You can use the CONTINUE SERVICE command to continue a paused service. When you continue a service, you restore access to the service.

To continue a service:

Use the CONTINUE SERVICE command. For example:

LANDOFOZ\\TINMAN> CONTINUE SERVICE SERVER %PWRK-S-SVCCONT, service "SERVER" continued on server "TINMAN" LANDOFOZ\\TINMAN>

2.4.3.5 Stopping Services

Stopping a service disables all features provided by that service. You can stop the Alerter, Browser, NetLogon, and TimeSource services. You must be a member of the Administrators group or Server Operators group to stop a service. To stop the Server service, use the PWRK$SHUTDOWN.COM command procedure, as described in the PATHWORKS for OpenVMS Server Installation and Configuration Guide.

Before you stop the Server service, you should first pause the service and send a message to users connected to the server's shared resources, warning them that the Server service will be stopped. Your message should ask all users to stop their current activities and close all files. Give users adequate time to close their files before you proceed. If you stop the Server service while users are accessing shared resources, they may lose data.

To stop a service:

Use the STOP SERVICE command. For example:

LANDOFOZ\\TINMAN> STOP SERVICE TIMESOURCE Do you really want to stop service "TIMESOURCE" [YES or NO] (YES): YES %PWRK-S-SVCSTOP, service "TIMESOURCE" stopped on server "TINMAN" LANDOFOZ\\TINMAN>

2.4.3.6 Synchronizing Clocks on All Network Computers

You can designate a PATHWORKS Advanced Server as the network time server in a domain by having it run the TimeSource service. Client computers on the network can synchronize their time with the time server, which makes it possible to synchronize network events. For OpenVMS servers, the operating system maintains the clock, which cannot be set with PATHWORKS Advanced Server commands.

To run the TimeSource service automatically, you can edit the LANMAN.INI file to include TIMESOURCE in the SERVER section as a value for the SRVSERVICES keyword, or you can specify the TimeSource service using the initial configuration procedure, PWRK$CONFIG.COM. For example, the LANMAN.INI file could contain an entry of the following form:

[SERVER] . . . SRVSERVICES=ALERTER,NETLOGON,TIMESOURCE

With this entry in place, the TimeSource service starts automatically whenever you start the server. To activate the TimeSource service after the server is running, you can use the START SERVICE TIMESOURCE command.

2.5 PATHWORKS in an OpenVMS Cluster

Some servers in your network may be configured in an OpenVMS cluster environment. PATHWORKS Advanced Servers running in an OpenVMS cluster share the same copy of the user accounts and shares databases and assume a single role. That is, all members of the OpenVMS cluster assume the role of a primary domain controller or a backup domain controller, as appropriate.

2.5.1 The PATHWORKS Cluster Alias

With PATHWORKS Advanced Server, you must define an alias name that allows an OpenVMS cluster to be addressable by client workstations as a single entity.

Both the PATHWORKS cluster alias and the OpenVMS cluster alias represent the set of server nodes running in an OpenVMS cluster environment. The PATHWORKS alias is transport independent (recognized by all network protocols), while the OpenVMS cluster alias is unique to either TCP/IP or DECnet, depending on the cluster configuration.

2.5.2 Defining a PATHWORKS Cluster Alias

You must define a PATHWORKS cluster alias for each OpenVMS cluster. The alias must be unique among domain names and server names, but the OpenVMS cluster alias and the PATHWORKS alias can be the same.

PATHWORKS Advanced Server users can access resources on the OpenVMS cluster by connecting to the cluster using the PATHWORKS cluster alias. No default alias name is defined when you install PATHWORKS Advanced Server in an OpenVMS cluster environment. During the initial configuration process (that is, when you run the PWRK$CONFIG.COM command procedure), you can accept the default cluster alias (nodename_ALIAS), or you can specify a different alias name. Refer to the PATHWORKS for OpenVMS Server Installation and Configuration Guide for more information about the PWRK$CONFIG.COM command procedure.

2.5.3 OpenVMS Cluster Load Balancing

The PATHWORKS cluster alias provides load balancing. At any given time, only one node in the OpenVMS cluster responds to connection requests sent to the PATHWORKS cluster alias. The responding node is the least loaded among the available nodes. This responsibility changes dynamically.

To gain the benefits of load balancing, clients should connect to the OpenVMS cluster using the PATHWORKS cluster alias; the client is connected to the least-busy server in the OpenVMS cluster. However, to perform administrative functions on a particular node, you must connect to that node specifically.

When a client connects to a server using the PATHWORKS cluster alias, PATHWORKS Advanced Server associates the node's network address with the PATHWORKS cluster alias. Additional connections made from the same client to the alias are made directly to the same node. Once a client is connected, no further load balancing for that client is done.

When the node to which a client is connected using the PATHWORKS cluster alias is shut down or crashes, a client reconnect using the alias reestablishes the client's connections to the node that is the least loaded.

On OpenVMS, you use PATHWORKS Advanced Server ADMINISTER commands to manage user accounts and groups for network domains and computers. You can also use the Windows NT server administration tool, User Manager for Domains, to perform these tasks.

The Upgrade utility lets you upgrade users, groups, shares, and security from a PATHWORKS V5 for OpenVMS (LAN Manager). Refer to the PATHWORKS for OpenVMS (Advanced Server) Server Migration Guide for information about upgrading your server.

The following topics are described in this section:

• Planning PATHWORKS Advanced Server User Accounts --- describes how to plan your user accounts. For more information on planning, see the Advanced Server for OpenVMS Concepts and Planning Guide.
• Managing PATHWORKS Advanced Server User Accounts --- describes how to add, modify, disable, enable, delete, rename, and display user accounts and how to specify passwords, logon hours, scripts, workstations, and other user account information.
• Planning PATHWORKS Advanced Server Groups --- describes how to plan your global and local groups.
• Managing PATHWORKS Advanced Server Groups --- describes how to create, copy, modify, delete, and display groups.

A user account contains all the information that defines a PATHWORKS Advanced Server user. This includes user name, password, and group memberships. It can also include information such as the user's full name, the user account description, user profile information, a list of logon workstations, and a schedule of authorized logon hours.

3.2.1 Built-In User Accounts

Two predefined, built-in user accounts are provided when a PATHWORKS Advanced Server is installed:

• The Administrator user account is used to manage the server's users, groups, and resources. The Administrator account belongs to the Administrators, Domain Admins, and Domain Users built-in groups.
  You can use the Administrator account to administer a new server or workstation before you have had the opportunity to create an account for yourself. You cannot delete or disable the Administrator account. This ensures that you will never lock yourself out of the computer. When you initially configure the PATHWORKS Advanced Server, you are prompted to choose a password for the Administrator account. Always assign a password to the Administrator account to help ensure security.
• The Guest user account belongs to the Domain Guests group and allows logons for users who do not have accounts in the computer's domain, or in a domain trusted by the domain where the Guest account has been enabled. By default, the Guest account is disabled at installation. You can enable it if Guest access is desired.

Every PATHWORKS Advanced Server user account is either a global account or a local account.

Global accounts provide access to resources in the domain where the user account is created, and can also provide access to resources in domains that trust the domain where the user account is created. Most user accounts are global accounts.

Local accounts allow access to users who log on to other domains in cases where a trust relationship has not been established with the domain where the local user account is created.

3.3 Managing PATHWORKS Advanced Server User Accounts

A user who needs access to resources shared on a server must have one of the following:

• A user account in the server's domain
• A user account in a trusted domain
• Access to the Guest account

Resource permissions on the required resources must be set up properly to allow access.

The user account identifies the user to PATHWORKS Advanced Server. The user account is used to authenticate the user both when the user logs on to the domain and when the user requests access to shared resources.

Each user account must have a unique user name in the domain. When you create a user account, you can specify the user account attributes shown in the following table.

Table 3-1 User Account Attributes

Attribute	Contains
User name	The user's account name (up to 20 alphanumeric characters).
Password	The password the user enters to log on to the account (up to 14 uppercase and lowercase alphanumeric characters).
Full name	User's full name, typically more complete than the account name (up to 256 characters).
Description	A brief text string describing the account.
Expiration date	Date when the account expires.
Type	Global or local.
Group names	The names of groups of which the user is a member. Determines privileges and access.
Logon restrictions	Logon hours and valid workstations.
Logon script	A script that is executed when the user logs on.
Home directory	A specified location containing files and programs for the user.
User profile	Setup information for the user's specific environment.

To set up and manage user accounts, you perform the following tasks:

• Create a user account by adding a new account, or by copying an existing account, or by creating the account from an account template.
• Specify passwords for new accounts, and change the passwords for existing accounts.
• Specify logon hours and logon scripts.
• Specify workstations from which the user can log on.
• Specify home directories.
• Specify user account expiration dates.
• Specify user profiles.
• Display and modify user accounts.
• Disable or remove user accounts.
• Map PATHWORKS Advanced Server accounts to OpenVMS accounts.

The next sections describe these tasks.

3.3.1 Creating User Accounts

You create PATHWORKS Advanced Server user accounts with the ADD USER or COPY USER command.

3.3.1.1 Creating a PATHWORKS Advanced Server User Account

When you create a user account, you must provide all the information relevant to that user. You can use the ADD USER command to create a user account, or the COPY USER command to copy another account and modify it to suit the specific user.

When you display user information, the users are listed alphabetically by user name; you can optionally sort the display based on the full name. Therefore, follow the same conventions for all users when you enter full names; for example, Cowardly Lion or Lion, Cowardly.

Passwords for PATHWORKS Advanced Server are case sensitive. Passwords entered on the ADMINISTER command line default to all uppercase characters, unless you enclose them in quotation marks. To preserve lowercase letters, spaces, and other nonalphanumeric characters in passwords when you enter ADMINISTER commands, enclose the password in quotation marks, or enter the password in response to the prompt instead of on the command line.

To create a user account:

Use the ADD USER command. For example:

(LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD - _LANDOFOZ\\TINMAN> /DESCRIPTION= "The Straw Man" - _LANDOFOZ\\TINMAN> /FULLNAME="Man, Straw" Password: Password verification: %PWRK-S-USERADD, user "SCARECROW" added to domain "LANDOFOZ" LANDOFOZ\\TINMAN>

You can let PATHWORKS Advanced Server prompt you for the user name and the password. The password is not displayed as you enter it. You should always supply a password when you add a user account; otherwise the password value is unknown. By default, a user account is created with an expired password. The user must enter a new password at first logon. To remove the need for users to reset their passwords at first logon, use the /FLAGS=(NOPWDEXPIRED) qualifier with the ADD USER command.

You can specify additional details about the user account, including an account description, expiration date, a full name, type of account (global or local), a home directory, logon hours, group membership, user profile, logon script, and workstation names, if any. For details on the ADD USER command, see the Advanced Server for OpenVMS Commands Reference Manual.

The ADD USER command does not create an OpenVMS user account. However, if the user also has an OpenVMS account, you can associate the two user accounts. For more information, see Section 3.3.12, User Account Host Mapping.

Users with both a PATHWORKS Advanced Server account and an OpenVMS account have two passwords: one for each user account. You can enable external authentication for these users, providing automatic password synchronization between the OpenVMS password and the PATHWORKS Advanced Server password. For information about setting up external authentication, see Section 3.3.13, Enabling PATHWORKS External Authentication.

To verify that the user has been added:

Use the SHOW USERS command. You can display details about a user account with the SHOW USER/FULL command. For example:

LANDOFOZ\\TINMAN> SHOW USERS SCARECROW/FULL User accounts in domain "LANDOFOZ": User Name Full Name Type Description -------------------- -------------------- ------ --------------- SCARECROW Man, Straw Global The Straw Man User Profile: Logon Script: Primary Group: Domain Users Member of groups: Domain Users Workstations: No workstation restrictions Logon Flags: Login script is executed, Password is expired Account Type: Global Account Expires: Never Logon hours: (All hours) Total of 1 user account LANDOFOZ\\TINMAN>

3.3.1.2 Creating User Account Templates

You can create a template for user accounts, specifying user account information common to the new user accounts you need to create. Most user account information can be copied from the template to the new user accounts, except for user name and password. For example, you could create a template user account as follows:

LANDOFOZ\\TINMAN> ADD USER TEMPLATE/LOCAL/HOURS=(8-5) - _LANDOFOZ\\TINMAN> /MEMBER_OF_GROUPS=MUNCHKINS %PWRK-S-USERADD, user "TEMPLATE" added to domain "LANDOFOZ"

You can then use the COPY USER command to create many new user accounts that have these same characteristics. Once you have completed adding all your new user accounts, you can then delete or disable the TEMPLATE user account, as described in Section 3.3.11, Disabling and Removing User Accounts.

3.3.1.3 Copying User Accounts

You can use the COPY USER command to create a new user account from an existing account or a template account. Some of the original user account information is copied to the new user account, such as group memberships and logon restrictions. A template account makes it easier to create many similar user accounts with fewer errors than to create them one by one. Some user account information, such as user name and passwords, is not copied to the new user account. You should always supply a password when you create a new user account; otherwise the password value is unknown.

To copy an existing user account:

Use the COPY USER command. Use the /PASSWORD qualifier to specify the password for the new user account. For example, to create a new user LION based on a user account template (TEMPLATE), enter the following command:

LANDOFOZ\\TINMAN> COPY USER TEMPLATE LION /PASSWORD="Roaring1" - _LANDOFOZ\\TINMAN> /FULL_NAME="Cowardly Lion" %PWRK-S-USERCOPY, user "TEMPLATE" copied to "LION" in domain "LANDOFOZ" LANDOFOZ\\TINMAN>

This example copies the TEMPLATE user account information to a new account for user LION and uses the /FULL_NAME qualifier to provide the full name for the new user. The /PASSWORD qualifier specifies the password for the account LION. You can verify that the user is correctly added using the SHOW USERS command.

3.3.2 Specifying Passwords

Users must specify their password when they log on to the domain. The user name and password are validated against the user accounts database.

PATHWORKS Advanced Server passwords characteristics are controlled by the following:

• The /FLAGS qualifier to the ADD USER, COPY USER, and MODIFY USER commands. For example, use ADD USER/FLAGS=(keyword) to specify password characteristics when you create a user account. The keywords that control the password characteristics are:
  • [NO]DISPWDEXPIRATION, which prevents the password from expiring.
  • [NO]PWDEXPIRED, which specifies whether the password is initially expired. This forces users to specify a new password when they log on the first time.
  • [NO]PWDLOCKED, which specifies whether the user is allowed to change the password.
  
  For more information about these commands and qualifiers, refer to the Advanced Server for OpenVMS Commands Reference Manual.
• The SET ACCOUNT POLICY/PASSWORD_POLICY=(option) command sets domain-wide account policy characteristics that pertain to all passwords, where the options include:
  • [NO]HISTORY=n, which specifies the number of new passwords that must be used before an old password can be reused.
  • [NO]MAXAGE=n, which specifies the maximum number of days a user's password can be used before the server requires the user to change it.
  • [NO]MINAGE=n, which specifies the minimum number of days a user's password must be used before the user can change it.
  • MINLENGTH=n, which specifies the minimum length of a password.
  
  For more information about setting the account policy, refer to Section 2.3, Managing Security Policies.

PATHWORKS Advanced Server users who also have OpenVMS user accounts have two passwords, one for each account. If password synchronization is important, as with PATHWORKS external authentication, be careful to observe limitations in password length and characters required by OpenVMS as well as PATHWORKS Advanced Server. PATHWORKS Advanced Server passwords can be up to 14 characters long; OpenVMS passwords can be longer. To help ensure security, select secure passwords using words not found in the dictionary, including numbers or nonalphabetic characters.

When you add a new user or modify the password for an existing user, you specify the password for that user. For example:

LANDOFOZ\\TINMAN> ADD USER SCARECROW/PASSWORD="YellowRoad" %PWRK-S-USERADD, user "SCARECROW" added on domain "LANDOFOZ" LANDOFOZ\\TINMAN>

To preserve case in a password, enclose it in quotation marks. By default, a password entered on the command line that is not enclosed in quotation marks is stored in uppercase letters. However, case is preserved for a password entered in response to a prompt.

To change a user password:

To change a user's password, you can use the SET PASSWORD command or the MODIFY USER/PASSWORD command. For example:

LANDOFOZ\\TINMAN> SET PASSWORD SCARECROW "YellowRoad" "EmeraldCity" %PWRK-S-PSWCHANGED, password changed for user "SCARECROW" in domain "LANDOFOZ" LANDOFOZ\\TINMAN>

In this example, the user name is SCARECROW, the existing password is "YellowRoad" and the password is changed to "EmeraldCity."