HP OpenVMS Systems Documentation

Content starts here

Compaq PATHWORKS for OpenVMS (Advanced Server)
Server Administrator's Guide


Previous Contents Index

3.1.9 Specifying Workstations

Use the /WORKSTATIONS qualifier to restrict the workstations from which users can log on to domain accounts. The default is to allow a user to log on from any workstation, but you can optionally restrict a user's logons to certain workstations. You can specify up to eight workstations for the user account.

To manage logon workstations, use the ADD USER, COPY USER, or MODIFY USER command, with the /WORKSTATION qualifier. For example:


LANDOFOZ\\TINMAN> ADD USER LION /WORKSTATION=(LIONS_DEN)
%PWRK-S-USERADD, user "LION" added to domain "LANDOFOZ"

This command creates the new user account LION and specifies that the user can log on from the LIONS_DEN workstation.

3.1.10 Specifying Home Directories

A user's home directory is accessible to the user and contains files and programs for that user. When a user logs on at a workstation, a connection can be made to that user's home directory automatically. Depending on the client computer, you may need to specify the home directory in a logon script. The home directory becomes the user's default directory for file access and for all applications that do not have a defined working directory. Home directories can make it easier for an administrator to back up user files because they keep many or all of a user's files in one location.

On a server running Advanced Server software, the default parent directory for user account home directories is:

PWRK$LMROOT:[LANMAN.ACCOUNTS.USERDIRS]

You can specify a home directory as an absolute path name or as a UNC (Universal Naming Convention) path name, which is domain wide. To specify the default parent directory for user account home directories, enter:


\\server\LANMAN\ACCOUNTS\USERDIRS

If you omit the /HOME qualifier when you create a user account, no home directory is defined for a user.

Note

The Advanced Server home directory is not associated with the OpenVMS SYS$LOGIN directory.

A home directory can be assigned to a single user or it can be shared by several users. It can be a local directory on a user's workstation or a shared network directory. If you specify a network path for the home directory, an attempt is made to create that home directory. If the directory cannot be created, a message instructs you to create the directory manually.

To specify a home directory, use the ADD USER, COPY USER, or MODIFY USER command, with the /HOME=(PATH=pathname) qualifier. The home directory pathname must be specified in one of the following forms:

  • The absolute path of a directory local to the user's workstation
  • The UNC path for a shared network directory, as follows:


    \\servername\sharename\directoryname
    

    If you specify a UNC path, you must also specify a drive letter that is not currently being used on the user's workstation, to be assigned to the path when the user logs on.

For example, to modify user account LION, specifying a home directory on server TINMAN to be associated with drive D, enter the following command:


LANDOFOZ\\TINMAN> MODIFY USER LION/HOME=(PATH=\\TINMAN\USERS\LION,DRIVE=D:)
%PWRK-S-USERMOD, user "LION" modified on domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

3.1.11 Specifying User Account Expiration Dates

You can assign an expiration date for a user account, at which time the account is automatically expired but not removed from the accounts database. You can reactivate an expired account by removing the expiration date or by assigning a new date.

By default, there is no expiration date for a user account. Use the ADD USER, COPY USER, or MODIFY USER command with the /EXPIRATION qualifier to define the account expiration date for a user account.

When an account has an expiration date, the account is disabled at the end of the previous day. When an account expires, a user who is logged on remains logged on, but cannot establish new network connections or log on again after logging off.

For example, to add a user named FRIENDLY to the domain LANDOFOZ and set the account to expire on November 9, 2001, enter the following command:


LANDOFOZ\\TINMAN> ADD USER FRIENDLY/PASSWORD="PotOfGold"-
_LANDOFOZ\\TINMAN>/EXPIRATION_DATE=09-NOV-2001
%PWRK-S-USERADD, user "FRIENDLY" added to domain "LANDOFOZ"

3.1.12 Specifying User Profiles

User profiles allow you to set up the user's environment so that it can be downloaded to the user's workstation when the user logs on to the network. The user profile contains configuration information such as:

  • Desktop arrangement
  • Personal program groups and program items
  • Screen colors and screen savers
  • Network connections
  • Mouse settings
  • Window size and positions

When the user logs on, the user profile is downloaded and the user's workstation is configured accordingly.

You create user profiles using the Windows NT Server tool User Profile Editor. Refer to your Windows NT Server documentation for more information.

When you add a user, you can specify a profile and its path.

To specify a profile, use the ADD USER or MODIFY USER command with the /PROFILE qualifier. For example, to add user SCARECROW with a profile that is stored on the server TINMAN, enter the following command:


LANDOFOZ\\TINMAN> ADD USER SCARECROW/PROFILE="\\TINMAN\PROFILES\SCARECROW.USR"
%PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

Note that the network path to the profile is enclosed in quotation marks.

3.1.13 Displaying User Accounts

To display information about user accounts, use the SHOW USERS command. For example:


LANDOFOZ\\TINMAN> SHOW USERS

User accounts in domain "LANDOFOZ":

User Name          Full Name      Type    Description
--------------     -----------    ------  ------------------------
Administrator                     Global   Built-in account for
                                           administering the domain
Guest                             Global   Built-in account for
                                           guest access to the domain
LION               Lion,Cowardly  Global   Cowardly Lion
SCARECROW          Man, Straw     Global   The Straw Man

   Total of 4 user accounts

LANDOFOZ\\TINMAN>

3.1.13.1 Example: Sorting the Display by User Full Name

To sort the display by user full name, use the SHOW USERS/SORT=FULLNAME command, as in the following example:


LANDOFOZ\\TINMAN> SHOW USERS/SORT=FULLNAME

User accounts in domain "LANDOFOZ:"

Full Name      User Name        Type    Description
-------------- -------------    ------  ---------------------------
               Administrator    Global  Built-in account for
                                        administering the domain
               Guest            Global  Built-in account for guest
                                        access to the domain
Lion, Cowardly  LION            Global  Cowardly Lion
Man, Straw      SCARECROW       Global  The Straw Man

   Total of 4 user accounts

LANDOFOZ\\TINMAN>

3.1.13.2 Example: Reviewing User Account Settings for a Specific User

To display user account settings for a specific user, use the SHOW USERS/FULL command. For example, the following display shows the settings for user LION.


LANDOFOZ\\TINMAN> SHOW USERS LION/FULL

User accounts in domain "LANDOFOZ":

User Name       Full Name       Type    Description
--------------- --------------- ------- -------------
LION            Lion, Cowardly  Global  Cowardly Lion
   User profile:
   Logon script:
   Home Path: D: Path: \\TINMAN\USERS\LION
   Primary Group: Domain Users
   Member of groups: Domain Users, MUNCHKINS
   Workstations: No workstation restrictions
   Logon Flags: Logon script is executed, Password is expired
   Account Type: Global
   Account Expires: Never
   Logon hours (All hours)
   Last Log On: 07/23/01 05:07 PM
   Password Last Set: 06/30/01 11:03 AM
   Password Changeable: 06/30/01 11:03 AM
   Password Expires: 09/11/01 11:03 AM

  Total of 1 user account

LANDOFOZ\\TINMAN>

3.1.14 Modifying User Accounts

Use the MODIFY USER command to change the attributes of an existing user account. You can:

  • Change group membership
  • Add, change, or delete a description
  • Specify a full name
  • Specify whether the user is a global or local user
  • Change the user's account settings
  • Remove a user from a group
  • Specify workstations that the user can access

3.1.14.1 Example: Adding an Existing User to a Group

To add an existing user to a group, use the MODIFY USER/ADD_TO_GROUPS command, as in the following example:


LANDOFOZ\\TINMAN> MODIFY USER SCARECROW/ADD_TO_GROUPS=MUNCHKINS
%PWRK-S-USERMOD, user "SCARECROW" modified on domain "LANDOFOZ"

You can then enter the SHOW GROUPS/FULL command to see that the group MUNCHKINS now includes the user SCARECROW:


LANDOFOZ\\TINMAN> SHOW GROUPS MUNCHKINS/FULL

Groups in domain "LANDOFOZ":
Group Name            Type    Description
--------------------  ------  ------------------------------------
MUNCHKINS             Global  Users in the Land of Oz
    Members: [US]LION, [US]SCARECROW)

  Total of 1 group)

LANDOFOZ\\TINMAN>

3.1.14.2 Example: Changing a User's Logon Hours

To change the hours when a user can log on, use the MODIFY USER/HOURS command. For example, to restrict a user to logging on only on Monday from 8 a.m. to 9 a.m. and from 3 p.m. to 8 p.m., specify /HOURS=(MON=(8-9,15-20)).

For example, to modify LION's logon hours, use the MODIFY USER command, as follows.


LANDOFOZ\\TINMAN> MODIFY USER LION/HOURS=(MON=(8-9,15-20))
%PWRK-S-USERMOD, user "LION" modified on domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

You can verify that the change was made correctly using the SHOW USERS/FULL command. For example:


LANDOFOZ\\TINMAN> SHOW USERS LION/FULL

User accounts in domain "LANDOFOZ":

User Name       Full Name       Type     Description
--------------- --------------- ------- -------------
LION            Lion, Cowardly  Global  Cowardly Lion
   User profile:
   Logon script:
   Home Path: D: Path: \\TINMAN\USERS\LION
   Primary Group: Domain Users
   Member of groups: Domain Users, MUNCHKINS
   Workstations: No workstation restrictions
   Logon Flags: Logon script is executed, Password is expired
   Account Type: Global
   Account Expires: Never
   Logon hours: 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2
                0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
        Sunday: - - - - - - - - - - - - - - - - - - - - - - - -
        Monday: - - - - - - - - X X - - - - - X X X X X X - - -
       Tuesday: - - - - - - - - - - - - - - - - - - - - - - - -
     Wednesday: - - - - - - - - - - - - - - - - - - - - - - - -
      Thursday: - - - - - - - - - - - - - - - - - - - - - - - -
        Friday: - - - - - - - - - - - - - - - - - - - - - - - -
      Saturday: - - - - - - - - - - - - - - - - - - - - - - - -
   Last Log On: 07/23/01 05:07 PM
   Password Last Set: 06/30/01 11:03 AM
   Password Changeable: 06/30/01 11:03 AM
   Password Expires: 09/11/01 11:03 AM

  Total of 1 user account

LANDOFOZ\\TINMAN>

3.1.15 Disabling and Removing User Accounts

A user's ability to log on can be rescinded by either disabling or removing the user account. A disabled user account still exists, but the user is not permitted to log on. It continues to appear in the user accounts list. It can be restored to enabled status at any time. A removed account is permanently removed and cannot be recreated with the same security settings.

Each user in a domain is identified by a unique security identifier (SID). The SID is created when a user account is created and is used when assigning permissions to a resource. Because a SID is unique to an account, a new account, even with the same user name, is assigned a new SID. Therefore, if you delete a user account and then need to create another user account for the same user with the same user name, the new user account will not have the rights or permissions that previously were granted to the old user account, because the user account will have a different SID. To avoid problems, first disable a user account you want to remove and then remove it after a reasonable time.

3.1.15.1 Disabling a User Account

Set the account to Disabled, using the MODIFY USER/FLAGS=(DISUSER) command.

3.1.15.2 Deleting a User Account

To delete a user account, use the REMOVE USER command. You are prompted for confirmation before the command executes.

A deleted user account is removed from the user accounts list and cannot be restored or recreated. Make sure that you want to delete a user account before doing so. For example:


LANDOFOZ\\TINMAN> REMOVE USER LION
Each user account is represented by a unique identifier which is
independent of the user name.  Once the user account is deleted,
even creating an identically named user account in the future will
not restore access to resources which currently name this user
account in the access control list.
Remove user "LION" [YES or NO] (YES) : YES
%PWRK-S-USERREM, user "LION" removed from domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

3.1.16 User Account Host Mapping

Advanced Server provides user account host mapping, which associates a network user account with an OpenVMS user account, simplifying the management of both user accounts. Host mapping is required for users who are externally authenticated, as described in Section 3.1.17, External Authentication.

Every file on an OpenVMS system must have an owner. Host mapping establishes which OpenVMS account is assigned as the owner when an Advanced Server user creates files or directories. Host mapping is also used to determine the OpenVMS user name when logging on to OpenVMS using external authentication. Additionally, when the Advanced Server and OpenVMS security model is enabled, host mappings are used to determine the OpenVMS access rights permitted to the user. The security models are selected using the Configuration Manager, as described in Section 7.2, Using the Configuration Manager.

3.1.16.1 Implicit and Explicit Host Mapping

The Advanced Server supports both explicit and implicit host mapping between OpenVMS and Advanced Server user accounts. You can explicitly map a network user name to an OpenVMS user name using the ADMINISTER command ADD HOSTMAP.

Implicit host mapping is established when:

  • An OpenVMS user name matches a network user name exactly.
  • The network user name is one of the following:
    • Administrator (implicitly mapped to the SYSTEM account)
    • Guest (implicitly mapped to PWRK$GUEST)
    • PWRK$DEFAULT (used when no match is found)

Host mapping is used to determine the OpenVMS user name when logging on to OpenVMS using external authentication. The user account Administrator is implicitly mapped to the OpenVMS user account SYSTEM. Therefore, if you enable the OpenVMS user account SYSTEM for external authentication, you can log in to the SYSTEM account using the Administrator user name and password, without explicitly defining any host map information. See Section 3.1.17, External Authentication, for more information.

Implicit host mapping is based on the user account names. Therefore, if you copy the Administrator account or the Guest account, you must specifically set up host mapping for the new user accounts. If you rename the Administrator or Guest account, the implicit mapping is not preserved. You must explicitly map the newly renamed account name to the OpenVMS SYSTEM account using the ADMINISTER command ADD HOSTMAP.

3.1.16.2 Establishing User Account Host Mapping

By default, if a user name for a network user account is identical to the user name for an OpenVMS user account, the user accounts are host mapped. Files created by the network user are automatically designated with the OpenVMS owner setting. This feature is controlled by a set of server configuration parameters, described in Section 7.3, Using the LANMAN.INI File. including:

  • HostMapUseVMSNames, which specifies whether host mapping is enabled or not. By default, host mapping is enabled.
  • HostMapDomains, which specifies domain names for user accounts in trusted domains.
  • HostMapDefault, which specifies the default OpenVMS user name to associate with user accounts that have no default or specified mapping.

When a user creates a file or directory using the Advanced Server, the resource is assigned the OpenVMS ownership associated with the user's mapped account. The mapped account is used for OpenVMS resource ownership. (For more information about enabling this security model, see Section 7.2, Using the Configuration Manager.)

3.1.16.2.1 Setting Up Explicit Host Mapping

To set up explicit host mapping, use the ADD HOSTMAP command in the following form:

ADD HOSTMAP network-user-name OpenVMS-user-name

In the following example, the network user account for SCARECROW is host mapped to the user's OpenVMS user account STRAWMAN. If SCARECROW creates a file, the file is assigned the RMS ownership attributes associated with the OpenVMS account STRAWMAN.


LANDOFOZ\\TINMAN> ADD HOSTMAP SCARECROW STRAWMAN
%PWRK-S-HOSTMAPADD, user "SCARECROW" mapped to host user "STRAWMAN"

LANDOFOZ\\TINMAN>
3.1.16.2.2 Displaying Host Mapping

To display host mapping, use the SHOW HOSTMAP command. For example:


LANDOFOZ\\TINMAN> SHOW HOSTMAP
Host Mappings for server "TINMAN":

User Name                       Host Name
----------------------------    -----------
Guest                           PWRK$GUEST
SCARECROW                       STRAWMAN
LION                            CLION

  Total of 3 host mappings

LANDOFOZ\\TINMAN>

3.1.17 External Authentication

External authentication is supported on OpenVMS systems Version 7.1 and higher. External authentication allows the OpenVMS system manager to set up an OpenVMS user account for which login authentication is verified by the Advanced Server domain security. External authentication allows the Advanced Server to perform the user authentication for both Advanced Server domain user and OpenVMS user accounts.

External authentication is an option for users who have both OpenVMS and Advanced Server domain user accounts. It is not required. User host mapping provides the link between these two accounts, as described in Section 3.1.16, User Account Host Mapping.

With external authentication, users get automatic password synchronization between their OpenVMS accounts and their corresponding Advanced Server domain accounts. If the domain account password is changed, the OpenVMS LOGINOUT program sets the OpenVMS account password to the domain account password the next time the user logs in to the OpenVMS account. If the user changes the OpenVMS password with the DCL SET PASSWORD command, the the SET PASSWORD command sends the password change to the Advanced Server external authenticator. For synchronization to succeed, an Advanced Server domain controller must be available and the domain account password must meet OpenVMS syntax requirements. Externally authenticated users are considered to have a single password and are not subject to OpenVMS password policies, such as password expiration, password history, and minimum and maximum password length restrictions. Users are, however, subject to the Advanced Server domain user account policy that is defined. All other OpenVMS account restrictions remain in effect, such as disabled accounts, time restrictions, and quotas. For information about enabling external authentication, as well as information about setting up external authentication in OpenVMS Clusters, refer to the Compaq PATHWORKS for OpenVMS (Advanced Server) Server Installation and Configuration Guide. For information about setting up the system and enabling OpenVMS user accounts for external authentication, refer to the OpenVMS Guide to System Security.

3.1.17.1 Configuring the Server Capacity for External Authentication

By default, the Advanced Server can support up to 10 simultaneous external authentication logon requests (signons). You can modify this maximum to suit the server requirements, using the Configuration Manager. For more details, see Section 7.2.4.4, Specifying the Maximum Number of Concurrent Signons.

3.1.17.2 Synchronizing Passwords

The password of an externally authenticated OpenVMS user is automatically synchronized with the host mapped Advanced Server domain user, regardless of the role of the Advanced Server in the domain.

When a user changes the OpenVMS password using the OpenVMS command SET PASSWORD, and external authentication is set for the user, OpenVMS forwards the password change request to the Advanced Server. When the password change request is successfully processed, OpenVMS updates the OpenVMS user password. If Advanced Server is not running when the OpenVMS command SET PASSWORD is executed, the domain password is not changed.

When users change their passwords from their client workstations, or the server administrator changes a password with the ADMINISTER command SET PASSWORD, the Advanced Server processes the password change as usual. The OpenVMS password is synchronized when the user next logs in to OpenVMS. All password changes are synchronized. When an OpenVMS user no longer has the external authentication flag set, the password for the OpenVMS user account is the same as the one that was last set by Advanced Server.

When users change their password on the OpenVMS system or on their client computer, they should use the new password to log in to OpenVMS. If, for some reason, the Advanced Server software is down at the time of the OpenVMS login, users can use their old OpenVMS password to log in, but only if you have enabled overriding of external authentication. In this case, privileged users can enter the /LOCAL_PASSWORD qualifier after their OpenVMS user name at the login prompt, as explained in Section 3.1.17.4, Bypassing External Authentication When the Network Is Down. This causes OpenVMS to perform local authentication.

Note

Password synchronization may fail due to the different sets of valid characters allowed by OpenVMS and Advanced Server. Keep this in mind when changing the password of an externally authenticated user.


Previous Next Contents Index