HP Advanced Server for OpenVMS
Adds the specified domain to either the list of domains this domain trusts or to the list of domains that are allowed to trust this domain.
A trust relationship is a link between two server domains, where one domain honors the users of another domain, trusting the logon authentications performed by that other domain for its own users. User accounts and global groups defined in a trusted domain can be granted rights, resource permissions, and local group memberships at a trusting domain and its member computers, even though those accounts do not exist in the trusting domain's security database. When trust relationships are properly established between all the domains in a network, they allow a user to have only one user account and one password in one domain, yet have access to the resources anywhere in the network.
Establishing a trust relationship requires two steps in two different domains: first one domain must permit a second domain to trust it, and then the second domain must be set to trust the first domain. Establishing a two-way trust relationship (where each domain trusts the other) requires that both steps be performed in both domains.
ADD TRUST trust-domain [password] {/PERMITTED | /TRUSTED} [/qualifiers]
Use of this command requires membership in the Administrators local group.
REMOVE TRUST
SHOW TRUSTS
trust-domain
Specifies the 1 to 15 character name of the domain with which to set up a trust relationship.
password
Specifies the password used to establish the trust. The password is case sensitive, and can be up to 14 characters in length. Passwords entered on the command line are converted to uppercase unless enclosed within quotation marks. If the password you specify contains lowercase letters, enclose it in quotation marks, unless you enter the password in response to the password prompt.
If you do not enter a value for the password, or enter it as an asterisk (*), you are prompted for a password and a confirmation. The password is not displayed as it is entered.
When setting up to trust another domain (using the /TRUSTED qualifier), this password must match the password given on the other domain when it was set up to permit this domain to trust it. When setting up to permit another domain to trust this domain (using the /PERMITTED qualifier), this password must be used on the other domain when it is set up to trust this domain.
Once a trust relationship is established, the password used to establish the trust is changed by the system. Because of this, you cannot remove one side of an established trust relationship, and then later reestablish that trust using the original password. You must always remove both sides of a trust relationship, and then completely reestablish it.
/CONFIRM
/NOCONFIRM
Controls whether you are prompted for a confirmation before the operation is performed. The default is /CONFIRM if running in interactive mode. When the prompt is issued, the default response is shown, and you may accept the default by pressing Return or Enter. If you type YES, TRUE, or 1, the operation is performed. If you type NO, FALSE, 0, or enter Ctrl/Z, no action is performed. If you type anything else, the prompt is repeated until you type an acceptable response. No prompt for confirmation is issued if running in batch mode.
/DOMAIN=domain-name
Specifies that the trust relationship is to be added to the domain called domain-name. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.
/PERMITTED
Specifies that the domain is to be added to the list of domains permitted to trust this domain. Once the domain is added, you must set up the other domain to trust this domain in order to establish the trust relationship. You must specify either the /PERMITTED or /TRUSTED qualifier, but not both.
/SERVER=server-name
Specifies the name of a server that is a member of the domain to which to add the trust relationship. Do not specify both /DOMAIN and /SERVER on the same command line.
/TRUSTED
Specifies that the domain is to be added to the list of domains that this domain trusts. To properly establish the trust relationship, the specified domain should already have permitted this domain to trust it. You must specify either the /PERMITTED or /TRUSTED qualifier, but not both.
The following two examples together show how to establish a one-way trust relationship between the domain currently being administered (LANDOFOZ) and the domain called KANSAS. After this trust relationship has been established, users in the KANSAS domain will have access to resources in the LANDOFOZ domain after logging on to the KANSAS domain.
#1

    LANDOFOZ\\TINMAN> ADD TRUST LANDOFOZ "OverTheRainbow" -
    _LANDOFOZ\\TINMAN> /DOMAIN=KANSAS/PERMITTED/NOCONFIRM
    %PWRK-S-TRUSTADD, trust between domains "KANSAS" and "LANDOFOZ added"

This example adds the domain LANDOFOZ to the list of permitted-to-trust domains on the domain called KANSAS. The password to be used to establish the trust will be "OverTheRainbow".
#2

    LANDOFOZ\\TINMAN> ADD TRUST KANSAS "OverTheRainbow"/TRUSTED
    This may take some time, do you want to continue? [YES or NO] (YES) :
    %PWRK-S-TRUSTADD, trust between domains "LANDOFOZ" and "KANSAS" added

This example adds the domain KANSAS to the list of trusted domains on the domain currently being administered (LANDOFOZ). The password used to establish the trust is "OverTheRainbow". This example would complete the one-way trust between domains LANDOFOZ and KANSAS initiated in the first example.
Adds a local or global user account to a domain's security database, and optionally adds the user as a member of specified groups.
ADD USER user-name [/qualifiers]
Use of this command requires membership in the Administrators or Account Operators local group. Only members of the Administrators local group can add members to the Administrators local group.
COPY USER
MODIFY USER
REMOVE USER
SHOW USERS
user-name
Specifies a 1 to 20 character account name for the user to be added. The user name cannot be identical to any other user or group name of the domain or server being administered. It can contain any uppercase or lowercase characters except the following:
" / \ [ ] : ; | = , + * ? < >
/DESCRIPTION="string"
/NODESCRIPTION
Specifies a string of up to 256 characters used to provide descriptive information about the user. Enclose the string in quotation marks if it contains lowercase letters, blanks (spaces) or other nonalphanumeric characters. /NODESCRIPTION, the default, indicates that the description is to be blank.
/DOMAIN=domain-name
Specifies the name of the domain on which to add the user account. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.
/EXPIRATION_DATE=date
/NOEXPIRATION_DATE
Specifies whether the account has an expiration date, and, if so, the date the account is to expire. The date is specified in the standard OpenVMS date format (dd-mmm-yyyy). /NOEXPIRATION_DATE, the default, specifies that the account will not have an expiration date, and therefore will never expire.
/FLAGS=(option[,...])
Specifies the logon flags for the user account. Precede the option keyword with NO to clear the specified flag. The option keyword can be one or more of the following. If you do not specify the /FLAGS qualifier, the default flags are as indicated.
| Option | Description |
|---|---|
| [NO]DISPWDEXPIRATION | Prevents the password from expiring, overriding the Maximum Password Age setting for the account policy. Select this option for user accounts that will be assigned to services. Selection of this option overrides the PWDEXPIRED option. NODISPWDEXPIRATION is the default if you specify neither DISPWDEXPIRATION nor NODISPWDEXPIRATION. Do not specify the DISPWDEXPIRATION and PWDEXPIRED options in the same command. |
| [NO]DISUSER | Disables the account so the user cannot log on. You might disable a new account to create an inactive account that can be copied to create new accounts. Or, you might temporarily disable an account if it does not need to be used until a later date. You cannot disable the built-in Administrator account. NODISUSER is the default if you specify neither DISUSER nor NODISUSER. |
| [NO]PWDEXPIRED | The password is initially expired. This forces the user to change the password at the next logon. PWDEXPIRED is the default if you specify neither PWDEXPIRED nor NOPWDEXPIRED. Do not specify the PWDEXPIRED option in the same command with either the PWDLOCKED or the DISPWDEXPIRATION option. |
| [NO]PWDLOCKED | Prevents the user from changing the password. This option is usually applied only to user accounts used by more than one person, such as the Guest account. NOPWDLOCKED is the default if you specify neither PWDLOCKED nor NOPWDLOCKED. Do not specify the PWDLOCKED and PWDEXPIRED options in the same command. |

/FULLNAME="full-user-name"
/NOFULLNAME
The full name is the user's complete name, and can be up to 256 characters in length. Enclose the string in quotation marks to preserve case (the default is uppercase). It is a good idea to establish a standard for entering full names, so that they always begin with either the first name (Louise G. Morgan) or the last name (Morgan, Louise G.), because the full name can affect the sorting order for the SHOW USERS command. /NOFULLNAME, the default, specifies a blank full name.
/GLOBAL
Indicates that the specified user account is to be added as a global account. User accounts can be either global (the default) or local. Most accounts are global accounts. A global account is a normal user account in the user's home domain. A local account is an account provided in this domain for a user whose global account is not in a trusted domain. Do not specify both /GLOBAL and /LOCAL on the same command line.
/HOME=(option[,...])
/NOHOME
Specifies a user's home directory information. A home directory is a directory that is automatically accessible to a user and contains files and programs for the user. This feature applies only when the user logs on from a Windows NT client. The specified home directory becomes the Windows NT user's default directory for the File Open and Save As dialog boxes, for the command prompt, and for all applications that do not have a working directory defined. A home directory can be assigned to a single user or it can be shared by many users. A home directory can be a shared network directory or a local directory on a user's workstation. On other clients, the home directory setting has no effect.
If you specify a network path for the home directory, you must also specify a drive letter to be assigned to the path when the user logs on. If the specified directory does not exist, an attempt will be made to create it. If the directory cannot be created, a message will be issued instructing you to manually create the directory.
If you specify a local path for the home directory, do not include a drive letter. You must manually create the directory if it does not exist. /NOHOME, the default, specifies that the user will not have a home directory.
The option keyword can be one or more of the following:
| Option | Description |
|---|---|
| DRIVE=driveletter | Specifies the drive letter to use for connecting to the home directory if the home directory specified in the PATH option is a shared network directory. The driveletter can be from C to Z. |
| PATH=homepath | Specifies an optional home directory that is accessible to the user and contains files and programs for the user. The homepath must be an absolute path of a directory local to the user's workstation, or a UNC (Universal Naming Convention) path of a shared network directory. |

/HOURS=(logon-time[,...])
/NOHOURS
Specifies the days and hours when the user can connect to a server. The default is to allow a user to connect during all hours of any day. /NOHOURS specifies that the user cannot connect at any time of any day.
Specify logon-time in the following format:
day=([n-m],[n],[*])
where n and m are hours of the day, and day is any one of the following:
SUNDAY, MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, WEEKDAYS, WEEKENDS, EVERYDAY, ALL
Specify the hours as integers from 0 to 23, inclusive, using the 24-hour clock. You can specify a single hour (n), ranges of hours (n-m), or all hours of the day (*). Note that hours are inclusive; that is, if you grant access during a given hour, access extends to the end of that hour. If you specify no hours, all hours are allowed for the specified days.
/LOCAL
Indicates that the specified user account is to be added as a local account. User accounts can be either global (the default) or local. Most accounts are global accounts. A global account is a normal user account in the user's home domain. A local account is an account provided in this domain for a user whose global account is not in a trusted domain. Do not specify both /GLOBAL and /LOCAL on the same command line.
/MEMBER_OF_GROUPS=(group-name[,...])
Adds the user as a member of the specified local or global groups.
/PASSWORD[="password"]
/NOPASSWORD
Specifies the password for the user account. Passwords are case sensitive, and can be up to 14 characters in length. The minimum length is set by using the SET ACCOUNT POLICY/PASSWORD_POLICY=MINLENGTH= command. The default is 0, which permits a blank password. Passwords entered on the command line are converted to uppercase unless enclosed within quotation marks. If the password you specify contains lowercase letters, blanks (spaces), or other nonalphanumeric characters, enclose it in quotation marks, unless you enter the password in response to the password prompt. (If you enclose the password in quotation marks at the password prompt, the quotation marks become part of the password.) If you enter /PASSWORD with no value, or as an asterisk (*), you are prompted for a password and a confirmation, which will not be displayed as they are entered. /NOPASSWORD, the default, specifies that the account will have a blank password. If you specify the /NOPASSWORD qualifier with the command line, the default is /FLAGS=NOPWDEXPIRED, so that the user is not prompted for a password. To override this default for /NOPASSWORD, specify the /FLAGS=PWDEXPIRED qualifier.
/PRIMARY_GROUP=group-name
Sets the user account's primary group. A primary group is used when a user logs on using Windows NT Services for Macintosh, or runs POSIX applications. group-name must be a global group of which the user is a member. If the /PRIMARY_GROUP qualifier is not specified, the user's primary group is set to the "Domain Users" global group by default.
/PROFILE=profile-path
/NOPROFILE
Specifies a path for an optional user profile. The path should be a network path that includes a file name. The file name can be that of a personal user profile (.USR file name extension) or a mandatory user profile (.MAN file name extension). For example, you might enter: /PROFILE="\\eng\profiles\johndoe.usr". /NOPROFILE, the default, specifies that the user will not have a profile.
/SCRIPT=script-name
/NOSCRIPT
Specifies a name for an optional logon script that runs each time the user logs on. A logon script can be a batch file (.BAT or .CMD file name extension) or an executable program (.EXE file name extension). A single logon script can be assigned to one or more user accounts. When a user logs on, the server authenticating the logon locates the logon script by following the server's logon script path in the \netlogon share. The script-name specifies a file relative to that path. /NOSCRIPT, the default, specifies that the user will have no logon script.
/SERVER=server-name
Specifies the name of a server that is a member of the domain to which to add the user. Do not specify both /DOMAIN and /SERVER on the same command line.
/WORKSTATIONS=(workstation-name[,...])
Specifies up to eight workstations from which the user can log on to the domain. The default is to allow a user to log on from any workstation, but you can restrict a user to log on only from specific workstations. The workstation-name is a 1 to 15 character name of a workstation. You may use an asterisk (*) for the workstation name to specify all workstations.
#1

    LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="OverTheRainbow" -
    _LANDOFOZ\\TINMAN> /MEMBER_OF_GROUPS="Administrators" -
    _LANDOFOZ\\TINMAN> /HOURS=(WEEKDAYS=8-16,WEEKENDS=*) -
    _LANDOFOZ\\TINMAN> /FLAGS=NOPWDEXPIRED
    %PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ"

This example adds the user with user name SCARECROW to the domain LANDOFOZ. The password for the user account is OverTheRainbow. The user is made a member of the Administrators local group, may connect to a server from 8:00 AM to 4:59 PM Monday through Friday, and all day Saturday and Sunday. The password for the account will not be initially expired.
#2

    LANDOFOZ\\TINMAN> ADD USER FRIENDLY/PASSWORD="PotOfGold"-
    _LANDOFOZ\\TINMAN> /EXPIRATION_DATE=09-JAN-2002
    %PWRK-S-USERADD, user "FRIENDLY" added to domain "LANDOFOZ"

This example adds the user with user name FRIENDLY to the domain LANDOFOZ, and sets the account to expire January 9, 2002.
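The logon-time format of the ADD USER /HOURS qualifier can be checked before an account is created by expanding it into explicit per-day access windows. The following Python sketch is an added example, not part of the HP documentation or the ADMINISTER utility; the function names are hypothetical, and it assumes that days not listed in the value get no access, that several hour items may be listed in parentheses for one day, and that wrap-around ranges such as 22-6 are rejected.

```python
import re

DAYS = ["SUNDAY", "MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY"]
GROUPS = {"WEEKDAYS": DAYS[1:6], "WEEKENDS": [DAYS[0], DAYS[6]],
          "EVERYDAY": DAYS, "ALL": DAYS}

def _split_top_level(text):
    """Split on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced parentheses")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if depth:
        raise ValueError("unbalanced parentheses")
    return [p.strip() for p in parts + [cur] if p.strip()]

def _parse_hours(text):
    """Turn '8-16', '(0-5,22)' or '*' into a set of inclusive hours 0..23."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    hours = set()
    for item in (i.strip() for i in text.split(",")):
        # '*' means every hour of the day
        m = re.fullmatch(r"(\d{1,2})(?:-(\d{1,2}))?", "0-23" if item == "*" else item)
        if not m:
            raise ValueError(f"bad hour item {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 23:   # assumption: wrap-around ranges rejected
            raise ValueError(f"hours out of range in {item!r}")
        hours.update(range(lo, hi + 1))   # n-m includes all of hour m
    return hours

def parse_logon_hours(spec):
    """Return {day: set(hours)} for the value given to /HOURS."""
    spec = spec.strip()
    if spec.startswith("(") and spec.endswith(")"):   # outer /HOURS=( ... )
        spec = spec[1:-1]
    allowed = {d: set() for d in DAYS}   # assumption: unlisted days get no access
    for entry in _split_top_level(spec):
        name, _, hours = entry.partition("=")
        name = name.strip().upper()
        if name not in GROUPS and name not in DAYS:
            raise ValueError(f"unknown day keyword {name!r}")
        hrs = _parse_hours(hours) if hours.strip() else set(range(24))  # no hours = all
        for day in GROUPS.get(name, [name]):
            allowed[day] |= hrs
    return allowed

def windows(allowed, day):
    """Contiguous access windows as 'HH:00-HH:59' strings for one day."""
    out = []
    for h in sorted(allowed[day]):
        if out and out[-1][1] == h - 1:
            out[-1][1] = h
        else:
            out.append([h, h])
    return [f"{a:02d}:00-{b:02d}:59" for a, b in out]
```

Because hours are inclusive, the value from example #1, WEEKDAYS=8-16, expands to a window that ends at 16:59, not 16:00.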
Clears all the events from the selected event log file.
CLEAR EVENTS [/qualifiers]
Use of this command requires membership in the Administrators local group. The server to be administered must be an HP OpenVMS server.
SAVE EVENTS
SHOW EVENTS
/CONFIRM
/NOCONFIRM
Controls whether you are prompted for a confirmation before the operation is performed. The default is /CONFIRM if running in interactive mode. When the prompt is issued, the default response is shown, and you may accept the default by pressing Return or Enter. If you type YES, TRUE, or 1, the operation is performed. If you type NO, FALSE, 0, or enter Ctrl/Z, no action is performed. If you type anything else, the prompt is repeated until you type an acceptable response. No prompt for confirmation is issued if running in batch mode.
/SERVER=server-name
Specifies the name of the server on which to clear the events. For clearing events, the specified server must be an HP OpenVMS server. The default is the server currently being administered.
/TYPE=log-type
Specifies the log file to be cleared. The log-type keyword can be one of the following:
| Log-Type | Log File |
|---|---|
| APPLICATION | The application log file |
| SECURITY | The security log file |
| SYSTEM | The system log file (the default) |

    LANDOFOZ\\TINMAN> CLEAR EVENTS/TYPE=SECURITY
    Clear the Security Event Log [YES or NO] (YES) : YES
    %PWRK-S-ELFCLEARED, Security Event Log on server "TINMAN" cleared

This example clears the Security Event Log file on the server currently being administered (TINMAN). A confirmation is required.
Closes one or all of the resources open on a server.
CLOSE OPEN_FILE resource-id [/qualifiers]
Use of this command requires membership in the Administrators or Server Operators local group.
SHOW OPEN_FILES
resource-id
Specifies the resource ID of the resource to be closed, or * to close all open resources. You can obtain the resource ID for a specific open resource from the SHOW OPEN_FILES command display.
Note that some administration resources are opened on behalf of the system or the ADMINISTER interface. You cannot close these resources. The system will close them when appropriate.
/CONFIRM
/NOCONFIRM
Controls whether you are prompted for a confirmation before the operation is performed. The default is /CONFIRM if running in interactive mode. When the prompt is issued, the default response is shown, and you may accept the default by pressing Return or Enter. If you type YES, TRUE, or 1, the operation is performed. If you type NO, FALSE, 0, or enter Ctrl/Z, no action is performed. If you type anything else, the prompt is repeated until you type an acceptable response. No prompt for confirmation is issued if running in batch mode.
/SERVER=server-name
Specifies the name of the server on which to close the resource. The default is the server currently being administered.
#1

    LANDOFOZ\\TINMAN> CLOSE OPEN_FILE 4
    The user DOT has opened the resource for Write.
    Are you sure you want to close TINMAN$DKA1:[SHARES.S1]A.TXT ? [YES or NO] (YES) :
    %PWRK-S-FILECLOSE, file with resource ID 4 on server "TINMAN" closed

This example closes the resource that has ID 4 on the server currently being administered (TINMAN). By default, confirmation is required before the resource is closed.
#2

    LANDOFOZ\\TINMAN> CLOSE OPEN_FILE *
    Some of the users have resources open for Write. Closing those open resources may result in loss of data.
    Are you sure you want to close all open resources ? [YES or NO] (YES) :
    %PWRK-S-FILECLOSE, file with resource ID 2 on server "TINMAN" closed
    %PWRK-S-FILECLOSE, file with resource ID 6 on server "TINMAN" closed
    %PWRK-E-ERRCLSFILE, error closing file ID 9997
    -LM-E-NERR_FILEIDNOTF, there isn't an open file with that ID number
    %PWRK-E-ERRCLSFILE, error closing file ID 9999
    -LM-E-NERR_FILEIDNOTF, there isn't an open file with that ID number
    %PWRK-E-ERRCLSFILE, error closing file ID 9998
    -LM-E-NERR_FILEIDNOTF, there isn't an open file with that ID number
    %PWRK-E-ERRCLSFILE, error closing file ID 10000
    -LM-E-NERR_FILEIDNOTF, there isn't an open file with that ID number

This example closes all open shared files on server TINMAN. The named pipes (system or administrative resources) are not closed, because they are being used to process the command.