HP OpenVMS Systems

HP Advanced Server for OpenVMS
Commands Reference Manual

As mentioned previously, member servers do not maintain or manage the domain-wide security accounts database and cannot manage or display certain objects, such as global groups, primary groups, and trusts. Table 2-1, Disallowed or Restricted Commands When Administering a Member Server's Local Database, lists the commands that are not allowed, or are restricted when, administering the member server's local domain database. If you attempt to use these commands in such circumstances, the following error message will be displayed:

%PWRK-E-DCONLY, operation is only valid to a Domain Controller

The affected commands are categorized by each of the following management objects: COMPUTER, GROUP, TRUST, and USER.

Some of your network users may be designated as Account Operators, Print Operators, or Server Operators. These users have limited administrative or operator privileges that enable them to perform specific tasks. If you have different operators responsible for parts of your network and you do not want to assign them full administrative privileges, then make them members of groups only at the server being administered.

Required privileges are included in the command descriptions in this manual.

2.1.4 Understanding Command Syntax

In this manual, command syntax for ADMINISTER commands is denoted as follows:

• An option enclosed in braces ({ }) is required. For example, {YES | NO} indicates that you must specify either YES or NO when using the command.
• An option enclosed in brackets ([ ]) is optional. For example, [password] indicates that a password can be used with the command if desired, but it is not required.
• When a vertical bar (|) separates items within braces or brackets, select only one option. For example, the following list indicates that you must select only one of the options:
  {/HOLD | /RELEASE | /DELETE}
• When an ellipsis (...) appears in a syntax statement, you can repeat the previous item. For example, /FLAGS=(option, ...) indicates that you can specify more than one option, with a comma between the flag options.
• Be sure to type slashes (/), backslashes (\), commas (,), double quotes ("), equal signs (=), colons (:), parentheses ( ), semicolons (;), spaces ( ), and asterisks (*) as they are shown.
• When you finish typing a command, press Return or Enter.
• If you are typing a long command string, do not press Return when your cursor gets to the edge of your screen; the cursor wraps around and continues on the next line of your screen. Press Return only after you finish typing the entire command string. Or, enter multiple line command strings; use a hyphen (-) at the end of the line as the continuation character.

In general, the ADMINISTER command syntax conforms to the OpenVMS DCL command conventions. Refer to the OpenVMS DCL Dictionary for more information.

2.1.5 Case Sensitivity

Due to the behavior of OpenVMS, all parameters and qualifier values entered on the command line are converted to uppercase characters when they are processed by the user interface. If you wish to preserve case, or you wish to enter any value that contains blanks (spaces) or any nonalphanumeric characters, you must enclose the value in quotation marks. This is not necessary, however, if you are prompted for additional information after entering a command.

For further information, refer to your Server Administrator's Guide.

2.1.6 Using Passwords with Commands

$ ADMINISTER
LANDOFOZ\\TINMAN> LOGON JIM KAHUNA
The server \\TINMAN successfully logged you on as JIM.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 10/08/01 07:48 PM

LANDOFOZ\\TINMAN>

Because passwords are case sensitive in most cases, pay careful attention when entering them on a command line. If they are to contain any lowercase letters, blanks (spaces), or nonalphanumeric characters, be sure to enclose them in quotation marks.

You can also have the user interface prompt you for the password. For example, to log on to the network, type:

$ ADMINISTER
LANDOFOZ\\TINMAN> LOGON JIM
Password:
The server \\TINMAN successfully logged you on as JIM.
Your privilege level on domain LANDOFOZ is ADMIN.
The last time you logged on was 10/08/01 07:48 PM

LANDOFOZ\\TINMAN>

When you enter a password when prompted, as in the second example, the password does not appear on the screen as you type. This helps you keep your password confidential, providing added security. In addition, you need not use quotation marks if the password contains lowercase letters, blanks (spaces), or nonalphanumeric characters (as you do when entering the password on the command line).

If you forget to enter a password for a command that requires one, the software prompts you for it. Depending on the command that you type, the software may also prompt you for other required information, such as your user name.

Although the software may prompt for required parameters, do not rely on the software to prompt you for all required information. Be sure to enter all required information, except for passwords, on the command line.

2.1.7 Using Abbreviations

In general, the command descriptions in this manual include full command names, command options, and service names. However, the software recognizes abbreviations. Note that abbreviations are not recommended for use in batch jobs and command procedures.

You can abbreviate any command option by typing enough letters to distinguish it from other command options. The following is an example of the SET AUDIT POLICY command:

$ ADMINISTER
LANDOFOZ\\TINMAN> SET AUD POLI /FAILURE=(LOGONOFF,PROCESS) -
_LANDOFOZ\\TINMAN>/AUDIT/SUCCESS=(ALL)
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

Note the use of the continuation character (-) to enter this long command string.

You can abbreviate options and qualifiers as illustrated in the following example:

$ ADMIN
LANDOFOZ\\TINMAN> SET AUD POLICY/FAIL=(LOG,PROC)/AUD/SUCCESS=(ALL)
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"

LANDOFOZ\\TINMAN>

You can manage a server with batch jobs that you set up. The .COM files can contain the ADMINISTER commands you would otherwise enter interactively. The following example (EVT_CLEANUP.COM) saves an event log, then clears it:

$ TYPE EVT_CLEANUP.COM
$ ADMINISTER SAVE EVENTS/TYPE=SECURITY SYS$BACKUP:PW-SECURITY.EVT
$ ADMINISTER CLEAR EVENTS/TYPE=SECURITY/NOCONFIRM
$ EXIT

For commands that have confirmation responses (selectable using /CONFIRM and /NOCONFIRM qualifiers), the default in batch mode is to not ask for confirmation. In other words, /NOCONFIRM is the default action for batch jobs.

2.1.9 Universal Naming Convention (UNC) for Path Names

When using the Universal Naming Convention (UNC) for specifying the path to a shared directory or file, the UNC path has the form

\\server-name\share-name\path

where:

The server-name portion of the UNC, if omitted, defaults to the server currently being administered (the server to which commands are directed). You can omit the backslash before the share-name if you omit the server-name.

Except for the TAKE FILE OWNERSHIP command, you can use standard DOS wildcards within file names, but not for directories. The TAKE FILE OWNERSHIP command does not accept wildcards for the UNC path.

2.1.10 Parameter Restrictions

The ADMINISTER command parameters listed in Table 2-2, ADMINISTER Command Parameter Restrictions, cannot contain the following characters:

" / \ [ ] : ; | = , + * ? < >

When using ADMINISTER commands, note the parameter restrictions listed in Table 2-2, ADMINISTER Command Parameter Restrictions:

Adds a computer account to a domain's security database (the domain-wide user accounts database). Before a computer can join a domain, a computer account must be added to the domain's security database.

The ADD COMPUTER command is useful only if you do not wish to give out the user name and password of an Administrator account in your domain to the administrator of the computer that will join your domain. If you do not wish to supply this information, use the ADD COMPUTER command to add the computer account to your domain before the computer's administrator joins the domain. If you supply password information to the administrator of the other computer, the administrator can use it when joining and the computer account will be added to the domain automatically.

The ADD COMPUTER command is not necessary for the primary domain controller; that computer is added automatically.

Note that until the intended computer account actually joins the domain, it is possible for a malicious user to give a different computer that computer name, and then have it join the domain using the computer account you have just created. If the added computer is a backup domain controller when it joins, it receives a copy of the domain's security database.

Format

ADD COMPUTER computer-name [/qualifiers]

restrictions

Use of this command requires membership in the Administrators local group.

Related Commands

REMOVE COMPUTER
SET COMPUTER
SHOW COMPUTERS

Parameters

computer-name

Specifies a 1 to 15 character name for the computer account to be added to the domain. The specified name cannot be the same as any other computer or domain name in the network.

Qualifiers

/DOMAIN=domain-name

Specifies the name of the domain to which to add the computer account. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.

/ROLE=role-type

Specifies the computer's role in the network. (Note that to change the role of a backup domain controller to a primary domain controller, or vice versa, use the SET COMPUTER/ROLE command. To change the role of an Advanced Server domain controller to a member server, or of an Advanced Server member server to a domain controller, you must use the SYS$UPDATE:PWRK$CONFIG command procedure. ) The role-type keyword can be one of the following:

Role-Type	Specify if the computer is:
BACKUP_DOMAIN_CONTROLLER
	A Windows NT or compatible backup domain controller.
SERVER	Windows NT or compatible server, but not a primary or backup domain controller.
WORKSTATION	A Windows NT Workstation. This is the default.

/SERVER=server-name

Specifies the name of a server that is a member of the domain to which to add the computer account. Do not specify both /DOMAIN and /SERVER on the same command line.

Example

LANDOFOZ\\TINMAN> ADD COMPUTER DOROTHY/ROLE=SERVER
%PWRK-S-COMPADD, computer "DOROTHY" added to domain "LANDOFOZ"

      

This example adds the computer named DOROTHY to the default domain (LANDOFOZ), as a Windows NT compatible server.

Adds a local or global group to a domain's security database, and optionally adds members to the group.

Format

ADD GROUP group-name [/qualifiers]

restrictions

Use of this command requires membership in the Administrators or Account Operators local group.

Related Commands

COPY GROUP
MODIFY GROUP
REMOVE GROUP
SHOW GROUPS

Parameters

group-name

Specifies a 1 to 20 character name for the group to be added. A group name cannot be identical to any other group or user name of the domain or server being administered. It can contain any uppercase or lowercase characters except for the following:

" / \ [ ] : ; | = , + * ? < >

Qualifiers

/DESCRIPTION="string"

/NODESCRIPTION

Specifies a string of up to 256 characters used to provide descriptive information about the group. Enclose the string in quotation marks if it contains lowercase letters, blanks (spaces) or other nonalphanumeric characters. /NODESCRIPTION, the default, indicates that the description is to be blank.

/DOMAIN=domain-name

Specifies the name of the domain to which to add the group. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line.

/GLOBAL

Indicates that the specified group is to be added as a global group. This is the default if neither /GLOBAL nor /LOCAL are specified. Do not specify both /GLOBAL and /LOCAL on the same command line.

/LOCAL

Indicates that the specified group is to be added as a local group. By default, a group is added as a global group. Do not specify both /GLOBAL and /LOCAL on the same command line.

/MEMBERS=([domain-name]\member-name[,...])

Adds the specified members to the membership list of the group. If the group being added is a local group, you can add user accounts and global groups from the domain being administered and from domains it trusts.

To specify a user account or global group in a trusted domain, enter a domain-qualified name (domain-name\member-name), such as KANSAS\DOLE, where KANSAS is the name of the trusted domain, and DOLE is the user or group name defined in the trusted domain. If you omit a domain name, the user or group is assumed to be defined in the domain being administered.

If the group being added is a global group, you can add user accounts only from the domain being administered.

/SERVER=server-name

Specifies the name of a server that is a member of the domain to which to add the group. Do not specify both /DOMAIN and /SERVER on the same command line.

Examples

 LANDOFOZ\\TINMAN> ADD GROUP MUNCHKINS/MEMBERS=(SCARECROW,STRAWMAN)
 %PWRK-S-GROUPADD, group "MUNCHKINS" added to domain "LANDOFOZ"
      

This example adds the global group named MUNCHKINS to the default domain being administered (LANDOFOZ). The group will contain as members, the users named SCARECROW and STRAWMAN. The group is added as a global group because neither the /GLOBAL nor /LOCAL qualifiers were specified, and /GLOBAL is the default.

 LANDOFOZ\\TINMAN> ADD GROUP WINKIES/LOCAL -
 _LANDOFOZ\\TINMAN> /MEMBERS=(MUNCHKINS,KANSAS\WIZARD)
 %PWRK-S-GROUPADD, group "WINKIES" added to domain "LANDOFOZ"
      

This example adds the local group named WINKIES to the default domain being administered (LANDOFOZ). The group will contain as members, the global group MUNCHKINS from the LANDOFOZ domain, and the user WIZARD from the trusted domain KANSAS.