Compaq PATHWORKS for OpenVMS (Advanced Server)
Server Administrator's Guide



2.2.1.1 Example: Setting a User Account Policy

The following example shows how to set the account policy for the domain so that users are disconnected when they exceed their logon hours (/FORCE_DISCONNECT) and are locked out after three failed logon attempts. The failed logon count resets 20 minutes after the last failed logon attempt, and locked-out accounts are unlocked after 25 minutes.


LANDOFOZ\\TINMAN> SET ACCOUNT POLICY/FORCE_DISCONNECT - 
_LANDOFOZ\\TINMAN> /LOCKOUT=(ATTEMPTS=3,WINDOW=20,DURATION=25) 
%PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ" 

2.2.1.2 Example: Displaying the Account Policy for a Domain

The following example shows how to use the SHOW ACCOUNT POLICY command to display the account policy for a domain:


LANDOFOZ\\TINMAN> SHOW ACCOUNT POLICY 
 
Account Policy for domain "LANDOFOZ": 
 
Minimum password age (days) : 1 
Maximum password age (days) : 42 
Minimum password length : 0 
Length of password history maintained : None 
Force user logoff after logon hours expire: YES 
Lock out account after how many bad password attempts : 3 
Number of minutes account remains locked : 20 
Number of minutes to wait before resetting lockout count : 25 
Role of server TINMAN : Primary Domain Controller 
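
The following Python code is an added example, not part of the original guide or of the Advanced Server software. It parses the SHOW ACCOUNT POLICY display shown above and reports the settings that fall short of a site baseline. The BASELINE limits and the function names are assumptions chosen for illustration.

```python
# SHOW ACCOUNT POLICY display copied from the example above.
SAMPLE = """\
Account Policy for domain "LANDOFOZ":

Minimum password age (days) : 1
Maximum password age (days) : 42
Minimum password length : 0
Length of password history maintained : None
Force user logoff after logon hours expire: YES
Lock out account after how many bad password attempts : 3
Number of minutes account remains locked : 20
Number of minutes to wait before resetting lockout count : 25
Role of server TINMAN : Primary Domain Controller
"""

# Hypothetical site baseline (an assumption, not values from this guide):
# label as displayed -> ("min" or "max", limit).
BASELINE = {
    "Minimum password length": ("min", 8),
    "Length of password history maintained": ("min", 5),
    "Maximum password age (days)": ("max", 90),
    "Lock out account after how many bad password attempts": ("max", 5),
    "Number of minutes account remains locked": ("min", 15),
}


def parse_account_policy(text):
    """Map each displayed label to its value string."""
    policy = {}
    for line in text.splitlines():
        # Split on the last colon; some labels have no space before it.
        label, sep, value = line.rpartition(":")
        if sep and value.strip():
            policy[label.strip()] = value.strip()
    return policy


def policy_findings(text, baseline=BASELINE):
    """Return one finding per baseline setting the display does not satisfy."""
    policy = parse_account_policy(text)
    findings = []
    for label, (kind, limit) in baseline.items():
        value = policy.get(label)
        if value is None:
            findings.append(f"{label}: missing from display")
        elif not value.isdigit():
            # A non-numeric value (the display shows "None" for password
            # history) cannot meet a numeric limit.
            findings.append(f"{label}: {value}, baseline {kind} {limit}")
        elif (int(value) < limit) if kind == "min" else (int(value) > limit):
            findings.append(f"{label}: {value}, baseline {kind} {limit}")
    return findings
```
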

2.2.2 Managing the Audit Policy

You specify the audit policy using the SET AUDIT POLICY command. When auditing is enabled, the server records selected security-related activities in the Security event log. The server can record systemwide events, such as a user logging on, and file-specific events, such as a user attempting to access a specific file. You display the audit policy using the SHOW AUDIT POLICY command.

The audit policy affects Security event logging for all servers in the domain, because they share the same audit policy. You can specify whether to log failed events and successful events. See Table 2-3 for a list of the events that you can audit. Note that to audit events pertaining to files or directories (ACCESS events), you must also set auditing on the files or directories. For more information, see Section 6.1.3.6, Setting and Displaying Security Event Auditing for Files and Directories.

Table 2-3 Events You Can Audit

Audit Event Name     Events Audited
-------------------  --------------------------------------------------------
ACCESS               - A user accessing a directory or file that is set for
                       auditing (SET FILE/AUDIT=)
                     - A user sending a print job to a printer that is set
                       for auditing
ACCOUNT_MANAGEMENT   - Creating, changing, or deleting a user account or group
                     - Renaming, disabling, or enabling a user account
                     - Setting or changing a password
LOGONOFF             - A user logging on or logging off
                     - A user making a network connection
POLICY_CHANGE        - Changing the audit policy
                     - Changing a trust relationship
                     - Changing user rights policies
PROCESS              - Program activation
                     - Handling duplication
                     - Indirect object access
                     - Process exit
SYSTEM               - A user starting or restarting a server
                     - A system security event
                     - An event that affects the security log
USER_RIGHTS          - A user exercised a user right such as accessing a
                       file, except for logon/logoff rights

2.2.2.1 Example: Displaying the Audit Policy for a Domain

The following example shows how to display the audit policy for a domain:


LANDOFOZ\\TINMAN> SHOW AUDIT POLICY 


Audit Policy for domain "LANDOFOZ": 
 
Auditing is currently Disabled. 
 
Audit Event states: 
 
Audit Event         Success   Failure 
------------------- --------  -------- 
ACCESS              Disabled  Disabled 
ACCOUNT_MANAGEMENT  Disabled  Disabled 
LOGONOFF            Disabled  Disabled 
POLICY_CHANGE       Disabled  Disabled 
PROCESS             Disabled  Disabled 
SYSTEM              Disabled  Disabled 
USER_RIGHTS         Disabled  Disabled 
 
LANDOFOZ\\TINMAN> 

2.2.2.2 Example: Enabling Auditing and Setting the Audit Policy for a Domain

The following example shows how to enable auditing and set the audit policy for a domain, using the SET AUDIT POLICY/AUDIT command. In this example, the /SUCCESS=LOGONOFF qualifier enables auditing of successful logon and logoff operations.


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/SUCCESS=LOGONOFF 
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" 
LANDOFOZ\\TINMAN> SHOW AUDIT POLICY 
 
Audit Policy for domain "LANDOFOZ": 
 
Auditing is currently Enabled. 
 
Audit Event states: 
 
Audit Event         Success   Failure 
------------------  --------  -------- 
ACCESS              Disabled  Disabled 
ACCOUNT_MANAGEMENT  Disabled  Disabled 
LOGONOFF            Enabled   Disabled 
POLICY_CHANGE       Disabled  Disabled 
PROCESS             Disabled  Disabled 
SYSTEM              Disabled  Disabled 
USER_RIGHTS         Disabled  Disabled 
 
LANDOFOZ\\TINMAN> 

To enable auditing of all events, use the following command:

SET AUDIT POLICY/AUDIT/SUCCESS=ALL/FAILURE=ALL
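
The following Python code is an added example, not part of the original guide or of the Advanced Server software. It parses the SHOW AUDIT POLICY display from the example above (condensed by removing blank lines and the "Audit Event states:" line) and lists the event categories that a site baseline requires but the domain does not audit, checking the domain-wide Enabled/Disabled state first. The REQUIRED baseline and the function names are assumptions chosen for illustration.

```python
import re

# SHOW AUDIT POLICY display from the example above, condensed.
SAMPLE = """\
Audit Policy for domain "LANDOFOZ":
Auditing is currently Enabled.
Audit Event         Success   Failure
------------------  --------  --------
ACCESS              Disabled  Disabled
ACCOUNT_MANAGEMENT  Disabled  Disabled
LOGONOFF            Enabled   Disabled
POLICY_CHANGE       Disabled  Disabled
PROCESS             Disabled  Disabled
SYSTEM              Disabled  Disabled
USER_RIGHTS         Disabled  Disabled
"""

# Hypothetical site baseline (an assumption, not a value from this guide).
REQUIRED = {
    "ACCOUNT_MANAGEMENT": {"Success", "Failure"},
    "LOGONOFF": {"Success", "Failure"},
    "POLICY_CHANGE": {"Success", "Failure"},
}

ROW = re.compile(r"^([A-Z_]+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)$")

def parse_audit_policy(text):
    """Return (auditing_enabled, {event: set of audited outcomes})."""
    switch = re.search(r"Auditing is currently (Enabled|Disabled)", text)
    if switch is None:
        raise ValueError("input is not SHOW AUDIT POLICY output")
    events = {}
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if row:
            name, success, failure = row.groups()
            states = {"Success": success, "Failure": failure}
            events[name] = {k for k, v in states.items() if v == "Enabled"}
    return switch.group(1) == "Enabled", events

def audit_gaps(text, required=REQUIRED):
    """List what the baseline requires that the displayed policy does not log."""
    enabled, events = parse_audit_policy(text)
    gaps = []
    if not enabled:
        # The domain-wide state is reported separately from the event rows.
        gaps.append("auditing is disabled for the domain")
    for name in sorted(required):
        for outcome in sorted(required[name] - events.get(name, set())):
            gaps.append(f"{name}: {outcome} not audited")
    return gaps
```
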

2.3 Managing a Server

When you manage a server, you can display server information, send messages to users, and start and stop services.

2.3.1 Displaying Server Information

You can display information about the server including connections, user sessions, shared resources, and the software version number.

2.3.1.1 Displaying Connections

As you manage your server, you may need to know which connections are active. A connection is a virtual link between a workstation or a server process and a shared resource on a server.

To display existing connections, use the SHOW CONNECTIONS command. The SHOW CONNECTIONS command displays information about active connections to the server, including connections from the Advanced Server. The information about each connection includes:

The following example displays information about all the connections to the server currently being administered (TINMAN).


 LANDOFOZ\\TINMAN> SHOW CONNECTIONS 
 
  Connections on server "TINMAN": 
 
  User name             Computer name    Share name  Opens  Time 
  --------------------  ---------------  -----------------  -------- 
  ADMINISTRATOR         TINMAN_176       IPC$           3   0 11:30 
  SCARECROW             TINMAN_149       ADMIN$         0   0 00:00 
  SCARECROW             TINMAN_149       IPC$           0   0 00:00 
  SCARECROW             TINMAN_149       IPC$           1   0 00:00 
  SCARECROW             TINMAN_149       RAINBOW        0   0 06:14 
 
    Total of 5 connections 

2.3.1.2 Displaying User Sessions

As you manage your server, you may need to know which sessions are active. A session is a link between a workstation and a server. Multiple share connections can be established over a single session.

To display user sessions, use the SHOW SESSIONS command. You can include the /SERVER qualifier to display sessions on a specific server. The display includes:

For example:


LANDOFOZ\\TINMAN> SHOW SESSIONS/SERVER=WOODMAN 
 
User sessions on server "WOODMAN": 
 
Connected Users     Computer      Opens   Time       Idle       Guest 
------------------  ---------     -----   -------    -------    ----- 
ADMINISTRATOR       TINMAN            1   1 22:54    0 00:00    No 
SCARECROW           DOROTHY           3   0 03:48    0 00:03    No 
 
  Total of 2 connected users 
 
LANDOFOZ\\TINMAN> 

2.3.1.3 Displaying Shared Resources

The Advanced Server allows you to display information about shared resources. You can display information about the share permissions and the OpenVMS protections on them, as well as the maximum number of connections to the share allowed at one time. You can specify the display of only the active shares (those currently connected to) or by the type of share (printers or directories).

To see shared resources from the current server, use the SHOW SHARES command. This command displays:

Specify the share name to display information about only one share. Use the /FULL qualifier to display detailed information about each share.

For example, the following command displays the shares on the server currently being administered (TINMAN):


LANDOFOZ\\TINMAN> SHOW SHARES 
 
Shared resources on Server "TINMAN": 
 
Name              Type          Description 
---------       ---------       ---------------------------------- 
NETLOGON        Directory       Logon Scripts Directory 
RAINBOW         Directory       Local Oz Share 
PWLIC           Directory       PATHWORKS Client License Sftwr 
PWLICENSE       Directory       PATHWORKS Client License Sftwr 
PWUTIL          Directory       Adv. Srv. Client-based Utilities 
USERS           Directory       Users Directory 
 
   Total of 6 shares 
 
LANDOFOZ\\TINMAN> 

To display hidden shares, that is, shares whose name ends in a dollar sign ($), such as administrative resources and local device shares like C$, you must include the /HIDDEN qualifier or specify the share name. For example, the following command displays the local device share C$:


LANDOFOZ\\TINMAN> SHOW SHARES C$ 
 
Shared resources on Server "TINMAN": 
 
Name          Type       Description 
------------  ---------  ---------------------------------------- 
C$            Directory  PATHWORKS share 
 
  Total of 1 share 

2.3.1.4 Displaying the Advanced Server Version Number

You can verify the version number of Advanced Server software. To display the version number of server software on your system, use the SHOW VERSION command. For example:


LANDOFOZ\\TINMAN> SHOW VERSION 
 
PATHWORKS V6.1 for OpenVMS (Advanced Server) 
 
LANDOFOZ\\TINMAN> 

This command is valid for PATHWORKS for OpenVMS (Advanced Server) and Advanced Server for OpenVMS servers only.

2.3.2 Stopping the Advanced Server

You can stop the Advanced Server at any time for any reason, which can include the following:

To stop the Advanced Server, enter the following command:


$ @SYS$STARTUP:PWRK$SHUTDOWN 
Shutting down the currently running server(s)... 
 

For a cluster server, enter:


$ @SYS$STARTUP:PWRK$SHUTDOWN CLUSTER 

To stop the Advanced Server as part of an orderly system shutdown, add the shutdown command to the site-specific system shutdown procedure. In addition, prior to shutting down the server, announce the planned shutdown to connected users by using the ADMINISTER SEND/USERS command, as described in Section 2.3.3, Sending Messages to Users.

2.3.3 Sending Messages to Users

You should send messages to users before you change the operating characteristics of a server. For example, you might send a message before disconnecting users or if you need to stop sharing a resource on a computer. For a message to be sent and received, the Alerter service must be running on the computer sending the message, and the Messenger service must be running on the computer receiving the message.

Note

The Messenger service is not supported on the Advanced Server. Therefore, OpenVMS users on Advanced Servers will not receive messages sent this way.

2.3.3.1 Sending a Message to the User of a Specific Computer

To send a message to the user of a specific computer, follow these steps:

  1. Identify the computer to which you will send your message.
  2. Enter the ADMINISTER SEND command, including the computer name and the message. Enclose the message in quotation marks.

For example, the following command sends the message "Shutdown at 1pm today!!!" to the computer called WORTHY.


LANDOFOZ\\TINMAN> SEND WORTHY "Shutdown at 1pm today!!!" 
LANDOFOZ\\TINMAN> 

The message is displayed in a Messenger Service pop-up window on computer WORTHY in the following form:


       Message from TINMAN to WORTHY on 4/30/01 11:20 AM 
       "Shutdown at 1pm today!!!" 

With the /SERVER=servername qualifier, you can send a message from another specified server in your domain to a specific group of users in your domain. With the /USER qualifier, you can send a message to all or specific users on a server.

2.3.3.2 Sending a Message to Users on a Specific Server

To send a message to users connected to a specific server, use the /SERVER qualifier. For example, the following command sends the message "Shutdown at 1pm today!!!" to all users connected to server WOODMAN.


LANDOFOZ\\TINMAN> SEND/USERS/SERVER=WOODMAN "Shutdown at 1pm today!!!" 
 
LANDOFOZ\\TINMAN> 

This command may take a few minutes to complete.

2.3.4 Managing Services

To manage Advanced Server services, you need to know how to start and stop services and how to configure service startup. Services are set up during server installation and configuration.

You can start and stop some of the services available on the computer and determine whether a service will start up automatically when the system starts. You must be logged on to a user account that has membership in the Administrators group or the Server Operators group to perform these operations. Table 2-4, Network Services on the Advanced Server, shows the default services provided with Advanced Server.

Table 2-4 Network Services on the Advanced Server

Service     Supported on      Starts by  Can Be  Can Be
            Advanced Servers  Default    Paused  Stopped
----------  ----------------  ---------  ------  -------
Alerter     Yes               Yes        No      Yes
  Description: Notifies selected users and computers of administrative alerts that occur on this server. Used by the server and other services.
Browser     Yes               Yes        No      Yes
  Description: Lists network entities, such as domains, computers, and shared resources.
EventLog    Yes               Yes        No      No
  Description: Records system, security, and application events in the event logs, and enables remote access to those logs. Cannot be stopped separately; stops together with the Server service.
NetLogon    Yes               Yes        Yes     Yes
  Description: Verifies the user name and password of each user who attempts to log on to the network or gain access to the server. Synchronizes security databases.
Server      Yes               Yes        Yes     No (1)
  Description: Provides file and print sharing.
TimeSource  Yes               No         No      Yes
  Description: Identifies a server as the time server for a domain. Other computers synchronize their clocks with the time server.
Replicator  No                No         No      No
  Description: Replicates user directories and files.
Messenger   No                No         No      No
  Description: Allows receipt of server management messages.

(1) Only by using the PWRK$SHUTDOWN command procedure.

The Replicator and Messenger services are supported on Windows NT and can be stopped and started, but not paused, from the Advanced Server.

The Alerter, NetLogon, and TimeSource services can be enabled and disabled by adding them to the list of services associated with the SrvServices server configuration parameter stored in the LANMAN.INI file, as described in Section 7.3, Using the LANMAN.INI File. When a service is enabled, it is started automatically when the Advanced Server starts.

Note

For smooth operation of the domain, Compaq recommends that the NetLogon service always be enabled, even on member servers.

2.3.4.1 Displaying Services

As you manage your server, you may need to know the state of network services.

To display available services, use the SHOW SERVICES command. For example:


LANDOFOZ\\TINMAN> SHOW SERVICES 
 
Services on server "TINMAN": 
 
Service           Current State 
--------------    --------------- 
ALERTER           Started 
BROWSER           Started 
EVENTLOG          Started 
NETLOGON          Started 
SERVER            Started 
TIMESOURCE        Started 
 
   Total of 6 services 
 
LANDOFOZ\\TINMAN> 

2.3.4.2 Starting Services

By default, the Server, Alerter, Browser, and NetLogon services are started automatically when the server is started.

To start a service, use the START SERVICE command, specifying the full service name. For example:


LANDOFOZ\\TINMAN> START SERVICE TIMESOURCE 
%PWRK-S-SVCSTART, service "TIMESOURCE" started on server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

2.3.4.3 Pausing Services

You can suspend execution of the Server and NetLogon services. Unlike stopping a service, pausing does not cancel resource sharing, terminate connections or change any settings associated with the service.

Pausing the Server service prevents users from making new connections to the server's shared resources; however, users who have already connected to shared resources can continue to use the resources. Pausing the Server service does not prevent users who are members of the Administrators group from connecting to the service.

Pausing the NetLogon service prevents the server from synchronizing the domain's security accounts database. The server will not validate logons.

To pause a service, use the PAUSE SERVICE command. For example:


LANDOFOZ\\TINMAN> PAUSE SERVICE SERVER 
Do you really want to pause service "SERVER" [YES or NO](YES): YES 
%PWRK-S-SVCPAUSE, service "SERVER" paused on server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

2.3.4.4 Continuing Services

You can use the CONTINUE SERVICE command to continue a paused service. When you continue a service, you restore access to the service.

To continue a service, use the CONTINUE SERVICE command. For example:


LANDOFOZ\\TINMAN> CONTINUE SERVICE SERVER 
%PWRK-S-SVCCONT, service "SERVER" continued on server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

2.3.4.5 Stopping Services

Stopping a service disables all operations provided by that service. You can use ADMINISTER commands to stop the following services:

To stop the Server service, use the PWRK$SHUTDOWN.COM command procedure, as described in Section 2.3.2, Stopping the Advanced Server. Before you stop the Server service, you should follow these steps:

  1. Pause the service.
  2. Send a message to users connected to the server's shared resources, warning them that Advanced Server will be shut down. Your message should ask all users to stop their current activities and close all files. Give users adequate time to close their files before you proceed. If you shut down the server while users are accessing shared resources, they may lose data.

To stop a service, use the STOP SERVICE command. For example:


LANDOFOZ\\TINMAN> STOP SERVICE TIMESOURCE 
Do you really want to stop service "TIMESOURCE" [YES or NO] (YES): YES 
%PWRK-S-SVCSTOP, service "TIMESOURCE" stopped on server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

