MS BackOffice Unleashed




— 5 —


Administrative Environment


If you are a system or BackOffice server administrator, the topics in this chapter should be near and dear to your heart. This chapter describes the environment—the tools and services—that you use to keep things running on your server. It covers topics from the mundane (adding user accounts) to the excessively exciting (diagnosing problems that have brought down one of your critical applications). It also focuses on the tools as opposed to the actual techniques. Although it covers the User Manager tool, it does not discuss the planning and use of this tool when adding a user who needs, for example, access to the NT operating system and Exchange Server. That information is specific to the individual BackOffice servers with which you are working. You can find this type of information in the chapters on administering those individual components.

The chapter begins with an introduction to system administration. Although some of you may have been doing system administration, there are others who are new to the task. It also seems that there are a number of different definitions of what a system administrator is and does.

Next, you look at an overview of the Windows NT administrative environment, a fairly powerful and nicely integrated environment. Although you may not think that you are going to need to use a particular tool, you might when a particularly nasty problem comes up or someone else is on vacation and you have to fill in.

The third section of this chapter covers the central topic—the tools. By this point, you should be ready to understand what the tools are trying to accomplish. You explore the basics of how to use the tools; the individual strategies for each individual BackOffice server are covered in the appropriate section of the book.

The next section covers some of the specific tools that are unique to the individual BackOffice servers. Although you do not use these tools a lot, you should understand that they are there and have a basic understanding of what they do. They integrate well into the overall BackOffice environment and do not duplicate the functions of the basic Windows NT tools. If you are used to traditional application administration tools that relied on command files or something like that, you will really like these graphical tools.

The final section in this chapter covers the concepts of how you can use the standard Windows NT administration tools to control your applications. Microsoft has gone a long way to provide a tightly integrated environment. It would be a shame if you developed local applications that broke that integration and forced your poor administrators to have to learn how to use another set of tools. The Microsoft tools may not be perfect, but they are better than almost all the locally developed tools for application administration. Remember, Microsoft can prorate the costs of building these tools over the many thousands of copies of Windows NT that are sold as opposed to having to build them each time for an application used by 20 people.

The Windows NT 4.0 environment has significant improvements in the administration portions of the operating system. It is not just the more convenient and graphically more appealing changes made to the graphical user interface. It is also not the hidden internal changes that come in 4.0, such as improvements in the graphics device drivers (which were major). The changes to user administration must have been made by people who actually served as system administrators. They increased the functionality of the User Manager tool, for example. It is now a one-stop place to go when you want to perform almost all user setup and permissions functions. This section of the chapter uses the new 4.0 administration tools and notes wherever there are differences in the 3.51 products.

Overview of System Administration


What is system administration? I have come across a lot of answers to this question during my consulting travels. Part of this derives from individual managers’ preferences as to how they wish to arrange their departments. Part of it comes from the amount of work there is for various positions that results in the combining of two jobs into one person. It also often derives from the individual skill sets of the people doing the work. I have seen many different combinations (some of which I will never understand).

There was actually a document published by IBM in the early days of its mainframe computers that listed suggested staffing for the data center. Many organizations adopted these standards. You can still see its effects on some current organization charts (where there are small systems and database groups that are separated, and they still have a relatively large operations staff). It would be interesting in this era of more for less to see the huge number of people that it used to take to run those early computers that were not as powerful as some of the larger PC servers that are available now.

Here are some suggestions of jobs that I either have seen or can conceive of having as a systems administrator under Windows NT:

These and any number of other tasks can fill up your job jar as a system administrator. One of the most difficult tasks for most computer support types is getting a reasonable list of tasks so that they have time to get the work done properly. This is a difficult job, even when you have experience in the area. There are so many factors that come into play that you need to consider. Here are a few of them:

It's a good idea to work with your management to make your job description both reasonable and enjoyable. These thoughts may make sense to you, but they may not all be the best ones to present to management when you are trying to justify what you think your job description should be (leave off the one about you starting a successful consulting practice for example). Computer types might get a lot further in their arguments if they presented their rationale in terms of business goals. They often have these in the back of their minds, but they never quite express them. Therefore, here is a list of goals and thoughts that you may want to consider for your system, tailored to what might be reasonable for a Windows NT environment:



One of the greatest hindrances to having adequate service from computer support organizations is that they are too busy fighting fires to do any planning. Without planning, they are guaranteed to face more crises in the future. The core technologists are among the most overloaded in this group, and this further impedes user support and general administrative efficiency.


Windows NT Administrative Environment


With the generalities out of the way, it is time to move on to the Windows NT administrative environment. You may be anxious to move right into the tools so that you can figure out how to set the callback number for a particular user in remote access. However, before you start going through the tools, you should review the things that you can control as an administrator. Once you have this, you can then worry about which checkbox on which tab dialog box you use to configure a particular function.

What are the things over which an administrator in the BackOffice environment has control? My list of the things that I consider to be most important includes the following:

There are three key components, generic across the BackOffice environment, that make up the majority of the work performed in system administration. The first of these is maintaining the user environment. This is a combination of the user’s account, password, group associations, resource privileges, and a few other parameters that can be used to ensure that the users have the accesses they need (and no more). The second is the controls that the administrator has over the background processes (services) that are running on the server.

The third is tuning parameters, and that discussion is deferred to Chapter 12, "Windows NT Performance Tuning," Chapter 25, "Exchange Server Performance Tuning and Scaling," Chapter 31, "SQL Server Monitoring and Tuning," and Chapter 41, "Optimizing SNA Server." It takes a lot of background material to understand these concepts and it is not that common a system administration task (which reflects well on the BackOffice suite).

Attributes of a User


It would be extremely difficult for you to control user accounts properly if you did not know the various things over which you have control. This section discusses the components in the overall user environment. The environment is basically similar between Windows NT 3.51 and 4.0. The major advantage of NT 4.0 is that it centralizes the administration of the user into the User Manager tool as opposed to scattering them over a couple of tools as is done in NT 3.51. The following is a simple summary list of control features:

If you want to get fancy, you can find more to tweak, but from my experience, this is the set that will serve you in the vast majority of cases. The preceding items interact with one another to help you accomplish your goals. Each item is incomplete by itself and requires the other items to control the user’s interactions with resources properly. The rest of this section provides an overview of each of the tools that you will need to understand in order to become a full-fledged Windows NT system administrator.

Login IDs, Passwords, and Groups


The first user attribute topic is the user login ID and password. The concepts actually are relatively simple and resemble those on most other operating systems. This is the first instance of how the various properties of the user environment will interact, however. Many security types set limitations on the passwords that are selected in order to make them difficult to guess. The rule of thumb usually is "at least seven characters long." Even if you, as the administrator, create the user login ID and password following this rule, what will stop the users from using the password change utilities to choose a password such as 12345? To prevent this, you need to use the policy features of Windows NT.

The group feature is a powerful tool in the user administration process, and the key is that resource accesses can be given to either individuals or groups. When given to groups, a user who is made a member of that group automatically inherits all the privileges of the group itself. This enables you to quickly give users the privileges they need to complete their jobs. Another advantage of this is that you can choose the group names to be meaningful to you. This enables you to quickly scroll through the list of groups and determine which groups are appropriate for a new user.

Account Policies, Rights, and Profiles


The account policy feature is not always used by NT administrators, but can be quite powerful. The user policy under Windows NT sets up facets of the user operating environment other than the group privileges related to what the user is allowed to do on the system. This is where you set up the system to ensure that the password is complex and secure enough for your organization’s security needs. Some of the features controlled by the user profile include the following:

Closely related policies made by the system administrator are user rights. These focus primarily on what the user is allowed to do with the operating system. This is discussed in detail in the User Rights section, but for now you should have a feel for a few of the functions of the User Rights tool:

A closely related user control feature is the user profile. This feature specifies the available program groups. It also controls whether the Run command is allowed on the File menu. You can create a number of profiles and assign them to various users.

There used to be some confusion over having to work with multiple tools that were needed to set up the profile of operation for a given user. The good news about Windows NT 4.0 is that Microsoft has consolidated almost all the user setup controls in the User Manager tool. When you call up the properties screen for a given user under User Manager, you will find a button labeled Profile, which gives access to many of the features discussed in the next couple of paragraphs. Some enhanced fine tuning over the user’s working environment can be made using the System Policy Editor on the Administrative Tools menu. You get to control some low-level details, such as which wallpaper graphic will be displayed as the desktop for a given user. The System Policy Editor allows you to assign a policy to a given user or group. These profiles are not enforced when the user accesses resources from other workstations running Windows 95, DOS, and so forth.

Home Directories, Login Scripts, Login Time, and Login Capabilities


The next control feature of the user environment is the home directory. You have the option of specifying a directory that the user will access by default for all save operations that are directly controlled by the operating system. If you open a DOS prompt, for example, the home directory is the default. Note, however, that many applications (such as Microsoft Word) have their own Settings panel in which they set up the default storage and retrieval directories for their files.

Another useful environmental control feature is the login script. Suppose that there is an action you want performed every time the user logs in, but you cannot find any operating system setting to accomplish your goal. An alternative is to create a batch file (or an executable program) that performs the action you want and then specify that file or program to be the login script for a given set of users. This also is a nice alternative in environments in which you want to force the users into a menu program or perhaps even just a single application when they log in. In these cases, you can enhance security and usability by not allowing the users to get to the desktop and have the full power of the Windows NT operating system.

Rounding out the list of environmental control features, you come to the capability of controlling when a user can log in to the system. A major security concern in some organizations is that a user could come in after hours and access the system in an illegal manner. Other environments might contain large batch jobs or have system maintenance activities that occur during specified periods. If these maintenance activities require that all users be logged off, it would be helpful to have a utility that keeps disallowed users from logging in during these periods. Windows NT provides such a utility in the User Manager tool that gives you a control over the hours that users can access the system.

Remote Access


You use the RAS administrative utilities to specify whether a given user has access to RAS. You also can implement additional security by requiring a callback to a specified number when a user dials into your system. This way, the only way someone can hack in, using one of your user’s IDs, is to call from the user's house (add breaking and entering to the computer hacking crimes). Remote access to computer resources such as data files and electronic mail is a wonderful convenience; however, it can also be a major security hole. Anyone with a modem and telephone connection can dial up your server (assuming that they know the telephone number) and gain access to your network, bypassing all the physical security controls of your building. You need to consider the impact of security against productivity when implementing RAS dial-in.

An interesting note for version 4.0 of NT is that RAS security is now integrated into the User Manager tool. In version 3.51, you set up the properties of your user (with the exception of remote access) using the User Manager tool. You then had to use the RAS Admin tool to grant dial-in privileges (which were defaulted to prevent remote access). Although you can still use the RAS Admin tool to set up dial-in privileges, the User Properties page enables you to set up dial-in permissions for the selected user from within User Manager.

User Environment


Finally, the user environment is rounded out by rights and privileges set up for the applications provided on your server. Depending on the application, rights and privileges might simply enhance the environmental parameters you set up for the users as the Windows NT administrator, or they might form a complete environment of their own. If you are using a client-server architecture to access information on a Windows NT Oracle database, for example, the database will provide all security and control the user environment. In many cases, users do not even need an operating system account to access the database.

Control of Services


There are several parameters associated with services over which the administrator has control. Here are the two key parameters:


Windows NT Administrative Tools


The tools that are at your disposal to help you get your job done are fairly impressive, even by modern operating system standards. They are well-integrated. They also have the advantage of a graphical user interface and a unified architecture and approach to administration. The screens shown here reflect NT 4.0. I have made notes where there are significant differences between 3.51 and 4.0. The tools that I will be covering in this section are the following:


Windows NT Server’s User Manager Tool


The main tool that enables you to control your users is User Manager, which is available on the Administrative Tools menu. User Manager has one of two titles, depending on whether you are using a server, a workstation in a domain, or a workstation in a workgroup. The server always uses the User Manager for Domains tool (even when you are in a workgroup). The workstation uses User Manager (without the Domains) when it is in a workgroup, but can use User Manager for Domains (loaded from the NT resource kit or as a part of NT 4) if it is in a domain. In the domain environment, the updates are sent to the domain controllers rather than the local security database.

My first impression of the administrative environment in Windows NT 3.5 was based on the Control Panel mind set. When you have a function that you want to perform, you build a small application to perform the function and slap it into a program group with the other administrative tools. I am impressed with the trend in Windows NT 4.0, and especially in the User Manager tool, toward building integrated tools. The User Manager tool sets almost all the administrative properties for a user. It even integrates with Microsoft Exchange Server (their electronic mail system in BackOffice) to bring up properties pages to configure the person’s electronic mail account when you add a new user to the operating system. With all the power built into User Manager, I like to place a shortcut to the application on my desktop so that I have ready access to it.

Most of the tools in Windows NT 4.0 seem determined to use an explorer-like tree control somewhere in their display. User Manager is one exception to this rule (at least for now). Its interface adheres to the basic premise of a relatively clean interface that provides access to all the necessary control features using pull-down menus and simple controls, such as double-clicking. Figure 5.1 shows the basic User Manager display. Note that if you are not part of a domain, you do not get the Logon To, Hours, and Account options.

FIGURE 5.1. User Manager for domains display.

This review of User Manager begins by going through the key pull-down menu items that you will be using, beginning with the User menu. Here, you will see a couple of clues that say you are using a Windows NT 4.0 server, which gives you the User Manager for Domains utility. The clues are that there are menu picks to add a New Global Group and Select Domain. These menu picks typically display a dialog box that enables you to fill in the details of the action you are taking or prompts you to confirm that you really want to do what you asked for (such as delete a user). The actions on these menus are taken for the user that is highlighted in the case of copy, delete, rename, and properties. The remaining items, such as New User, by their very definition, imply that you should see a dialog box to create a new item or perform an action, such as select domain.

The next menu is the Policies menu. (The View menu was skipped because it is pretty much what you expect—it controls the way in which items are sorted in the display and provides an option to refresh the lists.) The Policies menu provides you with access to most of the user environmental parameters that do not involve resource access discussed in the last section. It also includes a function that enables you to set your Trust Relationships.

Groups in User Manager

Now it is time to go over some of the functions that are activated by these menus. The first function enables you to add or modify groups. You can add a new group by choosing either New Local Group or New Global Group from the User menu. To modify an existing group, highlight the group and choose Properties from the User menu or double-click the group name. Figure 5.2 shows the panel that appears when you modify the properties of an existing group. The only difference you will see when adding a new group is that you are allowed to enter the group name; otherwise, the panels are identical.

FIGURE 5.2. Global Group Properties dialog box under User Manager.

The Group Properties pane is very simple to work with. You have the group name, a text description to help you out in the future, and two sets of lists. The first list shows the users who are members of the group. The second list shows the users who are not members of the group. To move users between the members and nonmembers categories, use the Add or Remove buttons.

User Properties in User Manager

The User Properties panel is shown in Figure 5.3. It enables administrators to add or modify the basic login properties of a user and, therefore, is one of the most commonly used tools in User Manager. As you can see, it is a simple panel that enables you to enter the user name (when adding users, this becomes a noneditable field when modifying the properties of an existing user), full name, description of the user, and two fields that enable the administrator to modify the user’s password. In addition, the checkboxes control the following features:

FIGURE 5.3. User Properties page of User Manager.

Group Memberships in User Manager

At the bottom of the User Properties page are important buttons with which you need to become familiar. These buttons access dialog boxes that enable you to set many of the other environmental parameters for the user’s account.

The first of these properties is the group affiliation of the user. Figure 5.4 shows the Group Memberships dialog box. As you can see, it provides you with two lists: one showing the groups to which the user belongs, and one that shows the groups to which the user does not belong. The Add and Remove buttons enable you to move a group from one list to the other.

FIGURE 5.4. Group Memberships dialog box of User Manager.

User Environment Profile in User Manager

The User Environment Profile is activated by the Profile button. Figure 5.5 shows the panel that appears. Be careful not to confuse this button with the User Profile Editor that is provided in the Administrative Tools Start Menu group. The Profile button enables you to select the user profile file (as edited by the User Profile Editor) that applies to this user. It also enables you to specify a login script that runs every time the user logs onto the system or domain. At the bottom of this panel are fields that enable you to specify the home directory the operating system will use as a default for those times when the applications do not provide their own fully qualified path.

FIGURE 5.5. User Environment Profile panel of User Manager.

Login Hours in User Manager

Continuing on with the user environmental parameters that are controlled from the buttons on the bottom of the User Properties page, you come to the Login Hours panel (see Figure 5.6). To set the hours of operations, using your mouse, highlight the range of hours you want to work with and then click on the allow or disallow buttons. The sections with the blue lines through the middle are the allowed hours of operation. The sections that are black are the hours in which the user is not allowed to log on. The key here is that these are the hours when the system will allow the login (connection) process to occur. It does not automatically log off users who are on the system if they are still on the system after the allowed hours.

FIGURE 5.6. Logon Hours panel of User Manager.

Workstations Allowed in User Manager

Another useful feature on the User Properties page is the capability of restricting workstations from which a particular user is allowed to log in. Figure 5.7 shows the basic data entry panel, which is a very simple interface. You can allow the user to log on from all workstations in the domain or you can specify the list of workstations from which the user can log on. This is helpful in operational environments where users should be at a specific console when performing certain critical tasks. You should ensure that people can log into enough workstations to ensure system access in the event of hardware or network failures.

FIGURE 5.7. Logon Workstations panel of User Manager.

Account Parameters in User Manager

The next dialog box that you can access from the buttons at the bottom of the User Properties page controls certain parameters related to the user’s account (see Figure 5.8). The first parameter controls when the user’s account expires. This usually is implemented as a safeguard to prevent you from forgetting to disable the accounts of contractors or permanent employees when they leave. I tend not to use this parameter, but there are some environments in which this parameter might be mandatory (such as access to a computer that requires a security clearance to be updated at regular intervals so that access is not denied). The other parameter enables you to specify whether this is a Global Account (which is the normal account that you create) or a local account for users from nontrusted domains.

FIGURE 5.8. Account Information panel of User Manager.

Dialin in User Manager

The Dialin button in User Manager enables you to set up permissions for the user to utilize the remote access facilities to dial into your Windows NT 4.0 server. You used to have to run the Remote Access Admin utility to set up this important user account property under NT 3.51. Whichever version you are using, the basic functions are the same. Figure 5.9 shows the properties that can be set with this panel. The first checkbox indicates whether the user will be allowed to use his or her account to dial into this RAS server. The next three buttons determine whether the server will call the user back to complete the connection. The Set By Caller button can be used to save long distance phone charges to individuals who are working from home or are on the road (hotels really mark up phone calls). The Preset To button and edit box enable you to indicate that the only way that certain users can connect is if the system dials them back at a specified number. This can be used to increase security because you program in only the users' home numbers to prevent a hacker from being able to use a compromised account ID and password via the telephone (unless they also break into a user’s house, that is).

FIGURE 5.9. Dialin Information panel of User Manager.

Policies

This section provides a review of the attributes of the user environment that are controlled from the Policies pull-down menu, where you set the global policies for your domain or server as a whole, as opposed to the properties that you set for individual users. The first of these properties pages is the Account Policy page (see Figure 5.10). Most of the features you see in this figure determine whether you are going to implement those complex security features that Microsoft had to put into Windows NT to receive C2 security certification. The good news is that you can turn them all off, turn them all on, or select the features that will be operational, based on your needs.

FIGURE 5.10. Account Policy dialog box of User Manager.
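The account-wide policy set in this dialog box, together with the per-user logon hours, workstation, and expiration settings covered earlier, can also be applied from the command line with the standard net accounts and net user commands. The batch file below is an added example, not part of the original chapter; the account name jsmith, the workstation names, the expiration date, and every policy value other than the seven-character minimum password length are assumptions chosen for illustration.

```bat
@echo off
rem Added example: command-line equivalents of User Manager settings
rem discussed in this chapter. Run it from an administrator account.
rem ASSUMPTIONS (hypothetical values, not taken from the chapter):
rem   jsmith, WS-OPS1, WS-OPS2, the expiration date, and every policy
rem   number except the seven-character minimum password length.
setlocal
set TARGET_USER=jsmith

rem == Account Policy: applies to every account in the domain ==
rem A minimum length of 7 stops a user from changing to a password
rem such as 12345. /uniquepw keeps a history so old passwords cannot
rem be reused right away, and /minpwage stops users from cycling
rem through several changes in a row to defeat that history.
net accounts /minpwlen:7 /maxpwage:42 /minpwage:1 /uniquepw:5 /domain
if errorlevel 1 goto failed

rem Logon hours only gate new logons. /forcelogoff makes the server end
rem a user's sessions the stated number of minutes after the allowed
rem hours (or the account itself) expire. /forcelogoff:no leaves
rem existing sessions connected.
net accounts /forcelogoff:10 /domain
if errorlevel 1 goto failed

rem == Per-user restrictions ==
rem Logon Hours: only the listed days and times are allowed. Times are
rem set in one-hour increments.
net user %TARGET_USER% /times:M-F,08:00-18:00 /domain
if errorlevel 1 goto failed

rem Logon Workstations: up to eight computer names; * means any.
net user %TARGET_USER% /workstations:WS-OPS1,WS-OPS2 /domain
if errorlevel 1 goto failed

rem Account expiration: the date format follows the system's country
rem settings (mm/dd/yyyy shown here). Use /expires:never to clear it.
net user %TARGET_USER% /expires:12/31/1997 /domain
if errorlevel 1 goto failed

rem Display the resulting policy and account settings for review.
net accounts /domain
net user %TARGET_USER% /domain
goto done

:failed
echo A net command failed. Review the settings in User Manager.

:done
endlocal
```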

User Rights

The User Rights Policy editor facilitates granting users and groups the ability to perform certain sensitive system functions. Figure 5.11 shows the dialog box that appears. You need to select the function that you wish to grant or revoke privileges on and then use the add or remove buttons to add or remove users or groups from this privilege. The following list discusses the privileges you can control with the User Rights Policy dialog box:

FIGURE 5.11. User Rights Policy dialog box of User Manager.

Auditing

The final policy editor that you will work with sets up the events to be audited by your system. Chapter 4, "Monitoring Environment," discusses auditing in greater detail. For now, look at Figure 5.12. As you can see, you have the option of disabling auditing (you still have the basic security and system event monitoring provided by Event Viewer) or activating only the pieces that interest you.

Before activating any of these menu choices, you need to think about the times per day the event you are going to audit occurs. For example, although security policy changes are rare (and also extremely important from a security point of view), use of user rights occurs many times per minute. Each time the event occurs, you will have a record written to the audit trail that you have to review (this also takes up space on your hard disk drives). It is a balancing act of getting enough information without creating more information than you can review or store.

FIGURE 5.12. Audit Policy dialog box of User Manager.

Trust Relationships

The Trust Relationships dialog box enables you to say that you trust another domain or that you permit another domain to trust you (see Figure 5.13). Remember that both sides must agree to a trust relationship (I trust you and you allow me to trust you) before anything happens with it. You should be sure that you are comfortable with the implications of trust relationships and discuss the setup with the other domain administrators before you set up trust relationships. The key to a successful multiple domain configuration is having an agreed-to plan before the network is implemented.

FIGURE 5.13. Trust Relationships dialog box of User Manager.

Other User Manager Panels

There are a few other minor panels that you can find on the User Manager display, but the ones discussed in this section are the ones that you need to get your day-to-day job done. Before moving on, there are a few topics to clean up. First are the following groups created by default when you set up a Windows NT 4.0 server:


Predefined Accounts

You also will have the following accounts set up for you:


Windows NT Server’s System Policy Editor


Almost all the properties of a user’s environment are set by the User Manager tool. Microsoft has continued to enhance this feature so that it is a complete tool for administrators. The System Policy Editor (which is not yet integrated into User Manager) enables you to set a series of parameters that relate to the appearance of the user’s desktop, which operating system functions (Control Panel, for example) they are allowed to access, and other very fine controls over user activity (see Figure 5.14). If you are running servers exclusively using a client-server architecture, you probably will not use the System Policy Editor often, because your users will access the server through the network for shared resources. If you have a number of users who actually work on NT workstations, you might want to take the time to become familiar with the functionality that this editor enables you to control on your user accounts.

FIGURE 5.14. System Policy Editor.

Remote Access Service (RAS) Administration


The Remote Access Service (RAS) monitoring and configuration tool is accessed from the Administrative Tools menu. Its purpose is to control the service that monitors your modems for dial-in requests. It also enables you to specify which users are allowed to access the modems, although the User Manager tool can also be used in NT 4.0 to set up user access to RAS. Another key change in NT 4.0 is that the dial-out utilities are no longer called RAS. Instead, they are located under the Dial-Up Networking tool in the Accessories menu or in the My Computer display. The Remote Access Admin tool has a simple display that shows you the status of the RAS server on the computer that you have selected, as shown in Figure 5.15. Note that you can control and monitor the RAS services on another computer by choosing the Select Domain or Server option on the Server menu.

FIGURE 5.15. Remote Access Admin display.

The first task you might want to accomplish is to start or stop RAS, which might be necessary to run other communication packages that will not run as long as your modem is dedicated to listening for incoming calls to RAS. The start and stop functions are located on the Server menu, along with a pause (which means don’t take calls, but don’t shut down the server or free up the modem). An interesting thing to note is that you can select the domain and server you are administering when you are in a domain environment. This is another example of how Microsoft is integrating remote administration into its basic tools as opposed to building separate remote access tools. (Just wait until you see the next version of the operating system and applications that Microsoft will use to integrate Web access.)

You can also set user access permissions for RAS using the RAS Admin tool. This option functions exactly like the panel in User Manager. I personally prefer to work within the User Manager environment so that I can quickly see all the factors related to a particular user’s account. However, there may be situations when you are in the RAS Admin tool and you want to check out a particular user’s setup. This panel will let you do that.

There is one final topic left in my RAS discussion. Suppose that you see the lights on your modem and know that someone has dialed in. How do you find out who logged in? The Active Users menu item on the Users menu shows you who is connected, to which server the user is connected, and when that user's connection started (see Figure 5.16). The buttons at the right of the display enable you to get more information on the user account, send that user a message (such as "the system is going down in 10 minutes"), or even disconnect the user.

FIGURE 5.16. Remote Access Users display.

Resource Access Grants


So far, we have classified users into groups and set environmental parameters for them. However, they still have next to nothing in terms of shared network resources unless they are connected to their local machines. The other half of the user administration picture is the access grants to resources. This actually is quite simple under the new Windows NT 4.0 interface. For example, to grant a user access to a directory, you follow a simple two-step process. First, you select the directory that is to be shared using Explorer or My Computer tools and create a share name for it (see Figure 5.17). The easiest way to create a share name is to highlight the directory of interest and then right-click your mouse and select the sharing option from the pop-up menu that appears.

FIGURE 5.17. Creating a share name for a folder.

Step two in this process is to select the Permissions button on the Sharing tab dialog and fill in the Permissions dialog box (see Figure 5.18). This functions like most of the other administrative control tools. To delete permissions, highlight that user and click the Remove button. To add permissions, click the Add button, select first the user or group to give the permission to, and then choose the type of access permission. For files, the permissions are Full Control, which allows directory modification; Read, which allows users to look but not touch; Change, which allows them to look but not change; and No Access, which does not allow them to even look at the list of files. Note that if you have implemented file-level security restrictions on some of your directories or files under NTFS, you may also have to give permissions to the appropriate users or groups through the Security Properties page for those files or directories.

FIGURE 5.18. Access Through Share Permissions dialog box.

The concepts in the preceding paragraph apply to printers also. You select the Printers option of the Settings selection on the Start menu and then highlight the printer with which you want to work. Specify the share name under the Sharing tab of the tab dialogs that are presented to you when you right-click on that printer and select the Sharing menu option. You control who has access to the printer on the Security tab dialog. The enhanced NT 4.0 printer setup options provide the fine degree of printer control that is provided by mainframes and minicomputer systems, which is pretty impressive for a little PC-based server.
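The note above about NTFS file-level security matters when you review who can really reach a shared directory. The following sketch is an added example, not code from the book or from Microsoft. It assumes the four permission levels are ordered No Access, Read, Change, Full Control, that grants accumulate across a user's groups, that No Access overrides any grant, and that access through a share is the more restrictive of the share and NTFS results; all names and data are constructed.

```python
from enum import IntEnum

class Access(IntEnum):
    """The four permission levels, ordered from least to most access."""
    NO_ACCESS = 0
    READ = 1
    CHANGE = 2
    FULL_CONTROL = 3

def resolve(acl, user, groups):
    """Resolve one permission list (share or NTFS) for a user.

    acl maps a user or group name to an Access level. Grants accumulate
    across the user's own entry and group entries; an explicit No Access
    entry overrides every grant. No matching entry means no access.
    """
    matched = [acl[name] for name in [user, *groups] if name in acl]
    if not matched or Access.NO_ACCESS in matched:
        return Access.NO_ACCESS
    return max(matched)

def effective_over_share(share_acl, ntfs_acl, user, groups):
    """Access through a share: the more restrictive of share and NTFS."""
    return min(resolve(share_acl, user, groups),
               resolve(ntfs_acl, user, groups))

def audit(share_acl, ntfs_acl, members):
    """Return {user: effective Access} for every user in members."""
    return {user: effective_over_share(share_acl, ntfs_acl, user, groups)
            for user, groups in members.items()}

# Constructed sample data: hypothetical users, groups and grants.
SHARE_ACL = {"Everyone": Access.FULL_CONTROL,
             "Contractors": Access.NO_ACCESS}
NTFS_ACL = {"Everyone": Access.READ,
            "Finance": Access.CHANGE,
            "Administrators": Access.FULL_CONTROL}
MEMBERS = {
    "alice": ["Everyone", "Finance"],
    "bob": ["Everyone"],
    "carol": ["Everyone", "Finance", "Contractors"],
    "dave": ["Everyone", "Administrators"],
}

if __name__ == "__main__":
    for user, level in audit(SHARE_ACL, NTFS_ACL, MEMBERS).items():
        print(f"{user:6} {level.name}")
```

In the sample data the share grants Full Control to Everyone, yet only the one administrator ends up with it, and the contractor is locked out despite a Change grant on the NTFS side.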

Starting and Stopping Processes


To control whether a particular service is running and also to set the startup parameters for that service, you use the Services tool under the Windows NT Control Panel (see Figure 5.19). To start or stop a service, select the service from the list and click the Start or Stop button. To control whether and how the service starts up, you select the Startup button, which brings up the dialog box shown to the right of the Services dialog box in Figure 5.19. As mentioned earlier, almost all your major services will be set to start automatically when the operating system starts.

FIGURE 5.19. Service tool from Control Panel.

This concludes the basic discussion of the administrative tool set for the BackOffice environment. Not all the many options that are available have been covered, and this chapter hasn't gone into any of the details as to what values you would want to pick when setting up a given user. The setup configurations needed to allow users to work with a given application are shown for each of the BackOffice applications later in this book.



To pick up some of the finer points of using the tools (working with the View menu to improve the display appearance, for example), try out the other options and see what they can do for you.


BackOffice Administrative Tools


As you can see, Windows NT provides a pretty comprehensive set of administrative tools. These tools meet all the general administrative needs of most applications. However, there are always a few specific functions (such as setting parameters that control how the application is performing) that you need application-specific administrative tools to handle. I use these tools rarely, and the basic tools such as User Manager meet almost all my routine administrative needs.

Extending Windows NT Administrative Environment for Applications




Recall that the tools mentioned previously and the Windows NT security/administrative environment are accessible through API calls for applications that you develop. You can use the tools that are already in place to help configure security within your application. This can make life much easier for the poor, suffering system administrator and the developers.


Summary


There are still a few details about the administrative environment that need to be worked out to make you a proficient administrator on the individual components of BackOffice. There are chapters that cover the administration of each of these tools later. They will make a lot more sense to you after you have read the introductions to the individual products. However, the basic Windows NT administrative tool set provides a comprehensive and easy-to-use tool set that will meet most of your needs.
