| Previous | Contents | Index |
Permanently removes a user from a domain's security database.Be sure you want to remove a user before you do so, because you cannot recover a deleted user account. The server knows every user account by its security identifier (SID), a unique number that identifies it. If you delete a user account and then create another user account with the same name, the new user account will not have any of the permissions that were previously granted to the old user account, because the user accounts have different SID numbers.
REMOVE USER user-name [/qualifiers]
Use of this command requires membership in the Administrators or Account Operators local group. Only members of the Administrators local group can remove an Administrators privilege account.
user-name
Specifies the name of the user account that you wish to remove.
/CONFIRM
/NOCONFIRM
Controls whether you are prompted for a confirmation before the operation is performed. The default is /CONFIRM if running in interactive mode. When the prompt is issued, the default response is shown, and you may accept the default by pressing Return or Enter. If you type YES, TRUE, or 1, the operation is performed. If you type NO, FALSE, 0, or enter Ctrl/Z, no action is performed. If you type anything else, the prompt is repeated until you type an acceptable response. No prompt for confirmation is issued if running in batch mode./DOMAIN=domain-name
Specifies the name of the domain from which to remove the user account. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line./SERVER=server-name
Specifies the name of a server that is a member of the domain from which to remove the user. Do not specify both /DOMAIN and /SERVER on the same command line.
LANDOFOZ\\TINMAN> REMOVE USER SCARECROW
Each user account is represented by a unique identifier which is
independent of the user name. Once this user account is deleted,
even creating an identically named user account in the future will
not restore access to resources which currently name this user
account in the access control list.
Remove user "SCARECROW" [YES or NO] (YES) : YES
%PWRK-S-USERREM, user "SCARECROW" removed from domain "LANDOFOZ"
|
This example removes the user named SCARECROW from the domain currently being administered (LANDOFOZ). A confirmation is required.
Saves an event log file to a specified archive file on the local computer. A saved event log file can later be reopened for display by the SHOW EVENTS command.
SAVE EVENTS log-file-spec [/qualifiers]
Use of this command requires membership in the Administrators local group.
log-file-spec
A local file specification for the archived log file. An event log can only be saved to the local computer. On an OpenVMS server, if no device or directory is specified, the archived event log is saved to the path pointed to by the logical name PWRK$LMLOGS:.
/SERVER=server-name
Specifies the name of the server whose event log file is to be saved. The default is the server currently being administered./TYPE=log-type
Specifies the log file to be saved. The log-type keyword can be one of the following:
Log-type Log File APPLICATION The application log file SECURITY The security log file SYSTEM The system log file (the default)
LANDOFOZ\\TINMAN> SAVE EVENTS SYSTEM.BKP/TYPE=SYSTEM/SERVER=DOROTHY
%PWRK-S-ELFSAVE, System Event Log from server "DOROTHY" saved
|
This example saves the system event log file on server DOROTHY to the local file PWRK$LMLOGS:SYSTEM.BKP.
Sends a message to one or more computers on the network, or to all or specific users connected to a server. The message appears in a pop-up window on the workstation.
SEND computer-name[,...] [/qualifiers] [message]SEND/USERS [/qualifiers] [message]
Messages can only be received by client computers running the Messenger service.
computer-name
Specifies the computers that are to receive the message, either a single computer name, or a comma-separated list of computer names.message
Specifies the text of the message to send. The message text must follow all other parameters and qualifiers. To preserve the case of a message, enclose the message in quotation marks. If message is not specified, you are prompted for a multi-line message. When you have finished entering the message, enter Ctrl/Z to terminate the message text.
/NAME=user-name
Use with the /USERS qualifier to send the message to a specific user. user-name is the name of the user to whom to send the message./SERVER=server-name
Specifies the name of the server from which to send the message. If you use the /USERS qualifier, the value of server-name is also used to select the users to which the message is sent. The default is the server currently being administered./SHARENAME=share-name
Use with the /USERS qualifier to restrict sending the message to only users connected to the specified share name./USERS
If included, the /USERS qualifier must immediately follow the SEND verb and is used to send the message to users connected to a server rather than to specific computers. The default is to send the message to all users connected to the server. However, you can use the /NAME and /SHARENAME qualifiers with the /USERS qualifier to send a message to specific users.
| #1 |
|---|
LANDOFOZ\\TINMAN> SEND OZ1,OZ2 "Meeting changed to 3 pm."
|
This example sends the message "Meeting changed to 3 pm." to computers OZ1 and OZ2.
| #2 |
|---|
LANDOFOZ\\TINMAN> SEND/USERS/SERVER=DOROTHY -
_LANDOFOZ\\TINMAN> "Server DOROTHY will be going down at 21:00 hours"
|
This example sends the message "Server DOROTHY will be going down at 21:00 hours" to all users connected to the server DOROTHY.
| #3 |
|---|
LANDOFOZ\\TINMAN> SEND/USERS/SERVER=DOROTHY/SHARENAME=WIZARD -
_LANDOFOZ\\TINMAN> "The WIZARD share will be deleted at 6 pm."
|
This example sends the message "The WIZARD share will be deleted at 6 pm." to all users connected to the share named WIZARD on server DOROTHY.
| #4 |
|---|
LANDOFOZ\\TINMAN> SEND/USERS/NAME=TOTO "Follow the yellow brick road"
|
This example sends the message "Follow the yellow brick road" to user TOTO connected to the server currently being administered (TINMAN).
Sets the account policy, which controls how passwords are used by all user accounts, and whether user accounts are automatically locked out after a series of failed logon attempts.
SET ACCOUNT POLICY [/qualifiers]
Use of this command requires membership in the Administrators local group.
/DOMAIN=domain-name
Specifies the name of the domain for which to set the account policy. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line./FORCE_DISCONNECT
/NOFORCE_DISCONNECT
Controls whether a user's connections to any server in the domain are forcibly disconnected when the user account exceeds its logon hours. This interacts with the logon hours defined for a user account. /NOFORCE_DISCONNECT, the default, specifies that the user is not to be disconnected, but no new connections from that account will be allowed./LOCKOUT=(option[,...])
/NOLOCKOUT
Controls whether users are locked out after a specified number of failed logon attempts. The option keyword can be one or more of the following:
Option Description ATTEMPTS= n Specifies the failed logon count. Account is locked out after the specified number of failed attempts. The value of n can be from 1 to 999. The default is 5. WINDOW= n Specifies the number of minutes from the most recent failed login attempt before the failed login count is reset to zero. For example, if the WINDOW is set to 30 minutes, then thirty minutes after the most recent failed login attempt, the failed logon count is reset to zero. The value of n can be from 1 to 99999. The default is 30. DURATION= n Specifies the number of minutes before a locked out account is automatically unlocked. The value of n can be FOREVER or a value from 1 to 99999. The default is 30. The /NOLOCKOUT qualifier specifies that user accounts are never locked out, no matter how many failed logon attempts are made on a user account. This is the default if you do not specify /LOCKOUT.
Administrators can unlock a locked out account using the MODIFY USER/UNLOCK command.
/PASSWORD_POLICY=(option[,...])
Specifies password policies for the domain. The option keyword can be one or more of the following:
Option Description HISTORY= n Sets the number of new passwords that must be used by a user before an old password can be reused. n specifies the number of passwords to maintain in the password history, from 0 to 8. The default is 0. NOHISTORY Specifies that no password history should be maintained. MAXAGE= n Sets the maximum number of days a user's password can be used before the server requires the user to change it. n specifies the number of days from 1 to 999. The default is 90 days. NOMAXAGE Specifies that a user's password never expires. MINAGE= n Sets the minimum number of days a user's password must be used before a user can change it. Do not allow immediate changes if a password history value is set. n is the number of days from 1 to 999. The default is 1. NOMINAGE Specifies that a user may change his or her password at any time. MINLENGTH= n Sets the minimum length of a password. n is the minimum number of characters required in the password and can be from 0 to 14. A value of 0 means that a blank password is permitted. The default is 0, which permits a blank password.
/SERVER=server-name
Specifies the name of a server that is a member of the domain for which to set the account policy. Do not specify both /DOMAIN and /SERVER on the same command line.
| #1 |
|---|
LANDOFOZ\\TINMAN> SET ACCOUNT POLICY -
_LANDOFOZ\\TINMAN> /LOCKOUT=(ATTEMPTS=3,WINDOW=20,DURATION=25)
%PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ"
|
This example limits users to three failed logon attempts, resets the failed logon count every 20 minutes, and unlocks locked-out accounts after 25 minutes.
| #2 |
|---|
LANDOFOZ\\TINMAN> SET ACCOUNT POLICY/NOLOCKOUT-
_LANDOFOZ\\TINMAN> /PASSWORD_POLICY=(NOHISTORY,MINLENGTH=10)
%PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ"
|
This example disables account lockouts and history checking of passwords, and sets the minimum password length to 10. The account policy is set on the domain currently being administered (LANDOFOZ).
Selects a new default domain or server, or both, to be administered. The command prompt is changed to reflect the new domain and server being administered. The format of the command prompt is DOMAIN\\SERVER>, where DOMAIN is the name of the domain being administered, and SERVER is the name of the server being administered.
SET ADMINISTRATION [/qualifiers]
Use of this command does not require special group membership.
/DOMAIN=domain-name
Selects a new default domain to be administered. Initially, the domain name is set to be the domain where you are logged on, or, if you are not logged on, the domain of the local server. A value for domain-name specifies a different domain to be administered. If you omit the domain-name value, then the initial default domain is reset. The domain-name is used as the default domain for any command that operates on a domain. The /DOMAIN qualifier value on an individual command overrides this default value.If you omit the /SERVER qualifier, the server being administered is set to the local server if the specified domain is the local server's domain; otherwise, it is set to the name of the primary domain controller for the specified domain. If you specify both a domain and a server, the server must be a member of the domain.
You can specify a computer name in place of the domain name, by preceding the computer name with two backslashes (\\). This allows you to manage a computer that maintains its own security database, such as a Windows NT Workstation, or a Windows NT Server computer that is not a domain controller. If you specify a primary or backup domain controller, the specified computer's domain is selected. The /SERVER qualifier is ignored if you specify a computer name.
Note: The default domain and server names are recomputed when you log on or log off the network using the LOGON or LOGOFF commands, respectively.
/SERVER=server-name
Selects a new default server to be administered. Initially, the server name is set to be the local server if it is a member of the domain being administered; otherwise, it is set to the primary domain controller of the domain being administered. A value for server-name specifies a different server to be administered. If you omit the server-name value, then the initial default server name is reset.The server-name is used as the default server name for any command that operates on a server. The /SERVER qualifier value on an individual command overrides this default value. If you do not also specify the /DOMAIN qualifier, the domain being administered is set to the domain of the specified server. If you specify both a domain and a server, the server must be a member of the domain.
Note: The default domain and server names are recomputed when you log on or log off the network using the LOGON or LOGOFF commands, respectively.
| #1 |
|---|
LANDOFOZ\\TINMAN> SET ADMINISTRATION/SERVER=OZ3
%PWRK-S-ADMSET, now administering domain "LANDOFOZ", server "OZ3"
LANDOFOZ\\OZ3>
|
This example sets the default server to be administered to OZ3. Since OZ3 is a member of the LANDOFOZ domain, the default domain remains unchanged. All further commands which operate on a specific server will be performed against server OZ3. The command prompt is changed to reflect the new default.
| #2 |
|---|
LANDOFOZ\\OZ3> SET ADMINISTRATION/DOMAIN=KANSAS
%PWRK-S-ADMSET, now administering domain "KANSAS", server "TOPEKA"
KANSAS\\TOPEKA>
|
This example sets the default domain to be administered to KANSAS. Since KANSAS is not the domain of the local server, and the /SERVER qualifier was not specified, the default server is set to the primary domain controller for the KANSAS domain, TOPEKA. All further commands will be performed against the new domain and server. The command prompt is changed to reflect the new defaults.
| #3 |
|---|
KANSAS\\TOPEKA> SET ADMINISTRATION/DOMAIN
%PWRK-S-ADMSET, now administering domain "LANDOFOZ", server "TINMAN"
LANDOFOZ\\TINMAN>
|
This example resets the default domain and server to the initial defaults. The command prompt is changed to reflect the new defaults.
Sets the auditing policy for a domain. A server can track selected activities of users by auditing security events and then placing entries in a server's security log. The server can record a range of security event types, from a system-wide event such as a user logging on, to an attempt by a user to read a specific file. You can audit both successful and failed attempts to perform an action. Use the audit policy to establish the types of security events to log.When administering domains, the audit policy affects the security logs of the domain controller and of all servers in the domain, because they share the same audit policy.
SET AUDIT POLICY [/qualifiers]
Use of this command requires membership in the Administrators local group.
/AUDIT
/NOAUDIT
Controls whether auditing events are logged. /AUDIT enables auditing of the specified events, and /NOAUDIT (the default) disables auditing of the specified events./DOMAIN=domain-name
Specifies the name of the domain on which to set the audit policy. The default is the domain currently being administered. Do not specify both /DOMAIN and /SERVER on the same command line./FAILURE=(event[,...])
Specifies events whose failure adds an entry to the security log. Precede the event keyword with NO to disable logging of a failed event. The event keyword can be one or more of the following:
Event Description ALL Selects all possible events. NONE Deselects all possible events. [NO]ACCESS A user accessed a directory or a file that is set for auditing, or a user sent a print job to a printer that is set for auditing. [NO]ACCOUNT_MANAGEMENT A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed. [NO]LOGONOFF A user logged on, off, or made a network connection. [NO]POLICY_CHANGE A change was made to the Audit, Trust Relationships, or User Rights policies. [NO]PROCESS Process events provide detailed tracking information for events such as program activation, some forms of handle duplication, indirect accesses, and process exit. [NO]SYSTEM A user restarted or shut down the computer, or an event occurred that affects system security, or the security log. [NO]USER_RIGHTS A user exercised a user right, except rights related to logon or logoff. /SERVER=server-name
Specifies the name of a server that is a member of the domain on which to set the audit policy. Do not specify both /DOMAIN and /SERVER on the same command line./SUCCESS=(event[,...])
Specifies events whose success adds an entry to the security log. Precede the event keyword with NO to disable logging of a successful event. The event keyword can be one or more of the following:
Event Description ALL Selects all possible events. NONE Deselects all possible events. [NO]ACCESS A user accessed a directory or a file that is set for auditing, or a user sent a print job to a printer that is set for auditing. [NO]ACCOUNT_MANAGEMENT A user account or group was created, changed, or deleted. A user account was renamed, disabled, or enabled; or a password was set or changed. [NO]LOGONOFF A user logged on, off, or made a network connection. [NO]POLICY_CHANGE A change was made to the Audit, Trust Relationships, or User Rights policies. [NO]PROCESS Process events provide detailed tracking information for events such as program activation, some forms of handle duplication, indirect accesses, and process exit. [NO]SYSTEM A user restarted or shut down the computer, or an event occurred that affects system security, or the security log. [NO]USER_RIGHTS A user exercised a user right, except rights related to logon or logoff.
LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/FAILURE=NOLOGONOFF -
_LANDOFOZ\\TINMAN> /SUCCESS=(ACCESS,POLICY_CHANGE)
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"
|
This example enables logging of audit events, disables auditing of failures to log on or log off, and enables logging of successful attempts to access an object or make policy changes.
| Previous | Next | Contents | Index |