Assigning user accounts and organizing user accounts into related groups is the most common way that you will assign system resources to users. This chapter describes user account and group administration, organized into the following sections:
Section 7.1 describes the different utilities that you can use to administer accounts and groups, and the user environments in which you can use these utilities. Any general constraints on use are also identified.
Section 7.2 is a quick start section, providing brief information on the utilities. You can use the on-line help to guide you through a task.
Section 7.3 provides information to help you understand general account and group concepts, and important data items such as the unique identifiers assigned to accounts and groups. This section also describes the contents of the data files for passwords and groups and setting the default characteristics of an account or group.
Section 7.4 provides specific instructions on using utilities to perform administrative tasks on user accounts such as adding, modifying, and deleting user accounts and the associated system resources.
Section 7.5 provides specific instructions on using utilities to perform administrative tasks on user groups.
Section 7.6 provides information on administering associated (synchronized) Windows NT domain and UNIX accounts.
7.1 Account Administration Options and Restrictions
Depending on how your local system is configured, the user environment, and your personal preferences, there are several methods of administering accounts and a number of different utilities that you can use. The following sections introduce and describe your options and identify any restrictions or requirements for their use.
7.1.1 Administrative Utilities
The operating system provides several different utilities that you can use to administer accounts. Not all are described in detail in this chapter. However, the principles of use are the same for all utilities. Refer to the on-line help and reference pages for each utility for specific information on the options available.
The utilities are listed in Table 7-1. You must be root user on UNIX or the Windows NT domain Administrator to use these utilities.
Table 7-1: Utilities for Administering Accounts and Groups
Utility | User Environment
SysMan Menu, Accounts options (Manage local users and groups; Manage NIS users and groups) | You can use the SysMan Menu from a wide variety of user environments (see Chapter 1). This utility provides limited administrative features, such as adding and deleting accounts and groups. It does not enable you to administer the default characteristics for UNIX accounts and groups. It does not allow you to select the creation or deletion of associated (synchronized) accounts but does this automatically, depending on how the account defaults are configured (with useradd or usermod).
Account Manager (dxaccounts) | Any X11-compliant user environment, such as CDE (the default UNIX environment). This is a graphical user interface that provides most user and group administrative options for both UNIX and Windows NT domain accounts.
useradd, usermod, userdel | Character-cell terminal on UNIX. These are command-line utilities that run on the UNIX system, providing you with access to all user account administrative tasks. You can use these commands to administer both UNIX and associated (synchronized) Windows NT domain accounts. You can also use these commands to configure the default account environment.
groupadd, groupmod, groupdel | Character-cell terminal on UNIX. These are command-line utilities that run on the UNIX system, providing you with access to all user group administrative tasks. You can use these commands to configure the default UNIX group environment.
Advanced Server for UNIX, User Manager for Domains | A Microsoft Windows NT based application for a PC system. This utility enables you to administer Windows NT domain accounts. You can use this, and other ASU utilities, to set up the default account characteristics using the policy management options. You cannot configure the default UNIX account environment.
Advanced Server for UNIX, net commands | Commands that can be entered at a UNIX terminal or at the DOS prompt on a system running the Windows NT server. These commands replicate the behavior of the User Manager for Domains utility.
You must install and configure the Advanced Server for UNIX (ASU) software to use the Microsoft Windows-based utilities. ASU provides the following utilities that you can use to manage domain user accounts.
User Manager for Domains, a Microsoft Windows application
The net command-line options, which you can run in an MS-DOS window or UNIX terminal.
Using the ASU utilities is not explained in detail in this chapter, but is discussed only in the context of a UNIX server running the ASU software. Refer to the ASU Installation and Administration Guide for more information on installing and using ASU.
7.1.2 Windows 2000 Single Sign-On
If your local computing environment consists of UNIX servers and Windows 2000 client systems and you have one or more domain controllers in the environment, you can configure the optional Windows 2000 Single Sign-On (SSO) software. The SSO software enables account holders in the Windows 2000 domain to access computing resources on the UNIX server without needing a separate UNIX account.
The SSO software modifies the Windows Active Directory and the associated Windows account management utilities. These modifications enable administrators in the Windows 2000 domain to record UNIX information in the user's Windows 2000 account records. The UNIX server systems have secure access to the account holder's data and can read the account holder's UNIX login information, such as password or GID.
You can also create SSO user groups using the same software and administrative tools.
7.1.2.1 Single Sign-On Installation Requirements
Configuration and use of this feature has the following installation prerequisites:
You must have root access to the UNIX system and be an administrator of every Windows 2000 domain controller on which the SSO software is to be installed. You must run an installation procedure on the UNIX system and at least one domain controller.
The UNIX system cannot be running C2 level security. Refer to the Security guide for more information on security levels.
You need the Associated Products Volume 2 CD-ROM, on which you will find the SSO software kit. The Windows 2000 Single Sign-On Installation and Administration Guide is included in the kit in the /doc directory.
You need the following information:
The domain name, such as sso.w2k.com.
The domain controller host name, such as w2kserv.sso.w2k.com.
The account name and password of a privileged domain account. This account should belong to the Administrators group and hold administrative privileges, but should not be the main Administrator account. If no such account exists, create one before starting the installation.
7.1.2.2 Installing the Single Sign-On Software
Install the software as follows:
Load the CD-ROM into the reader as described in the Installation Guide.
Create a mount point and mount the CD-ROM using commands similar to the following:
# mkdir /apcd
# mount -r /dev/disk/cdrom4c /apcd
Locate the installation kits and documentation as follows:
# ls /apcd/Windows2000_SSO
Use the setld command to install the software subset named W2KSS0100. The configuration script, /usr/sbin/w2ksetup, runs automatically when the installation is complete.
Complete the configuration as described in the Windows 2000 Single Sign-On Installation and Administration Guide.
7.1.2.3 UNIX Requirements for Creating Single Sign-On Accounts
The following requirements for UNIX account characteristics apply to SSO accounts:
You can only create SSO user accounts in the Windows 2000 user environment using a modified version of the standard Windows 2000 user management tools. You cannot create SSO accounts using UNIX tools such as dxaccounts or useradd.
Note that you can upgrade existing Windows 2000 accounts to provide account holders with SSO privileges for UNIX resources.
There are terminology differences between UNIX and Windows 2000 accounts. For example, user account data that describe the characteristics of an account are referred to as properties in Windows 2000 and attributes in UNIX. In the UNIX environment, this information is called GECOS data. The data is used by certain UNIX commands and utilities to perform account operations or to identify users. Refer to Section 7.3.2 and subsequent sections for a description of UNIX account attributes.
Prepare the following account data for each user or group. If necessary, use the UNIX account management tools described in this chapter to ensure that the account data is of an appropriate format and is unique for each user:
In Windows 2000, the account name is the user logon name. For SSO it must meet two requirements: length and uniqueness. This also applies to group names.
Windows 2000 can support very long user names although in practice most users prefer short adaptations of their name and initials which are easier to remember and type. The maximum length of the account name is determined by the current restriction to eight characters in the UNIX environment.
The actual name can be as short as the user's initials but must be unique on both systems for every user. If a user with only a UNIX account has the account name chs, you cannot assign that name to an SSO account.
Each user requires a password. You determine the length of the password by the current settings on the UNIX system. These settings may vary depending on the security mechanisms in force. Refer to the Security guide for more information.
Each account requires a unique identification integer called a UID and each group has a GID. Refer to Section 7.3.1 and Section 7.3.3 for a description of these identifiers.
This field enables you to enter a text description of the account for future reference.
In the UNIX environment, the user's home directory is synonymous with a disk share on a Windows 2000 system. The home directory is a section of the /usr UNIX file system that is reserved for user accounts, typically using the user's account name in the path to the directory. For example, /usr/staff/songch or /usr/users/chs.
This is the user's default UNIX command environment that is invoked when the user logs on, such as the Bourne shell (sh) or Korn shell (ksh). Refer to the shells(4) reference page and Section 7.2.7 for more information.
7.1.2.4 Creating Single Sign-On Accounts and Groups
Using the information prepared in Section 7.1.2.3, create SSO accounts as follows:
Log in to your administrator's account on the Windows 2000 domain controller.
Invoke the Microsoft Management Console (MMC) interface and display the Active Directory Users and Computers Window.
Open the Users folder and either select an existing user or open the Action menu and choose the New option, then the User option.
Three dialog boxes are displayed in succession. You are prompted to enter the following information for each new user account:
The user account details, such as name.
The initial password for the account and any password characteristics.
The UNIX account properties. Use the information identified in Section 7.1.2.3, such as the UID and GID.
To create an SSO group, use the same procedure, selecting the New and Group menu options in step 3.
7.1.2.5 Single Sign-On System Files
When you install and configure the software, the following system files are created:
The ldapcd daemon, which is the connection to the registry of account information on the domain server. If the daemon is accidentally killed or stopped, restart it using the following command:
# /sbin/init/dldapw2k restart
The /etc/ldapcd.conf configuration file, which contains settings for the ldapcd daemon.
The /etc/w2kusers.deny configuration file, which forces UNIX authentication only for the named users.
Refer to the file headers and the Windows 2000 Single Sign-On Installation and Administration Guide for more information on these files.
7.1.3 Restrictions on Using the Utilities
The following restrictions apply when using account management utilities, or when certain system features are enabled:
To configure the default UNIX account and group characteristics, you can only use the UNIX command utilities or dxaccounts. Refer to the ASU Installation and Administration Guide for more information on setting default values for PC accounts when ASU is in use.
When enhanced security is enabled, it places restrictions on account creation and enables additional features such as enhanced passwords. Refer to the Security guide for more information.
The Network Information Services (NIS) service enables users to log in to any system in the local network that is running NIS. User data such as account name and password is shared between all NIS systems, and users will use different commands such as yppasswd instead of passwd to change passwords.
When NIS is configured, you have two potential classes of users to manage: local users and groups and NIS users and groups. Features in the user account administration utilities that support NIS become enabled only when NIS is running. Refer to the Network Administration guide for information on setting up the NIS environment.
The Division of Privileges (DOP) and distributed administration features enable the root user to easily assign account management privileges to other users. However, only one account management utility can be used by one authorized user at any time. This condition is required to prevent corruption of the system files. When invoked, an account management utility creates a lock file, preventing other utilities (or two instances of the same utility) from accessing system files such as /etc/passwd. This lock file is located at /etc/.AM_is_running.
7.2 Account Administration - Quick Start
This section provides you with brief instructions on invoking the account administration utilities so that you can create basic accounts quickly. For example, if you have just installed and configured the system as the root user, you might want to set up a nonprivileged user account under your own name using the default account settings. At a later time you can read Section 7.3 and other sections to understand how you can configure the system defaults and use the advanced features of account and group administration utilities.
7.2.1 Creating Primary Accounts During System Setup
On the first root login after a full installation of the operating system, the System Setup utility is automatically displayed to guide you through the options for configuring your system. The Account Manager icon included in System Setup enables you to configure initial accounts. This icon invokes the Account Manager (dxaccounts) graphical user interface (GUI). This is an X11-compliant GUI that can be used in CDE or other X-windowing environments. See Section 7.5.2 for information on using the Account Manager.
When the Advanced Server for UNIX (ASU) is installed and configured, you can also use this GUI to administer Windows NT domain accounts as described in Section 7.6.
Using dxaccounts to administer UNIX accounts is described in Section 7.4.2.
7.2.2 Using the SysMan Menu Accounts Option
The SysMan Menu Accounts options provide the same functions as dxaccounts, but with limited support for managing Windows NT domain accounts for PC clients. You can invoke these options from the CDE Applications Manager, the CDE Front Panel (SysMan Applications menu), or from the command line as follows:
# sysman accounts
The Accounts options also let you add and modify accounts in a NIS (Network Information Service) environment. You can add local users to any system without adding them to the NIS environment. Refer to the Network Administration guide for information on NIS.
To use the Accounts options from the SysMan Menu, invoke the SysMan Menu as described in Chapter 1 and expand the options as follows:
Select Accounts to expand the menu options. The following options are displayed:
Manage local users
Manage local groups
Manage NIS users
Manage NIS groups
Move the pointer (or use the Tab key) to select an option. Press mouse button 1 or the Enter key to invoke the utility.
The first window (or screen) of the utility is displayed. Press the Add... button to begin creating an account and follow the online instructions.
Use of these utilities is described in Section 7.5.1, or in the online help.
7.2.3 Using the dxaccounts GUI
The X11-compliant graphical user interface (GUI) dxaccounts provides features supported by the CDE environment, such as drag-and-drop and cut-and-paste, to quickly clone new accounts from existing accounts. You can invoke this GUI as follows:
Use the following command from a terminal to invoke the GUI in any X11-compliant windowing environment:
# dxaccounts
In CDE, open the Application Manager or the SysMan Applications pop-up menu from the Front Panel. Select Daily Administration, and click on the Account Manager icon.
The dxaccounts GUI also provides options for administering Windows NT domain users when ASU is installed. These options are grayed out on the window if ASU is not installed and configured. You can also use the Account Manager to configure default options for user accounts, such as the shell and the parent directory. See Section 7.4.2.5 for information.
7.2.4 Using the Command-Line Utilities
The following command-line utilities are available for administering accounts and groups:
useradd, userdel, and usermod - Use these commands to add, modify, and delete user accounts.
groupadd, groupdel, and groupmod - Use these commands to add, modify, and delete groups.
The adduser and addgroup utilities, documented in adduser(8) and addgroup(8), are obsolete interactive scripts provided only for backwards compatibility. If you are still using these scripts, you should migrate to one of the newer utilities that provide support for any work environment, including character-cell terminals and Windows NT.
The command-line utilities also provide options for administering Windows NT domain accounts when ASU is installed.
7.2.5 Advanced Server for UNIX
Advanced Server for UNIX (ASU) is a layered application that implements Windows NT Version 4.0 server services and functions on a server running UNIX. To other computers running Windows, the UNIX system appears to be a Windows NT Version 4.0 server. Through ASU, you can share UNIX file systems and printers as shares. By default, the client Windows user must have both a Windows NT domain account and a UNIX account in order to share UNIX resources. When ASU is running, the UNIX account administrative utilities that are described in this chapter can be used to perform certain account administrative tasks, such as creating new accounts.
ASU software is located on the Associated Products Volume 2 CD-ROM and provides two free connects. See the Installation Guide for information on installing the software subsets and the Installation and Administration Guide for information on configuring ASU for use.
7.2.6 Related Documentation
The following documentation contains information on administering accounts.
Books
Refer to Chapter 6 for information on file systems and user file space.
The Network Administration guide provides information on NIS user accounts.
The Security guide provides information on important security considerations when assigning resources to users. Information on account requirements for enhanced security and system auditing is provided in this volume.
The Common Desktop Environment: Advanced User's and System Administrator's Guide provides information on configuring the CDE environment and setting up system default resources such as printers.
The Technical Overview provides information on maximum system limits for numbers such as UIDs and GIDs.
The Concepts and Planning Guide, Installation and Administration Guide, and Release Notes provide information on ASU.
Reference pages provide a definitive list of all options and switches supported by commands. The following pages are referenced in this chapter:
The command-line utilities are documented in useradd(8), usermod(8), userdel(8), groupadd(8), groupmod(8), and groupdel(8).
The SysMan utilities are documented in sysman(8) and sysman_cli(8).
The Account Manager is documented in dxaccounts(8).
The system files are documented in passwd(4), group(4), shells(4), and default(4).
Individual commands are documented in passwd(1), vipw(1), grpck(8), and pwck(8).
Online help - The SysMan Menu Accounts options and dxaccounts provide online help files that describe all the options and define appropriate data entries. Some command-line routines also provide text help for the command syntax. This help is invoked with the -h or -help command flag.
The following system files may be updated when you perform account administration tasks and should be backed up regularly:
The /etc/group file contains group data. Each row specifies the following: the group name; optional encrypted password; numerical group ID; and a list of all users who are members of the group. For example:
system:*:0:root luis
daemon:*:1:daemon
uucp:*:2:uucp
mem:*:3:
kmem:*:3:root
bin:*:4:bin,adm
sec:*:5:
cron:*:14:
   .
   .
   .
users:*:15:billP carsonK raviL annieO
sysadmin:*:16:
tape:*:17:
   .
   .
   .
The /etc/passwd file consists of one record (row) per user, containing seven fields of user data. See Section 7.3.2 for more information. Example entries are:
   .
   .
   .
carsonK:6xl6duyF4JaEI:200:15:Kit Carson,3x192,1-6942,:/usr/users/carsonK:/bin/sh
annieO:.murv3n1pg2Dg:200:15:Annie Olsen,3x782,1-6982,:/usr/users/annieO:/bin/sh
   .
   .
   .
The /usr/skel directory contains skeleton files for new accounts such as a .login file. Users can edit these files to customize their account to the local environment, by defining environment variables and default paths to programs or project files.
The /etc/shells file provides a list of available command shells on the system.
If enhanced security is in use, the following security files are relevant: /etc/auth/system/default, /tcb/files/auth.db, and /var/tcb/files/auth.db.
If NIS (Network Information Services) is in use, the following NIS files are relevant: /var/yp/src/group, /var/yp/src/passwd, and /var/yp/src/prpasswd.
The log files /var/adm/wtmp and /var/adm/utmp, and log files in the /usr/var/adm/syslog.dated directory, provide information about account usage.
The resources in the following list are also useful when administering accounts. These commands may be useful in correcting system problems when the graphical user environments are unavailable, such as after a system crash, or if you only have access to a simple character-cell terminal.
The vipw utility, documented in vipw(8), allows you to invoke a text editor to edit the password file manually. Note that you should avoid manually editing system files if possible, and use one of the available utilities instead.
You can use the vipw utility to edit the local password database, but you cannot use it to edit the NIS database, or use it on systems that have enhanced security.
The vipw command allows you to edit the passwd file and at the same time locks the file to prevent others from modifying it. It also does consistency checks on the password entry for root and does not allow a corrupted root password to be entered into the passwd file.
The vipw utility can be used to patch a corrupted passwd file when in standalone mode.
A number of commands, such as who(1) and finger(1), provide information on user activities and account information.
The csh, ksh, and sh commands invoke and interpret the C, Korn, and POSIX shells.
The grpck and pwck utilities can be used to check the integrity of the group and passwd files.
The quotaon command is used to turn quota information on and off.
The passwd, chfn, and chsh commands provide the same functions as password options in command utilities, such as usermod and the dxaccounts Password option.
7.3 Understanding User Accounts and Groups
The administration of user accounts and groups involves managing the contents of the system's password and group files. On standalone systems, the files you manage are /etc/passwd, which is documented in passwd(1), and /etc/group, which is documented in group(4).
On networked systems, the Network Information Service (NIS) is typically used for central account and group management. NIS allows participating systems to share a common set of password and group files. See the Network Administration manual for more information.
If enhanced security is enabled on your system, you need to administer more than the /etc/passwd file for security. For example, the protected password database is used for security related information such as minimum password lengths and password expiration times. These tasks are documented in the Security manual.
7.3.1 Understanding Identifiers - UIDs and GIDs
Each user is known to the system by a unique number called a user identifier (UID). The system also knows each user group by a unique number called a group identifier (GID). The system uses these numbers to track user file access permissions and group privileges and to collect user accounting statistics and information.
The maximum number of UIDs and GIDs is 4,294,967,294 (32 bits with 2 reserved values). The maximum number of users that can be logged on is determined by the available system resources, but is of course a much smaller figure. If you intend to use the full range of UIDs and GIDs, note that some older utilities and applications will not support this number of UIDs and GIDs and you may need to take other precautions as follows:
If you are running applications that have not recently been upgraded to the latest version, ensure that they support maximum UIDs and GIDs. For example, the widely used Kerberos Version 4.0 does not support UIDs and GIDs beyond a certain range. If you currently use Kerberos Version 4.0, you should probably upgrade to Kerberos Version 5.0. Similarly, if you use PATHWORKS, you should upgrade to ASU (Advanced Server for UNIX) Version 4.0 or higher.
The System V file system (S5FS) does not support the maximum range of UIDs and GIDs. Any file system syscall that specifies UIDs and GIDs greater than 65,535 will return an EINVAL error. Users assigned a UID or GID greater than 65,535 will not be able to create or own files on a System V file system. Consider using UFS or AdvFS as a solution.
The behavior of certain commands and utilities changed when the maximum UID and GID range was increased. Check these changes against any local use of these commands, such as in shell scripts:
The ls -l command does not display the disk block usage on quota files or sparse files. To display the actual disk block usage for any file, use the ls -s command.
The cp command will incorrectly copy quota files or other sparse files. To correctly copy quota files or other sparse files, use the dd command with the conv=sparse parameter:
% dd conv=sparse if=inputfile of=outputfile
If a UFS file system that contains quota files or other sparse files is backed up using the vdump utility and restored using the vrestore utility, the quota files or other sparse files will be restored as follows:
The first page of a file on disk will be restored as a fully populated page; that is, empty nonallocated disk blocks will be zero filled.
Any additional pages on disk will be restored sparse.
7.3.2 Understanding the Password File
The passwd file for a standalone system identifies each user (including root) on your system. Each passwd file entry is a single line that contains seven fields. The fields are separated by colons and the last field ends with a newline character. The syntax of each entry and the meaning of each field is as follows:
username:password:user_id:group_id:user_info:login_directory:login_shell
The name for the user account. The username must be unique and consist of from one to eight alphanumeric characters.
You cannot enter a password directly. Enter an asterisk (*) in the passwd field to disable a login to that account. An empty password field allows anyone who knows the login name to log in to your system as that user.
The UID for this account. This is an integer, the maximum value of which is defined in the Technical Overview (see also the /usr/include/limits.h file). This number must be unique for each user on the system. Reserve the UID 0 for root. Assign each UID in ascending order beginning with 100. Lower numbers are used for pseudousers such as bin or daemon.
The GID for this account, which is an integer. Refer to the Technical Overview for information on the limit. Reserve the GID 0 for the system group. Be sure to define the GID in the group file.
This field contains additional user information such as the full user name, office address, telephone extension, and home phone. The finger command reads the information in the user_info field. Users can change the contents of their user_info field with the chfn command. Refer to the finger(1) and chfn(1) reference pages for more information.
The absolute pathname of the directory where the user account is located immediately after login. The login program assigns this pathname to the HOME environment variable. Users can change the value of the HOME variable, but if a user changes the value, then the home directory and the login directory are two different directories. Create the login directory after adding a user account to the passwd file. Typically the user's name is used as the name of the login directory. Refer to the chown(1), mkdir(1), chmod(1), and chgrp(1) reference pages for additional information on creating a login directory.
The absolute pathname of the program that starts after the user logs in. Normally, a shell starts. If you leave this field empty, the Bourne shell /bin/sh starts. Refer to the sh(1b) reference page for information on the Bourne shell. Users can change their login shell by using the chsh command. Refer to the chsh(1) reference page for more information.
In windowing (graphical) user environments, utilities such as Account Manager (dxaccounts) can be used to perform all the operations provided by commands such as passwd and mkdir. Note that you can only set default characteristics for new accounts in some graphical utilities, while the command-line utilities enable full access to setting and changing the default characteristics. See Section 7.4.2.5 for an explanation of how to do this with Account Manager (dxaccounts).
When the /etc/passwd file is very large, a performance degradation may occur. If the number of passwd entries exceeds 30,000, mkpasswd will sometimes fail to create a hashed (ndbm) database. Because the purpose of this database is to allow for efficient (fast) searches for password file information, failure to build it causes commands that rely on it to do a linear search of /etc/passwd. This results in a serious performance degradation for those commands.
If you use the mkpasswd -s option to avoid this type of failure, a potential database or binary compatibility problem may arise. If an application that accesses the password database created by mkpasswd is built statically (nonshared), that application will be unable to read from or write to the password database correctly. This would cause the application to fail either by generating incorrect results or by possibly dumping core.
Any statically linked application would be affected if it directly or indirectly calls any of the libc ndbm routines documented in the ndbm(3) reference page and then accesses the password database. To remedy this situation, you must relink the application. If the mkpasswd -s option is avoided, you will not see this compatibility problem.
Note
In an NIS environment you can add a user account to either the local passwd file or the NIS distributed passwd file. Accounts added to the local passwd file are visible only to the system to which they are added. Accounts added to the NIS distributed passwd file are visible to all NIS clients that have access to the distributed file. Refer to nis_manual_setup(7) for more information on adding users in a distributed environment.
7.3.3 Understanding the Group File
All users are members of at least one group. The group file identifies the group name for a user. There are two primary reasons to group user accounts:
Several users work together on the same files and directories; grouping these users together simplifies file and directory access.
Only certain users are permitted access to system files or directories; grouping them together simplifies the identification of privileged users.
The group file is used for the following purposes:
To assign a name to a group identification number used in the passwd file
To allow users to be members of more than one group by adding the user account to the corresponding group entries
Each entry in the group file is a single line that contains four fields. The fields are separated by colons, and the last field ends with a newline character. The syntax of each entry and the meaning of each field is as follows:
groupname:password:group_id:user1[,user2,...,userN]
groupname - The name of the group defined by this entry. The groupname consists of from one to eight alphanumeric characters and must be unique.
password - Place an asterisk (*) in this field. Entries for this field are currently ignored.
group_id - The group identification number (GID) for this group, which is an integer. Refer to the Technical Overview for information on the limits. Reserve the GID 0 for the system. The GID must be unique.
user1[,user2,...,userN] - The user accounts belonging to this group, as defined in the passwd file. If more than one user belongs to the group, the user accounts are separated by commas. The last user account ends with a newline character. A user can be a member of more than one group. There is a limit on the number of groups that a user can be in, as documented in the group(4) reference page. The maximum line length is LINE_MAX as defined in the limits.h file.
User accounts should be divided into a number of manageable groups. Note that you can also set defaults for certain GID values using the graphical or command-line utilities. See Section 7.4.2.5 for an explanation of how to do this with Account Manager (dxaccounts).
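As an added example (not code from the manual), the following Python script parses entries in the four-field format above and checks the rules just listed: the field count, one-to-eight-character alphanumeric and unique group names, an asterisk in the password field, integer and unique GIDs, the reserved GID 0, and the per-user group limit. The sample group file contents, the LINE_MAX value, the groups-per-user limit and the name of the group that owns GID 0 are constructed assumptions.

```python
"""Parse and validate group file entries in the four-field format above.

Added example, not code from the manual. The LINE_MAX value, the per-user
group limit (the Max Groups Per User default shown in Example 7-1) and the
name of the group holding reserved GID 0 are assumptions made here.
"""
import re
from collections import defaultdict

LINE_MAX = 2048            # assumed stand-in for LINE_MAX from limits.h
MAX_GROUPS_PER_USER = 32   # assumed; the real limit is documented in group(4)
SYSTEM_GROUP = "system"    # assumed name of the group that owns reserved GID 0
GROUPNAME_RE = re.compile(r"^[A-Za-z0-9]{1,8}$")

# Constructed sample group file; lines 7 to 11 carry deliberate mistakes.
SAMPLE_GROUP_FILE = """\
system:*:0:root
daemon:*:1:daemon
users:*:15:carsonK,wallyB
marsx:*:25:carsonK,cadwalZ
kmem:*:2:root
mem:*:3:root
Toolong1x:*:30:carsonK
dupgid:*:25:wallyB
users:*:40:adamK
badgid:*:abc:adamK
short:*:41
"""

def parse_group_line(line):
    """Split one entry into (groupname, password, gid, members).

    Returns (entry, problems); entry is None when the line cannot be parsed.
    """
    problems = []
    if len(line) + 1 > LINE_MAX:        # +1 for the newline ending the entry
        problems.append("entry is longer than LINE_MAX")
    fields = line.split(":")
    if len(fields) != 4:
        problems.append(f"expected 4 colon-separated fields, found {len(fields)}")
        return None, problems
    name, password, gid_text, member_text = fields
    if not GROUPNAME_RE.match(name):
        problems.append(f"groupname {name!r} must be 1-8 alphanumeric characters")
    if password != "*":
        problems.append("password field should hold an asterisk (it is ignored)")
    try:
        gid = int(gid_text)
    except ValueError:
        problems.append(f"GID {gid_text!r} is not an integer")
        return None, problems
    members = [m for m in member_text.split(",") if m]
    return (name, password, gid, members), problems

def check_group_file(text):
    """Validate all entries plus the file-wide rules (unique names and GIDs,
    reserved GID 0, per-user group limit). Returns (entries, problems): entries
    maps line number -> parsed tuple; problems maps line number -> messages,
    with key 0 reserved for file-wide findings.
    """
    entries, problems = {}, defaultdict(list)
    seen_names, seen_gids, groups_of = {}, {}, defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue
        entry, line_problems = parse_group_line(line)
        problems[lineno].extend(line_problems)
        if entry is None:
            continue
        name, _, gid, members = entry
        if name in seen_names:
            problems[lineno].append(
                f"duplicate groupname {name!r} (first defined on line {seen_names[name]})")
        seen_names.setdefault(name, lineno)
        if gid in seen_gids:
            problems[lineno].append(
                f"duplicate GID {gid} (first used on line {seen_gids[gid]})")
        seen_gids.setdefault(gid, lineno)
        if gid == 0 and name != SYSTEM_GROUP:
            problems[lineno].append("GID 0 is reserved for the system group")
        for member in members:
            groups_of[member].append(name)
        entries[lineno] = entry
    for user, groups in groups_of.items():
        if len(groups) > MAX_GROUPS_PER_USER:
            problems[0].append(
                f"user {user!r} is in {len(groups)} groups, limit is {MAX_GROUPS_PER_USER}")
    return entries, {n: msgs for n, msgs in problems.items() if msgs}

def groups_for_user(entries, user):
    """List, in file order, the groups whose member list names the user."""
    return [name for name, _, _, members in entries.values() if user in members]

if __name__ == "__main__":
    parsed, findings = check_group_file(SAMPLE_GROUP_FILE)
    for lineno in sorted(findings):
        for msg in findings[lineno]:
            print(f"line {lineno}: {msg}")
    print("carsonK is a member of:", groups_for_user(parsed, "carsonK"))
```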
7.4 Administering User Accounts
The following sections describe how to:
Administer user accounts using the SysMan Menu options. This method also allows you to add users in a NIS (Network Information Service) environment.
Administer local and NIS users and associated Windows NT domain accounts using dxaccounts.
The process for using the useradd command-line utility is similar and is documented in the reference pages, but it does not support NIS accounts. Refer to the Network Administration guide for information on NIS. Note that the SysMan Menu Accounts options can also be used from a terminal.
Note
Avoid using adduser because it does not provide all the available options and is not sensitive to security settings. You should also avoid manual methods of adding user accounts, to preserve the integrity of system files.
7.4.1 Using the SysMan Menu Accounts Options
The following sections describe how you create new accounts using SysMan Menu options. The following tasks are described:
Gathering account information
Creating a new local or NIS user account
Modifying an existing local or NIS account record
Deleting a local or NIS user account
For information on how to use the keyboard to enter information into fields on SysMan Menu utilities, invoke the online help.
7.4.1.1 Gathering Account Information
To prepare for administering accounts, gather the information from the worksheet provided in Table 7-2. Note that if enhanced security is in use, you must make the data items comply with the minimum requirements (such as password length). Refer to the Security guide for more information. Items marked O in the table are optional data.
Refer to Section 7.3.2 for an explanation of the passwd file data items.
Table 7-2: Account Administration Worksheet
Data Item | O | Note | New Account
User Name | | |
Comments (gecos) | O | Full name |
Comments | O | Location |
Comments | O | Telephone |
Comments | O | |
User ID (UID) | O | |
Password | | Use mixed case or alphanumeric |
Primary Group (GID) | | |
Secondary Group(s) | O | |
Shell | O | Can be chosen |
Home Directory | | Can be created automatically |
Lock Account | O | |
Local User | O | |
NIS User | O | |
Windows User | O | Shares needed |
An example of typical user data is provided in Table 7-3.
Table 7-3: Account Administration Worksheet
Data Item | O | Note | New Account
User Name | | | carsonK
Comments (gecos) | O | Full name | Kit Carson
Comments | O | Location | Office 3T-34
Comments | O | Telephone | 4-5132
Comments | O | | Project Mars
User ID (UID) | O | | Use next available
Password | | Use mixed case or alphanumeric | Use site specific initial password
Primary Group (GID) | | | Users
Secondary Group(s) | O | | marsx, 25
Shell | O | Can be chosen | ksh
Home Directory | | Can be created automatically | /usr/marsx/carsonK
Lock Account | O | | no
Local User | O | | no
NIS User | O | | yes
Windows User | O | | yes, share \\maul\astools
7.4.1.2 Creating or Modifying Local Accounts
To create a new account, invoke the SysMan Menu and select the Manage local users option as described in Section 7.2.2. A table of local users is displayed, listing all the existing local user accounts.
Use the following procedure to add a local user:
Select the Add... option to display the Manage Local Users: Add a User window.
Complete the data fields using the information from the worksheet described in Table 7-2.
If additional NIS options are required, select Options and enter the appropriate NIS values. Then press OK to return to the Add a User window.
Press OK to add the new user. You will be prompted to correct any errors, such as mistyped password confirmations.
You return to the Local Users window. A message confirming the successful addition is displayed. Press OK to return to the SysMan Menu.
To modify an existing account, invoke the SysMan Menu and select the Users option as described in Section 7.2.2. The Local Users table is displayed, listing all the existing local user accounts. Use the following procedure to modify a user entry:
Scroll through the list of users and select an entry.
Select the Modify... option to display the Account Manager: Modify a User window.
Change the contents of data fields as required.
If additional NIS changes are required, select Options and enter the appropriate NIS values. Then press OK to return to the Add a User window.
To add or modify more than one account, click Apply instead of OK. All changes are deferred until you select OK to exit.
Press OK to confirm the changes. You will be prompted to correct any errors, such as mistyped password confirmations.
You return to the Local Users window. A message confirming the successful addition is displayed. Press OK to return to the SysMan Menu.
Online help provides explanations for the fields, and defines valid data.
7.4.1.3 Deleting Local Accounts
The following considerations may apply before deleting accounts:
You can simply lock an account with the Modify... option, and later transfer the account to another new user using the Modify... option to change some account details.
You may want to invoke dxarchiver before deleting the account, to create a compressed archive file of the user's directories and files. See the dxarchiver(8) reference page for more information.
To delete an account, select the Users option as described in Section 7.2.2. The Local Users table is displayed, listing all the existing accounts. Use the following process to delete a user:
Scroll through the list of users and select an entry.
Select the Delete... option to display the Account Manager: Delete a User window.
Optionally, choose Delete User's Directory and Files if you want to remove the user's resources and recover the disk space.
Press OK to delete the account. The list of local users is updated immediately.
7.4.1.4 Creating or Modifying NIS Accounts
To create a new NIS account, invoke the SysMan Menu and select the Manage NIS Users option as described in Section 7.2.2. The NIS Users table is displayed, listing all the existing NIS user accounts. Use the following procedure to create an account for an NIS user:
Select the Add... option to display the Manage NIS Users: Add a User window.
Complete the data fields using the information from the worksheet described in Table 7-2.
Press OK to add the new user. You will be prompted to correct any errors, such as mistyped password confirmations.
You return to the Manage NIS Users window. A message confirming the successful addition is displayed. Press OK to return to the SysMan Menu.
To modify an existing account, invoke the SysMan Menu and select the Manage NIS Users option as described in Section 7.2.2. The NIS Users table is displayed, listing all the existing NIS user accounts. Use the following procedure to modify a user entry:
Scroll through the list of NIS users and select an entry.
Select the Modify... option to display the Manage NIS Users: Modify a User window.
Change the contents of data fields as required.
Press OK to confirm the changes. You will be prompted to correct any errors, such as mistyped password confirmations.
To add more than one account, click Apply instead of OK. All changes are deferred until you select OK to exit.
You return to the Manage NIS Users window. A message confirming the successful addition is displayed. Press OK to return to the SysMan Menu.
Online help provides explanations for the fields, and defines valid data.
7.4.1.5 Deleting NIS Accounts
To delete a NIS account, select the Manage NIS Users option as described in Section 7.2.2. The NIS Users table is displayed, listing all the existing accounts. Use the following process to delete a user:
Scroll through the list of users and select an entry.
Select the Delete... option to display the Manage NIS Users: Delete a User window.
Optionally, choose Delete User's Directory and Files if you want to remove the user's resources and recover the disk space.
Press OK to delete the account. The list of NIS users is updated immediately.
Invoke dxaccounts as described in Section 7.2.3. The Account Manager on <host> window is displayed first. Use the procedures in the following sections to add, modify and delete accounts with dxaccounts, using the data gathered in the Table 7-2 worksheet. The processes are identical for administering NIS users, except that you must also be authorized to make changes to the NIS databases. Any options that do not affect the databases, such as Find, are available to all users. Refer to the Network Administration guide for more information on NIS.
Note that if ASU is installed, additional options are displayed on the dxaccounts windows that enable you to administer accounts in Windows NT domains and create associated UNIX accounts simultaneously. Refer to the Installation and Administration Guide for more information on ASU.
7.4.2.1 Adding and Modifying Accounts
The same window is used to add or modify user accounts. If the account is new, you begin by clicking on the Add button. If the account already exists, you double-click on the user's icon. To add or modify accounts:
If the current view is not Local Users, pull down the View menu and choose the Local Users option.
Choose the Add button to display the Add/Modify Local User window and press the Add button.
(To modify an existing account, double-click on the user's icon.)
Enter the new user name in the Username field.
You can opt to choose the next available UID, or enter a UID.
Use the pull-down menu to select the primary group, or clear the box and type a group name.
If secondary groups are required, choose the Secondary Groups... button. In the Secondary Groups window, double-click on any required local or NIS (if available) groups.
Select the preferred shell from the pull-down menu.
The home directory is created at the default location of /usr/users/<username>. Enter an alternative path if required.
Press Password... to enter an initial password. Use a mixed case or alphanumeric string of the length determined by local security settings.
Enter any user information (GECOS field data) in the comments fields.
You can optionally check the following boxes:
Automatically create the home directory -- This creates the directory with the correct ownership and protections.
Lock the account -- This prevents any logins until you clear the box.
Press OK to create the account and return to the Account Manager main window. You will be prompted to correct any errors. The Current View is updated with an icon for the new user.
An alternative method of creating a new account is to clone it from an existing account as follows:
Click on an existing user icon to highlight it.
Choose the Copy button to copy the account.
Choose the Paste button to paste a new account version.
The new icon label will have the original name, appended with the string _copyn, where n represents the sequential number of the copy. You can make as many copies as required.
Double-click on the newly copied icon to highlight it and display the Add/Modify Local User window. The Modify button is selected automatically.
Make the required modifications to the Account as follows:
Enter the new user name
Change the UID (or select the next available)
Change the password
Make any optional changes, such as Comments or Lock Account.
Press OK to add the modified account and return to the Account Manager on <host> window. This window is immediately updated with an icon for the new account.
Invoke the dxaccounts utility as described in Section 7.2.3. The Account Manager on <host> window is displayed first.
Double-click on the required user's icon to highlight it.
Press the Delete button. The Delete Local UNIX User window is displayed. You can opt to remove the user's files and directories at this time. (You may want to archive these first; see the dxarchiver option.)
Press OK to confirm the deletion and return to the Account Manager on <host> window. This window is immediately updated, removing the deleted user.
7.4.2.3 Finding and Selecting Accounts
The dxaccounts utility provides a useful search feature to locate user accounts. You can also use this feature to select groups of users to which you want to apply global changes, such as modifying the user shell or password.
Invoke the dxaccounts utility as described in Section 7.2.3. The Account Manager on <host> window is displayed first.
Press the Find button.
Enter a search string in one of the fields (a text string) and press OK.
The Find option selects and displays all accounts where the data in the search field contains the search string. For example, enter the string ad in the Username field and press OK. The Selected Users window is displayed, listing the users that matched the search criteria. The matched users include adm, admin, adamK, and wadmanB; these users are highlighted in the Current View. You can now select the modify (or delete) option to perform global operations on the selected users.
7.4.2.4 The Password Option
The dxaccounts utility provides an option to easily change or remove passwords for a single user or a group of users, as follows:
Select the user or users (the Find option may be useful in selecting groups of users).
From the Edit menu, select Password.
In the New Password window, enter and confirm the new password. You can also opt for No password, although note the security implications of this option.
Press OK to confirm the change and return to the Account Manager main window.
7.4.2.5 Account Manager General Options
The Account Manager enables you to easily set defaults for newly created user accounts. Use the following procedure to add or modify defaults. Note that you can also set these through the command line, but not with the SysMan Menu options.
From the Options menu, select General..... The General Options window is displayed, enabling you to set the following defaults:
Duplicates Policy - These options enable you to allow duplicate User Identifiers (UID) and Group Identifiers (GID).
ID Ranges Policy - These options enable you to control the minimum, next, and maximum UID and GID.
Default Primary Group - This option enables you to set the default primary group to a group other than users.
Default Home Directory - This option enables you to set the default home directory to a location other than /usr/users.
Default Shell for User - This option enables you to set the default login shell.
Default Skeleton Directory - This option enables you to set the default skeleton directory path to a location other than /usr/skel.
Use Hashed Password Database - This option forces the creation of a hashed (encrypted) password database.
Require Password For New Accounts - This option forces the entry of a password each time an account is created.
Synchronize UNIX and Windows NT domain accounts - This option forces the automatic creation of an account when the UNIX account is created.
When you have made any required changes, press OK to update the defaults and return to the Account Manager main window.
The following sections describe how to:
Administer groups with the SysMan Menu options. This method also allows you to add groups in a NIS (Network Information Service) environment.
Administer groups using dxaccounts.
The processes for using the groupadd, groupmod, and groupdel commands are similar and are documented in the reference pages. Note that the SysMan Menu can also be used from a terminal.
Note
Avoid using addgroup as it does not provide all the available options and is not sensitive to security settings. Avoid using manual methods of adding user accounts, to preserve system file integrity.
7.5.1 Using the SysMan Menu Accounts Group Options
The following sections describe how to administer groups using SysMan Menu options. The following tasks are described in this section:
Creating a new local or NIS group
Modifying an existing local or NIS group
Deleting a local or NIS group
For information on how to use the keyboard to enter information into fields on SysMan Menu screens, invoke the online help.
7.5.1.1 Gathering Group Information
To prepare for administering groups, gather the information in the worksheet provided in Table 7-4. Note that if enhanced security is in use, you must make the data items comply with the minimum requirements. Refer to the Security guide for more information.
Refer to Section 7.3.3 for an explanation of the group file data items. In the SysMan Menu options, you also have the option to specify values for NIS groups. Refer to the Network Administration guide for information on configuring NIS. Items marked O are optional during group creation.
Table 7-4: Group Administration Worksheet
Data Item | O | Note | New Account
Group Name | | |
Password | | Not currently used. | *
Group Identifier (GID) | O | If unused, the next number will be assigned. |
User | O | |
7.5.1.2 Creating or Modifying Groups
To create a new group, invoke the SysMan Menu and select the Manage local groups option as described in Section 7.2.2. The Local Groups table is displayed, listing all the existing local groups. The process for adding NIS groups is identical, except that you select the Manage NIS Groups option. Use the following procedure to add a group:
Select the Add... option to display the Manage local groups: Add a Group window.
Complete the data fields using the information from the worksheet described in Table 7-4.
From the Members panel, highlight the names of users who will be the initial members of the new group. This action is optional.
Press OK to add the new group. You will be prompted to correct any errors.
You return to the Local Groups table window. A message confirming the successful addition is displayed. Press OK to return to the SysMan Menu.
To modify an existing group, invoke the SysMan Menu and select the Manage local groups option as described in Section 7.2.2. The Local Groups table is displayed, listing all the existing local groups. Use the following procedure to modify a group entry:
Scroll through the list of groups and select an entry.
Select the Modify... option to display the Manage Local Groups: Modify a Group window.
Change the contents of data fields as required. For example, you can scroll through the list of users and add new users to the group.
Press OK to confirm the changes.
To add or modify more than one group, click Apply instead of OK. All changes are deferred until you select OK to exit.
You return to the Local Groups window. A message confirming the successful addition is displayed. Press OK to return to the SysMan Menu.
Online help provides explanations for the fields, and defines valid data.
7.5.2 Using the Account Manager
Invoke the dxaccounts utility as described in Section 7.2.3. The Account Manager on <host> window is displayed first. Using the data gathered in the Table 7-4 worksheet, use the procedures in the following sections to add, modify and delete groups when using dxaccounts. The process for administering NIS groups is identical to the process for administering Local Groups, except that you must be authorized to change the NIS databases. You can still use any options, such as Find, that do not change the databases.
7.5.2.1 Adding Groups
Add groups as follows:
Pull down the View menu, and choose the Local Groups option.
Choose the Add button to display the Add/Modify Local UNIX group window.
Enter the new group name in the Name field.
You can opt to choose the next available GID or enter a GID.
Double click on any user name to add that user to the group.
Press OK to add the group and return to the Account Manager on <host> window. This window is immediately updated with an icon for the new group.
An alternative method of creating a new group is to clone it from an existing group as follows:
Click on an existing group icon to highlight it.
Choose the Copy button to copy the group.
Choose the Paste button to paste a new group version.
The new icon label will have the original name, appended with the string _copyn, where n represents the sequential number of the copy. You can make as many copies as required.
Click on the newly copied icon to highlight it.
Press the Add button to display the Add/Modify Local UNIX group window.
Make any required modifications to the group as follows. For example:
Rename the group
Change the GID
Add or delete members.
Press OK to add the group and return to the Account Manager on <host> window. This window is immediately updated with an icon for the new group.
Invoke the dxaccounts utility as described in Section 7.2.3. The Account Manager on <host> window is displayed first. Use the following procedure to modify an existing group, using the data gathered in the Table 7-4 worksheet:
Double-click on the required group to display the Add/Modify Local UNIX group window.
Make any required modifications to the group as follows. For example:
Rename the group
Change the GID
Add or delete members.
Press OK to confirm the changes and return to the Account Manager on <host> window. This window is immediately updated with any name changes for the group.
Invoke the dxaccounts utility as described in Section 7.2.3. The Account Manager on <host> window is displayed first.
Double-click on the required group to highlight it.
Press the Delete button. You will be prompted to confirm that you want to delete this group.
Press Yes to confirm the deletion and return to the Account Manager on <host> window. This window is immediately updated, removing the deleted group.
The Account Manager provides a useful search feature to locate groups and users who are members of groups.
Invoke the dxaccounts utility as described in Section 7.2.3. The Account Manager on <host> window is displayed first.
Press the Find button.
Enter one of the following search strings:
A group name or name fragment [text string] -- The Find option selects and displays all groups where the group name contains this string. For example, the string mem is matched to groups mem and kmem.
A group identifier (GID) [integer] -- Any number entered is treated as a string. The Find option selects and displays all groups where the GID contains this string. For example, the string 20 is matched to groups 20 and 220.
A user name [text string] -- The Find option selects and displays all groups with users whose user name contains this string. For example, the string wal is matched to groups containing the users wallyB and cadwalZ.
7.6 Administering Windows NT Domain Accounts and Groups
When the Advanced Server for UNIX (ASU) is running, the account management utilities can be configured to support the creation and administration of Windows NT domain accounts. For information on installing and configuring ASU, refer to the Installation and Administration Guide. Note that in such environments, you can use the account management utilities to perform certain operations on associated (synchronized) accounts. These are accounts for the same user that exist both in the Windows NT domain and the UNIX environment and are referred to as synchronized accounts in the UNIX utilities.
To configure a UNIX system to create associated Windows NT domain and UNIX accounts, and to set the default account creation options, you must set the account environment defaults using the usermod (or useradd) command at a terminal, as shown in Example 7-1.
Note
When the Advanced Server for UNIX (ASU) is installed and configured, the creation of associated Windows NT domain and UNIX accounts is enabled by default. All account management utilities will have their PC support features enabled automatically. The value of Synchronized UNIX/PC Accts in the system default settings will be 1 (on).
Example 7-1: Changing the Default Environment with usermod
# usermod -D [1]
Local = 1
Distributed = 0
Minimum User ID = 12
Next User ID = 200
Maximum User ID = 4294967293
Duplicate User ID = 0
Use Hashed Database = 0
Max Groups Per User = 32
Base Home Directory = /usr/users [2]
Administrative Lock = 1
Primary Group = users
Skeleton Directory = /usr/skel
Shell = /bin/sh
Synchronized UNIX/PC Accts = 0
PC Minimum Password Length = 0
PC Minimum Password Age = 0
PC Maximum Password Age = 42
PC Password Uniqueness = 0
PC Force Logoff After = Never
# usermod -D -x pc_synchronize=1 pc_passwd_uniqueness=1 \
pc_max_passwd_age=60 [3]
# usermod -D
. . .
Synchronized UNIX/PC Accts = 1
PC Minimum Password Length = 0
PC Minimum Password Age = 0
PC Maximum Password Age = 60 [4]
PC Password Uniqueness = 1
PC Force Logoff After = Never
[1] This command displays the current default user account creation environment.
[2] The output from the usermod command is this list of default values. When you create an account, these values are assigned to the new account. For example, all new accounts are created in the base home directory of /usr/users.
[3] This command specifies new values for three of the defaults that apply to Windows NT domain accounts only.
[4] This (truncated) list shows the new default values, which are as follows:
pc_synchronize=1 - Create associated Windows NT domain and UNIX accounts if ASU is running.
pc_passwd_uniqueness=1 - Forces validation of the password for uniqueness.
pc_max_passwd_age=60 - Specifies the maximum number of days that can elapse before a password must be changed by the user.
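The following Python script is an added example, not code from the manual or from the usermod utility. It parses a usermod -D listing like the one in Example 7-1, models the -x changes made in that example, and audits the resulting defaults before and after (including the hashed-database setting whose effect on passwd lookups is discussed earlier in this chapter). The listing text is constructed from Example 7-1; the mapping of -x option names to listing rows and the policy thresholds are assumptions.

```python
"""Parse a usermod -D listing and audit the account-creation defaults.

Added example, not code from the manual or from the usermod utility. The
listing is constructed from Example 7-1; the mapping of -x option names to
listing rows covers only the three options used in that example, and the
policy thresholds below are assumptions, not values from the manual.
"""
import re

# Constructed: the first usermod -D listing from Example 7-1.
USERMOD_D_BEFORE = """\
Local = 1
Distributed = 0
Minimum User ID = 12
Next User ID = 200
Maximum User ID = 4294967293
Duplicate User ID = 0
Use Hashed Database = 0
Max Groups Per User = 32
Base Home Directory = /usr/users
Administrative Lock = 1
Primary Group = users
Skeleton Directory = /usr/skel
Shell = /bin/sh
Synchronized UNIX/PC Accts = 0
PC Minimum Password Length = 0
PC Minimum Password Age = 0
PC Maximum Password Age = 42
PC Password Uniqueness = 0
PC Force Logoff After = Never
"""

# Assumed mapping of the -x options shown in Example 7-1 to listing rows.
X_OPTION_ROWS = {
    "pc_synchronize": "Synchronized UNIX/PC Accts",
    "pc_passwd_uniqueness": "PC Password Uniqueness",
    "pc_max_passwd_age": "PC Maximum Password Age",
}
HASHED_DB_ADVISED_ABOVE = 5000   # assumed: advise the hashed database above this size
PC_MAX_AGE_LIMIT = 60            # assumed policy: PC passwords rotate within 60 days
PC_MIN_LENGTH = 8                # assumed policy: PC passwords of at least 8 characters

def parse_defaults(text):
    """Turn 'Name = value' lines into a dict; numeric values become ints."""
    defaults = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(". . ."):   # skip the truncation marker
            continue
        name, sep, value = line.partition(" = ")
        if not sep:
            raise ValueError(f"unexpected line in usermod -D output: {line!r}")
        value = value.strip()
        defaults[name.strip()] = int(value) if re.fullmatch(r"\d+", value) else value
    return defaults

def apply_x_options(defaults, *assignments):
    """Model 'usermod -D -x name=value ...' on a parsed listing; returns a copy."""
    updated = dict(defaults)
    for assignment in assignments:
        option, _, value = assignment.partition("=")
        if option not in X_OPTION_ROWS:
            raise KeyError(f"no listing row known for -x option {option!r}")
        updated[X_OPTION_ROWS[option]] = int(value)
    return updated

def audit_defaults(defaults, passwd_entries=0):
    """Return findings about defaults that weaken every account created under them."""
    findings = []
    lo, nxt, hi = (defaults[k] for k in
                   ("Minimum User ID", "Next User ID", "Maximum User ID"))
    if not lo <= nxt <= hi:
        findings.append(f"Next User ID {nxt} lies outside {lo}..{hi}")
    if defaults["Duplicate User ID"] != 0:
        findings.append("Duplicate User ID is on: two accounts could share one UID")
    if defaults["Use Hashed Database"] == 0 and passwd_entries > HASHED_DB_ADVISED_ABOVE:
        findings.append(f"Use Hashed Database is off with {passwd_entries} passwd "
                        "entries: lookups fall back to a linear search")
    if defaults["Synchronized UNIX/PC Accts"] == 1:
        # The PC rows only take effect once Windows NT domain accounts are created.
        if defaults["PC Minimum Password Length"] < PC_MIN_LENGTH:
            findings.append("PC Minimum Password Length is below "
                            f"{PC_MIN_LENGTH} for synchronized accounts")
        if defaults["PC Maximum Password Age"] > PC_MAX_AGE_LIMIT:
            findings.append(f"PC Maximum Password Age exceeds {PC_MAX_AGE_LIMIT} days")
        if defaults["PC Password Uniqueness"] == 0:
            findings.append("PC Password Uniqueness is off: old passwords can be reused")
    return findings

if __name__ == "__main__":
    before = parse_defaults(USERMOD_D_BEFORE)
    after = apply_x_options(before, "pc_synchronize=1",
                            "pc_passwd_uniqueness=1", "pc_max_passwd_age=60")
    for label, env in (("before", before), ("after", after)):
        print(label, audit_defaults(env, passwd_entries=35000) or ["no findings"])
```

Turning synchronization on without also raising PC Minimum Password Length is the gap the audit surfaces after the Example 7-1 change.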
groupmod -D is used to set the default environment values for creating new groups. You can also specify the environment options when you create a new account, to override the defaults. For more information, refer to the useradd(8), usermod(8), and userdel(8) reference pages. At the command line prompt, you can also type -h after each command to display a help screen showing the various command options.
In ASU User Manager for Domains, you perform a similar task when you edit the default policy, which establishes similar default values for newly created accounts. It is not possible to use ASU account management utilities to perform operations on UNIX-only accounts, or to use UNIX utilities to perform operations on accounts that exist only in the Windows NT domain. The following sections provide information on how the UNIX and ASU account administration utilities behave when ASU is running and when you are administering synchronized accounts.
7.6.1 Administering Synchronized Accounts
If you have set up ASU and configured the creation of synchronized accounts, certain features in the account administration utilities will become enabled automatically. The following sections describe how those features appear in the different account management utilities.
A lock file prevents you from using two different utilities (or two instances of the same utility) at the same time. This scenario could easily arise in large installations with many administrators managing many accounts. This lock file is at /etc/.AM_is_running. If the lock file exists, only one process can access the system files that relate to user and group data. If you attempt to invoke a second instance of any UNIX account management utility, an error message will inform you that the data files are locked.
When using the ASU utilities to add accounts, ASU is able to detect the presence of the lock file, but will be unable to create an associated UNIX account. It will only create a Windows NT domain account. No lock file error message will be displayed, and you will receive no confirmation that the associated account was not created. When using ASU tools, you should always verify the creation of an associated UNIX account by checking the contents of the /etc/passwd file.
7.6.1.1 Using SysMan Menu Accounts and Groups Options
The SysMan Menu Accounts utilities will not show any changes when ASU is running. If synchronized accounts are enabled, you will not see any differences in the windows and screens. However the following behavior should be noted:
Add a user - You will be able to select from several DOS---- groups when assigning the account holder to a group as part of account creation (the Primary Group option).
If the creation of associated Windows NT domain accounts is enabled as described in Example 7-1, the associated account will be created automatically and you cannot override its creation.
Delete a user - The associated Windows NT domain account will be deleted automatically. You do not have an option to override this deletion. If you want to retain the user's Windows NT domain account, do not use this option.
Add/Modify a group - Several DOS---- groups will appear in the list, showing the default Windows NT domain accounts, such as lanman and lmxadmin.
The advantage of the SysMan Menu utilities is that you can use them in a number of different user environments; they present a consistent method of account administration whether you are working in a terminal, Microsoft Windows, or X windows. Refer to Chapter 1 for information on using the SysMan Menu.
7.6.1.2 Using the Account Manager
The Account Manager (dxaccounts) is an X11-compliant graphical user interface (GUI) and as such can only be displayed in an X-window user environment such as CDE. The Account Manager shows an option to create PC (Windows NT domain) accounts on the main window. This option is grayed out and unusable unless ASU is running. When ASU is running, the following features are available:
When creating one type of account in Windows NT domain or UNIX, you can opt to create a synchronized account of the other type.
You can opt not to create an associated PC (Windows NT domain account) or UNIX account, even if creation is enabled by default as shown in Example 7-1.
Additional options appear on the View menu, that enable you to display all Windows NT domain accounts and groups. When you select these options, the PC (Windows NT domain) user and group accounts icons are displayed. You can add, modify and delete PC accounts and groups as if they were UNIX accounts.
From the Options menu, you can use the PC Defaults option to set characteristics that will be inherited by any newly created account. You use the General Options menu item to set account synchronization and to set characteristics for UNIX accounts.
When removing accounts with the Delete button, you are prompted to select the UNIX account, the PC account, or both.
When using the View menu, Local Groups option, the PC DOS groups are visible and you can perform administrative tasks on these groups.
When using the View menu, PC Groups option, the PC domain groups are visible and you can perform administrative tasks on these groups.
You use the processes described in Section 7.5.2 to perform administrative operations on PC accounts and groups.
The advantage of using the Account Manager is that it is a native X11 application and can use the features of the windowing environment, such as iconic drag-and-drop or cut-and-paste, to easily clone new user accounts and groups from existing entities. However, unlike the portable SysMan Menu Account utilities, it can run only under an X-window user environment.
7.6.1.3 Using Command-Line Utilities
The command-line utilities for administering user and group accounts are also used to configure the default account characteristics, as demonstrated in Example 7-1. These characteristics are applied to all newly created accounts, and are referred to as the account policy in the ASU utilities. Unlike the graphical utilities, you can always override the default characteristics and specify customized characteristics for new accounts.
When ASU is installed, the following account and group creation options become available for use.
useradd, usermod - The following extended options are provided to set the default Windows NT domain account characteristics using the -D option. The default values are also shown:
pc_synchronize= (value: 1, on) - Use this option to determine whether synchronized accounts are created by default when a new account is created, either for the Windows NT domain or for UNIX. Synchronized accounts are not created if this value is zero.
pc_min_password_age= (value: 0, off) - Use this option to specify how many days must elapse before a password can be changed. The user is not allowed to change passwords more frequently than this.
pc_max_password_age= (value: 42 days) - Use this option to specify how many days can elapse before a password must be changed. The user must change passwords at least this frequently.
pc_passwd_uniqueness= (value: 0, off) - Use this option to force checking of user-supplied passwords, ensuring that users do not reuse passwords.
pc_force_logoff= (value: Never, off) - Use this option to set up temporary accounts whose holder is logged off automatically when the account's permitted time expires.
You invoke these extended options with the -D -x options, as shown in Example 7-1. To override a default characteristic, you specify the extended option with the -x flag during an account administration operation, such as account creation:
# useradd -x pc_passwd_uniqueness=1 guest9
The following options do not set default account characteristics; they apply to the individual account you are adding (the same characteristics can also be set using the ASU utilities). Specify them with the -x flag when adding a new account:
pc_username=name_string - The user account name in the Windows NT domain. This can be identical to, or different from, the user's UNIX account name.
pc_unix_username=login_name - The synchronized UNIX account name. If no name is entered, it is the same as the Windows NT domain account name.
pc_fullname=text_string - The full name of the user or a description of the account.
pc_comment=text_string - A brief description of the account that can be modified only by the administrator.
pc_usercomment=text_string - A brief description of the account. This string can be changed by the user.
pc_homedir=pathname - The path to the user's home directory, specified in Windows NT share format.
pc_primary_group=group - The primary group (Windows NT domain) to which the user belongs.
pc_secondary_groups=group,group.... - The secondary Windows NT domain groups to which the user belongs, specified as a comma-delimited list.
pc_logon_workstations=client_name - A list of client host systems from which the user can log on, specified as a comma-delimited list. A null value (" ") means that the user can log on from all workstations.
pc_logon_script=pathname - The directory where the default logon script is located. (This directory is created during ASU configuration.)
pc_account_type=local|global - Specifies whether the account is a local or global account in the Windows NT domain.
pc_account_expiration=date_string - Specifies the date on which the account expires and logins are prevented.
pc_logon_hours=Dd0000-0000,Dd0000-0000.... - Specifies the days of the week and hours of the day during which logins are permitted or denied.
pc_user_profile_path=pathname - Specifies the pathname to the default user profile directory.
pc_disable_account=0|1 - Specifies whether the account is initially locked, disabling logins.
pc_passwd - The initial account password. You must precede this option with the -x flag; you are then prompted to enter the password and to confirm the entry. The password is not echoed to the display, so it never appears on the command line.
pc_passwd_choose_own=0|1 - Controls whether users can set their own passwords.
pc_passwd_change_required=0|1 - Forces the user to change the password at the initial login.
userdel - The only supported PC (Windows NT domain) option is Synchronized UNIX/PC Accts. Use this option to delete synchronized accounts, as follows (userdel must be run as root):
# userdel -r -x pc_synchronize=1 studentB
groupadd, groupmod - The following extended options can be used with the -x flag to administer groups in Windows NT domains:
pc_group_description=string - Specifies a text string that provides a description of the group.
pc_group_members=user,user.... - Specifies a comma-delimited list of group members.
The advantage of using the command line is that it offers complete control over administrative tasks, enabling you to specify any and all command options and override default characteristics. Commands can be used as part of a shell script to customize and automate account creation. However, the command options can be lengthy, so it is often easier to set up an account using the graphical utilities.
Refer to the useradd(8) and groupadd(8) reference pages, and the related reference pages identified therein.
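The following script is an added example and is not part of this manual or of ASU itself. It wraps the useradd extended options described above in shell functions that validate the option values, print (or, with DRY_RUN=0, execute) the -D -x policy command and the per-account command, and then perform the /etc/passwd check that this section opens with. It assumes that each pc_* option is given with its own -x flag (confirm the exact syntax against useradd(8)), that pc_logon_hours uses two-letter day codes such as Mo, and that pc_account_expiration accepts an mm/dd/yyyy string; the USERADD, PASSWD_FILE, DRY_RUN and RUN_DEMO variables, the studentb account and the students group are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the manual or from ASU: build, validate and dry-run
# the useradd invocation for a synchronized UNIX / Windows NT domain account,
# then confirm the UNIX side in /etc/passwd as the section advises.
# Assumptions: one pc_* option per -x flag (check useradd(8)), two-letter day
# codes such as Mo in pc_logon_hours, an mm/dd/yyyy pc_account_expiration
# string. USERADD, PASSWD_FILE and DRY_RUN exist only so the script can be
# exercised on a system without ASU.

USERADD="${USERADD:-useradd}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
DRY_RUN="${DRY_RUN:-1}"

# validate_logon_hours: accept only the Dd0000-0000[,Dd0000-0000...] shape
# documented for pc_logon_hours, for example Mo0800-1800,Tu0800-1800.
# A coarse check: it rejects malformed ranges, not impossible times like 2560.
validate_logon_hours() {
    _spec=$1
    [ -n "$_spec" ] || return 1
    _old_ifs=$IFS
    IFS=','
    for _range in $_spec; do
        case $_range in
            [A-Z][a-z][0-2][0-9][0-5][0-9]-[0-2][0-9][0-5][0-9]) ;;
            *) IFS=$_old_ifs; return 1 ;;
        esac
    done
    IFS=$_old_ifs
    return 0
}

# set_pc_defaults: print the useradd -D -x command that sets the Windows NT
# domain account policy. The values are an assumed site policy, not the ASU
# defaults listed above: max age $1 days (30), min age $2 days (1), no reuse.
set_pc_defaults() {
    printf '%s -D -x pc_max_password_age=%s -x pc_min_password_age=%s -x pc_passwd_uniqueness=1\n' \
        "$USERADD" "${1:-30}" "${2:-1}"
}

# build_useradd_cmd: print the useradd command line for one synchronized
# account: login, NT full name, NT primary group, logon hours, expiry date.
# Policy choices made here (assumed, not mandated by the manual): the user
# must change the password at first logon, logons are limited to the given
# hours, and the account stays disabled until an administrator enables it.
# No pc_passwd on the command line: the documented option prompts instead,
# which keeps the initial password out of shell history and ps output.
build_useradd_cmd() {
    _login=$1; _fullname=$2; _group=$3; _hours=$4; _expires=$5
    case $_login in
        [a-z]*) ;;
        *) echo "build_useradd_cmd: invalid login name '$_login'" >&2; return 1 ;;
    esac
    case $_fullname in
        *"'"*) echo "build_useradd_cmd: quote in full name '$_fullname'" >&2; return 1 ;;
    esac
    if ! validate_logon_hours "$_hours"; then
        echo "build_useradd_cmd: invalid pc_logon_hours '$_hours'" >&2
        return 1
    fi
    _fmt="%s -x pc_synchronize=1 -x pc_username=%s -x 'pc_fullname=%s'"
    _fmt="$_fmt -x pc_primary_group=%s -x pc_logon_hours=%s"
    _fmt="$_fmt -x pc_account_expiration=%s -x pc_passwd_change_required=1"
    _fmt="$_fmt -x pc_disable_account=1 %s\n"
    printf "$_fmt" "$USERADD" "$_login" "$_fullname" "$_group" "$_hours" "$_expires" "$_login"
}

# run_cmd: execute a built command line, or just show it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "dry run: $1"
    else
        eval "$1"
    fi
}

# verify_unix_account: the check the section opens with, confirming that the
# associated UNIX account exists in the passwd file. Returns 0 if found.
verify_unix_account() {
    grep -q "^$1:" "$PASSWD_FILE"
}

# Demonstration with constructed names; guarded so the functions can be
# sourced from another script without side effects.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    run_cmd "$(set_pc_defaults 30 1)"
    _hours='Mo0800-1800,Tu0800-1800,We0800-1800,Th0800-1800,Fr0800-1800'
    if _cmd=$(build_useradd_cmd studentb 'Student B' students "$_hours" 12/31/2000); then
        run_cmd "$_cmd"
        if [ "$DRY_RUN" != 1 ]; then
            verify_unix_account studentb || echo "studentb missing from $PASSWD_FILE" >&2
        fi
    fi
fi
```

Run it as RUN_DEMO=1 sh addsync.sh to see the commands it would issue; on a system with ASU configured, run it as root with DRY_RUN=0 to execute them. The initial password is deliberately left to the pc_passwd prompt rather than passed as an argument, because anything on the command line is visible in process listings and shell history.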
7.6.1.4 Using the ASU User Manager for Domains
ASU provides its own utility for administering Windows NT domains, domain user accounts, and groups. This application (usrmgr.exe) must be installed and can only be used from a system running Windows NT. It offers the same features as the net command-line options.
Default characteristics for accounts, called policies in the context of this utility, can be set for all newly created accounts. However, you cannot set the default characteristics for synchronized UNIX accounts when using the User Manager for Domains.
Refer to the
Installation and Administration Guide, and the User Manager for Domains
online help for information.
7.6.1.5 Using ASU net Commands
ASU provides an extensive set of net commands that you enter on the UNIX command line or from a DOS window on a Windows NT Server. For example, the following command displays the help for net user, the command you can use to add, modify, or delete user accounts:
# net help user | more
The syntax of this command is:
NET USER [username [password | *] [options]]
         username [password | *] /ADD [options]
         username [/DELETE]
. . .
# net user josef /add
Type net help view at the command line to display a list of net command options.
See also the Installation and Administration Guide and the net(1) reference page for information on using net commands.