HP OpenVMS Systems

Content starts here

HP Advanced Server for OpenVMS
Server Administrator's Guide


Previous Contents Index


Chapter 3
Managing Users and Groups

On OpenVMS, you use Advanced Server ADMINISTER commands to manage network user accounts and groups for domains and computers. You can also use the Windows NT server administration tool, User Manager for Domains, to perform these tasks.

The following topics are discussed in this chapter:

Network user accounts and groups are separate and distinct from OpenVMS user accounts and groups. This guide discusses management of network user accounts and groups using Advanced Server.

3.1 Managing Network User Accounts

A network user account contains all the information that defines an Advanced Server user. This includes user name, password, and group memberships. It can also include information such as the user's full name, the user account description, user profile information, a list of logon workstations, and a schedule of authorized logon hours.

3.1.1 Built-In User Accounts

Two predefined, built-in user accounts are provided when an Advanced Server is installed:

  • The Administrator user account is used to manage the server's users, groups, and resources. The Administrator account belongs to the Administrators, Domain Admins, and Domain Users built-in groups.
    You can use the Administrator account to administer a new server or workstation before you have had the opportunity to create an account for yourself. You cannot delete or disable the Administrator account. This ensures that you will never lock yourself out of the computer. When you initially configure the Advanced Server, you are prompted to choose a password for the Administrator account. Always assign a password to the Administrator account to help ensure security.
  • The Guest user account belongs to the Domain Guests group and allows logons for users who do not have accounts in the computer's domain, or in a domain trusted by the domain where the Guest account has been enabled. By default, the Guest account is disabled at installation. You can enable it if Guest access is desired.

Note

Guest users should not create files in their default directory that they do not want other users to access, because all users logged on as Guest access the same default directory.

3.1.2 Types of User Accounts

Every network user account is either a global account or a local account:

  • Global user accounts provide access to resources in the domain where the user account is created, and can also provide access to resources in domains that trust the domain where the user account is created.
  • Local user accounts are restricted to the local domain. A local account can be used only to access server resources over the network. It cannot be used to log on to a Windows NT Server or workstation computer from the console.

3.1.3 User Account Attributes

The user account identifies the user to Advanced Server. The user account is used to authenticate the user both when the user logs on to the domain and when the user requests access to shared resources.

Each user account must have a unique user name in the domain. When you create a user account, you can specify the user account attributes shown in Table 3-1, User Account Attributes.

Table 3-1 User Account Attributes
Attribute Contains
User name The user's account name (up to 20 alphanumeric characters).
Password The password the user enters to log on to the account (up to 14 uppercase and lowercase alphanumeric characters). Passwords entered on ADMINISTER command lines are converted to uppercase unless enclosed within quotation marks.
Full name User's full name, typically more complete than the account name (up to 256 characters).
Description A brief text string describing the account.
Expiration date Date when the account expires.
Type Global or local.
Group names The names of groups of which the user is a member. Determines privileges and access.
Logon restrictions Logon hours and valid workstations.
Logon script A script that is executed when the user logs on.
Home directory A specified location containing files and programs for the user.
User profile Setup information for the user's specific environment.

Advanced Server allows you to integrate OpenVMS user accounts with network user accounts. Network user accounts can be linked (host mapped) to OpenVMS user accounts, simplifying user account management, ensuring password synchronization, and providing automatic access to network administration functions for OpenVMS system manager and operators. See Section 3.1.16.2, Establishing User Account Host Mapping, for more information.

To set account characteristics across all network user accounts, set the account policy, as described in Section 2.2.1, Managing the Account Policy.

User accounts are stored in the domain's Security Account Manager (SAM) database. The SAM database is maintained by the primary domain controller and periodically updated on the backup domain controllers. One of the computers in the domain must be running as a primary domain controller in order for user accounts to be created or modified.

3.1.4 Creating User Accounts

You create network user accounts on the Advanced Server with the ADD USER or COPY USER command.

3.1.4.1 Creating a Network User Account

When you create a user account, you must provide all the information relevant to that user. You can use the ADD USER command to create a user account, or the COPY USER command to copy another account and modify it to suit the specific user.

When you display user information, the users are listed alphabetically by user name; you can optionally sort the display based on the full name. Therefore, follow the same conventions for all users when you enter full names; for example, Cowardly Lion or Lion, Cowardly.

Passwords for network user accounts are case sensitive. Passwords entered on the ADMINISTER command line default to all uppercase characters, unless you enclose them in quotation marks. To preserve lowercase letters, spaces, and other nonalphanumeric characters in passwords when you enter ADMINISTER commands, enclose the password in quotation marks, or enter the password in response to the prompt instead of on the command line. The following example shows how to enter a mixed-case password on the command line:


LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="OverTheRainbow"
%PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

You can specify an optional description for the user by including the /DESCRIPTION qualifier. If the description contains nonalphanumeric characters, spaces, or lowercase letters, enclose the description in quotation marks.

3.1.4.1.1 Creating a Global User Account

Use the ADD USER command to create a global user account, as in the following example:


LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD -
_LANDOFOZ\\TINMAN> /DESCRIPTION= "The Straw Man" -
_LANDOFOZ\\TINMAN> /FULLNAME="Man, Straw"
Password:
Password verification:
%PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

You can let Advanced Server prompt you for the user name and the password. The password is not displayed as you enter it. You should always supply a password when you add a user account, or explicitly specify that the user account has no password (using the /NOPASSWORD qualifier); otherwise the password value is unknown. By default, a user account is created with an expired password. The user must enter a new password at first logon. To remove the need for users to reset their passwords at first logon, use the /FLAGS=(NOPWDEXPIRED) qualifier with the ADD USER command.

You can specify additional details about the user account, including an account description, expiration date, a full name, type of account (global or local), a home directory, logon hours, group membership, user profile, logon script, and workstation names, if any. For details on the ADD USER command, refer to the HP Advanced Server for OpenVMS Commands Reference Manual.

The ADD USER command does not create an OpenVMS user account. However, if the user also has an OpenVMS account, you can associate the two user accounts. For more information, see Section 3.1.16, User Account Host Mapping.

Users with both a network account and an OpenVMS account have two passwords: one for each user account. You can enable external authentication for these users, providing automatic password synchronization between the OpenVMS password and the network password. For information about external authentication, see Section 3.1.17, External Authentication.

3.1.4.1.2 Verifying That the User Has Been Added

To verify that the user you created an account for has been added, use the SHOW USERS command. You can display details about a user account with the SHOW USERS/FULL command. For example:


LANDOFOZ\\TINMAN> SHOW USERS SCARECROW/FULL

User accounts in domain "LANDOFOZ":

User Name             Full Name             Type    Description
--------------------  --------------------  ------  ---------------
SCARECROW             Man, Straw            Global  The Straw Man
    User Profile:
    Logon Script:
    Primary Group: Domain Users
    Member of groups: Domain Users
    Workstations: No workstation restrictions
    Logon Flags: Login script is executed, Password is expired
    Account Type: Global
    Account Expires: Never
    Logon hours: (All hours)
    Last Log On: 08/23/00 05:07 PM
    Password Last Set: 06/30/00 11:03 AM
    Password Changeable: 06/30/00 11:03 AM
    Password Expires: 09/11/00 11:03 AM

  Total of 1 user account

LANDOFOZ\\TINMAN>

A primary group is used when a user logs on using Windows NT Services for Macintosh, or runs POSIX applications.

3.1.4.1.3 Creating a Local User Account

To create a local user account, use the ADD USER command as shown previously, and include the /LOCAL qualifier.

3.1.4.2 Creating User Account Templates

You can create a template for user accounts, specifying user account information common to the new user accounts you need to create. Most user account information can be copied from the template to the new user accounts, except for user name and password. For example, you could create a template user account as follows:


LANDOFOZ\\TINMAN> ADD USER TEMPLATE/LOCAL/HOURS=(8-5) -
_LANDOFOZ\\TINMAN> /MEMBER_OF_GROUPS=MUNCHKINS
%PWRK-S-USERADD, user "TEMPLATE" added to domain "LANDOFOZ"

You can then use the COPY USER command to create many new user accounts that have these same characteristics. Once you have completed adding all your new user accounts, you can then delete or disable the TEMPLATE user account, as described in Section 3.1.15, Disabling and Removing User Accounts.

3.1.4.3 Copying User Accounts

You can use the COPY USER command to create a new user account from an existing account or a template account. Some of the original user account information is copied to the new user account, such as group memberships and logon restrictions. A template account makes it easier to create many similar user accounts with fewer errors than to create them one by one. Some user account information, such as user name and password, is not copied to the new user account. You should always supply a password when you create a new user account, or explicitly specify that the user account has no password (using the /NOPASSWORD qualifier); otherwise the password value is unknown.

Use the /PASSWORD qualifier with the COPY USER command to specify the password for the new user account. For example, to create a new user LION based on a user account template (TEMPLATE), enter the following command:


LANDOFOZ\\TINMAN> COPY USER TEMPLATE LION/PASSWORD="Roaring1" -
_LANDOFOZ\\TINMAN> /FULL_NAME="Cowardly Lion"
%PWRK-S-USERCOPY, user "TEMPLATE" copied to "LION" in domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

This example copies the TEMPLATE user account information to a new account for user LION and uses the /FULL_NAME qualifier to provide the full name for the new user. The /PASSWORD qualifier specifies the password for the account LION. You can verify that the user is correctly added, by using the SHOW USERS command.

3.1.5 Specifying Passwords

Users must specify their password when they log on to the domain. The user name and password are validated against the security accounts database.

Advanced Server password characteristics are controlled by the following:

  • The /FLAGS qualifier with the ADD USER, COPY USER, and MODIFY USER commands.
    For example, use ADD USER/FLAGS=(keyword) to specify password characteristics when you create a user account. The keywords that control the password characteristics are:
    • [NO]DISPWDEXPIRATION, which prevents the password from expiring.
    • [NO]PWDEXPIRED, which specifies whether the password is initially expired. This forces the user to specify a new password when they log on the first time.
    • [NO]PWDLOCKED, which specifies whether the user is allowed to change the password.

    For more information about these commands and qualifiers, refer to the HP Advanced Server for OpenVMS Commands Reference Manual.
  • The SET ACCOUNT POLICY/PASSWORD_POLICY command.
    This command sets domainwide account policy characteristics that pertain to all passwords, including the:
    • Maximum password age
    • Minimum password age
    • Minimum length of the password
    • Whether password history is maintained

    For more information about how to use this command to establish a policy for password usage, see Section 2.2.1, Managing the Account Policy.
  • The SET ACCOUNT POLICY/LOCKOUT command.
    This command establishes how failed attempts to log on to the network are handled. You can use this command to specify the number of failed logon attempts before the account is locked, as explained in detail in Section 2.2.1, Managing the Account Policy.
    By default, user account lockout is disabled, meaning that the user accounts are never locked out, no matter how many failed logon attempts are made on a user account.
    For more information about setting the account policy, see Section 2.2, Managing Security Policies and refer to the HP Advanced Server for OpenVMS Commands Reference Manual.

Network users who also have OpenVMS user accounts have two passwords, one for each account. If password synchronization is important, as with external authentication, be careful to observe limitations in password length and characters required by OpenVMS as well as Advanced Server. Network passwords can be up to 14 characters long; OpenVMS passwords can be longer. To help ensure security, select secure passwords using words not found in the dictionary, including numbers or nonalphabetic characters.

When you add a new user or modify the password for an existing user, you specify the password for that user. For example:


LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="YellowRoad"
%PWRK-S-USERADD, user "SCARECROW" added on domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

To preserve case in a password, enclose it in quotation marks. By default, a password entered on the command line that is not enclosed in quotation marks is stored in uppercase letters. However, case is preserved for a password entered in response to a prompt.

3.1.5.1 Changing a User Password

To change a user's password, you can use the SET PASSWORD command or the MODIFY USER/PASSWORD command. For example:


LANDOFOZ\\TINMAN> SET PASSWORD SCARECROW "YellowRoad" "EmeraldCity"
%PWRK-S-PSWCHANGED, password changed for user "SCARECROW" in domain
"LANDOFOZ"

LANDOFOZ\\TINMAN>

In this example, the user name is SCARECROW, the existing password is "YellowRoad" and the password is changed to "EmeraldCity."

3.1.6 Specifying Group Membership

Group membership allows you to control multiple user accounts and to grant permissions to use resources to a group of users rather than specifying individual users for resource permissions. By default, all user accounts are included in the special group Everyone. For the purposes of network administration, the user account is also included in the groups Domain Users and Users.

When you create a user account, you can specify membership in additional groups using the ADD GROUP or COPY GROUP command. For example, to include the user SCARECROW in the group MUNCHKINS, add the user account including the /MEMBER_OF_GROUPS qualifier, as follows:


LANDOFOZ\\TINMAN>ADD USER SCARECROW/PASSWORD/MEMBER_OF_GROUPS=(MUNCHKINS)
Password:
Password verification:
%PWRK-S-USERADD, user "SCARECROW" added to domain LANDOFOZ"

LANDOFOZ\\TINMAN>

3.1.7 Specifying Logon Hours

You can restrict the days and hours during which a user can connect to a server. The default is to allow a user to connect at all times. To specify logon hours, use the ADD USER, COPY USER, or MODIFY USER command with the /HOURS qualifier. Specify the hours to be administered as shown in Table 3-2, Specifying Logon Hours. The /NOHOURS qualifier specifies that the user cannot log on to the server.

Hours are inclusive: if you grant access during a given hour, access extends to the end of that hour; if no hours are specified for a given day, all hours are allowed.

Table 3-2 Specifying Logon Hours
Hours to Specify Example Specification
A specific hour /HOURS=(MONDAY=(8))
A block of hours /HOURS=(FRIDAY=(8-12))
One entire day /HOURS=(SUNDAY)
A specific hour across all seven days /HOURS=(SUNDAY=(1),MONDAY=(1),
TUESDAY=(1), WEDNESDAY=(1),
THURSDAY=(1),FRIDAY=(1), SATURDAY=(1))
All weekdays /HOURS=(WEEKDAYS)
The entire week /HOURS=(EVERYDAY)

In the following example, a user called MOUSEQUEEN is added to the domain LANDOFOZ with logon capability on Fridays from 8 a.m. to 12 noon.


LANDOFOZ\\TINMAN> ADD USER MOUSEQUEEN/HOURS=(FRIDAY=(8-12))
%PWRK-S-USERADD, user "MOUSEQUEEN" added to domain "LANDOFOZ"

The following example adds user BLACKCROW to domain LANDOFOZ, with logon capability from Monday through Friday, all hours.


LANDOFOZ\\TINMAN> ADD USER BLACKCROW/HOURS=(WEEKDAYS)
%PWRK-S-USERADD, user "BLACKCROW" added to domain "LANDOFOZ"

For more details on the /HOURS qualifier, see Section 3.1.14, Modifying User Accounts.

3.1.8 Specifying Logon Scripts

You can specify the execution of a logon script when a user logs on. A logon script is an executable or batch file of commands that runs on the client. It is typically used to configure the client for a particular user, performing such tasks as making network connections and starting applications. Logon scripts can be tailored to the requirements of individual users. A logon script typically has a .BAT, .CMD, or .EXE file extension, depending on its function.

3.1.8.1 Setting Up a Logon Script

When a user logs on, Advanced Server checks the user's account on the logon server for the name of a script. Scripts are kept on the primary and backup domain controllers. By default, user scripts on an Advanced Server are stored in the following location:

PWRK$LMROOT:[LANMAN.REPL.IMPORT.SCRIPTS]

3.1.8.2 Providing User Access to Logon Scripts

For a user to have access to a logon script, the following conditions must be true:

  • The SCRIPTS directory must be shared.
  • The user must have R (read) permission for the script. By default, all users in group Everyone have R (read) permission to access the scripts directory.

Ensure that permissions on the directory or share where the scripts reside permit access to all users who will be using the scripts. Advanced Server automatically provides Read access to members of the special group Everyone.

When the NetLogon service starts, the Advanced Server shares the scripts directory identified with the share name NETLOGON. For logon scripts to run, do not remove the NETLOGON share. You can display information about the NETLOGON share using the SHOW SHARE NETLOGON/FULL command. For example:


LANDOFOZ\\TINMAN> SHOW SHARE NETLOGON/FULL

Shared resources on server "TINMAN":
Name          Type       Description
------------  ---------  ------------------------------------------
NETLOGON      Directory  Logon Scripts Directory
    Path: PWRK$LMROOT:[LANMAN.REPL.IMPORT.SCRIPTS]
    Connections:  Current: 0, Maximum: No limit
    RMS file format: Stream
    Directory Permissions: System: RWED, Owner: RWED, Group: RWED, World: RE
    File Permissions: System: RWD, Owner: RWD, Group: RWD, World: R
    Share Permissions:
        Everyone                        Read

  Total of 1 share

LANDOFOZ\\TINMAN>


Previous Next Contents Index