[an error occurred while processing this directive]

HP OpenVMS Systems

Content starts here

HP Advanced Server for OpenVMS
Commands Reference Manual


Previous Contents Index


SET ACCOUNT POLICY

Sets the account policy, which controls how passwords are used by all user accounts, and whether user accounts are automatically locked out after a series of failed logon attempts.

Format

SET ACCOUNT POLICY [/qualifiers]

restrictions

Use of this command requires membership in the Administrators local group.

Related Commands

SHOW ACCOUNT POLICY

Qualifiers

/DOMAIN=domain-name

Specifies the name of the domain for which to set the account policy. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.

/FORCE_DISCONNECT

/NOFORCE_DISCONNECT

Controls whether a user's connections to any server in the domain are forcibly disconnected when the user account exceeds its logon hours. This interacts with the logon hours defined for a user account. /NOFORCE_DISCONNECT, the default, specifies that the user is not to be disconnected, but no new connections from that account will be allowed.

/LOCKOUT=(option[,...])

/NOLOCKOUT

Controls whether users are locked out after a specified number of failed logon attempts. By default, account lockout is disabled. To enable account lockout, you must specify a value for each of the following three option keywords:
Option Description
ATTEMPTS= n Specifies the failed logon count. Account is locked out after the specified number of failed attempts. The value of n can be from 1 to 999.
DURATION= n Specifies the number of minutes before a locked out account is automatically unlocked. The value of n can be FOREVER or a value from 1 to 99999. The value must be greater than, or equal to, the value assigned to the WINDOW keyword.
WINDOW= n Specifies the number of minutes from the most recent failed login attempt before the failed login count is reset to zero. For example, if the WINDOW is set to 30 minutes, then thirty minutes after the most recent failed login attempt, the failed logon count is reset to zero. The value of n can be from 1 to 99999. The value must be less than, or equal to, the value assigned to the DURATION keyword.

The /NOLOCKOUT qualifier specifies that user accounts are never locked out, no matter how many failed logon attempts are made on a user account. This is the default if you do not specify /LOCKOUT.

Administrators can unlock a locked out account using the MODIFY USER/UNLOCK command.

/PASSWORD_POLICY=(option[,...])

Specifies password policies for the domain. The option keyword can be one or more of the following:
Option Description
HISTORY= n Sets the number of new passwords that must be used by a user before an old password can be reused. n specifies the number of passwords to maintain in the password history, from 0 to 24. The default is 0 (equivalent to specifying /PASSWORD_POLICY=NOHISTORY).
NOHISTORY Specifies that no password history should be maintained. This is equivalent to specifying /PASSWORD_POLICY=HISTORY=0.
MAXAGE= n Sets the maximum number of days a user's password can be used before the server requires the user to change it. n specifies the number of days from 1 to 999. The default is 90 days.
NOMAXAGE Specifies that a user's password never expires.
MINAGE= n Sets the minimum number of days a user's password must be used before a user can change it. Do not allow immediate changes if a password history value is set. n is the number of days from 0 to 999. The default is 1.
NOMINAGE Specifies that a user may change his or her password at any time. This is equivalent to specifying /PASSWORD_POLICY=MINAGE=0.
MINLENGTH= n Sets the minimum length of a password. n is the minimum number of characters required in the password and can be from 0 to 14. A value of 0 means that a blank password is permitted. The default is 0, which permits a blank password.

/SERVER=server-name

Specifies the name of a server that is a member of the domain for which to set the account policy. Do not specify both /DOMAIN and /SERVER on the same command line.

Examples

#1

 LANDOFOZ\\TINMAN> SET ACCOUNT POLICY -
 _LANDOFOZ\\TINMAN> /LOCKOUT=(ATTEMPTS=3,WINDOW=20,DURATION=25)
 %PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ"
      

This example limits users to three failed logon attempts, resets the failed logon count after 20 minutes, and unlocks locked-out accounts after 25 minutes.

#2

 LANDOFOZ\\TINMAN> SET ACCOUNT POLICY/NOLOCKOUT-
 _LANDOFOZ\\TINMAN> /PASSWORD_POLICY=(NOHISTORY,MINLENGTH=10)
 %PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ"
      

This example disables account lockouts and history checking of passwords, and sets the minimum password length to 10. The account policy is set on the domain currently being administered (LANDOFOZ).


SET ADMINISTRATION

Selects a new default domain or server, or both, to be administered. The command prompt is changed to reflect the new domain and server being administered. The format of the command prompt is DOMAIN\\SERVER>, where DOMAIN is the name of the domain being administered, and SERVER is the name of the server being administered.

Format

SET ADMINISTRATION [/qualifiers]

restrictions

Use of this command does not require special group membership.

Related Commands

SHOW ADMINISTRATION

Qualifiers

/DOMAIN=domain-name

Selects a new default domain to be administered. Initially, the domain name is set to be the domain where you are logged on, or, if you are not logged on, the domain of the local server. A value for domain-name specifies a different domain to be administered. If you omit the domain-name value, then the initial default domain is reset. The domain-name is used as the default domain for any command that operates on a domain. The /DOMAIN qualifier value on an individual command overrides this default value.

If you omit the /SERVER qualifier, the server being administered is set to the local server if the specified domain is the local server's domain; otherwise, it is set to the name of the primary domain controller for the specified domain. If you specify both a domain and a server, the server must be a member of the domain.

You can specify a computer name in place of the domain name, by preceding the computer name with two backslashes (\\). This allows you to manage a computer that maintains its own security database, such as a member server, a Windows NT Workstation, or a Windows NT Server computer that is not a domain controller. If you specify a primary or backup domain controller, the specified computer's domain is selected. The /SERVER qualifier is ignored if you specify a computer name.

Note: The default domain and server names are recomputed when you log on or log off the network using the LOGON or LOGOFF commands, respectively.

/SERVER=server-name

Selects a new default server to be administered. Initially, the server name is set to be the local server if it is a member of the domain being administered; otherwise, it is set to the primary domain controller of the domain being administered. A value for server-name specifies a different server to be administered. If you omit the server-name value, then the initial default server name is reset.

The server-name is used as the default server name for any command that operates on a server. The /SERVER qualifier value on an individual command overrides this default value. If you do not also specify the /DOMAIN qualifier, the domain being administered is set to the domain of the specified server. If you specify both a domain and a server, the server must be a member of the domain.

Note: The default domain and server names are recomputed when you log on or log off the network using the LOGON or LOGOFF commands, respectively.


Examples

#1

 LANDOFOZ\\TINMAN> SET ADMINISTRATION/SERVER=OZ3
 %PWRK-S-ADMSET, now administering domain "LANDOFOZ", server "OZ3"

 LANDOFOZ\\OZ3>
      

This example sets the default server to be administered to OZ3. Because OZ3 is a member of the LANDOFOZ domain, the default domain remains unchanged. All further commands that operate on a specific server will be performed against server OZ3. The command prompt is changed to reflect the new default.

#2

 LANDOFOZ\\OZ3> SET ADMINISTRATION/DOMAIN=KANSAS
 %PWRK-S-ADMSET, now administering domain "KANSAS", server "TOPEKA"

 KANSAS\\TOPEKA>
      

This example sets the default domain to be administered to KANSAS. Because KANSAS is not the domain of the local server, and the /SERVER qualifier was not specified, the default server is set to the primary domain controller for the KANSAS domain, TOPEKA. All further commands will be performed against the new domain and server. The command prompt is changed to reflect the new defaults.

#3

 KANSAS\\TOPEKA> SET ADMINISTRATION/DOMAIN
 %PWRK-S-ADMSET, now administering domain "LANDOFOZ", server "TINMAN"

 LANDOFOZ\\TINMAN>
      

This example resets the default domain and server to the initial defaults. The command prompt is changed to reflect the new defaults.


SET AUDIT POLICY

Sets the auditing policy for a domain. A server can track selected activities of users by auditing security events and then placing entries in a server's security log. The server can record a range of security event types, from a systemwide event such as a user logging on, to an attempt by a user to read a specific file. You can audit both successful and failed attempts to perform an action. Use the audit policy to establish the types of security events to log.

When administering domains, the audit policy affects the security logs of the domain controller and of all servers in the domain, because they share the same audit policy.


Format

SET AUDIT POLICY [/qualifiers]

restrictions

Use of this command requires membership in the Administrators local group.

Related Commands

SHOW AUDIT POLICY

Qualifiers

/AUDIT

/NOAUDIT

Controls whether auditing events are logged. /AUDIT enables auditing of the specified events, and /NOAUDIT (the default) disables auditing of the specified events.

/DOMAIN=domain-name

Specifies the name of the domain on which to set the audit policy. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.

/FAILURE=(event[,...])

Specifies events whose failure adds an entry to the security log. Precede the event keyword with NO to disable logging of a failed event. The event keyword can be one or more of the following:
Event Description
ALL Selects all possible events.
NONE Deselects all possible events.
[NO]ACCESS A user accessed a directory or a file that is set for auditing, or a user sent a print job to a printer that is set for auditing.
[NO]ACCOUNT_MANAGEMENT
  A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed.
[NO]LOGONOFF
  A user logged on the domain, logged off, or made a server connection.
[NO]POLICY_CHANGE
  A change was made to the Audit, Trust Relationships, or User Rights policies.
[NO]PROCESS
  Process events provide detailed tracking information for events such as program activation, some forms of handle duplication, indirect accesses, and process exit.
[NO]SYSTEM A user restarted or shut down the computer, or an event occurred that affects system security, or the security log.
[NO]USER_RIGHTS
  A user exercised a user right, except rights related to logon or logoff.

/SERVER=server-name

Specifies the name of a server that is a member of the domain on which to set the audit policy. Do not specify both /DOMAIN and /SERVER on the same command line.

/SUCCESS=(event[,...])

Specifies events whose success adds an entry to the security log. Precede the event keyword with NO to disable logging of a successful event. The event keyword can be one or more of the following:
Event Description
ALL Selects all possible events.
NONE Deselects all possible events.
[NO]ACCESS A user accessed a directory or a file that is set for auditing, or a user sent a print job to a printer that is set for auditing.
[NO]ACCOUNT_MANAGEMENT
  A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed.
[NO]LOGONOFF
  A user logged on, off, or made a network connection.
[NO]POLICY_CHANGE
  A change was made to the Audit, Trust Relationships, or User Rights policies.
[NO]PROCESS
  Process events provide detailed tracking information for events such as program activation, some forms of handle duplication, indirect accesses, and process exit.
[NO]SYSTEM A user restarted or shut down the computer, or an event occurred that affects system security, or the security log.
[NO]USER_RIGHTS
  A user exercised a user right, except rights related to logon or logoff.

Example


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/FAILURE=NOLOGONOFF -
_LANDOFOZ\\TINMAN> /SUCCESS=(ACCESS,POLICY_CHANGE)
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"
      

This example enables logging of audit events, disables auditing of failures to log on or log off, and enables logging of successful attempts to access an object or make policy changes.


SET COMPUTER

Sets the role of the server in the domain and controls domain synchronization.

Format

SET COMPUTER computer-name [/qualifiers]

restrictions

Use of this command requires membership in the Administrators local group.

Related Commands

ADD COMPUTER
REMOVE COMPUTER
SHOW COMPUTERS

Parameters

computer-name

Specifies the name of the computer whose attributes are to be affected.

Qualifiers

/ACCOUNT_SYNCHRONIZE

Normally, synchronization of primary domain controller (PDC) and backup domain controller (BDC) security/accounts databases occurs without user intervention. Use the SET COMPUTER command with the /ACCOUNT_SYNCHRONIZE qualifier in those rare circumstances when PDC and BDC databases get out of synchronization.

If you specify the PDC of a domain with the SET COMPUTER command, /ACCOUNT_SYNCHRONIZE causes the PDC to send a synchronize status message to all BDCs in the domain. (Normally, the PDC sends synchronize status messages to all BDCs in the domain at regular intervals.) Each BDC that receives the status message uses it to determine whether its databases are synchronized with the PDC's databases. If the status message indicates to a BDC that the PDC's databases contain changes that are not represented in the BDC's databases, the BDC will request a partial synchronization. The PDC sends the BDC only those database elements that were changed since the last time the BDC received a status message.

If you specify the BDC with the SET COMPUTER command,
/ACCOUNT_SYNCHRONIZE causes the BDC to request a full synchronization.

Do not specify a member server with the
SET COMPUTER/ACCOUNT_SYNCHRONIZE command.

/AUTOSHARE_SYNCHRONIZE

Causes the computer to synchronize its list of autoshares. This qualifier is valid only to HP OpenVMS servers.

/CONFIRM

/NOCONFIRM

Controls whether you are prompted for a confirmation before the operation is performed. The default is /CONFIRM if running in interactive mode. When the prompt is issued, the default response is shown, and you may accept the default by pressing Return or Enter. If you type YES, TRUE, or 1, the operation is performed. If you type NO, FALSE, 0, or enter Ctrl/Z, no action is performed. If you type anything else, the prompt is repeated until you type an acceptable response. No prompt for confirmation is issued if running in batch mode.

/DESCRIPTION="string"

/NODESCRIPTION

Specifies a string of up to 256 characters used to provide descriptive information about the computer. Enclose the string in quotation marks if it contains lowercase letters, blanks (spaces) or other nonalphanumeric characters. /NODESCRIPTION indicates that the description is to be blank.

/ROLE=role-type

Sets the computer's role in the network to be either a primary or backup domain controller. The role-type can be either PRIMARY_DOMAIN_CONTROLLER or BACKUP_DOMAIN_CONTROLLER.

Only a computer whose current role is backup domain controller can have its role changed to primary domain controller. When this occurs, the existing primary domain controller (if it is available to the network) will automatically be demoted to backup domain controller.

A primary domain controller can only have its role changed to backup domain controller if another computer in the domain is acting as the current primary domain controller. This could happen if a backup domain controller was promoted to primary domain controller while the original primary domain controller was not available to the network. When the original primary domain controller is restarted, use this command to explicitly demote it to backup domain controller.

Do not use the SET COMPUTER/ROLE command to change the role of an Advanced Server domain controller to a member server, or vice versa. Use the SYS$UPDATE:PWRK$CONFIG command procedure.


Examples

#1

 LANDOFOZ\\TINMAN> SET COMPUTER TINMAN/AUTOSHARE_SYNCHRONIZE
 %PWRK-S-AUTOSHRSYNCHED, autoshare synchronization was successful
      

This example causes the computer TINMAN to resynchronize its list of autoshares.

#2

 LANDOFOZ\\TINMAN> SET COMPUTER TINMAN/ACCOUNT_SYNCHRONIZE

 Resynchronizing the "LANDOFOZ" domain may take a few minutes.

 Do you want to continue with the synchronization  [YES or NO] (YES) :
 %PWRK-S-ACCSYNCHED, account synchronization was successful
      

This example synchronizes the accounts databases on all backup domain controllers in the LANDOFOZ domain, with the primary domain controller TINMAN.

#3

 LANDOFOZ\\TINMAN> SET COMPUTER DOROTHY/ACCOUNT_SYNCHRONIZE

 Resynchronizing "DOROTHY" with its Primary Domain Controller "TINMAN"
 may take a few minutes.  After the synchronization has completed, you
 should check the Event Logs on "DOROTHY" and "TINMAN" to determine
 whether synchronization was successful.

 Do you want to continue with the synchronization [YES or NO] (YES) :
 %PWRK-S-ACCSYNCHED, account synchronization was successful
      

This example synchronizes the accounts database on the backup domain controller DOROTHY, with its primary domain controller TINMAN.

#4

 LANDOFOZ\\TINMAN> SET COMPUTER DOROTHY/ROLE=PRIMARY_DOMAIN_CONTROLLER

 Promoting "DOROTHY" to a Primary Domain Controller may take a few minutes.

 Do you want to continue with the promotion [YES or NO] (YES) :
 %PWRK-I-ROLESYNC, synchronizing "DOROTHY" with its primary
 %PWRK-I-ROLENLSTOP, stopping the Net Logon service on "DOROTHY"
 %PWRK-I-ROLENLSTOP, stopping the Net Logon service on "TINMAN"
 %PWRK-I-ROLECHANGE, changing "TINMAN"'s role to Backup Domain Controller
 %PWRK-I-ROLECHANGE, changing "DOROTHY"'s role to Primary Domain Controller
 %PWRK-I-ROLENLSTART, starting the Net Logon service on "DOROTHY"
 %PWRK-I-ROLENLSTART, starting the Net Logon service on "TINMAN"
 %PWRK-S-ROLECHANGED, the computers role was successfully changed
      

This example sets the backup domain controller named DOROTHY to be the primary domain controller in its domain. The current primary domain controller, TINMAN, is demoted to a backup domain controller.


Previous Next Contents Index