The maximum number of characters is 12, where the characters are any uppercase and lowercase letters, digits, the underscore (_), and dollar sign ($). |
share-name |
The name of the share. If MS-DOS computers will connect to the share,
the
share-name can be up to 8 characters long, optionally followed
by a period and up to 3 more characters.
The maximum number of characters is 12. |
string |
Specifies descriptive information. Enclose the
string in quotation marks if it contains lowercase letters,
blanks (spaces) or other nonalphanumeric characters.
The maximum number of characters is 256. |
user-name |
Specifies the name of the user to be added. The
user-name must be unique within the domain or computer being
administered.
The maximum number of characters is 20. |
new-user-name |
Specifies the user name for the new user account.
The maximum number of characters is 20. |
workstation-name |
Specifies a workstation from which the user can log on to the domain.
The
workstation-name is the name of a workstation, or an asterisk
(*), to specify all workstations.
The maximum number of characters is 15. |
Adds a computer account to a domain's security database (the domain-wide user accounts database). Before a computer can join a domain, a computer account must be added to the domain's security database.The ADD COMPUTER command is useful only if you do not wish to give out the user name and password of an Administrator account in your domain to the administrator of the computer that will join your domain. If you do not wish to supply this information, use the ADD COMPUTER command to add the computer account to your domain before the computer's administrator joins the domain. If you supply password information to the administrator of the other computer, the administrator can use it when joining and the computer account will be added to the domain automatically.
The ADD COMPUTER command is not necessary for the primary domain controller; that computer is added automatically.
Note that until the intended computer account actually joins the domain, it is possible for a malicious user to give a different computer that computer name, and then have it join the domain using the computer account you have just created. If the added computer is a backup domain controller when it joins, it receives a copy of the domain's security database.
ADD COMPUTER computer-name [/qualifiers]
Use of this command requires membership in the Administrators local group.
REMOVE COMPUTER
SET COMPUTER
SHOW COMPUTERS
computer-name
Specifies a 1 to 15 character name for the computer account to be added to the domain. The specified name cannot be the same as any other computer or domain name in the network.
/DOMAIN=domain-name
Specifies the name of the domain to which to add the computer account. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line./ROLE=role-type
Specifies the computer's role in the network. (Note that to change the role of a backup domain controller to a primary domain controller, or vice versa, use the SET COMPUTER/ROLE command. To change the role of an Advanced Server domain controller to a member server, or of an Advanced Server member server to a domain controller, you must use the SYS$UPDATE:PWRK$CONFIG command procedure. ) The role-type keyword can be one of the following:
Role-Type Specify if the computer is: BACKUP_DOMAIN_CONTROLLER A Windows NT or compatible backup domain controller. SERVER Windows NT or compatible server, but not a primary or backup domain controller. WORKSTATION A Windows NT Workstation. This is the default. /SERVER=server-name
Specifies the name of a server that is a member of the domain to which to add the computer account. Do not specify both /DOMAIN and /SERVER on the same command line.
LANDOFOZ\\TINMAN> ADD COMPUTER DOROTHY/ROLE=SERVER %PWRK-S-COMPADD, computer "DOROTHY" added to domain "LANDOFOZ" |
This example adds the computer named DOROTHY to the default domain (LANDOFOZ), as a Windows NT compatible server.
Adds a local or global group to a domain's security database, and optionally adds members to the group.
ADD GROUP group-name [/qualifiers]
Use of this command requires membership in the Administrators or Account Operators local group.
COPY GROUP
MODIFY GROUP
REMOVE GROUP
SHOW GROUPS
group-name
Specifies a 1 to 20 character name for the group to be added. A group name cannot be identical to any other group or user name of the domain or server being administered. It can contain any uppercase or lowercase characters except for the following:" / \ [ ] : ; | = , + * ? < >
/DESCRIPTION="string"
/NODESCRIPTION
Specifies a string of up to 256 characters used to provide descriptive information about the group. Enclose the string in quotation marks if it contains lowercase letters, blanks (spaces) or other nonalphanumeric characters. /NODESCRIPTION, the default, indicates that the description is to be blank./DOMAIN=domain-name
Specifies the name of the domain to which to add the group. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line./GLOBAL
Indicates that the specified group is to be added as a global group. This is the default if neither /GLOBAL nor /LOCAL are specified. Do not specify both /GLOBAL and /LOCAL on the same command line./LOCAL
Indicates that the specified group is to be added as a local group. By default, a group is added as a global group. Do not specify both /GLOBAL and /LOCAL on the same command line./MEMBERS=([domain-name]\member-name[,...])
Adds the specified members to the membership list of the group. If the group being added is a local group, you can add user accounts and global groups from the domain being administered and from domains it trusts.To specify a user account or global group in a trusted domain, enter a domain-qualified name (domain-name\member-name), such as KANSAS\DOLE, where KANSAS is the name of the trusted domain, and DOLE is the user or group name defined in the trusted domain. If you omit a domain name, the user or group is assumed to be defined in the domain being administered.
If the group being added is a global group, you can add user accounts only from the domain being administered.
/SERVER=server-name
Specifies the name of a server that is a member of the domain to which to add the group. Do not specify both /DOMAIN and /SERVER on the same command line.
#1 |
---|
LANDOFOZ\\TINMAN> ADD GROUP MUNCHKINS/MEMBERS=(SCARECROW,STRAWMAN) %PWRK-S-GROUPADD, group "MUNCHKINS" added to domain "LANDOFOZ" |
This example adds the global group named MUNCHKINS to the default domain being administered (LANDOFOZ). The group will contain as members, the users named SCARECROW and STRAWMAN. The group is added as a global group because neither the /GLOBAL nor /LOCAL qualifiers were specified, and /GLOBAL is the default.
#2 |
---|
LANDOFOZ\\TINMAN> ADD GROUP WINKIES/LOCAL - _LANDOFOZ\\TINMAN> /MEMBERS=(MUNCHKINS,KANSAS\WIZARD) %PWRK-S-GROUPADD, group "WINKIES" added to domain "LANDOFOZ" |
This example adds the local group named WINKIES to the default domain being administered (LANDOFOZ). The group will contain as members, the global group MUNCHKINS from the LANDOFOZ domain, and the user WIZARD from the trusted domain KANSAS.
Previous | Next | Contents | Index |