PATHWORKS for OpenVMS (Advanced Server)
Server Administrator's Guide



2.2.7.2 Removing Trust Relationships

To remove a trust relationship, use the REMOVE TRUST/TRUSTED command and the REMOVE TRUST/PERMITTED command. For example:


LANDOFOZ\\TINMAN> REMOVE TRUST KANSAS/PERMITTED 
Removing domain "KANSAS" from the Permitted Domains List will 
prevent users in domain "LANDOFOZ" from accessing resources in 
domain "KANSAS". If you choose to continue, you must also 
administer domain "KANSAS" and remove "LANDOFOZ" from its list of 
Trusted Domains. 
 
Do you want to continue with the removal [YES or NO] (YES) : YES 
%PWRK-S-TRUSTREM, trust between domains "LANDOFOZ" and "KANSAS" 
removed 
 
LANDOFOZ\\TINMAN> 

When you remove a trust, both sides of the trust relationship must be dissolved: the trusting domain must cease to trust the trusted domain, and the trusted domain must cease to permit the trusting domain to trust it. To reestablish the trust relationship, you must again supply matching passwords for the trusting and trusted domains. If only one side of the trust relationship is broken and reestablished, the trust will appear to work in some ways and fail in others. For example, you can grant resource access to a user from the trusted domain, but the user is not actually granted the indicated access. To eliminate such problems, remove the old trust relationships and establish new trust relationships.

2.3 Managing Security Policies

You can manage the following security policies: the account policy (Section 2.3.1) and the audit policy (Section 2.3.2).

2.3.1 Managing the Account Policy

You manage the account policy for your domain using the SET ACCOUNT POLICY command. You can view the account policy with the SHOW ACCOUNT POLICY command. Changes to the account policy affect every user at the next logon.

The following table lists the qualifiers you can specify with the SET ACCOUNT POLICY command.

Table 2-1 Account Policy Qualifiers

/[NO]FORCE_DISCONNECT
  Controls whether or not a user connection to any server in the domain is forcibly disconnected when the user account exceeds the logon hours defined for the user account. This affects only users who are already logged on.

  /NOFORCE_DISCONNECT specifies that the user connection is not disconnected, but no new connections are allowed. This is the default.

  Regardless of this setting, users cannot make new connections to the server outside their logon hours or after their accounts expire.

/[NO]LOCK_OUT=(ATTEMPTS=n)
  Controls whether or not an account is locked out after too many failed logon attempts. Use the ATTEMPTS=n keyword with the /LOCK_OUT qualifier, where n is 1 to 999; the account is locked out after the specified number of failed logon attempts. A failed logon attempt occurs when the user supplies an incorrect password when logging on. /NOLOCK_OUT specifies that user accounts are never locked out, regardless of the number of failed attempts. The default is /NOLOCK_OUT.

/PASSWORD_POLICY=(keyword[,...])
  Specifies password policies for the domain. You can use the following keywords with this qualifier:

  [NO]MAXAGE[=n]
    Specifies the maximum password age: the maximum number of days a password can be used before the server requires the user to change it. You can specify from 1 to 999 days; the default is 42 days. NOMAXAGE means passwords never expire.

  [NO]MINAGE[=n]
    Specifies the minimum password age: the minimum number of days a password must be used before the user can change it. You can specify from 1 to 999 days; the default is 1 day. NOMINAGE means that changes can be made immediately.

  MINLENGTH=n
    Specifies the minimum password length: the minimum number of characters in a password. You can specify from 0 (blank passwords are allowed) to 14. The default is 0. Be sure to coordinate this value with the OpenVMS password policy if you are using external authorization.

  [NO]HISTORY[=n]
    Specifies the password history: the number of new passwords that the user must specify before an old password can be reused. You can specify from 1 to 8. The default is 0 (no password history is maintained). NOHISTORY means that no password history is maintained.

To set the account policy for a domain:

Use the SET ACCOUNT POLICY command. For example, to set up your domain so that users are disconnected when they exceed their logon hours, use the SET ACCOUNT POLICY/FORCE_DISCONNECT command, as follows.


LANDOFOZ\\TINMAN> SET ACCOUNT POLICY/FORCE_DISCONNECT 
%PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ" 

To display the account policy for a domain:

Use the SHOW ACCOUNT POLICY command. For example:


LANDOFOZ\\TINMAN> SHOW ACCOUNT POLICY 
 
Account Policy for domain "LANDOFOZ": 
 
Minimum password age (days) : 1 
Maximum password age (days) : 42 
Minimum password length : 0 
Length of password history maintained : None 
Force user logoff after logon hours expire: YES 
Lock out account after how many bad password attempts : Never 
Role of server TINMAN: Primary Domain Controller 
 
LANDOFOZ\\TINMAN> 
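Because the account policy is shared by every server in the domain, a captured SHOW ACCOUNT POLICY display is worth checking against a baseline rather than reading by eye. The following Python is an added example, not part of this guide or of the PATHWORKS software: it parses the display shown above, flags the settings that are weaker than a constructed baseline, and builds the SET ACCOUNT POLICY command from the Table 2-1 qualifiers (combining those qualifiers on one command line is an assumption).

```python
"""Check a SHOW ACCOUNT POLICY display against a baseline. Added example, not
PATHWORKS code: SAMPLE is the display shown on this page, BASELINE is constructed,
and combining Table 2-1 qualifiers on one SET ACCOUNT POLICY line is assumed."""

SAMPLE = """\
Minimum password age (days) : 1
Minimum password length : 0
Length of password history maintained : None
Force user logoff after logon hours expire: YES
Lock out account after how many bad password attempts : Never
Role of server TINMAN: Primary Domain Controller
"""
FIELDS = {  # display label -> setting name
    "Minimum password length": "min_length",
    "Length of password history maintained": "history",
    "Lock out account after how many bad password attempts": "lockout",
}
KEYWORD = {"min_length": "MINLENGTH", "history": "HISTORY"}  # PASSWORD_POLICY keywords
BASELINE = {"min_length": 8, "history": 8, "lockout": 5}  # constructed; maxima are 14 and 8


def parse_account_policy(text):
    """Map each tracked setting to a number; 'None' and 'Never' count as 0."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in FIELDS:
            policy[FIELDS[label.strip()]] = int(value) if value.strip().isdigit() else 0
    return policy


def is_weak(name, current, required):
    """Lockout counts down (fewer attempts is stricter, 0 means never); others count up."""
    if name == "lockout":
        return current == 0 or current > required
    return current < required


def findings(policy, baseline=BASELINE):
    """Return (setting, current, required) for every setting weaker than the baseline."""
    return [(k, policy.get(k, 0), v) for k, v in baseline.items()
            if is_weak(k, policy.get(k, 0), v)]


def remediation_command(policy, baseline=BASELINE):
    """Build the SET ACCOUNT POLICY command that raises the weak settings, or None."""
    weak = {k: v for k, _, v in findings(policy, baseline)}
    cmd = "SET ACCOUNT POLICY"
    if "lockout" in weak:
        cmd += "/LOCK_OUT=(ATTEMPTS=%d)" % weak["lockout"]
    keywords = ["%s=%d" % (KEYWORD[k], weak[k]) for k in KEYWORD if k in weak]
    if keywords:
        cmd += "/PASSWORD_POLICY=(%s)" % ",".join(keywords)
    return cmd if weak else None
```

For the display above, the three tracked settings are all at their weakest values, so the emitted command sets a lockout threshold and raises both password keywords in one line.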

2.3.2 Managing the Audit Policy

You specify the audit policy using the SET AUDIT POLICY command. When auditing is enabled, the server records security events in the Security event log. The server can record system-wide events, such as a user logging on, and file-specific events, such as a user attempting to access a specific file.

The audit policy affects Security event logging for all servers in the domain, because they share the same audit policy. You can specify whether to log failed events and successful events.

The following table lists events you can audit.

Table 2-2 Events You Can Audit

ACCESS
  - A user accessing a directory or file that is set for auditing
  - A user sending a print job to a printer that is set for auditing

ACCOUNT_MANAGEMENT
  - Creating, changing, or deleting a user account or group
  - Renaming, disabling, or enabling a user account
  - Setting or changing a password

LOGONOFF
  - A user logging on or logging off
  - A user making a network connection

POLICY_CHANGE
  - Changing the audit policy
  - Changing a trust relationship
  - Changing user rights policies

PROCESS
  - Program activation
  - Handle duplication
  - Indirect object access
  - Process exit

SYSTEM
  - A user starting or restarting a server
  - A system security event
  - An event that affects the security log

USER_RIGHTS
  - A user exercising a user right, such as accessing a file, except for logon and logoff rights

To display the audit policy for a domain:

Use the SHOW AUDIT POLICY command. For example:


LANDOFOZ\\TINMAN> SHOW AUDIT POLICY 
 
Audit Policy for domain "LANDOFOZ": 
 
Auditing is currently Disabled. 
 
Audit Event states: 
 
Audit Event         Success   Failure 
------------------- --------  -------- 
ACCESS              Disabled  Disabled 
ACCOUNT_MANAGEMENT  Disabled  Disabled 
LOGONOFF            Disabled  Disabled 
POLICY_CHANGE       Disabled  Disabled 
PROCESS             Disabled  Disabled 
SYSTEM              Disabled  Disabled 
USER_RIGHTS         Disabled  Disabled 
 
LANDOFOZ\\TINMAN> 

To enable auditing and set the audit policy for a domain:

Use the SET AUDIT POLICY/AUDIT command. For example, to enable auditing of successful logon and logoff operations, enter the following command.


LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/SUCCESS=LOGONOFF 
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" 
LANDOFOZ\\TINMAN> SHOW AUDIT POLICY 
 
Audit Policy for domain "LANDOFOZ": 
 
Auditing is currently Enabled. 
 
Audit Event states: 
 
Audit Event         Success   Failure 
------------------  --------  -------- 
ACCESS              Disabled  Disabled 
ACCOUNT_MANAGEMENT  Disabled  Disabled 
LOGONOFF            Enabled   Disabled 
POLICY_CHANGE       Disabled  Disabled 
PROCESS             Disabled  Disabled 
SYSTEM              Disabled  Disabled 
USER_RIGHTS         Disabled  Disabled 
 
LANDOFOZ\\TINMAN> 

To enable auditing of all events, use the following command:

SET AUDIT POLICY/AUDIT/SUCCESS=ALL/FAILURE=ALL
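Because the per-event states only take effect while auditing itself is enabled, a review of a captured SHOW AUDIT POLICY display has to read the "Auditing is currently ..." line before the table. The following Python is an added example, not part of this guide or of the PATHWORKS software: it parses the display shown after SET AUDIT POLICY/AUDIT/SUCCESS=LOGONOFF above and reports which required (event, outcome) pairs are not actually being recorded, where REQUIRED is a constructed baseline.

```python
"""Derive which audit events are actually in effect from a SHOW AUDIT POLICY display.
Added example, not PATHWORKS code: SAMPLE is the page's display after
SET AUDIT POLICY/AUDIT/SUCCESS=LOGONOFF, and REQUIRED is a constructed baseline."""
import re

SAMPLE = """\
Auditing is currently Enabled.

Audit Event         Success   Failure
------------------  --------  --------
ACCESS              Disabled  Disabled
ACCOUNT_MANAGEMENT  Disabled  Disabled
LOGONOFF            Enabled   Disabled
POLICY_CHANGE       Disabled  Disabled
PROCESS             Disabled  Disabled
SYSTEM              Disabled  Disabled
USER_RIGHTS         Disabled  Disabled
"""
ROW = re.compile(r"^([A-Z_]+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)$")
# Constructed baseline: (event, outcome) pairs a domain controller should record.
REQUIRED = {("LOGONOFF", "SUCCESS"), ("LOGONOFF", "FAILURE"),
            ("ACCOUNT_MANAGEMENT", "SUCCESS"), ("POLICY_CHANGE", "SUCCESS")}


def audit_enabled(text):
    """The master switch: per-event states only take effect while this is True."""
    return "Auditing is currently Enabled." in text


def event_states(text):
    """Parse the table into {event: {"SUCCESS": bool, "FAILURE": bool}}."""
    states = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            states[m.group(1)] = {"SUCCESS": m.group(2) == "Enabled",
                                  "FAILURE": m.group(3) == "Enabled"}
    return states


def effective_audit(text):
    """(event, outcome) pairs the server will really log: empty if auditing is off,
    even when individual rows still show Enabled."""
    if not audit_enabled(text):
        return set()
    return {(ev, oc) for ev, s in event_states(text).items() for oc, on in s.items() if on}


def audit_gaps(text, required=REQUIRED):
    """Required pairs that are not in effect, sorted for a stable report."""
    return sorted(required - effective_audit(text))
```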

2.4 Managing a Server

When you manage a server, you can display server information, send messages to users, and start and stop services.

2.4.1 Displaying Server Information

You can display information about the server including connections, user sessions, shared resources, and the software version number.

2.4.1.1 Displaying Connections

As you manage your server, you may need to know which connections are active. A connection is a virtual link between a workstation and a shared resource on a server.

To display existing connections:

Use the SHOW CONNECTIONS command. For each active connection to the server, the SHOW CONNECTIONS command displays the user name, the computer name, the share name, the number of opens, and the connection time.

For example, the following display shows current connections to the shared resource called WIZARD:


LANDOFOZ\\TINMAN> SHOW CONNECTIONS/SHARE=WIZARD 
 
Connections on server "TINMAN" 
 
User name        Computer name    Share name    Opens   Time 
---------------  ---------------- ------------- ------- ----------- 
SCARECROW        DOROTHY          WIZARD            2   0 00:04 
 
   Total of 1 connection 
 
LANDOFOZ\\TINMAN> 

2.4.1.2 Displaying User Sessions

As you manage your server, you may need to know which sessions are active. A session is a network link between a workstation and a server. A session can have one or more connections to shared resources.

To display user sessions:

Use the SHOW SESSIONS command. You can include the /SERVER qualifier to display sessions on a specific server. For each connected user, the display includes the user name, the computer name, the number of opens, the session time, the idle time, and whether the user is connected as a guest.

For example:


LANDOFOZ\\TINMAN> SHOW SESSIONS/SERVER=WOODMAN 
 
User sessions on server "WOODMAN": 
 
Connected Users     Computer      Opens   Time       Idle       Guest 
------------------  ---------     -----   -------    -------    ----- 
ADMINISTRATOR       DOROTHY           1   1 24:54    0 00:00    No 
SCARECROW           DOROTHY           3   0 03:48    0 00:03    No 
 
  Total of 2 connected users 
 
LANDOFOZ\\TINMAN> 

2.4.1.3 Displaying Shared Resources

The PATHWORKS Advanced Server allows you to display information about shares.

To see shared resources from the current server:

Use the SHOW SHARES command. This command displays the name, type, and description of each share.

For example, the following command displays the shares on the server currently being administered (TINMAN):


LANDOFOZ\\TINMAN> SHOW SHARES 
 
Shared resources on Server "TINMAN": 
 
Name              Type          Description 
---------       ---------       ---------------------------------- 
NETLOGON        Directory       Logon Scripts Directory 
RAINBOW         Directory       Local Oz Share 
PWLIC           Directory       PATHWORKS Client License Software 
PWLICENSE       Directory       PATHWORKS Client License Software 
PWUTIL          Directory       PATHWORKS Client-based Utilities 
USERS           Directory       Users Directory 
 
   Total of 6 shares 
 
LANDOFOZ\\TINMAN> 

2.4.1.4 Displaying the Software Version Number

You can verify the version number of PATHWORKS Advanced Server software.

To display the version number of server software on your system:

Use the SHOW VERSION command. For example:


LANDOFOZ\\TINMAN> SHOW VERSION 
 
PATHWORKS V6.0B for OpenVMS (Advanced Server) 
 
LANDOFOZ\\TINMAN> 

This command is valid for PATHWORKS for OpenVMS Advanced Servers only.

2.4.2 Sending Messages to Users

You should send messages to users before you change the operating characteristics of a server. For example, you might send a message before disconnecting users or if you need to stop sharing a resource on a computer. For a message to be sent and received, the Alerter service must be running on the computer sending the message, and the Messenger service must be running on the computer receiving the message.

Note

PATHWORKS for OpenVMS (Advanced Server) does not support the reception of these types of messages.

To send a message to users:

  1. Identify the computer to which you will send your message.
  2. Enter the ADMINISTER SEND command, including the computer name and the message. Enclose the message in quotation marks.

For example, the following command sends the message "Shutdown at 1 pm today!!!" to the computer called DOROTHY.


LANDOFOZ\\TINMAN> SEND DOROTHY "Shutdown at 1pm today!!!" 
 
LANDOFOZ\\TINMAN> 

The message is displayed in a Messenger Service pop-up window on computer DOROTHY in the following form:


       Message from TINMAN to DOROTHY on 8/31/98 11:20 AM 
       "Shutdown at 1pm today!!!" 

You can also send a message to all users connected to a server with the /USERS qualifier, and select which server in your domain to send it from with the /SERVER=servername qualifier.

To send a message to users on a specific server:

Use the /USERS and /SERVER qualifiers together. For example, the following command sends the message "Shutdown at 1pm today!!!" to all users connected to server WOODMAN.


LANDOFOZ\\TINMAN> SEND/USERS/SERVER=WOODMAN "Shutdown at 1pm today!!!" 
 
LANDOFOZ\\TINMAN> 

This command may take a few minutes to complete.

2.4.3 Managing Services

To manage PATHWORKS Advanced Server services, you need to know how to start and stop services and how to configure service startup. Services are set up during server installation and configuration.

You can start and stop each of the services available on the computer and determine whether a service will start up automatically when the system starts. The following table shows the default services provided with PATHWORKS Advanced Server.

Table 2-3 Default PATHWORKS Advanced Server Services

Alerter
  Notifies selected users and computers of administrative alerts that occur on this server. Used by the server and other services.
  Starts by default: Yes. Can be paused: No. Can be stopped: Yes.

Browser
  Lists network entities, such as domains, computers, and shared resources.
  Starts by default: Yes. Can be paused: No. Can be stopped: Yes.

EventLog
  Records system, security, and application events in the event logs, and enables remote access to those logs. Cannot be stopped separately; stops together with the Server service.
  Starts by default: Yes. Can be paused: No. Can be stopped: No.

NetLogon
  Verifies the user name and password of each user who attempts to log on to the network or gain access to the server. Synchronizes security databases.
  Starts by default: Yes. Can be paused: Yes. Can be stopped: Yes.

Server
  Provides file and print sharing.
  Starts by default: Yes. Can be paused: Yes. Can be stopped: No.

TimeSource
  Identifies a server as the time server for a domain. Other computers synchronize their clocks with the time server.
  Starts by default: No. Can be paused: No. Can be stopped: Yes.

The Alerter, NetLogon, and TimeSource services can be enabled and disabled using the SRVSERVICES keyword in the LANMAN.INI file, as described in Appendix A, The LANMAN.INI File.

2.4.3.1 Displaying Services

As you manage your server, you may need to know the state of network services.

To display available services:

Use the SHOW SERVICES command. For example:


LANDOFOZ\\TINMAN> SHOW SERVICES 
 
Services on server "TINMAN": 
 
Service           Current State 
--------------    --------------- 
ALERTER           Started 
BROWSER           Started 
EVENTLOG          Started 
NETLOGON          Started 
SERVER            Started 
TIMESOURCE 
 
   Total of 6 services 
 
LANDOFOZ\\TINMAN> 

2.4.3.2 Starting Services

Normally, the services listed in the SRVSERVICES keyword of the LANMAN.INI file are started when the server is started. To start a service that has been stopped, use the START SERVICE command. You must spell the service name in full. You must be logged on to a user account that is a member of the Administrators group to perform these operations.

To start a service:

Use the START SERVICE command. For example:


LANDOFOZ\\TINMAN> START SERVICE TIMESOURCE 
%PWRK-S-SVCSTART, service "TIMESOURCE" started on server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

2.4.3.3 Pausing Services

You can suspend execution of the Server and NetLogon services. Unlike stopping a service, pausing does not cancel resource sharing or connections or change settings associated with the service.

Pausing the Server service prevents users from making new connections to the server's shared resources; however, users who have already connected to shared resources can continue to use the resources. To pause the Server service, you must be a member of the Administrators or Server Operators groups. Pausing the Server service does not prevent users who are members of the Administrators group from connecting to the service.

To pause a service:

Use the PAUSE SERVICE command. For example:


LANDOFOZ\\TINMAN> PAUSE SERVICE SERVER 
Do you really want to pause service "SERVER" [YES or NO](YES): YES 
%PWRK-S-SVCPAUSE, service "SERVER" paused on server "TINMAN" 
 
LANDOFOZ\\TINMAN> 

