3    Creating User Accounts

By default, the ASU server and Tru64 UNIX operating system software must authenticate a user's name and password before a user can access an ASU share. Therefore, a Windows user must have a domain user account that the ASU server uses for user authentication and a Tru64 UNIX user account that the Tru64 UNIX operating system uses for user authentication.

By default, when you create a domain user account, the ASU server automatically creates a Tru64 UNIX user account in the local /etc/passwd file if an account with the same name does not exit. The Tru64 UNIX operating system software uses the local user account information for authentication if you did not configure it to direct authentication requests to a Windows 2000 Server or to a Windows NT Server Version 4.0 as described in Section 1.1.3.

This chapter describes how to change the default ASU server behavior and how to create and manage domain user accounts and Tru64 UNIX user accounts created by the ASU server.

3.1    Domain User Account Attributes

A domain user account is the same whether you create it on an ASU server or a Windows NT server.

A domain user account is made up of three categories of attributes:

Table 3-1 describes the mandatory domain user account attributes for which you must provide values when you create a domain user account.

Table 3-1:  Mandatory Domain User Account Attributes

Attribute Specifies Restrictions/Default
User name The name of the user account A user name must be unique.Can contain up to 20 alphanumeric characters. However, 8 or fewer is recommended because by default, this user name maps to a Tru64 UNIX user name that is limited to 8 alphanumeric characters.
Password The password assigned to the user account Can contain up to 14 alphanumeric characters.

Table 3-2 describes the mandatory attributes that are assigned default values. You can change the default value when you create an domain account.

Table 3-2:  Mandatory Domain User Account Attributes

Attribute Specifies Possible/Default Values
Account type If the user account is global (for regular user accounts in this domain) or local (for user accounts on a member server that are not in the domain) Global or localDefault: Global
Active If the user account is activated or deactivated Yes or noDefault: Yes (activated)
Country code The language files for a user's help and error messages A numeric value that the operating system uses for a country codeDefault: 0 (same as the operating system)
Expires The date that the user account expires A date or neverDefault: Never
Must change password If the user must change password at next logon Yes or noDefault: When using the net user command the default is no (do not force a password change). When using the User Manager for Domains GUI the default is yes (force a password change).
Password change If the user can change the password Yes or noDefault: Yes (allow change)
Password expires If the password expires based on the maximum password age Yes or noDefault: Yes (password expires)
Password must change If the user must change the password at next logon Yes or noDefault: No (do not have to change password)
Password required If a user account requires a password Yes or noDefault: Yes (requires a password)
Primary group The primary group for the user Any global group to which the user belongsDefault: Domain Users
Times The times when the user is allowed to use the ASU server A specified time or AllDefault: All
Workstations Up to eight computer names from which a user can log on to the network A comma-separated list or an asterisk (*) or no list to allow log on from any clientDefault: * (all)

Table 3-3 describes the optional attributes for which you can provide values when you create a domain user account.

Table 3-3:  Optional Domain User Account Attributes

Attribute Specifies Possible Values
Comment A comment about the user's account Can contain up to 48 alphanumeric characters enclosed in quotation marks
Full name A user's full name (rather than user name) Can contain up to 256 alphanumeric characters enclosed in quotation marks
Home directory The pathname for the user's home directory A path nameDefault: none
Home directory drive A network drive letter; for example z:, to connect the user's remote home directory as a local drive. An alpha character followed by a colon. Default: none
Profile path A path for the user's logon profile A path nameDefault: none
Script path The path to the user's login script A path nameDefault: none
User comment An administrative comment Can contain up to 48 alphanumeric characters enclosed in quotation marks

3.2    Tru64 UNIX User Accounts Created by ASU

By default, when you create a domain user account, the ASU server automatically creates a Tru64 UNIX user account (using lowercase letters) in the local /etc/passwd file if an account with the same name does not exist.

You control if and how the ASU server creates Tru64 UNIX user accounts by assigning values to registry value entries located in the following registry path:

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/ AdvancedServer/UserServiceParameters

If the CreateUnixUser value entry is enabled, which it is by default, then how and where the ASU server creates Tru64 UNIX user accounts depends on the values assigned to other entries in the UserServiceParameters registry subkey. For example, entries that define:

The following sections describe some of the registry value entries that effect the setup and behavior of Tru64 UNIX user accounts that are created by the ASU server. See Section B.1.9 for a complete list of registry value entries that effect how the ASU server creates Tru64 UNIX user account.

3.2.1    ASU and Tru64 UNIX User Account Attributes

By default, the ASU server creates a Tru64 UNIX user account using the same name in lowercase letters as the domain user account. However, domain user account names can contain up to 20 characters; the maximum number of characters for a Tru64 UNIX user account is 8. If a domain user account name exceeds 8 characters, then the ASU server creates a Tru64 UNIX user account using the first 6 characters and substitutes random characters for the last 2 characters. For example, if a domain user account name is longusername, then the corresponding Tru64 UNIX user account that the ASU server creates might be named longush3.

If you are using Tru64 UNIX for user account authentication, then you must set Tru64 UNIX passwords for users before they can log in to the Tru64 UNIX system.

Table 3-4 describes the registry value entries that effect how the ASU server creates Tru64 UNIX user accounts.

Table 3-4:  User Account Value Entries

Entry Specifies/Default
Exclude A range of Tru64 UNIX user IDs that the ASU server cannot assign. If the ASU server attempts to create a Tru64 UNIX account with a name that matches a user ID in the exclude list, then the ASU server generates a new Tru64 UNIX user account. Default: 0 - 100
ForceUniqueUnixUserAccount Whether to automatically assign an existing Tru64 UNIX user account if one exists when the ASU server creates a Tru64 UNIX user account, or to create a unique Tru64 UNIX user account. Default: 0 (Assign existing accounts)
NewUserShell The login shell for new Tru64 UNIX user accounts. Set this key to /bin/false to prevent users from logging in to the Tru64 UNIX system. Default: /bin/sh

PreserveCase

Whether or not the ASU server creates Tru64 UNIX user accounts using the same case that you enter to create domain user accounts.

Default: 0 (do not preseve the case; create Tru64 UNIX user accounts using lowercase letters)

UserRemark

Specifies the comment associated with the USERS shared directory.Default: Users Directory

You use a registry editor to change the values of these entries. For example, follow these steps to use the regconfig editor to change the UserRemark entry to display ASU user home directories. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Change the text associated with the UserRemark entry to ASU user home directories by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/\ 
    AdvancedServer/UserServiceParameters \         
    UserRemark  REG_SZ 'ASU user home directories'
    

  2. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

3.2.2    ASU and Tru64 UNIX User Account Home Directories

Table 3-5 describes the registry value entries that define how the ASU server effects Tru64 UNIX user directories:

Table 3-5:  User Directory Value Entries

Entry Specifies/Default

CreateUnixHomeDirectory

Whether or not the ASU server creates a user's Tru64 UNIX home directory when it creates a Tru64 UNIX user account.

Default: 1 (create Tru64 UNIX home directory)

DeleteUnixHomeDirectory

Whether or not the ASU server deletes a user's Tru64 UNIX home directory when it deletes the Tru64 UNIX user account. Note: The ASU server only deletes Tru64 UNIX user accounts that it created. Default: 0 (do not delete home directories)

SpreadUnixHomeDirectory

Whether or not the ASU server creates Tru64 UNIX user home directories in a one-letter subdirectory that corresponds to the first letter of the user name. For example, whether or not the Tru64 UNIX home directory for a user named peter is created as /usr/users/p/peter.Enabling this entry allows you to create more than 32,768 user home directories under the /usr/users directory path.Default: 0 (do not use one-letter subdirectories)

SyncUnixHomeDirectory

Whether or not the ASU server changes the Tru64 UNIX home directory of a user account if the home directory of the associated domain user account changes. Default: 0 (do not synchronize home directories)

You use a registry editor to change the values of these keys. For example, follow these steps to use the regconfig registry editor to delete a user's Tru64 UNIX home directory when you delete their domain user account. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Enable the DeleteUnixHomeDirectory entry by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/\ 
    AdvancedServer/UserServiceParameters \  
    DeleteUnixHomeDirectory REG_DWORD 1
    

  2. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

3.2.3    Local or NIS Tru64 UNIX User Accounts

By default, the ASU server creates Tru64 UNIX user accounts in the local /etc/passwd file. If the Tru64 UNIX system is configured as the ASU PDC and the network information service (NIS) master, you can configure the ASU server to use NIS when creating Tru64 UNIX user accounts.

Table 3-6 describes the registry value entries that specify if the ASU server creates Tru64 UNIX user accounts with NIS.

Table 3-6:  User Account NIS Value Entries

Registry Value Entry Specifies/Default

UseNIS

Whether or not the ASU server uses NIS to create Tru64 UNIX user account. Enable this value entry only on a Tru64 UNIX system that is configured as an ASU PDC and as a NIS master.Default: 0 (not enabled)

NISPasswordFile

The directory path to the NIS password file.Default: /var/yp/src/passwd

Use a registry editor to change the values of these entries. For example, follow these steps to use the regconfig registry editor to enable the ASU server to use NIS when creating Tru64 UNIX user accounts. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Ensure that the ASU server is configured as the PDC. To display the role of the ASU server, enter:

    # net computer

    See Chapter 1 if you need to reconfigure the role of the ASU server.

  2. On the PDC, ensure that the system is the NIS master. To display and change a system's NIS configuration, enter:

    # nissetup

  3. On the PDC, enable the UseNIS entry by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/\ 
    AdvancedServer/UserServiceParameters UseNIS REG_DWORD 1
    

  4. On the PDC, display the value of the NISPasswordFile entry and, if necessary, change the value. To display the value of the NISPasswordFile entry, enter:

    # regconfig SYSTEM/CurrentControlSet/Services/\  
    AdvancedServer/UserServiceParameters NISPasswordFile
    

  5. On BDCs, ensure that the CreateUnixUser entry is disabled so that it does not create Tru64 UNIX user accounts. To display the value of the CreateUnixUser entry, enter:

    # regconfig SYSTEM/CurrentControlSet/Services/\ 
    AdvancedServer/UserServiceParameters CreateUnixUser
    

    To disable the CreateUnixUser entry, enter:

    # regconfig SYSTEM/CurrentControlSet/Services/\ 
    AdvancedServer/UserServiceParameters \     
    CreateUnixUser REG_DWORD 0
    

  6. On each system for which you changed a registry value, restart the ASU server by entering the following commands:

    # net stop server

    # net start server

3.2.4    Tru64 UNIX and Domain Password Synchronization

The ASU software associates the domain and Tru64 UNIX user accounts; however, the accounts are independently stored and managed and users can set different passwords for each account. To coordinate user passwords, the ASU software provides the following options:

3.2.4.1    Enabling the SyncUnixPassword Entry

To configure the ASU server to synchronize passwords, you must enable the SyncUnixPassword entry.

If the UseNIS entry is enabled, the ASU server synchronizes Tru64 UNIX passwords in the file defined by the NISPasswordFile entry. Otherwise, the ASU server synchronizes passwords in the local /etc/passwd file.

See Section 3.2.3 for more information on NIS.

The Tru64 UNIX user account must have a valid password. For example, the ASU server will not synchronize a Tru64 UNIX password of NoLogin or asterisk (*). You must use Tru64 UNIX commands or utilities to change the password to a valid Tru64 UNIX password.

Follow these steps to use the regconfig registry editor to configure the ASU server to synchronize Tru64 UNIX passwords to domain user account passwords. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. On the PDC, enable the SyncUnixPassword registry entry. To enable the SyncUnixPassword registry entry, enter:

    # regconfig SYSTEM/CurrentControlSet/Services/\ 
    AdvancedServer/UserServiceParameters \    
    SyncUnixPassword REG_DWORD 1 
    

  2. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

3.2.4.2    Installing the Change Password Utility

You install the Password Management utility independently of the Windows Administrative interfaces.

Follow these steps to install the Change Password utility on a system running the Windows operating system software:

  1. On the Tru64 UNIX system, ensure that the Client-based Advanced Server Administration Tools subset is installed. To display installed ASU subsets, enter:

    # setld -i |grep ASU |grep -v not |grep installed

    Look for the ASUADMnnn (nnn reflects the current ASU version) subset in the output.

    If ASUADMnnn is displayed, the subset is installed. Otherwise, you must install the ASUADMnnn subset. See Section 1.3 for information on installing ASU subsets.

  2. Connect a network drive to the astools disk share.

  3. Select the asdupass folder.

  4. Change to the i386 directory.

  5. Run the setup.exe program and follow the instructions on the screen.

3.2.4.2.1    Using the Password Management Utility on a Windows 95 System

The Password Management utility is integrated with the Windows 95 password utility. Follow these steps to use the Change Password utility:

  1. Start the Password Management utility by selecting the Passwords icon from the Control Panel.

    The Password Properties dialog box is displayed

  2. Click on the Change Other Passwords... button.

    The Select Password dialog box is displayed

  3. Select either the ASDU UNIX or NIS password option to change your Tru64 UNIX or NIS password, or select the Microsoft Networking option to change your domain user account password, and click on the Change... button.

    With either option, a Change Password dialog box is displayed.

  4. Enter your old, new, and confirmed new passwords in the Change Password dialog box.

See the Password Management utility online help for more information about the Password Management utility.

3.2.4.2.2    Using the Password Management Utility on a Windows NT System

Follow these steps to start the Password Management utility on a system running the Windows NT operating system software:

  1. Expand the Programs option from the Start button.

  2. Select the ASDU Password option to start the Password Management utility.

Enter your old and new passwords in the password fields, then choose the account to which you want to apply the change and click on:

In either case a dialog box is displayed in which users supply specific user and server information.

See the Password Management utility online help for more information about the Password Management utility.

3.3    Disabling ASU from Creating Tru64 UNIX User Accounts

You can configure the ASU server to not create Tru64 UNIX user accounts when you create domain user accounts. This is recommended if you are running NIS and the ASU server is configured as a BDC.

Follow these steps to use the regconfig registry editor to configure the ASU server to not create Tru64 UNIX user accounts. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Disable the CreateUnixUser entry by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/\  
    AdvancedServer/UserServiceParameters \      
    CreateUnixUser REG_DWORD 0
    

  2. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

If you disable the CreateUnixUser entry, you can follow these steps to use the regconfig registry editor to enable the MapExistingUnixUser entry to map a newly created domain user account to an existing Tru64 UNIX user account with the same name in lowercase letters. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Enable the MapExistingUnixUser entry by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/\  
    AdvancedServer/UserServiceParameters \ 
    MapExistingUnixUser REG_DWORD 1
    

  2. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

3.4    Creating a Domain User Account

You can use either of the following interfaces to create a domain user account:

You can also use the following Tru64 UNIX interfaces to create a domain user account when you create a Tru64 UNIX user account:

See System Administration for more information on creating domain user accounts using Tru64 UNIX interfaces.

Caution

On a Tru64 UNIX Version 5.0 or higher system, a lock file called /etc/.AM_is_running prevents you from using two different interfaces (or two instances of the same interface) at the same time. This might happen in large environments in which many administrators are managing user accounts. If the lock file exists, only one process can access the system files that relate to user and group data. If you attempt to invoke a second instance of any Tru64 UNIX account management interface, an error message informs you that the data file is locked.

If the lock file exists, neither the net command nor the User Manager for Domain GUI inform you about the presence of the lock file and creates only the domain user account. The associated Tru64 UNIX user account is not created. A message indicating that the associated Tru64 UNIX user account was not created or a lock file error message is displayed. When using the net command or the User Manager Manager for Domain GUI, you must check the /etc/passwd file to verify that the associated Tru64 UNIX user account was created.

3.4.1    Using the net user Command

You enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU server. Press the Enter key at the end of the entire command.

Table 3-7 shows the user account attributes and the net user command option that you use to set the attribute. See Section 3.1 for more information on these attributes.

Table 3-7:  Setting User Account Attributes

Attribute net user Option
User name Enter the user name after the net user command
Password Enter the password or an asterisk (*) to be prompted for the password
Account type /accounttype:{global | local}
Active /active:{yes | no}
Comment /comment:"value"
Country code /countrycode:value
Expires /expires:{date | never}
Full name /fullname:"value"
Home directory /homedir:pathname
Home directory drive /homedirdrive:letter
Must change password /passwordmustchg:{yes | no}
Password required /passwordreq:{yes | no}
Password change /passwordchg:{yes | no}
Password expires /passwordexp:{yes | no}
Primary group /primarygroup:[groupname]
Profile path /profilepath:[pathname]
Script path /scriptpath:[pathname]
Times /times:{times | all}
User name /username:"new_name"
User comment /usercomment:"text"
Workstation /workstations:{computername[,...] | *}

To create a domain user account named peter and a password of temporary, enter:

# net user peter temporary /add

To create a domain user account named peter and be prompted for the password, enter:

# net user peter \* /add

Enter the following command to create a domain user account named peter with a password of temporary, a comment of Office 3C, and force the user to change the password when first connecting to an ASU share. The backslash (\) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

# net user peter temporary /comment:"Office 3C"\ 
/passwordmustchg:yes /add

3.4.2    Using the User Manager for Domains

Follow these steps to create a domain user account using the User Manager for Domains GUI:

  1. Start the User Manager for Domains GUI (usrmgr.exe).

    You must install the User Manager for Domains GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the User Manager for Domains GUI.

    The main User Manager for Domains windows is displayed.

  2. From the User menu, choose Select Domain.

    The Select Domain dialog box is displayed.

  3. Choose the name of the domain in which you want to create the account by either entering the name in the Domain: field or by browsing and clicking on the domain name in the Select Domain: window.

    A dialog box is displayed that shows user account names in the domain.

  4. Choose New User from the Users menu.

    A New Users dialog box displays where you enter user information as shown in the following figure:

    Enter the user name, password, and other user account attributes in the appropriate fields. Click on the Groups, Profiles, Hours, Logon To, Account, or Dialin button to provide information for those related attributes.

  5. Click on the Add button to create the user account.

3.5    Domain and Tru64 UNIX User Account Mapping

The ASU server stores the mapping of a user's domain user account to their corresponding Tru64 UNIX user account. By default, one domain user account is mapped to one Tru64 UNIX user account. You can map one or many domain user accounts to a Tru64 UNIX user account. You cannot map a domain user account to multiple Tru64 UNIX user accounts.

The following are special mappings of domain user accounts to Tru64 UNIX user accounts:

The ASU server assigns the lmxadmin, lmxguest, and lmworld Tru64 UNIX user accounts the next available user ID if 200, 201, or 202 are assigned to other accounts.

You use the mapuname command to view and change the mapping between a user's domain user account and their corresponding Tru64 UNIX user account.

To display domain user account to Tru64 UNIX account mappings, enter:

# mapuname

Information similar to the following is displayed that shows the mappings for the built-in accounts and the user accounts in a domain. In the following example, the domain is called asudoc.dom.

Builtin:Account Operators       lmxadmin
asudoc.dom:john john
asudoc.dom:evan evan
asudoc.dom:Administrator        lmxadmin
Builtin:Server Operators        lmxadmin
:SYSTEM root
asudoc.dom:sam  sam
asudoc.dom:stan stan
asudoc.dom:peter        peter
asudoc.dom:Domain Admins        lmxadmin
Builtin:Print Operators lmxadmin
Builtin:Guests  lmxguest
asudoc.dom:Domain Guests        lmxguest
asudoc.dom:Guest        lmxguest
Builtin:Administrators  lmxadmin
Builtin:Backup Operators        lmxadmin

Follow these steps to change the mapping between a domain user account and a Tru64 UNIX user account:

  1. Delete the current mapping. To delete the current mapping for a user named peter, enter:

    # mapuname -d peter

  2. Add the new mapping. To map peter's account to the lmxadmin Tru64 UNIX account in a domain called asudoc.dom, enter:

    # mapuname -a asudoc.dom:peter lmxadmin

  3. Instruct the user to disconnect and reconnect to shares to effect the change. To verify that the user is disconnected, enter:

    # net session \\pc_name

    In this example, \\pc_name is the name of the user's system. A user is disconnected if a message indicates that there are no sessions for the computer.

See mapuname(8) for more information on the mapuname command.

3.6    Using Windows NT Server Version 4.0 Authentication

This section describes how users can log in to a Tru64 UNIX application and can change their passwords if you installed the ASU SIA software to configure the Tru64 UNIX operating system software use a Windows NT Version 4.0 Server for authentication, as described in Section 1.1.3.2.

3.6.1    Logging In To a Tru64 UNIX Application

Users can log in to a Tru64 UNIX application using their domain user account information by including the name of the domain that contains their user account information and their domain user name, for example:

\\domain_name\user_name

The double backslashes (\\) are optional. Users can omit the \\domain_name if they are logged in to the domain that contains their domain user account. To specify a default domain, edit the lanman.ini file and add the following entry under the [ workstation ] section:

[ workstation ]
defaultdomain=domain_name

Replace domain_name with the name of the default domain.

The ASU SIA module checks user name and password requests. If the ASU SIA module cannot authenticate the request, the request is passed to the local Tru64 UNIX security module.

If ASU SIA authenticates the request, the domain_name is stored in the NTUSERDOMAIN environment variable and the user_name is stored in the NTUSERNAME environment variable.

A user can use either their domain or Tru64 UNIX user account name and password with the Tru64 UNIX su command using the following format:

su [-f] | [-] \\domain_name\user_name

The double backslashes (\\) are optional. Users can omit the \\domain_name if they are logged in to the default ASU domain. If the user omits the user_name, the default is root.

3.6.2    Specifying Only Tru64 UNIX Authentication

Users can specify only Tru64 UNIX authentication when logging in to a Tru64 UNIX application by entering a colon ( : ) before their user name, for example:

:user_name

You can specify only Tru64 UNIX authentication for a user by entering the account name in the /etc/asusiausers file. The /etc/asusiausers file is a text file that you edit to enter one user account name per line. User account names must exactly match the user account name in the /etc/passwd file. In the /etc/asusiausers file white space is prohibited and a pound sign (#) must precede a comment line.

By default, the /etc/asusiausers file contains the root account. A user whose Tru64 UNIX user account name is in the /etc/asusiausers file must log in to a UNIX application using the following format:

\\domain_name\user_name

3.6.3    Changing Passwords

Users change their domain or Tru64 UNIX password by entering the Tru64 UNIX passwd command with the name of the domain that contains their user account information and their user name, for example:

passwd '\\domain_name\user_name'

The single quotes surrounding the domain and user names are necessary to prevent a shell from interpreting the backslash as an escape character. The double backslashes (\\) are optional. Users can omit the \\domain_name if they are logged in to their ASU domain. If the user omits the user_name, the default name is the value in the NTUSERNAME environment variable. If the NTUSERNAME is not set, the default name is the associated Tru64 UNIX user account name.

The user is either prompted for password information or a menu is displayed from which users choose a password to change. The menu is displayed if the user's name is recognized by more than one security module. Users choose ASU to change a domain password or BSD to change a Tru64 UNIX password.

3.7    Deleting a Domain User Account

To delete a domain user account you can use either:

3.8    Grouping Domain User Accounts

To ease administration, you can group domain user accounts and administer the group as one unit. Users added to a group become members of the group and immediately acquire the rights and permissions granted to the group. Changes made to the group effect each member.

Like user accounts, ASU and the Tru64 UNIX operating system software maintain separate repositories for group information. However, there is no mapping between ASU groups and Tru64 UNIX groups.

By default, a domain user account is a member of the Windows Everyone group and the Domain Users group. You cannot administer, that is, add users to or remove users from, the Everyone group. You can administer the Domain Users group or any other group that you create. Tru64 UNIX user accounts created by the ASU server are members of the Tru64 UNIX users group.

Certain ASU files are assigned DOS attributes. The ASU server uses the Tru64 UNIX group field and group numbers 91 through 99 to store DOS attributes. If, during the ASU installation, group numbers 91 to 99 groups are available, then the ASU server creates the following entries in the /etc/group file:

DOS----::99:
DOS-a--::98:
DOS--s-::97:
DOS---h::96:
DOS-as-::95:
DOS-a-h::94:
DOS--sh::93:
DOS-ash::92:
Other::91:

If, during the ASU installation, the group numbers 91 to 99 are not available, then the ASU server selects the next available range of group numbers and assigns them to the DOS attributes entries.

3.8.1    Creating and Administering a Domain Group

To create a domain group you must create the group, then add domain user accounts to the group. To create a domain group, you can use either:

3.8.1.1    Using the net Command

Enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU server. Press the Enter key at the end of the entire command.

To create a group called project1, enter:

# net group project1 /add

To add the peter, jen, mike, and sue domain user accounts as members to the project1 group, enter:

# net group project1 peter jen mike sue /add

To view project1 group information, enter:

# net group project1

3.8.1.2    Using the User Manager for Domains

Follow these steps to use the User Manager for Domains:

  1. Start the User Manager for Domains GUI (usrmgr.exe).

    You must install the User Manager for Domains GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the User Manager for Domains GUI.

    The main User Manager for Domains window is displayed.

  2. Choose Select Domain... from the User menu.

    The Select Domain dialog box is displayed.

  3. In the Domain: field, enter the name of the domain in which you want to create the group and click on the OK button.

    The User Manager main window is displayed. The top half of the window displays user names, the bottom half displays group names.

  4. Choose New Global Group from the User menu. The New Global Group box is displayed.

  5. Enter the name of the group and an optional group description. To add members to the group, click on a name in the Not Members window then click on the Add button, as shown in the following figure:

3.8.2    Deleting a Domain Group

To delete a domain group, you can use either:

3.8.2.1    Using the net Command

Enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU server. Press the Enter key at the end of the entire command.

To delete the project1 group, enter:

# net group project1 /delete

3.8.2.2    Using the User Manager for Domains

Follow these steps to use the User Manager for Domains:

  1. Start the User Manager for Domains GUI (usrmgr.exe).

    Install the User Manager for Domains GUI on the Windows NT system from which you will administer the ASU server. See Section 1.8 for information on installing the User Manager for Domains GUI.

    The User Manager for Domains window is displayed.

  2. Choose Select Domain... from the User menu.

    The Select Domain dialog box is displayed.

  3. In the Domain: field, enter the name of the domain in which you want to delete the group and click on the OK button.

    The User Manager main window is displayed. The top half of the window displays user names, the bottom half displays group names.

  4. Click on the name of the group that you want to delete.

  5. Choose Delete from the User Menu.