Text File | 2013-11-08 | 628.8 KB | 17,666 lines |
- Microsoft LAN Manager - Administrator's Guide
-
-
-
-
-
-
-
-
- ────────────────────────────────────────────────────────────────────────────
- Microsoft(R) LAN Manager - Administrator's Guide
-
- VERSION 2.0
- ────────────────────────────────────────────────────────────────────────────
-
-
- for the MS(R) OS/2 Operating System
-
-
-
-
-
-
-
- Microsoft Corporation
-
- Information in this document is subject to change without notice and does
- not represent a commitment on the part of Microsoft Corporation. The
- software described in this document is furnished under a license agreement
- or nondisclosure agreement. The software may be used or copied only in
- accordance with the terms of the agreement. It is against the law to copy
- the software on any medium except as specifically allowed in the license or
- nondisclosure agreement. No part of this manual may be reproduced or
- transmitted in any form or by any means, electronic or mechanical, including
- photocopying and recording, for any purpose without the written permission
- of Microsoft Corporation.
-
- The LAN Manager Remoteboot service does not in any way amend nor supersede
- the provisions of the end user license agreements for MS-DOS or MS OS/2
- ("Microsoft Software"). Those end user license agreements limit the use of
- a given copy of Microsoft Software to a single terminal connected to a
- single computer. They also prohibit the use of such Microsoft Software on a
- network or otherwise on more than one computer or computer terminal at the
- same time. Accordingly, Microsoft Software may not be remotely loaded to
- terminals or workstations unless you have a valid Microsoft end user
- license for each such remoteboot workstation.
-
- U.S. Government Restricted Rights
-
- The SOFTWARE and Documentation are provided with RESTRICTED RIGHTS. Use,
- duplication, or disclosure by the Government is subject to restrictions as
- set forth in subparagraph (c) (1) (ii) of The Rights in Technical Data and
- Computer Software clause at 252.227-7013 or paragraphs (c) (1) and (2) of
- Commercial Computer Documentation - Restricted Rights at 48 CFR 52.227-19,
- as applicable. Contractor/Manufacturer is Microsoft Corporation/One
- Microsoft Way/Redmond, Washington 98052-6399.
-
- (C)1990 Microsoft Corporation. All rights reserved. Printed in the USA.
-
-
- Microsoft, MS, MS-DOS, XENIX, and the Microsoft logo are registered
- trademarks of Microsoft Corporation.
-
- PostScript is a registered trademark of Adobe Systems,
- Inc.
-
- IBM is a registered trademark of International Business
- Machines Corporation.
-
- 386 is a trademark of Intel Corporation.
-
- Document Number: SY10058-0590
- OEM-P787-2Z
-
-
-
-
-
-
- Table of Contents
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- Before You Begin
- How To Use This Manual
- Notational Conventions
- Finding Further Information
-
-
- PART I Learning the Basics
- ────────────────────────────────────────────────────────────────────────────
-
-
- Chapter 1 Overview
-
- How LAN Manager Works
- Administrator's Responsibilities
- Planning a LAN Manager Network
- Setting Up the Network
- LAN Manager Features
- Managing the Network
- Maintaining the Network
- Working with Other Network Software
-
- Chapter 2 Getting Started
-
- Starting LAN Manager
- Starting the Workstation and Server Services
- Logging On
- Using the LAN Manager Screen
- Using Menus and Menu Commands
- Using Dialog Boxes
- Getting Help with the LAN Manager Screen
- Getting Help from the Command Line
- Getting Help with Error Messages
- Administering Remote Servers
- Setting the Current Focus
- Controlling LAN Manager Services
- Pausing a Service
- Continuing a Service
- Stopping a Service
- Starting a Service
- Quitting LAN Manager
- Logging Off from the Network
- Stopping the Workstation and Server Services
- Exiting the LAN Manager Screen for Administrators
-
-
- PART II Managing Security
- ────────────────────────────────────────────────────────────────────────────
-
-
- Chapter 3 Understanding and Planning Security
-
- Domains
- Basics of User-Level Security
- Logon Security
- Local Security
- Security in Single-Server Domains
- Protecting 286 Servers
- The Console Version of the LAN Manager Screen
- Physically Secure Servers
- Hidden Servers
- Planning Security
- Using the Domain Worksheet
- Using the Server Worksheet
- Setting Up a Server
- Setting Up a Domain
-
- Chapter 4 User-Level Security
-
- Administering a Server with User-Level Security
- The Default Administrative Account
- Setting Up Logon Security
- Setting Up the Primary Domain Controller
- Setting Up a Backup Domain Controller or Member Server
- Setting Up the Domain's Workstations
- Promoting a Backup or Member
- Changing a Server's Role
- Logon Scripts
- User Accounts
- Contents of User Accounts
- The Guest Account
- Creating a User Account
- Cloning a User Account
- Viewing and Changing Account Settings
- Disabling or Enabling a User Account
- Deleting a User Account
- Groups of Users
- Creating a Group
- Cloning a Group
- Changing a Group's Membership
- Deleting a Group
- Security Settings
- Adjusting Security Settings
- Resource Permissions and Auditing
- Types of Permissions
- How Resource Permissions are Applied
- Setting Permissions and Auditing for a Directory or File
- Setting Permissions and Auditing for a Non-Disk Resource
- Local Security on 386 Servers
- Starting a Server with Local Security
- File Access with Local Security
- Local Security Guidelines
- Background Processes
- SECURESH.EXE and the CONFIG.SYS File
- Upgrading MS OS/2 or LAN Manager
-
- Chapter 5 Share-Level Security
-
- Administering a Server with Share-Level Security
- Setting Resource Permissions
-
-
- PART III Sharing Resources
- ────────────────────────────────────────────────────────────────────────────
-
-
- Chapter 6 Administrative Resources
-
- Using the Administrative Resources
- ADMIN$
- IPC$
- Disk Administrative Resources
- Sharing an Administrative Resource
- Sharing ADMIN$ and IPC$
- Sharing a Disk Administrative Resource
- Changing Administrative Resource Options
- Stop Sharing an Administrative Resource
-
- Chapter 7 Disk Resources
-
- Directory Access with User-Level Security
- Assigning Inherited Permissions
- Assigning Default Permissions
- Auditing Disk Use
- Directory Access with Share-Level Security
- Auditing Disk Use
- Sharing a Directory with User-Level Security
- Sharing a Directory with Share-Level Security
- Stop Sharing a Directory
-
- Chapter 8 Printers
-
- How Printer Queues Work
- Printer Queue Setups
- Printer Queue Options
- Printer Queue Security
- Sharing a Printer Queue
- Adding a Printer Queue to a Server's Shared Resources
- Setting Options for a Printer Queue
- Setting Permissions and Audited Events
- Including a Remote Printer in a Printer Queue
- Changing Options for a Printer Queue
- Stop Sharing a Printer Queue
- Deleting a Printer Queue
- Managing Printers, Queues, and Print Jobs
- Viewing Queues and Job Information
- Holding and Releasing a Printer Queue
- Purging Print Jobs from a Printer Queue
- Holding and Releasing a Print Job
- Restarting a Print Job
- Moving a Print Job in a Printer Queue
- Deleting a Print Job
- Canceling a Print Job that Is Printing
- Pausing and Continuing a Printer
-
- Chapter 9 Communication Devices
-
- How Comm Queues Work
- Comm Queue Setups
- Priority Levels
- Setting Up Comm Queues
- Sharing a Comm Queue
- Setting Permissions and Audited Events
- Changing Options for a Comm Queue
- Stop Sharing a Comm Queue
- Managing Comm Queues and Requests
- Viewing Comm Queues
- Purging Requests from a Comm Queue
-
- Chapter 10 Profiles
-
- How Profiles Work
- Saving a Server Profile
- Loading a Server Profile
- Loading and Saving Profiles Automatically
-
-
- PART IV Advanced Features
- ────────────────────────────────────────────────────────────────────────────
-
-
- Chapter 11 Running an Unattended Server
-
- Administering an Unattended Server
- Using the Console Screen
- Starting the Console Screen
- Removing the Console Screen
- Screen Menus and Commands
- Printer Queues
- Viewing Printer Queue Information
- Changing the Status of a Printer Queue
- Viewing Print Job Information
- Changing the Position of a Print Job
- Changing the Status of a Print Job
- Comm-device Queues
- Exit
- Send a Typed Message
- Device Status
- Viewing Device Status Information
- Changing the Status of a Device
- Changing Your Password
-
- Chapter 12 Sharing Processing Power
-
- Using the Netrun Service
- Creating a Run Path
- Controlling Access to Netrun and Distributed Applications
- User-Level Security
- Share-Level Security
- Controlling the Number of Netrun Users
- Managing the Netrun Service
- Setting Up the Server for the Netrun Service
- Starting the Netrun Service
- Starting Netrun Automatically
- Stopping the Netrun Service
- Adding a Program
- Removing a Program
-
- Chapter 13 Replicating Files and Directories
-
- How Replication Works
- The REPL.INI File
- Preparing an Export Server
- Assigning Permissions for Replication
- Preparing an Import Server
- Maintaining Replication
- Stopping Replication
-
- Chapter 14 Using the Remoteboot Service
-
- Adding a Remoteboot Workstation to the Network
- Creating Remoteboot Directories
- Adjusting User-Level Security
- Adding a Workstation Record
- Adding a .FIT File for the Workstation
- Adjusting Configuration Files for an MS OS/2 Workstation
- Enabling the Remoteboot Process on a Workstation's Hard Disk
- Disabling the Remoteboot Process on a Workstation's Hard Disk
- Booting More than One Version of MS-DOS
- Adding Device Drivers
- Adding Device Drivers to MS-DOS Workstations
- Adding Device Drivers to MS OS/2 Workstations
- Booting from One Server and Sharing Work Directories from Another
- Server
-
- Chapter 15 Guarding Against Data Loss
-
- Understanding the Fault-Tolerance System
- The Fault-Tolerance Utilities
- Configuring Drive Mirroring or Duplexing
- Using the ftadmin Screen
- Focusing ftadmin on a Remote Server
- Viewing Drive Statistics
- Viewing Information about Logical Drives
- Changing the Error Information Display
- Turning Disk Alerts On and Off
- Verifying Drives
- Correcting Disk Errors
- Disk Error Correction Codes
- Using an Uninterruptible Power Supply
- Using the UPS Service
- Configuring the UPS Service
- Starting the UPS Service
-
- Chapter 16 Monitoring the Network
-
- Auditing a Server on the Network
- Establishing Audited Events in LANMAN.INI
- Modifying Audited Events
- Viewing, Saving, and Clearing the Audit Trail
- The Alert System
- Starting the Alerter Service
- Configuring Alerts
- The Statistics Display
- Viewing and Clearing Statistics
- The Error Log
- Viewing the Error Log
- Saving and Clearing the Error Log
- Using Session Information
- Modifying Session Entries
- Viewing Session Information
- Closing Sessions
- Closing Files
- Synchronizing Network Clocks
- Synchronizing with the Time Server
-
- Appendix A The LANMAN.INI File
-
- Summary Tables
- Workstation
- Messenger
- Netshell
- Server
- Alerter
- Netrun
- Replicator
- UPS
- Netlogon
- Remoteboot
-
- Appendix B Menu Commands
-
- The LAN Manager Screen for Administrators
- View Menu
- Message Menu
- Config Menu
- Status Menu
- Accounts Menu
- Help Menu
- Console Version of the LAN Manager Screen
- View Menu
- Message Menu
- Status Menu
- Accounts Menu
- Help Menu
-
- Appendix C Country Codes
-
-
- Appendix D Using the MS OS/2 Print Manager with LAN Manager
-
- The MS OS/2 Print Manager Window
- Using MS OS/2 Print Manager with Network Printers
- Viewing Printers
- Setting Up a Printer
- Changing the Settings for a Printer
- Viewing Queues
- Adding a Queue
- Changing Options for a Queue
- Updating Information in the MS OS/2 Print Manager Window
-
- Glossary
-
-
- Index
-
-
-
-
- Before You Begin
- ────────────────────────────────────────────────────────────────────────────
-
- The Microsoft(R) LAN Manager Administrator's Guide is for new and
- experienced administrators of Microsoft LAN Manager. It explains the
- terminology and concepts behind administering a LAN Manager network, and
- describes how to perform administrative tasks. Tasks can be performed using
- either the LAN Manager Screen or commands and utilities typed at the
- operating system prompt. This manual emphasizes use of the LAN Manager
- Screen, noting command-line equivalents. For full explanations of how to use
- typed commands and utilities, see the Microsoft LAN Manager Administrator's
- Reference.
-
- This manual assumes that you understand Microsoft Operating System/2 (MS(R)
- OS/2). If you are not familiar with MS OS/2, see your MS OS/2 manual(s).
-
- For an explanation of terms and concepts specific to a local-area network
- and to LAN Manager, read Getting To Know Microsoft LAN Manager and the
- Microsoft LAN Manager User's Guide.
-
-
- How To Use This Manual
-
- This manual contains the following parts:
-
- Part 1, "Learning the Basics"
- Part 1 provides general information about administering a LAN Manager
- network. Additionally, it explains how to start and stop the server, how
- to log on to the local-area network, and how to use the LAN Manager Screen
- for administrators. Read this part if you are not familiar with LAN
- Manager and for an overview of the responsibilities of an administrator.
-
- Part 2, "Managing Security"
- Part 2 tells how to plan and implement security on LAN Manager servers. It
- introduces the basic concepts and terms of LAN Manager security. There are
- two types of security: user-level and share-level. Read this part to learn
- how to plan and implement security on the LAN Manager network.
-
- Part 3, "Sharing Resources"
- Part 3 tells how to share the server's special administrative resources,
- disk resources, printers, and communication devices with network users.
- Additionally, it explains how to use profiles to automate sharing of the
- server's resources. Read this part to find out how to share resources on
- the LAN Manager network.
-
- Part 4, "Advanced Features"
- Part 4 goes beyond the basics to advanced features that enhance the LAN
- Manager network. This part describes how to use the console version of the
- LAN Manager Screen and the Netrun, Replicator, and Remoteboot services.
- Additionally, it explains how to use the LAN Manager fault-tolerance
- features and the UPS service. Information about auditing network activity
- and auditing shared resources on a server with share-level security is
- also included. Read this part to learn how to use the advanced services
- and features available with the LAN Manager network.
-
-
- Notational Conventions
-
- This manual uses different type styles and special characters for different
- purposes:
-
- Convention        Use
- ────────────────────────────────────────────────────────────────────────────
- Bold              Represents commands, command options, and
-                   file entries. Type the words exactly as
-                   they appear, for example, net use.
-
- Italic            Introduces new terms and represents
-                   variables. For example, the variable
-                   computername indicates that you supply the
-                   name of a workstation or server.
-
- Monospace         Represents examples, screen displays,
-                   program code, and error messages.
-
- FULL CAPS         Represent filenames and pathnames in text.
-                   You can, however, type entries in
-                   uppercase or lowercase letters.
-
- SMALL CAPS        Represent key names (such as CTRL or F2).
-
- KEY+KEY           Indicates that you must press two keys at
-                   the same time. For example, "Press CTRL+Z"
-                   means to hold down CTRL and press Z.
-
- {braces}          Enclose required items in syntax
-                   statements. For example, {yes | no}
-                   indicates that you must specify yes or no
-                   when using the command. Type only the
-                   information within the braces, not the
-                   braces themselves.
-
- [brackets]        Enclose optional items in syntax
-                   statements. For example, [password]
-                   indicates a password may be needed with
-                   the command. Type only the information
-                   within the brackets, not the brackets
-                   themselves.
-
- | (vertical bar)  Separates items within braces or brackets.
-                   For example, {/hold | /release | /delete}
-                   indicates that only one of the three
-                   options can be used.
-
- ... (ellipsis)    In syntax statements, indicates that you
-                   can repeat the previous item(s). For
-                   example, /route:devicename[,...] indicates
-                   that you can specify more than one device,
-                   putting a comma between the devicenames.
-
- <Command>         Indicates a command button to be chosen
-                   within a dialog box.
-
-                   Indicates the procedure for performing a
-                   task using the LAN Manager Screen.
-
- Command Line      Indicates the procedure for performing a
-                   LAN Manager task using commands at the
-                   operating system prompt.
-
-
-
-
- Finding Further Information
-
- In addition to this manual, the LAN Manager manual set includes the
- following:
-
- Getting To Know Microsoft LAN Manager
- Gives first-time network users an introduction to local-area networks and
- to LAN Manager.
-
- Microsoft LAN Manager User's Guide for MS OS/2
- Provides guide and reference information about using LAN Manager on MS
- OS/2 workstations.
-
- Microsoft LAN Manager User's Guide for MS-DOS(R)
- Provides guide and reference information about using LAN Manager Enhanced
- and Basic on MS-DOS workstations.
-
- Microsoft LAN Manager Installation Guide
- Provides information about installing LAN Manager software and using the
- Setup program to configure workstations and servers.
-
- Microsoft LAN Manager Administrator's Reference
- Provides reference information about LAN Manager commands and utilities
- for MS OS/2 computers, and about the LAN Manager program directory and
- initialization file.
-
- Microsoft LAN Manager Network Device Driver Guide
- Provides information about network device drivers that can be used with
- LAN Manager.
-
- Microsoft LAN Manager Programmer's Reference
- Provides information about LAN Manager application program interfaces
- (APIs). (This manual is optionally available.)
-
- Quick references are also available for users and administrators.
-
-
-
-
- PART I Learning the Basics
- ────────────────────────────────────────────────────────────────────────────
-
- Microsoft LAN Manager offers a flexible system for administering a
- local-area network. This part introduces you to the basics of LAN
- Manager: how it works, how to plan a network, how to manage a network, and
- how to stop and start LAN Manager.
-
- Chapter 1 outlines the tasks involved in administering the server's
- resources and introduces some LAN Manager features that can simplify your
- job as an administrator.
-
- Chapter 2 introduces the LAN Manager Screen for administrators, and shows
- how to start and stop LAN Manager, how to log on to the network, and how to
- perform tasks using the screen's menus and dialog boxes.
-
-
-
-
-
-
- Chapter 1 Overview
- ────────────────────────────────────────────────────────────────────────────
-
- This chapter describes Microsoft LAN Manager. It explains the features of
- LAN Manager and the tasks you'll perform as administrator to plan, set up,
- and maintain the local-area network.
-
-
- How LAN Manager Works
-
- LAN Manager expands the features of MS OS/2 to transform it into a powerful,
- easy-to-use network operating system. When you install the appropriate
- hardware and software on your company's computers, then connect those
- computers with cable, you create a local-area network that lets computer
- users share applications, files, and directories, plus printers, modems, and
- other devices, in an organized, efficient way.
-
- A LAN Manager network is made up of servers and workstations. Servers are
- computers that control equipment and information that people on the network
- can use. Workstations are computers that enable people to use the network
- resources provided by servers.
-
- A LAN Manager server runs MS OS/2. A workstation can run either MS OS/2 or
- MS-DOS. An MS OS/2 computer can be used as both a server and a workstation.
-
-
- The process of making equipment and information available to users is called
- sharing. The servers on a LAN Manager network share resources (applications,
- disk drives, directories, printers, modems, scanners, and so on) with users.
- One server might share all types of resources, or just one resource. A
- server can use a variety of security features to control access to the
- resources it shares.
-
- A user gains access to a shared resource by connecting his or her
- workstation to the server that is sharing the resource. The user then uses
- the resource as though it were physically attached to his or her
- workstation.
-
- Sharing resources is at the core of your work as an administrator. You'll
- define which resources to share, which users can connect to them, and the
- extent of each user's access. The rest of this chapter explains more about
- what your job as an administrator involves.
-
-
- Administrator's Responsibilities
-
- As an administrator, you'll set up workstations and servers, share resources
- on servers, and control access to those resources by managing security on
- the network. Once the network is operating, you'll maintain it, making
- changes to add new users and new resources as they become available.
-
- One network can have several administrators. An administrator can give
- another person the full privileges of an administrator or give users partial
- administrative privileges. These operator privileges let others control
- specific areas of LAN Manager administration (such as the sharing of
- printers).
-
- Your job requires you to be an experienced user of MS OS/2 and MS-DOS. You
- should be able to use a text-editing program, such as Microsoft Word or the
- MS OS/2 System Editor. And you should be a proficient user of Microsoft LAN
- Manager. For information about using a LAN Manager workstation, see the
- Microsoft LAN Manager User's Guide for MS OS/2 and the Microsoft LAN Manager
- User's Guide for MS-DOS.
-
-
- Planning a LAN Manager Network
-
- The first step in setting up LAN Manager is to decide how you want the
- network organized. Once the hardware and software are installed on the
- computers on the network, you'll share resources on servers and determine
- how security will be arranged to control access. After that, you'll maintain
- the network and help users.
-
-
- Organize the Network
-
- Think about the hardware the network will accommodate, the needs of the
- people who will use it, and the best approaches to securing network
- resources while enabling people to use them with maximum flexibility.
-
- Make the following decisions:
-
-
- ■ How many servers and workstations will the network have?
-
- There's no optimal ratio of servers to workstations; the best ratio
- depends on the demands the users make on the network. Be sure to allow
- for future growth of the network.
-
- ■ Which files, printers, modems, or other resources do you and your
- coworkers need on a regular basis? How should these resources be
- distributed?
-
- Estimate the demand for these resources, and then think about how to
- spread them around the network to distribute the work load among
- servers.
-
- ■ How secure do the network resources need to be? Can everyone be
- allowed to use everything? Should some resources, such as confidential
- files, be restricted, while other resources, such as printers, be
- available to all?
-
- As administrator, you control who has access to every resource on the
- network, specifying what each user can do with each resource.
-
-
-
- Draw Up a Plan
-
- When you have decided how to organize the network, draw up a plan.
-
- If the network is large, group servers into domains (separate groups of
- servers, workstations, and users). Domains are explained later in this
- chapter. You can set up one domain for everything, or set up many domains.
- In general, separate the network into domains if users or computers fall
- into separate groups (for example, if your company has different divisions
- or work groups).
-
- Be sure to decide which servers will share resources, and which type of
- security will be used at each server. Chapter 3, "Understanding and Planning
- Security," includes two worksheets to help you plan domains and set up
- servers.
-
- Figure 1.1 shows a sample layout of a network with three domains.
-
- (This figure may be found in the printed book).
-
-
- Setting Up the Network
-
- Part of your job as administrator is to ensure that the correct hardware and
- the LAN Manager software are installed on all servers and workstations on
- the network.
-
- For information about installing LAN Manager software, see the Microsoft LAN
- Manager Installation Guide. For hardware installation instructions, see the
- manual that accompanies your network hardware.
-
- You may also need to install MS OS/2 or MS-DOS on some computers before
- installing LAN Manager. For information about installing MS OS/2 or MS-DOS,
- see your operating system manual(s).
-
-
- LAN Manager Features
-
- As you plan and set up the network, LAN Manager provides many features that
- make your job easier and let you efficiently control access to shared
- resources. This section introduces some of these features.
-
-
- LAN Manager Screen for Administrators
-
- The LAN Manager Screen for administrators is a menu-oriented screen that
- allows you to perform administrative tasks without memorizing command
- syntax. It is similar to the LAN Manager Screen for users, but it includes
- features that let you share and control resources as well as use the
- workstation.
-
- For information about how to use the LAN Manager Screen for administrators,
- see Chapter 2, "Getting Started."
-
-
- Command-Line Commands
-
- In addition to using the LAN Manager Screen for administrators to perform
- administrative tasks, you can also type LAN Manager commands at the MS OS/2
- or MS-DOS prompt. On an MS OS/2 computer, this can be done from another MS
- OS/2 session or by exiting the LAN Manager Screen. In this manual,
- procedures for performing administrative tasks are shown with the LAN
- Manager Screen for administrators, followed by the equivalent command-line
- command. When there is no LAN Manager Screen equivalent for a task, the
- command-line command is discussed in more detail.
-
- For detailed information about each LAN Manager command, see the Microsoft
- LAN Manager Administrator's Reference.
-
-
- Flexible Security
-
- LAN Manager provides security features that let you control access to shared
- resources. Servers can use either of two security modes: user-level security
- or share-level security. For information about each type of server security,
- see Chapter 3, "Understanding and Planning Security."
-
- User-Level Security - User-level security gives you precise control over
- each of a server's shared resources. Before sharing a resource on a server
- with user-level security, you set up a user account for each user who can
- have access to the server. Then you set permissions for each resource you
- plan to share.
-
-
- ■ A user account contains a username and password that identify a user.
- It can also include information about how the person can use the
- server. For example, you can limit the hours during which the user can
- access the server's resources and the workstations from which the user
- can connect to the server. A country code specifies the language in
- which the server sends error and alert messages to the user.
-
- ■ Permissions define the extent to which each user can use a resource.
- For shared directories, you can define separate permissions for
- individual subdirectories and files.
-
-
- With user-level security, you can also take advantage of the following
- security features:
-
-
- ■ Logon security, in which only specified users can log on to the
- network. The username and password that a user supplies when logging
- on at a workstation are checked on a server to verify that they match
- those in a user account, and that the user is allowed access to the
- network. You can also create a logon script that automatically runs a
- program or makes network connections at the user's workstation when
- the user logs on.
-
- Logon security is used to maintain domains within a network.
-
- ■ Local security, which extends the controls of user-level security to
- apply to local users (users working at the server itself), in addition
- to users working at separate, or remote, workstations. With local
- security, not even a user at the server's keyboard can access the
- server's files without proper permissions, regardless of whether LAN
- Manager is running. Local security runs on 386(tm) servers and uses
- the high-performance file system 386 (HPFS386).
-
-
- For more information about user-level security, see Chapter 4, "User-Level
- Security."
-
- Share-Level Security - Share-level security uses a single password to limit
- access to a shared resource, which has only one set of permissions. Any user
- who can supply the password can use the resource. For more information about
- share-level security, see Chapter 5, "Share-Level Security."
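-
- The two security modes described above, modeled side by side as an added example (it is not LAN Manager code and does not come from this manual). It shows which checks each mode can express and which identity the server can attribute an access to. The permission letters R and W, the account names, passwords, paths, the PBKDF2 verifier, and the rule that the most specific permission record decides are all assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    allowed: bool
    subject: Optional[str]  # identity the server can attribute the access to
    reason: str


class Secret:
    """Salted password verifier (PBKDF2 is this example's choice)."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = self._kdf(password)

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, self._kdf(password))


@dataclass
class UserAccount:
    username: str
    secret: Secret
    logon_hours: range = range(0, 24)      # hours of day access is allowed
    workstations: frozenset = frozenset()  # empty set means any workstation


@dataclass
class UserLevelServer:
    accounts: dict = field(default_factory=dict)  # USERNAME -> UserAccount
    records: dict = field(default_factory=dict)   # PATH -> {USERNAME: letters}

    def add_user(self, account: UserAccount) -> None:
        self.accounts[account.username.upper()] = account

    def permissions(self, username: str, path: str) -> frozenset:
        # Assumed rule: the most specific record (file, then parent
        # directories) decides; a user absent from that record gets nothing.
        parts = path.upper().split("\\")
        while parts:
            record = self.records.get("\\".join(parts))
            if record is not None:
                return record.get(username.upper(), frozenset())
            parts.pop()
        return frozenset()

    def access(self, username, password, workstation, hour, path, wanted):
        acct = self.accounts.get(username.upper())
        if acct is None or not acct.secret.matches(password):
            return Decision(False, None, "unknown user or wrong password")
        if hour not in acct.logon_hours:
            return Decision(False, acct.username, "outside permitted hours")
        if acct.workstations and workstation.upper() not in acct.workstations:
            return Decision(False, acct.username, "workstation not permitted")
        if wanted not in self.permissions(username, path):
            return Decision(False, acct.username, "no permission on resource")
        return Decision(True, acct.username, "ok")


@dataclass
class ShareLevelResource:
    secret: Secret          # one password for the whole resource
    permissions: frozenset  # one set of permissions for every holder

    def access(self, password, wanted):
        # No username is involved, so the subject is always unknown.
        if not self.secret.matches(password):
            return Decision(False, None, "wrong share password")
        if wanted not in self.permissions:
            return Decision(False, None, "share does not grant this permission")
        return Decision(True, None, "ok")


def build_user_level() -> UserLevelServer:
    """Constructed sample data: two accounts and two permission records."""
    srv = UserLevelServer()
    srv.add_user(UserAccount("ALICE", Secret("alice-pw"), range(8, 18),
                             frozenset({"WS1"})))
    srv.add_user(UserAccount("BOB", Secret("bob-pw")))
    srv.records["C:\\REPORTS"] = {"ALICE": frozenset("RW"), "BOB": frozenset("R")}
    srv.records["C:\\REPORTS\\PAYROLL.TXT"] = {"ALICE": frozenset("R")}
    return srv


if __name__ == "__main__":
    srv = build_user_level()
    share = ShareLevelResource(Secret("share-pw"), frozenset("R"))
    print(srv.access("alice", "alice-pw", "WS1", 9, "C:\\REPORTS\\Q1.TXT", "W"))
    print(srv.access("bob", "bob-pw", "WS7", 23, "C:\\REPORTS\\PAYROLL.TXT", "R"))
    print(share.access("share-pw", "R"))
```

- In the user-level model, one user's access can be withdrawn by editing that user's record; in the share-level model the only lever is changing the password for every holder.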
-
-
- Domains
-
- To easily manage a large or diverse network, LAN Manager lets you create
- separate groups of servers, workstations, and users, called domains. Domains
- provide a simple way to control user access to the network, and they allow
- each user to work primarily with a specific group of servers and other
- users.
-
- You can set up one or more domains, and include servers with user-level
- security as well as servers with share-level security within them. If the
- domain has a server with user-level security, then logon security can run in
- the domain. A user can have accounts in multiple domains but can log on in
- only one domain at a time. Being logged on in one domain, however, doesn't
- preclude using resources in other domains.
-
- For more information about domains, see Chapter 3, "Understanding and
- Planning Security."
-
-
- Remote Administration
-
- You don't need to be sitting at a server to perform administrative tasks.
- You can manage a server from any LAN Manager for MS OS/2 or LAN Manager
- Enhanced for MS-DOS workstation, provided you have administrative privileges
- at the server. Using the LAN Manager Screen for administrators at an MS OS/2
- workstation, you can administer a remote server simply by setting the focus
- on the server's computername.
-
- For information about remote administration, see Chapter 2, "Getting
- Started."
-
-
- Services
-
- A service is a program that performs one of the major functions of LAN
- Manager. Services are started, paused, continued, and stopped using the LAN
- Manager Screen or command-line commands.
-
- The Workstation service lets a user log on to the network and use a
- workstation. The Server service lets an administrator share resources with
- other users. The Peer service gives an MS OS/2 workstation many of the
- features of a server, including the ability to share a queue and directories
- with another user.
-
- Services also control the following LAN Manager features:
-
-
- ■ File replication. The Replicator service lets you maintain an
- identical, up-to-date set of directories and files on selected servers
- and workstations. Replication saves you the time of updating files on
- many servers, spreads out the demand for heavily used files, and
- decreases the processing load on individual servers. For more
- information, see Chapter 13, "Replicating Files and Directories."
-
- ■ Remote booting. Your network can include workstations without hard
- disk drives. These workstations can operate on software provided by
- servers. Using the Remoteboot service, a server can send boot software
- to enable a workstation without a hard disk to run MS OS/2 or MS-DOS.
- For more information, see Chapter 14, "Using the Remoteboot Service."
-
-
- For more information about services, see Chapter 2, "Getting Started."
-
-
- Fault Tolerance
-
- If a disk drive fails or the power goes out, the LAN Manager fault-tolerance
- system can protect against data loss. The fault-tolerance system includes
- utilities to ensure that there are always two copies of data available for
- hard-disk read and write operations.
-
- For more information about fault tolerance, see Chapter 15, "Guarding
- Against Data Loss."
-
-
- Uninterruptible Power Supply (UPS) Service
-
- The UPS service lets you attach a battery to the server to protect data
- should a power failure occur. The UPS service provides for orderly shutdowns
- when the power fails.
-
- For more information about the UPS service, see Chapter 15, "Guarding
- Against Data Loss."
-
-
- Queues
-
- To manage printers, modems, and other devices, servers can share queues to
- handle tasks for many users.
-
-
- ■ A printer queue stores print jobs, which are spooled from users'
- workstations. Printer queues send print jobs (usually in the order
- received) to printers as they become available. For information about
- how to share and control printer queues, see Chapter 8, "Printers."
-
- ■ A communication-device queue stores requests for the use of modems,
- scanners, or printers that use serial processing. Users wanting to
- connect to the device send a request to the queue. When the device
- becomes available, the queue connects the user's workstation to the
- device. For information about how to share and control
- communication-device queues, see Chapter 9, "Communication Devices."
-
-
-
- Console Screen
-
- To maintain security at an unattended server while allowing users to view
- the contents of queues, LAN Manager features a console screen.
-
- The console version of the LAN Manager Screen displays the contents of a
- server's printer queues or communication-device queues. Users cannot use the
- server in any way except to monitor and modify their own requests. A
- password must be supplied to exit the screen.
-
- For more information about the console screen, see Chapter 11, "Running an
- Unattended Server."
-
-
- Profiles
-
- LAN Manager allows you to share resources and set permissions for them at a
- server, and then save a record of those shares in a profile. Also, the
- workstation's connections to shared resources can be recorded in the
- profile. The profile can be loaded at any time to restore shares and
- connections. Shares and connections specified in a profile can replace
- existing ones or be added to them.
-
- For information about creating and using profiles, see Chapter 10,
- "Profiles."
-
-
- LANMAN.INI File
-
- Many aspects of a workstation's or a server's performance are predefined,
- and are set automatically at startup. For example, when the LAN Manager
- Screen is started, a username for logging on is suggested. Likewise, a
- workstation or server is started by default with a unique name, called the
- computername, which identifies it on the network.
-
- Such settings are determined by a file called LANMAN.INI, which resides in
- the LANMAN directory. (For LAN Manager for MS-DOS, the LAN Manager software
- is stored in the LANMAN.DOS directory.)
-
- LANMAN.INI is an initialization file that contains a separate entry with a
- default value for each setting (such as the computername). You can
- temporarily change settings by using the net start or net config command, or
- by using the LAN Manager Screen to start a service. You can permanently
- change settings by using the Setup program or by editing the LANMAN.INI file
- with a text editor.
-
- The default values and ranges of LANMAN.INI settings are shown in Appendix
- A, "The LANMAN.INI File." They are defined in the Microsoft LAN Manager
- Administrator's Reference.
-
-
- Online Help
-
- Help is available both from the LAN Manager Screen for administrators and
- from the MS OS/2 command line. The LAN Manager Screen for administrators
- provides context-sensitive help for most tasks, as well as a glossary of
- terms.
-
- For information about getting online help, see Chapter 2, "Getting Started."
-
-
-
- Other Features and Utilities
-
- To let you expand the power of your network, LAN Manager offers these
- features and utilities:
-
-
- ■ Monitoring features. LAN Manager maintains records of events that
- occur on the network and lets you audit a variety of activities. For
- more information, see Chapter 16, "Monitoring the Network."
-
- ■ Utilities. LAN Manager features utilities that let you schedule
- programs to run on a server at a specified time (the at utility),
- detect errors as they occur (the errpopup utility), and check the
- storage space on a server sharing users' home directories (the chkstor
- utility). For more information, see the Microsoft LAN Manager
- Administrator's Reference.
-
- ■ HPFS386. To take advantage of the 80386 microprocessor, LAN Manager
- features HPFS386, which provides extremely fast access to a very large
- shared disk or partition. The backacc, cache, logoff, logon, priv,
- restacc, and SECURESH.EXE utilities help you use HPFS386. For more
- information, see the Microsoft LAN Manager Administrator's Reference.
-
-
-
- Managing the Network
-
- An important part of your job as administrator is to manage user accounts
- and resource permissions, and to share resources.
-
-
- Managing User Accounts
-
- It's your job as administrator to create user accounts, which let users log
- on in a domain and gain access to resources on a server with user-level
- security.
-
- You can simplify the job of managing security on the network by creating
- groups of users, and then setting permissions for each group. With groups,
- you can assign one set of permissions for many users. You can also set up a
- guest account to allow access for users who do not have an account.
-
- For information about how to work with user accounts and groups, see Chapter
- 4, "User-Level Security."
-
-
- Managing Resource Permissions
-
- After you set up accounts, you assign permissions for individual resources.
- For a given resource, such as a directory, you define who can use it and
- what the user can do with it (read, write, delete, and other actions). For
- information about permissions and how to set them, see Part 3, "Sharing
- Resources."
-
- To properly protect the resources, you should set permissions before
- sharing. Think through the security needs of each resource, adjust the
- permission settings, and then share the resource. The permissions can be
- adjusted at the time that you share the resource, or even while the resource
- is being shared.
-
- On a server with user-level security, setting permissions is separate from
- actually sharing a resource; the permissions exist whether the resource is
- currently shared or not.
-
- On a 386 server with local security, permissions are set for all directories
- and files, including those that you don't intend to share. These permissions
- apply to users working at the server's keyboard as well as to users at
- remote workstations with connections to the server.
-
- Although MS-DOS workstations using LAN Manager Basic, MS-Net, or PC-LAN
- software have no allowance for usernames, you can include these workstations
- on your network by setting up accounts with the workstations' computernames.
- The MS-DOS user interacts with the LAN Manager server as if the server were
- an MS-Net or PC-LAN server, but the user is subject to LAN Manager security.
-
-
-
- Sharing Resources
-
- Having established security for resources on the servers, you share the
- resources so that people can use them. For more information about how to
- share and control each type of resource, see Part 3, "Sharing Resources."
-
- In addition to sharing devices, you can share a server's processor and
- memory, letting users run programs on the server while doing other work at
- their workstations. You decide which programs can be run, who can run them,
- and how many can run at one time. For information about how to share the
- server's processing and memory capabilities using the LAN Manager Netrun
- service, see Chapter 12, "Sharing Processing Power."
-
-
- Maintaining the Network
-
- Your job as administrator is not over once the network is set up and all of
- the user accounts and groups are in place. Maintaining the network and
- monitoring its activities is an ongoing role. For information about how to
- use LAN Manager server statistics to diagnose problems, see Chapter 16,
- "Monitoring the Network." Chapter 16 also describes how to synchronize the
- clocks in all of the computers on the network.
-
- Over time, network needs change. You'll need to add and remove computers,
- resources, and user accounts. As changes occur, you'll need to tune the LAN
- Manager server software. For information about improving the way a server
- functions, see the Microsoft LAN Manager Administrator's Reference; it
- explains how you can improve the way a server functions by modifying entries
- in the LANMAN.INI file (the configuration file for LAN Manager software).
-
-
- Working with Other Network Software
-
- LAN Manager works with other types of networking software to let you combine
- old and new software on one network.
-
- MS-DOS computers with MS-Net or PC-LAN network software can use resources
- shared by LAN Manager servers. Similarly, LAN Manager workstations can use
- the resources of MS-Net, PC-LAN, and XENIX(R) servers.
-
- Where it is needed, this manual describes special considerations for other
- network software that might be integrated with LAN Manager.
-
-
-
-
-
-
- Chapter 2 Getting Started
- ────────────────────────────────────────────────────────────────────────────
-
- This chapter explains how to set up your local-area network. It describes
- how to start the first server on a new network and how to start a server on
- an existing network.
-
- It also provides procedures for starting the Workstation and Server
- services, and for logging on to the network. The LAN Manager Screen for
- administrators is described, with instructions for moving around in it using
- the keyboard and the mouse. Information is also provided about getting
- online help, administering remote servers, controlling services, and
- quitting LAN Manager.
-
- The procedures in this chapter use the LAN Manager Screen. For more
- information about each LAN Manager command, see the Microsoft LAN Manager
- Administrator's Reference. For information about the LAN Manager features
- discussed in this chapter, see Chapter 1, "Overview."
-
-
- Starting LAN Manager
-
- Starting LAN Manager to perform administrative tasks involves two separate
- procedures:
-
-
- ■ Starting the Workstation and Server services
-
- ■ Logging on to the network
-
-
- Starting the Workstation service loads software into your computer's memory
- that lets you use the workstation. Starting the Server service lets you
- share, control, and monitor your computer's resources.
-
- When you start LAN Manager for the first time at the first server on the
- network, the procedures you follow for logging on are unique. This section
- explains how to start the first server on the network and how to start
- servers on an existing network.
-
- Logging on establishes you as the user of the workstation and server. When
- you log on, you supply your username and password. If you are logging on at
- the first server on the network, you must supply a special username and
- password.
-
- If you are logging on at a server on an existing network running logon
- security (in which servers share a common database of user accounts to
- verify logons), your username and password identify you as a member of a
- domain. You don't need to include a domain name to log on in the workstation
- domain, which is specified in the workstation's LAN Manager software.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If you are using a 386 computer with HPFS386 and local security, you will
- see the following message when you turn on your computer:
- ────────────────────────────────────────────────────────────────────────────
-
- LAN Manager local security has started.
-
- Press ESC to log on now, or press ENTER to start the computer with no one
- logged on.
-
-
- If you plan to log on when you start the computer, press ESC. For
- information about local security and situations in which you would want to
- press ENTER instead of ESC, see Chapter 4, "User-Level Security."
-
- Starting the Workstation and Server Services
-
- Command Line To start both the Workstation and Server services, type
-
- net start server
-
- This command starts both the Workstation service and the Server service.
- Separate messages appear, telling you that each service is starting. The
- Workstation and Server services can be started individually using
- command-line commands or the LAN Manager Screen for administrators.
-
- Once the Workstation and Server services are started, you must log on. You
- can log on using the LAN Manager Screen for administrators or by typing LAN
- Manager commands from the command line.
-
-
- Logging On
-
- You use different procedures for logging on for the first time at the first
- server on the network and for logging on at a server on an existing network.
-
-
-
- Logging On at the First Server on the Network
-
- Use the following procedure for logging on for the first time at the first
- server on the network.
-
- To log on using the LAN Manager Screen for administrators:
-
-
- 1. From the command line, start the LAN Manager Screen for administrators
- by typing
-
- net admin
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Typing net admin /mono improves the LAN Manager Screen display for some
- computer screens. Try the command with and without /mono to determine which
- display you
-
-
- The following message box appears:
-
- (This figure may be found in the printed book).
-
- A username appears in the "Username" text box. (This is from the
- username entry in the [netshell] section of the LANMAN.INI file, or,
- if that entry is blank, it is the workstation's computername.)
-
- 2. In the "Username" text box, type
-
- admin
-
- 3. Press TAB to move to the "Password" text box.
-
- 4. In the "Password" text box, type
-
- password
-
- 5. Press TAB to move to <OK>.
-
- 6. Press ENTER.
-
- The following message box appears:
-
- (This figure may be found in the printed book).
-
- 7. Press ESC or ENTER.
-
- The following message box appears:
-
- (This figure may be found in the printed book).
-
- This message box should tell you that you have administrative
- privileges at your server. If not, log off and try this procedure
- again (see "Quitting LAN Manager," later in this chapter).
-
- 8. Press ESC or ENTER.
-
-
- If you are not using the LAN Manager Screen for administrators, you can type
- commands from the command line to perform administrative tasks.
-
- Command Line To log on using command-line commands, type
-
- net logon admin password
-
- See Net Logon, Microsoft LAN Manager Administrator's Reference.
-
- First Server Account - If you logged on at the first server on the network
- with the username admin and the password password, you are using the default
- administrative account. This account is created by the Setup program when
- LAN Manager is installed, and it is the only user account on the server when
- you start.
-
- This account gives you administrative privileges. It cannot be deleted
- unless you create another account with administrative privileges. You can
- change the password. To keep this account secure, you might want to change
- the password before setting up other servers and workstations. You also
- might want to add a new account with administrative privileges for yourself.
-
-
- For more information about accounts and changing passwords, see Chapter 4,
- "User-Level Security."
-
- For information about setting up the network, read the rest of this chapter,
- and then Chapter 3, "Understanding and Planning Security."
-
-
- Logging On to an Existing Network
-
- Use the following procedure for logging on at a server on an existing
- network.
-
- To log on using the LAN Manager Screen for administrators:
-
-
- 1. From the command line, start the LAN Manager Screen for administrators
- by typing
-
- net admin
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Typing net admin /mono improves the LAN Manager Screen display for some
- computer screens. Try the command with and without /mono to determine which
- display you
-
-
- The following message box appears:
-
- (This figure may be found in the printed book).
-
- A username appears in the "Username" text box. (This is from the
- username entry in the [netshell] section of the LANMAN.INI file, or,
- if that entry is blank, it is the workstation's computername.)
-
- 2. In the "Username" text box, supply a username.
-
- You can type a different username, or log on with the username
- displayed by leaving the text box alone. Pressing any key removes the
- name displayed in the text box.
-
- 3. Press TAB to move to the "Password" text box.
-
- 4. Type a password.
-
- The password is not displayed as you type it.
-
- 5. Press TAB to move to the "Domain" text box.
-
- Leave this text box blank to log on in the workstation domain, or type
- a domain name to specify a different logon domain.
-
- 6. Press TAB to move to <OK>.
-
- 7. Press ENTER.
-
- The following message box appears:
-
- (This figure may be found in the printed book).
-
- This message box displays the computername of the server that verified
- your logon, the date and time you last logged on in the domain, and
- the time by which you must log off.
-
- 8. Press ESC or ENTER.
-
- The following message box appears:
-
- (This figure may be found in the printed book).
-
- This message box should tell you that you have administrative
- privileges at your server. If not, log off and try this procedure
- again (see "Quitting LAN Manager," later in this chapter). Be sure to
- type the correct password.
-
- 9. Press ESC or ENTER.
-
-
- If you are not using the LAN Manager Screen for administrators, you can type
- commands from the command line to perform administrative tasks.
-
- Command Line To log on using command-line commands, type
-
- net logon username password [/domain:name]
-
- See Net Logon, Microsoft LAN Manager Administrator's Reference.
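-
- A check for the two net logon forms shown in this chapter, as an added
- example that is not part of the original guide: it scans a command file for
- net logon lines that carry a password, and flags the default admin/password
- account described under "First Server Account." The sample command file and
- all function names are constructed for illustration.

```python
DEFAULT_USER, DEFAULT_PASSWORD = "admin", "password"  # defaults stated in the guide

# Constructed sample command file (not from the guide).
SAMPLE_CMD = """\
@echo off
rem net logon admin password
net start server
net logon admin password
NET LOGON jennyt Tr33house /domain:SALES
@net logon maryl
"""


def parse_net_logon(line):
    """Parse 'net logon username password [/domain:name]'; None for other lines."""
    tokens = line.strip().lstrip("@").split()
    if len(tokens) < 2 or [t.lower() for t in tokens[:2]] != ["net", "logon"]:
        return None  # also skips 'rem ...' comment lines
    args = tokens[2:]
    positional = [t for t in args if not t.startswith("/")]
    domain = None
    for t in args:
        if t.lower().startswith("/domain:"):
            domain = t.split(":", 1)[1] or None
    return {
        "user": positional[0] if positional else None,
        "password": positional[1] if len(positional) > 1 else None,
        "domain": domain,
    }


def audit_command_file(text):
    """Report each net logon line that embeds a password.

    Findings never repeat the password itself, only where it was found.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        logon = parse_net_logon(line)
        if logon is None or logon["password"] is None:
            continue
        # Compared case-insensitively so that ADMIN/PASSWORD is caught too.
        is_default = (
            logon["user"].lower() == DEFAULT_USER
            and logon["password"].lower() == DEFAULT_PASSWORD
        )
        findings.append({
            "line": number,
            "user": logon["user"],
            "domain": logon["domain"],
            "issue": "default-admin-credentials" if is_default
                     else "password-on-command-line",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_command_file(SAMPLE_CMD):
        print(finding)
```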
-
- Existing Network Accounts - When you log on to an existing network, you may
- receive messages that you are logged on standalone.
-
- If the domain into which you log on is not running logon security, you are
- logged on standalone. If the domain is running logon security, being logged
- on standalone probably means that you specified an incorrect username and
- password. It could also indicate that the server that verifies logons is not
- running. Try logging on again. If you are still unsuccessful, check to
- ensure that the server verifying logons is running properly, and that it has
- an account for you.
-
- For information about logon security, see Chapter 4, "User-Level Security."
-
-
-
- Using the LAN Manager Screen
-
- The LAN Manager Screen for administrators lets you perform administrative
- and other network tasks without having to memorize commands or syntax.
-
- Figure 2.1 shows the LAN Manager Screen.
-
- (This figure may be found in the printed book).
-
- The LAN Manager Screen for administrators contains these elements:
-
- Menu bar
- Displays the names of menus from which you can choose commands.
-
- Current focus
- Shows the computername of your workstation or the server that is the focus
- of activity when using LAN Manager Screen commands.
-
- Workstation information
- Provides the following information about your workstation:
-
- Your username
- The username specified when you logged on to the network.
-
- Your computername
- The computername specified when the workstation was started.
-
- Your domain
- The name of your logon domain. This is the domain name specified when
- you logged on to the network. If you didn't specify a domain name, you
- automatically logged on in the workstation domain, which is specified
- in the LANMAN.INI file. Note that the workstation domain and the logon
- domain are the same if you logged on in the workstation domain.
-
- Servers visible at the workstation
- Lists the servers in the logon and workstation domains, and in the other
- domains listed in the othdomains entry of the LANMAN.INI file.
-
- Scroll bar
- Lets you scroll through the servers using the mouse.
-
- Message line
- Provides a brief statement about the current menu, command, or task.
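-
- The LANMAN.INI lookups behind these screen elements (the suggested username,
- the default logon domain, and the domains whose servers are listed), as an
- added example that is not part of the original guide. The sample file is
- constructed; placing computername, domain and othdomains in a [workstation]
- section, and separating othdomains with commas, are assumptions.

```python
import configparser

# Constructed sample LANMAN.INI. The guide names the username entry in
# [netshell] and the othdomains entry; the [workstation] section name and the
# comma-separated othdomains value are assumptions of this example.
SAMPLE_INI = """\
; constructed sample, not taken from a real server
[workstation]
computername = PRINT1
domain = SALES
othdomains = MKTG, eng, sales

[netshell]
username =
"""


def load_lanman_ini(text):
    """Parse LANMAN.INI text (entry names are matched case-insensitively)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg


def _entry(cfg, section, key):
    """Return a stripped entry value, or '' when it is missing or blank."""
    return (cfg.get(section, key, fallback="") or "").strip()


def suggested_username(cfg):
    """Name pre-filled in the "Username" text box: the [netshell] username
    entry, or the workstation's computername when that entry is blank."""
    return (_entry(cfg, "netshell", "username")
            or _entry(cfg, "workstation", "computername"))


def logon_domain(cfg, typed_domain=""):
    """A blank "Domain" text box means the workstation domain."""
    typed = typed_domain.strip().upper()
    return typed or _entry(cfg, "workstation", "domain").upper()


def visible_domains(cfg, typed_domain=""):
    """Logon domain, workstation domain, then othdomains, without repeats."""
    candidates = [logon_domain(cfg, typed_domain),
                  _entry(cfg, "workstation", "domain").upper()]
    candidates += [d.strip().upper()
                   for d in _entry(cfg, "workstation", "othdomains").split(",")]
    seen, ordered = set(), []
    for name in candidates:
        if name and name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


def prefills_default_admin(cfg):
    """True when the logon box would suggest the default username admin."""
    return suggested_username(cfg).lower() == "admin"


if __name__ == "__main__":
    cfg = load_lanman_ini(SAMPLE_INI)
    print("suggested username:", suggested_username(cfg))
    print("logon domain      :", logon_domain(cfg))
    print("visible domains   :", visible_domains(cfg))
```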
-
- To use the LAN Manager Screen for administrators, you select a menu, which
- displays a list of commands, and then you choose a command. A dialog box
- then appears, in which you enter information to perform a task.
-
- The following sections explain menus and dialog boxes and tell you how to
- use the keyboard and the mouse to move through them and perform tasks.
-
-
- Using Menus and Menu Commands
-
- Menus are the starting point for any LAN Manager Screen operation. The names
- of all six menus appear in the menu bar across the top of the LAN Manager
- Screen. When you select a menu, a list of commands appears. You can then
- choose a command to tell LAN Manager the type of task you want to perform.
- Except for Exit on the View menu, each command leads to a dialog box. If a
- menu command does not contain a highlighted letter, that command is not
- available (for example, commands requiring administrative privileges are not
- available to users with user privileges).
-
- From menus on the LAN Manager Screen, you can perform the following tasks:
-
- View menu
- View, control, and connect to resources shared by servers, view the
- connections of the workstation or server of current focus, view
- information about users on the network, and exit the LAN Manager Screen.
-
- Message menu
- Send, log, and read messages, and manage aliases (names used to receive
- messages).
-
- Config menu
- Log on, log off, use profiles, view the workstation configuration, set the
- server configuration, and control services.
-
- Status menu
- View the status of shared resources, view workstation and server
- statistics and errors, and read the audit trail and error log.
-
- Accounts menu
- Change user accounts and groups, view and set permissions and security
- settings for shared resources, and change the options and password for
- your account at a server.
-
- Help menu
- Access different types of online help.
-
- When viewing or selecting menus, and choosing menu commands, use these keys:
-
- Key                 Action
- ────────────────────────────────────────────────────────────────────────────
- ALT                 Activates menu names on the menu bar.
-
- Highlighted letter  When menu names are activated or menu commands are
-                     displayed, selects the menu or chooses the menu
-                     command that contains the highlighted letter.
-
-                     When a menu is displayed, moves from one menu to
-                     another.
-
-                     When a menu is displayed, moves from one command to
-                     another.
-
- ENTER               Selects a menu or chooses a menu command.
-
- ESC                 Removes a menu from the screen.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- To select a menu with the mouse, click the menu name (position the mouse
- pointer on the menu name, and then press and release the left mouse button).
- The menu appears; you can then choose a menu command by clicking it.
-
-
- Using Dialog Boxes
-
- Dialog boxes request information needed to perform a task. Dialog boxes
- contain as many as five areas, or fields. Each dialog box has a name
- displayed at the top.
-
-
- Dialog Box Fields
-
- Dialog boxes contain one or more of the following fields:
-
-
- ■ Text boxes, which receive typed information
-
- ■ List boxes, which present a list of items to select from
-
- ■ Check boxes, which let you mark or unmark an option
-
- ■ Option buttons, which let you select one of multiple options
-
- ■ Command buttons, which perform an action
-
-
- Figure 2.2 shows four dialog box fields and the dialog box title.
-
- (This figure may be found in the printed book).
-
- Use the following keys to move around in dialog boxes:
-
- Key                 Action
- ────────────────────────────────────────────────────────────────────────────
- Highlighted letter  Moves the cursor to the highlighted
-                     letter's field. If the cursor is in a list
-                     box or a text box, you must hold down the
-                     ALT key while you press the highlighted
-                     letter. Pressing the highlighted letter in
-                     a command button chooses that command
-                     button.
-
- TAB                 Moves the cursor to the next field.
-
- SHIFT+TAB           Moves the cursor to the previous field.
-
- ENTER               Carries out the actions you specified.
-
- ESC                 Cancels any actions and removes the dialog
-                     box from the screen.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- The five dialog box fields are described in the following sections.
-
- Text Boxes - You type information in a text box. A text box is surrounded by
- brackets and contains a series of dots that are replaced with characters as
- you type. It can sometimes hold more characters than appear between the
- brackets by scrolling characters to the left. A text box may appear with
- information provided, such as your username. If so, pressing any character
- removes the information.
-
- Use the following keys to move around in a text box:
-
- Key                 Action
- ────────────────────────────────────────────────────────────────────────────
-                     Moves the cursor one space to the left.
-
-                     Moves the cursor one space to the right.
-
- HOME                Moves the cursor to the first character in
-                     the text box.
-
- END                 Moves the cursor to the last character in
-                     the text box.
-
- DEL                 Deletes the character that the cursor is
-                     on.
-
- BACKSPACE           Deletes the character to the left of the
-                     cursor.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- If you are using the mouse, you can scroll the characters in the text box by
- clicking a bracket (position the mouse pointer on the bracket, and then
- press and release the left mouse button).
-
- List Boxes - In a list box, you view items by scrolling through a list. For
- example, there can be lists of resources available on a server or lists of
- print jobs waiting to be printed.
-
- Use the following keys to move around in a list box:
-
- Key                 Action
- ────────────────────────────────────────────────────────────────────────────
-                     Moves the cursor up one line.
-
-                     Moves the cursor down one line.
-
- PG UP               Moves the cursor up one page. (A page is
-                     the portion of the list that appears on
-                     the screen.)
-
- PG DN               Moves the cursor down one page.
-
- HOME                Moves the cursor to the top of the list.
-
- END                 Moves the cursor to the bottom of the
-                     list.
-
- F5                  Refreshes a list of items.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- Pressing a letter while the cursor is in a list box moves the cursor to the
- next item that begins with that letter. This includes the list box of server
- computernames on the LAN Manager Screen.
-
- A scroll bar and a scroll box appear at the right of the list box. The
- scroll bar lets you use the mouse to move through a list with more than one
- screen of information. Click the up or down arrow (position the mouse
- pointer on the arrow, and then press and release the left mouse button) to
- move the view up or down one line.
-
- The position of the scroll box on the scroll bar reflects the position of
- the information in the window relative to the total contents of the list.
- You can move through the list by positioning the mouse pointer on the scroll
- box, holding the left mouse button down, then dragging the scroll box.
-
- To select an item in a list box with the mouse, click the item. If the
- dialog box has a <Zoom> command button, double-clicking an item zooms in on
- it. Otherwise, double-clicking performs the action that corresponds to the
- first command button listed. To double-click, position the mouse pointer,
- and then press and release the left mouse button twice with a quick motion.
-
-
- Check Boxes - With a check box, you turn an option on or off. When a check
- box is marked with an X, the option is turned on. Use the SPACEBAR as a
- toggle switch to mark or unmark a check box.
-
- To mark or unmark a check box with the mouse, click the check box (position
- the mouse pointer within the brackets, and then press and release the left
- mouse button).
-
- Option Buttons - An option button lets you select one option from a group of
- options. One option button is always preselected, and only one option button
- can be selected at a time.
-
- To select an option button, use the following keys:
-
- Key                 Action
- ────────────────────────────────────────────────────────────────────────────
-                     Changes the selected option to the
-                     previous option.
-
-                     Changes the selected option to the next
-                     option.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- To select an option button with the mouse, click it (position the mouse
- pointer within the parentheses, and then press and release the left mouse
- button).
-
- Command Buttons - A command button lets you perform a specific action. A
- command button that does not contain a highlighted letter is not active.
-
- To choose a command button, press the TAB key to move to the button, and
- then press ENTER. You can also press the letter highlighted in the command
- button to choose a command button. (If the cursor is in a list box or text
- field, you must hold down the ALT key while pressing the highlighted
- letter.)
-
- To choose a command button with the mouse, click it (position the mouse
- pointer on any character within the command button, and then press and
- release the left mouse button).
-
-
- Getting Help with the LAN Manager Screen
-
- There are two ways to get help while using the LAN Manager Screen for
- administrators: by selecting the Help menu or by pressing F1. The Help menu
- provides access to help topics.
-
- To get more information about a particular menu, command, or dialog box:
-
-
- 1. Press F1 while that item is displayed.
-
- For example, if you press F1 while the LAN Manager Screen for
- administrators is displayed, the following message box appears:
-
- (This figure may be found in the printed book).
-
- 2. Choose <Done> or press ESC.
-
- This removes help boxes from the screen.
-
-
-
- Getting Help from the Command Line
-
- You can also get several types of help from the command line.
-
- Command Line To get help from the command line:
-
-
- ■ Display a list of commands and topics for which help is available by
- typing
-
- net help
-
- ■ Display help for a particular command by typing
-
- net help command
-
- ■ Display only the options of a command by typing
-
- net help command /options
-
- ■ Display a command's syntax by typing
-
- net command /?
-
-
- For more information about getting help from the command line, see the
- Microsoft LAN Manager Administrator's Reference.
-
-
- Getting Help with Error Messages
-
- You can get help with errors that occur while you are using the LAN Manager
- Screen for administrators.
-
- To get help with an error message:
-
- Press F1 when the message box is displayed.
-
- Command Line To get help with an error message, type
-
- net helpmsg message#
-
- See Net Helpmsg, Microsoft LAN Manager Administrator's Reference.
-
-
- Administering Remote Servers
-
- If you have administrative privilege on a server, you can perform
- administrative tasks at that server from any LAN Manager workstation or
- server on the network.
-
- To administer a remote server, log on at a server or workstation with your
- username and password. Use the net admin command to start a command
- processor that lets you type command-line commands at the server or to start
- the LAN Manager Screen for administrators (MS OS/2 workstations only). If
- you are administering a remote server with the LAN Manager Screen for
- administrators, you must set the current focus on the remote server. For
- information about remote administration, see the net admin command in the
- Microsoft LAN Manager Administrator's Reference.
-
- The server you are administering must be sharing the ADMIN$ and IPC$
- resources. These resources let you establish a session with the server.
- Servers with user-level security share these resources automatically;
- servers with share-level security must explicitly share these resources. For
- more information about sharing ADMIN$ and IPC$, see Chapter 6,
- "Administrative Resources."
-
- To administer a remote server with the LAN Manager Screen for
- administrators, you must set the current focus on the server (see the
- following section, "Setting the Current Focus").
-
- Remote administration cannot be done at a LAN Manager Basic for MS-DOS
- workstation.
-
-
- Setting the Current Focus
-
- When you start the LAN Manager Screen for administrators, the "Current
- focus" line and the "Set current focus on" text box display the server's
- computername. This means the server is the focus of activity when you use
- menus and dialog boxes.
-
- Using the LAN Manager Screen for administrators, you can administer servers
- remotely, manage their shared resources, and connect them to other
- resources. The first step in performing such tasks is to set the current
- focus on the server you want to administer remotely or whose resources you
- want to view or use. This makes the server the focus of activity.
-
- To set the current focus on a server:
-
-
- 1. Select the computername of a server.
-
- Scroll through the list box or press the first letter of the server's
- computername until the name appears in the "Set current focus on" text
- box. Or you can type the server's computername in the "Set current
- focus on" text box. The server does not need to be listed to set the
- focus on it.
-
- 2. Press ENTER.
-
- 3. If a dialog box appears prompting you for a password, in the
- "Password" text box, type the password needed to gain access to the
- server.
-
- The server's computername is then displayed on the "Current focus"
- line, and a message box that shows your privileges at that server
- appears.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- You can monitor several servers simultaneously by establishing different MS
- OS/2
-
-
-
-
- Controlling LAN Manager Services
-
- Along with the Workstation and Server services, LAN Manager, by default,
- starts these other services at a server:
-
-
- ■ The Messenger service, which lets you send, receive, and log messages.
-
- ■ The Netpopup service, which displays a message box on your computer's
- screen when a message is received from another user or a server on the
- network. Unlike the message boxes that are displayed during logon, the
- Netpopup service message boxes are not part of the LAN Manager Screen;
- they appear regardless of what application you are using.
-
- ■ The Alerter service, which sends messages to specified users about
- activity at the server.
-
-
- The following services can also be run at a server:
-
- Netlogon
- Verifies the username and password supplied by each person who attempts to
- log on to the network or gain access to the server. See Chapter 4,
- "User-Level Security."
-
- Netrun
- Enables users at workstations to run programs on the server. See Chapter
- 12, "Sharing Processing Power."
-
- Remoteboot
- Enables a server to boot workstations with MS OS/2 or MS-DOS software. See
- Chapter 14, "Using the Remoteboot Service."
-
- Replicator
- Duplicates a master set of directories and files, or designated
- directories and files, on other servers and workstations. See Chapter 13,
- "Replicating Files and Directories."
-
- Timesource
- Enables an administrator to designate a server as a central time server
- for synchronizing computer clocks on the network. See Chapter 16,
- "Monitoring the Network."
-
- UPS
- Provides an uninterruptible power supply to keep the server operating in
- the event of a power failure. See Chapter 15, "Guarding Against Data
- Loss."
-
- An MS OS/2 workstation can run the Peer service instead of the Server
- service. The Peer service lets the workstation share its resources with one
- user at a time at a remote workstation. The Peer service is installed by the
- Setup program. When starting and using the Peer service, the terms "Peer"
- and "Server" are synonymous. Note, however, that a workstation cannot run
- the Peer service and the Server service at the same time.
-
- Once a LAN Manager service is running, you can pause, continue, stop, and
- restart it.
-
-
- Pausing a Service
-
- You can pause, or suspend, the Server, Workstation, and other services.
- Unlike stopping, pausing does not cancel resource sharing or connections, or
- change settings associated with the service.
-
- Pausing the Server service prevents users from making new connections to the
- server's shared resources. However, users who have connections to shared
- resources before the service is paused can continue using the resources
- after the service is paused.
-
- Pausing the Workstation service lets you use the computer's devicenames for
- local resources instead of network resources. Pausing the Workstation
- service also pauses the Messenger and Netpopup services.
-
- To pause a service:
-
-
- 1. From the Config menu, choose Control services.
-
- The dialog box shown in Figure 2.3 appears.
-
- (This figure may be found in the printed book).
-
- This dialog box displays a list of LAN Manager Services. The "Services
- in LANMAN.INI" column lists service names. Each service name
- corresponds to a section of the LANMAN.INI file that contains entries
- that control the service. The "Status" column displays the status of
- the service. If no status is displayed, the service is not running.
-
- 2. Select the service you want to pause.
-
- 3. Choose <Pause>.
-
- 4. Choose <Done>.
-
-
- Command Line To pause a service, type
-
- net pause service
-
- See Net Pause, Microsoft LAN Manager Administrator's Reference.
-
-
- Continuing a Service
-
- Continuing a service restores resource sharing, connections, and other
- associated services that were previously paused.
-
- To continue a service:
-
-
- 1. From the Config menu, choose Control services.
-
- The "LAN Manager Services" dialog box (Figure 2.3) appears.
-
- 2. Select the service you want to continue.
-
- 3. Choose <Continue>.
-
- 4. Choose <Done>.
-
-
- Command Line To continue a service, type
-
- net continue service
-
- See Net Continue, Microsoft LAN Manager Administrator's Reference.
-
-
- Stopping a Service
-
- Stopping disables a service and removes software from your computer's
- memory. Depending on the service, stopping may cancel resource sharing and
- connections, and delete message aliases.
-
- ────────────────────────────────────────────────────────────────────────────
- CAUTION
-
- Do not stop a LAN Manager server by pressing CTRL+ALT+DEL. With MS OS/2,
- many processes, along with LAN Manager, may be running. Stop LAN Manager
- services, then use the Presentation Manager Shutdown procedure before
- restarting or turning off your computer.
- ────────────────────────────────────────────────────────────────────────────
-
- To stop services with the LAN Manager Screen, you must set the current focus
- on your (*Local*) workstation.
-
- Before stopping a service, LAN Manager displays a message box that lists
- connections to resources associated with the service and prompts you for
- confirmation to stop the service.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Before stopping the Server service, it's a good idea to first pause the
- service and send a message to users connected to the server's shared
- resources, warning them that the Server service will be stopped. For
- information about sending messages, see the Microsoft LAN Manager User's
- Guide.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- Stopping All Services
-
- To stop all LAN Manager services:
-
-
- 1. From the Config menu, choose Stop LAN Manager services.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. Choose <OK>.
-
-
- LAN Manager displays a series of message boxes telling you that your
- username is logged off from the network and that the workstation is stopped.
-
-
-
- Stopping an Individual Service
-
- You can stop any service to remove LAN Manager software from your computer's
- memory. Stopping has different effects, depending on the service:
-
-
- ■ Stopping the Server service cancels any shared resources and cancels
- other users' connections to shared resources. Only a user with admin
- privilege can stop the Server service.
-
- ■ Stopping the Workstation service removes all LAN Manager software and
- logs you off from the network. It stops all other services, cancels
- network connections, and deletes message aliases.
-
- ■ Stopping the Messenger service prevents your workstation from
- receiving messages and stops the Netpopup service.
-
- ■ Stopping the Netpopup service prevents your workstation from
- displaying a message box when a message is received.
-
-
- To stop a service:
-
-
- 1. From the Config menu, choose Control services.
-
- The "LAN Manager Services" dialog box (Figure 2.3) appears.
-
- 2. Select the service you want to stop.
-
- 3. Choose <Stop>.
-
- A dialog box similar to the following one appears:
-
- (This figure may be found in the printed book).
-
- 4. Choose <OK>.
-
-
- Command Line To stop a service, type
-
- net stop service
-
- See Net Stop, Microsoft LAN Manager Administrator's Reference.
-
-
- Starting a Service
-
- To start a service:
-
-
- 1. From the Config menu, choose Control services.
-
- The "LAN Manager Services" dialog box (Figure 2.3) appears.
-
- 2. Select the service you want to start.
-
- 3. Choose <Start>.
-
- If you are starting the Server service, the dialog box shown in Figure
- 2.4 appears.
-
- (This figure may be found in the printed book).
-
- 4. Choose <OK>.
-
- This starts the service with LAN Manager default settings. If you want
- to start the service with a setting other than the default value, see
- the following section, "Adjusting Service Performance."
-
- 5. Choose <Done>.
-
-
-
- Adjusting Service Performance
-
- The performance of a service is determined by a group of entries (or
- options) in the LANMAN.INI initialization file. Each entry has an assigned
- value that determines how a specific aspect of the service performs. For
- example, the computername entry in the [workstation] section specifies the
- server's computername, and the maxusers entry in the [server] section
- specifies the maximum number of users who can use a server's shared
- resources simultaneously. Entries are arranged in the LANMAN.INI file
- according to the service they control. Each entry has a default value.
-
- When you start a service, you can override the default value for an entry.
- The revised value remains in effect for as long as the service is running.
- When you stop and restart the service, the default value is restored.
-
- To permanently change a setting for a service, use the Setup program or use
- a text editor to edit the LANMAN.INI file. The new settings take effect
- after the file is edited and the service is restarted. For a summary of
- LANMAN.INI entries, see Appendix A, "The LANMAN.INI File." For a full
- description of LANMAN.INI entries, see the Microsoft LAN Manager
- Administrator's Reference.
-
- To override LANMAN.INI option values when starting a service:
-
-
- 1. From the Config menu, choose Control services.
-
- The "LAN Manager Services" dialog box (Figure 2.3) appears.
-
- 2. Select the service you want to start.
-
- 3. Choose <Start>.
-
- The "Start a LAN Manager Service" dialog box (Figure 2.4) appears. The
- "Option" column displays the entries in the LANMAN.INI file that
- control the service. The default values are displayed in the "Value"
- column.
-
- 4. Scroll through the list of options to select an option or, in the
- "Option" text box, type the name of the option you want to change.
-
- 5. In the "Value" text box, type the value you want to assign to the
- option.
-
- 6. Choose <Set>.
-
- If you want to change another option, repeat steps 4, 5, and 6.
-
- To restore default settings, choose <Reset> for a selected option or
- <Reset all> for all options.
-
- 7. Choose <OK>.
-
- If you specify an illegal value, LAN Manager displays an error
- message, and the "Start a LAN Manager Service" dialog box (Figure 2.4)
- reappears.
-
-
- Command Line To override LANMAN.INI option values when starting a
- service, type
-
- net start service [options]
-
- See Net Start, Microsoft LAN Manager Administrator's Reference.
-
-
- Stopping and Starting Administrative Services
-
- Here is another way to stop and start the Server service and other
- administrative services.
-
- To stop and start administrative services:
-
-
- 1. From the Config menu, choose Server options.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- The "Start server services" check boxes control the following
- services:
- Check Box          Service Controlled
- ────────────────────────────────────────────────────────────────────────────
- Server             Server
-
- Admin alerter      Alerter
-
- Netrun service     Netrun
-
- Central logon      Netlogon
-
- Remote boot        Remoteboot
-
- File replicator    Replicator
-
- SQL database       SQL Database Server (optional)
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- If the check box is marked with an X, the service is running. If the check
- box is empty, the service is not running.
-
- 2. Select the appropriate check box; use the SPACEBAR to toggle between
- on and off.
-
- 3. Choose <OK>.
-
- NOTE If you use this procedure to start a service, LAN Manager uses
- default LANMAN.INI values to configure the service.
-
-
-
- Stopping and Starting the Messenger and Netpopup Services
-
- Here is another way to stop and start the Messenger and Netpopup services.
-
- To stop and start the Messenger and Netpopup services:
-
-
- 1. From the Config menu, choose Workstation options.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. Select the Messenger or Netpopup check box; use the SPACEBAR to toggle
- between on and off.
-
- If the check box is marked with an X, the service is running. If the
- check box is empty, the service is not running.
-
- 3. Choose <OK>.
-
-
-
- Quitting LAN Manager
-
- Quitting LAN Manager involves two steps:
-
-
- ■ Logging off from the network
-
- ■ Stopping the Workstation and Server services
-
-
-
- Logging Off from the Network
-
- Logging off removes your username and password from the server and cancels
- any resource sharing or connections, but it does not stop LAN Manager
- services. You should log off when you won't be using the server and
- workstation for a while. That way, no one can use your network identity to
- share or use resources to which you have access.
-
- To log off from the network:
-
-
- 1. From the Config menu, choose Log off from LAN.
-
- If you have any connections, the following message box appears:
-
- (This figure may be found in the printed book).
-
- 2. Choose <OK>.
-
- The following message box appears:
-
- (This figure may be found in the printed book).
-
- 3. Choose <OK>.
-
-
- After you log off, you can't use any shared resources. However, the
- Workstation and Server services are still running.
-
- Command Line To log off from the network, type
-
- net logoff
-
- See Net Logoff, Microsoft LAN Manager Administrator's Reference.
-
-
- Stopping the Workstation and Server Services
-
- When you stop the Workstation and Server services, all network services are
- stopped and all connections to the network end. If you are logged on,
- stopping the Workstation service logs you off. You must restart the services
- and log on if you want to use the network and share resources again.
-
- For information about stopping services, see the "Stopping a Service"
- section, earlier in this chapter.
-
- ────────────────────────────────────────────────────────────────────────────
- CAUTION
-
- Do not stop a LAN Manager server by pressing CTRL+ALT+DEL. With MS OS/2,
- many processes, along with LAN Manager, may be running. Stop LAN Manager
- services, then use the Presentation Manager Shutdown procedure before
- restarting or turning off your computer.
- ────────────────────────────────────────────────────────────────────────────
-
-
- Exiting the LAN Manager Screen for Administrators
-
- Exiting the LAN Manager Screen returns you to the MS OS/2 prompt. If the
- Workstation and Server services are still running and you are logged on,
- exiting the LAN Manager Screen does not log you off, stop LAN Manager
- services, or cancel any resource sharing or connections you've established.
-
-
- To exit the LAN Manager Screen for administrators:
-
-
- 1. Press ESC to close all dialog boxes until only the LAN Manager Screen
- is displayed.
-
- 2. Press F3 or, from the View menu, choose Exit.
-
-
- The LAN Manager Screen for administrators disappears and the MS OS/2 prompt
- appears on your computer's screen.
-
-
-
-
-
-
- PART II Managing Security
- ────────────────────────────────────────────────────────────────────────────
-
- Part 2 explains LAN Manager security. One of two types of
- security─user-level or share-level─protects each server's resources. A
- local-area network can include a mixed set of servers running either type of
- security.
-
- The default security is user-level security, discussed in Chapter 4.
- User-level security controls each person's access to each shared resource
- and provides local security on 386 servers with high-performance file system
- 386 (HPFS386).
-
- Using share-level security, discussed in Chapter 5, permissions are assigned
- for the resource, which is protected by a password. All users who know the
- password get the same level of permissions for the resource.
-
-
-
-
-
-
- Chapter 3 Understanding and Planning Security
- ────────────────────────────────────────────────────────────────────────────
-
- When setting up the network, you must decide how to enforce network security
- to protect resources from unauthorized use. You decide which of LAN
- Manager's two forms of security to use on each server:
-
-
- ■ User-level security. With user-level security, you set permissions for
- each directory, file, printer queue, communication-device queue, and
- named pipe shared on the server, specifying exactly which users can
- use them and how. You can assign each user a password, which the user
- must type to be able to access the server.
-
- ■ Share-level security. With share-level security, you assign a password
- to each resource you share, instead of specifying by name who can use
- the resource. All users who know a resource's password can use the
- resource.
-
-
- A server runs either user-level or share-level security; it can't run both.
- The default is user-level security. Servers with user-level security and
- servers with share-level security can be on the same network.
-
- User-level security is LAN Manager's recommended security mode. User-level
- security lets you take advantage of other LAN Manager security features,
- including logon security, which checks users' names and passwords when they
- log on to the network, and local security, which extends access restrictions
- on a 386 server's files to users working at the server itself.
-
- This chapter introduces LAN Manager security. It also introduces domains,
- which are servers and workstations grouped together for administrative
- purposes. Chapter 4, "User-Level Security," and Chapter 5, "Share-Level
- Security," describe user-level and share-level security in detail.
-
- At the end of this chapter are instructions for filling out two worksheets
- that guide you through the decisions you must make when setting up security.
-
-
-
- Domains
-
- The basic administrative unit in LAN Manager is the domain. Divide your
- network into domains according to how people work together─for example, the
- servers and workstations in each department or on each floor can be grouped
- into one domain.
-
- Dividing large networks into domains keeps them manageable. For example,
- when users type the net view command to display a list of available servers,
- they see only servers in their domain, not those on the whole network.
- However, they can still access resources on servers in any domain.
-
- Domains are also involved in how logon security simplifies network
- administration. With logon security, each domain becomes an administrative
- unit; administrators can use a single command to change a user account on
- all of the domain's servers that participate in logon security, and users
- have a single password that gives them access to resources on servers
- throughout the domain.
-
- Logon security is implemented in domains with the Netlogon service and is
- explained in the "Logon Security" section, later in this chapter.
-
-
- Basics of User-Level Security
-
- On a server with user-level security, you create a user account for each
- person who will be using the server's resources. The account contains
- information about the user, including a username and password. The username
- identifies the user to LAN Manager; each user of the network must have a
- unique username. The password is used by LAN Manager to confirm that a user
- actually is who he or she claims to be. The user must type it to access any
- of the server's resources.
-
- Before sharing a resource, you specify which users are allowed to use the
- resource and what permissions they have. Permissions define the types of
- actions the user can perform on the resource. You can define a different set
- of permissions for each user. You can even define permissions differently
- for each file in the directories the server shares.
-
- For example, suppose you share the directory REPORTS, containing files
- called STATUS and PAYROLL. You could give the user shirleyj permission to
- read from and write to both files and to create and delete files in the
- directory; give johnv permission to read both files but not to write to,
- create, or delete files; give roberty permission to read only the STATUS
- file; and give lizp no permissions at all.
-
- To make assigning permissions simpler, you can create groups of users and
- assign permissions to these groups. Granting permissions to groups rather
- than to individual users saves administration time.
-
- The user accounts and groups you create make up the user accounts database,
- which is kept in the NET.ACC file in the LANMAN\ACCOUNTS directory.
-
- When a user tries to access a resource shared by a server with user-level
- security, the server checks the username and password. If the username
- matches an account in the server's user accounts database, and the supplied
- password matches the password of that account, and the user (or a group the
- user is a member of) has been given adequate permissions for the resource,
- then the user is granted access.
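-
- The check described above, applied to the REPORTS example, as an added Python model that is not part of the original guide or of LAN Manager. The permission letters, the passwords, the user annm, the group auditors, the explicit per-file entries without inheritance, and the union of user and group permissions are assumptions of the model.

```python
"""Model of the user-level access check described above (constructed data)."""
import hashlib
import hmac

READ, WRITE, CREATE, DELETE = "R", "W", "C", "D"   # this example's shorthand


def digest(password):
    # Stand-in for the stored password form; not LAN Manager's own scheme.
    return hashlib.sha256(password.encode()).digest()


class UserLevelServer:
    def __init__(self):
        self.accounts = {}    # username -> password digest
        self.groups = {}      # group name -> set of member usernames
        self.acl = {}         # resource -> {username or group name: permissions}

    def add_user(self, username, password):
        self.accounts[username] = digest(password)

    def add_group(self, group, members):
        self.groups[group] = set(members)

    def grant(self, resource, principal, permissions):
        self.acl.setdefault(resource, {})[principal] = set(permissions)

    def effective_permissions(self, username, resource):
        """Union of the user's own entry and the entries of the user's groups
        (combining them by union is an assumption of this model)."""
        entries = self.acl.get(resource, {})
        perms = set(entries.get(username, ()))
        for group, members in self.groups.items():
            if username in members:
                perms |= entries.get(group, set())
        return perms

    def check_access(self, username, password, resource, wanted):
        """Apply the three conditions in the order the text gives them."""
        stored = self.accounts.get(username)
        if stored is None:
            return False, "no matching account"
        # Constant-time comparison so timing does not leak digest prefixes.
        if not hmac.compare_digest(stored, digest(password)):
            return False, "password does not match"
        if not set(wanted) <= self.effective_permissions(username, resource):
            return False, "inadequate permissions"
        return True, "access granted"


def build_reports_server():
    """The REPORTS directory with the permissions the text assigns."""
    s = UserLevelServer()
    for user in ("shirleyj", "johnv", "roberty", "lizp", "annm"):
        s.add_user(user, user + "-pw")            # constructed passwords
    s.add_group("auditors", ["annm"])             # constructed group and member
    s.grant("REPORTS", "shirleyj", {CREATE, DELETE})
    for path in (r"REPORTS\STATUS", r"REPORTS\PAYROLL"):
        s.grant(path, "shirleyj", {READ, WRITE})
        s.grant(path, "johnv", {READ})
    s.grant(r"REPORTS\STATUS", "roberty", {READ})
    s.grant(r"REPORTS\PAYROLL", "auditors", {READ})   # permission via a group
    # lizp has an account but no entry on any resource: no permissions at all.
    return s


if __name__ == "__main__":
    server = build_reports_server()
    requests = [
        ("shirleyj", "shirleyj-pw", r"REPORTS\PAYROLL", {WRITE}),
        ("johnv", "johnv-pw", r"REPORTS\STATUS", {WRITE}),
        ("roberty", "roberty-pw", r"REPORTS\PAYROLL", {READ}),
        ("lizp", "lizp-pw", r"REPORTS\STATUS", {READ}),
        ("annm", "annm-pw", r"REPORTS\PAYROLL", {READ}),
        ("johnv", "wrong", r"REPORTS\STATUS", {READ}),
    ]
    for user, pw, path, wanted in requests:
        print(user, path, sorted(wanted), server.check_access(user, pw, path, wanted))
```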
-
- By providing a way to specify exactly who is allowed to use each resource
- and in what way, user-level security gives you a precise form of security.
- Its flexibility in setting permissions differently for each user and each
- file makes it a good choice for servers that share files.
-
- Another benefit of user-level security is that it lets you run logon
- security and local security on the server. The following sections describe
- logon security and local security.
-
-
- Logon Security
-
- Logon security, implemented by LAN Manager's Netlogon service, provides two
- benefits: distribution of a domainwide user accounts database, and
- validation of logon requests.
-
-
- Distribution of a Domainwide User Accounts Database
-
- In a domain with logon security, the servers that participate in logon
- security keep and use identical copies of a domainwide user accounts
- database. This makes administration easier─especially if the domain has many
- servers. You create a master user accounts database for the domain on one
- server, and this database is copied automatically to the other servers in
- the domain that participate in logon security. You don't have to create user
- accounts separately on each server.
-
- When you need to make changes or additions to the domainwide database, you
- make them only on the server that holds the master copy of the database, and
- they are copied automatically to the other servers. Using LAN Manager's
- remote administration feature, you can make these changes to the master
- database from any workstation with LAN Manager for MS OS/2 or LAN Manager
- Enhanced for MS-DOS, further simplifying administration.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- When adding user accounts or changing users' passwords during remote
- administration, it is better to use a workstation with MS OS/2. When you use
- an MS OS/2 workstation to add a user account or change a user's password,
- the password is encrypted before it is sent over the network; when you do so
- from an MS-DOS workstation, the password is not encrypted.
-
- However, when a user at an MS-DOS workstation changes his or her own
- password, the password is encrypted before being sent over the network.
- ────────────────────────────────────────────────────────────────────────────
-
- In a domain with logon security, using the network is easier for users as
- well. Each user has a single password that gives him or her access to all
- the servers participating in logon security in the domain.
-
- Each server participating in logon security and running the Netlogon service
- has one of three roles:
-
-
- ■ Primary domain controller─Each domain with logon security must have
- one primary domain controller. This server has the master copy of the
- domain's user accounts database. Changes to the domain's user accounts
- database are made to the database of this server. The primary domain
- controller can also validate logon requests in the domain.
-
- ■ Backup domain controller─Each domain can have one or more backup
- domain controllers. Backup domain controllers have and use copies of
- the domain's user accounts database, and like the primary domain
- controller can validate logon requests. Having backup domain
- controllers improves performance and reliability: the load of logon
- processing can be spread among several servers instead of resting
- solely on the primary domain controller, and logon validation in the
- domain continues even if the primary domain controller is unavailable.
-
-
- ■ Member server─Each domain can have one or more member servers. Member
- servers have and use copies of the domainwide user accounts database
- but don't validate logon requests. Because a member server doesn't
- spend time processing logon requests, this role may be a good choice
- for servers that have heavy work loads.
-
-
- At each backup domain controller and member server, the Netlogon service
- ensures that its local copy of the domainwide user accounts database stays
- identical to the master copy kept at the primary domain controller. At
- regular intervals, the primary domain controller sends each backup and
- member the update information required to keep the databases of those
- servers up to date.
-
- If the primary goes down or is stopped, no changes to the domain's user
- accounts database can be made, but logon request processing continues as
- long as one or more backup domain controllers are running in the domain.
- Because the primary, backups, and members keep their own copies of the
- database, and because the primary and all backups can validate logon
- requests, there isn't a single point of failure in the domain.
-
- Not all servers in a domain with logon security have to participate in logon
- security and use the domainwide user accounts database. Servers that have
- user-level security but don't run the Netlogon service are standalone
- servers. Each standalone server has its own user accounts database instead
- of keeping a copy of the domainwide database. LAN Manager servers are
- installed as standalone servers. Chapter 4, "User-Level Security," explains
- how to change the roles of servers and set up a domain.
-
- Servers with share-level security can also be in a domain with logon
- security. To use a resource on one of these servers, a user must have logged
- on to the network and must know the password of the desired resource.
- Servers with share-level security don't have user accounts databases, don't
- check the identity of users, and don't participate in logon
- validation─knowledge of the resource's password is all that is necessary for
- a user to access a resource shared on a server with share-level security.
-
- Servers running earlier versions of LAN Manager (1.x) can be in domains with
- LAN Manager 2.0 servers. However, LAN Manager 2.0 logon security is not
- interoperable with LAN Manager 1.x logon security; if the Netlogon service
- is running on any LAN Manager 2.0 server in the domain, no LAN Manager 1.x
- server can run its version of the Netlogon service. When LAN Manager 2.0
- logon security is running, each 1.x server with user-level security in the
- domain has its own user accounts database and is treated as a standalone
- server.
-
- However, if a domain is using LAN Manager 2.0 logon security, logon security
- can be enforced for users using the domain's 1.x workstations as well as
- those with 2.0 workstations. For information about how to set up LAN Manager
- 1.x workstations to be controlled by LAN Manager 2.0 logon security, see
- Chapter 4, "User-Level Security."
-
-
- Validation of Logon Requests
-
- Running the Netlogon service on at least one server in the domain forces
- users' logon requests to be validated. Each time a user logs on at a
- workstation in the domain, a logon request is sent to the domain's logon
- servers (the primary and backup domain controllers). One of these servers will
- process the logon request:
-
-
- ■ If the user's account specifies a certain logon server, then that
- logon server is given the first chance to process the logon request.
- However, if that server is unavailable, another logon server (if one
- exists) will process the request.
-
- ■ If the user's account does not specify a particular logon server, then
- the logon server with the lightest work load at the time will process
- the request.
-
-
- The logon server that processes the request checks its copy of the
- domainwide user accounts database for the username and password given in the
- logon request, and does one of the following:
-
-
- ■ If the username and password match an account in the database, and the
- account's logon restrictions allow the user to log on at this hour and
- at this workstation, the user is logged on.
-
- ■ If the username matches an account in the database but the password
- provided doesn't match the password of that account, or the account is
- disabled or not allowed to log on at this time or from this
- workstation, the user is not logged on.
-
- ■ If the username doesn't match an account in the database, the user is
- logged on as a standalone logon. The user is not logged on in the
- domain: when an administrator views the list of users logged on in the
- domain, the user's username will not appear. The logon is not
- validated by any logon server and is separate from any domain on the
- network.
-
- The user won't be able to access the domain's servers that participate
- in logon security (except by using a guest account; see Chapter 4,
- "User-Level Security," for details about guest accounts). However, the
- user is logged on to the network so that he or she can access
- resources at standalone servers, servers with share-level security, or
- servers in other domains.
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- In domains where logon security is not implemented, or where all of the
- domain controllers are unavailable, all logon requests are processed as
- standalone
-
-
-
- A user who has logged on to the network can then try to access shared
- resources. Whenever the user tries to access a resource shared by a server
- with user-level security, the server checks for the user's username and
- password in its user accounts database. Thus, the domainwide user accounts
- database (a copy of which is kept on the primary and each backup and member)
- serves a dual role: the primary and backups use their copies to check logon
- requests of users logging on in the domain, and each server of each type
- (primary, backup, and member) uses its copy of the database to check each
- user who tries to access a resource on that server.
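-
- The logon validation rules above, modeled in Python as an added example (it
- is not part of the guide and is not LAN Manager code). The account fields,
- server names, and sample data are constructed, and choosing the fallback
- logon server by lightest load is an assumption.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Outcome(Enum):
    DOMAIN = "logged on in the domain"
    DENIED = "not logged on"
    STANDALONE = "standalone logon"


@dataclass
class Account:
    password: str                              # model only: compared as a plain string
    disabled: bool = False
    hours: range = range(0, 24)                # hours at which logon is allowed
    workstations: Optional[frozenset] = None   # None means any workstation
    logon_server: Optional[str] = None         # logon server named in the account


@dataclass
class LogonServer:                             # a primary or backup domain controller
    name: str
    load: int
    available: bool = True


def pick_logon_server(servers, account):
    """Return the logon server that processes the request, or None."""
    up = [s for s in servers if s.available]
    if not up:
        return None
    if account is not None and account.logon_server:
        for s in up:
            if s.name == account.logon_server:
                return s                       # the named server gets the first chance
    # Assumption: when the named server is down, the lightest-loaded one is used.
    return min(up, key=lambda s: s.load)


def validate_logon(servers, accounts, username, password, hour, workstation):
    """Return (Outcome, name of the validating server or None)."""
    account = accounts.get(username)
    server = pick_logon_server(servers, account)
    if server is None:
        # No logon server can answer: every request is a standalone logon,
        # so the password is never checked at logon time.
        return Outcome.STANDALONE, None
    if account is None:
        # Unknown username: the logon is not validated by any logon server.
        return Outcome.STANDALONE, None
    ok = (
        hmac.compare_digest(password.encode(), account.password.encode())
        and not account.disabled
        and hour in account.hours
        and (account.workstations is None or workstation in account.workstations)
    )
    return (Outcome.DOMAIN if ok else Outcome.DENIED), server.name


# Constructed sample data (not from the guide).
ACCOUNTS = {
    "maryk": Account("tulip7", hours=range(8, 18), logon_server="BACKUP1"),
    "temp01": Account("changeme", disabled=True),
}
SERVERS = [LogonServer("PRIMARY", load=12), LogonServer("BACKUP1", load=30)]

if __name__ == "__main__":
    for user, pw in [("maryk", "tulip7"), ("maryk", "wrong"), ("nobody", "x")]:
        print(user, validate_logon(SERVERS, ACCOUNTS, user, pw, 9, "WS1"))
```

- A standalone result is not a denial: the user is on the network, and only
- the per-resource check at each server stands between that user and shared
- resources.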
-
- You can also set up the Netlogon service to run a logon script whenever a
- logon server allows a user to log on in the domain. A logon script can be a
- batch file containing LAN Manager and operating system commands, or an
- executable file. The script is run on the workstation at which the user is
- logging on and configures the workstation for the user. Different scripts
- can be made for each user. Typical logon scripts contain commands to make
- network connections and start applications.
-
- For more information about logon scripts, see Chapter 4, "User-Level
- Security."
-
-
- Local Security
-
- Normally, permissions you set for a resource apply only to remote
- users (users accessing the resource while working at a different computer).
- With LAN Manager, local security can be run on 386 servers with HPFS386 and
- user-level security. Local security extends user-level security to local
- users (users working at the server itself).
-
- When LAN Manager is installed on a 386 server, the server's high-performance
- file system (HPFS) is replaced with LAN Manager's HPFS386, which features
- better performance than HPFS and is necessary for local security. Local
- security protects all files on the server's HPFS386 partitions from
- unauthorized local access. You set permissions for all files on the server,
- not just those in shared directories.
-
- A user working at a server with local security can access a file on that
- server only if he or she has been given adequate permissions for the file.
- When a program running on the server tries to access a file, it is subject
- to the file permissions of the local user currently logged on at the server
- (unless an administrator started the program and gave it special
- privileges).
-
-
- Security in Single-Server Domains
-
- In a domain or network with only one server, there is no need to set up a
- domainwide user accounts database for use by different servers. In this
- case, you have three options for setting up security:
-
-
- ■ Set up the server to run user-level security and the Netlogon service.
- The server will be the primary domain controller. The Netlogon service
- will check usernames and passwords of users when they log on to the
- network in this domain (and as always, the username and password will
- also be checked when users try to access shared resources). The
- Netlogon service also lets you use a logon script for users who log on
- in the domain.
-
- To take advantage of the full range of features of LAN Manager,
- including logon validation and logon scripts, it is recommended that
- you choose this option.
-
- ■ Set up the server to run user-level security without the Netlogon
- service. The server will be a standalone server, and all logon
- requests in the domain will be approved as standalone logons. The
- usernames and passwords will be checked only when a user tries to
- access resources.
-
- ■ Set up the server to run share-level security.
-
-
- Also, if the domain's server is a 386 server with user-level security, you
- can run local security on it.
-
-
- Protecting 286 Servers
-
- Since local security is available only for 386 servers, LAN Manager provides
- other ways of protecting 286 servers, in addition to the security mode
- (user-level or share-level) and logon security:
-
-
- ■ Run the console version of the LAN Manager Screen on the server.
-
- ■ Physically isolate the server.
-
- ■ Configure the server as "hidden."
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- LAN Manager also allows you to use each of these features on a 386 server.
- ────────────────────────────────────────────────────────────────────────────
-
-
-
-
-
- The Console Version of the LAN Manager Screen
-
- Some servers, such as those that share printer queues, may need to be in a
- public place. To protect these servers from unauthorized local access, use
- the console version of the LAN Manager Screen.
-
- The console version, which is especially suited for servers that share
- printer queues or communication-device queues, displays queue information
- but doesn't allow access to the server's files. When starting the console
- version, you create a password that must be typed to exit the screen. Users
- who don't know the console screen password won't be able to exit the screen
- and access the server's files.
-
- For more information about the console version, see Chapter 11, "Running an
- Unattended Server."
-
-
- Physically Secure Servers
-
- Another way to protect servers from unauthorized local access is to
- physically isolate them in a locked room. You can then use LAN Manager's
- remote administration feature to administer these servers from any
- workstation with LAN Manager for MS OS/2 or LAN Manager Enhanced for MS-DOS.
- Remote administration is explained in Chapter 2, "Getting Started," and in
- the Microsoft LAN Manager Administrator's Reference.
-
-
- Hidden Servers
-
- To further protect a server from unauthorized remote access, you can "hide"
- it. Hidden servers are not listed when users display the list of servers in
- the domain. Users can still access the server and its resources if they know
- the server's name, but they have no way of using LAN Manager to find out
- that the server exists.
-
- To hide a server, use the srvhidden entry in the [server] section of the
- LANMAN.INI file. For more information about the LANMAN.INI file, see the
- Microsoft LAN Manager Administrator's Reference.
-
-
- Planning Security
-
- At the end of this chapter you'll find two worksheets on network security.
- The worksheets guide you through the decisions you'll make as you plan each
- domain on your network.
-
- It is a good idea to take time to carefully plan how the network will be set
- up: the type of security that will be used on each server, the resources each
- server will share, and what users and groups need access to those resources.
- It is important that you have a full understanding of LAN Manager security
- before you make your decisions. It is recommended that you take the
- following steps:
-
-
- 1. Read this chapter for an introduction to LAN Manager security.
-
- 2. Look at the worksheets at the end of the chapter and read the
- instructions in this section for filling them out. This will let you
- know what kinds of decisions you will be making when you set up
- security on the network.
-
- 3. For a detailed explanation of how user-level security and share-level
- security work, read Chapter 4, "User-Level Security," and Chapter 5,
- "Share-Level Security."
-
- 4. Fill out the worksheets. If you have any questions about the
- worksheets, reread the necessary sections of Chapters 3, 4, and 5.
-
-
- Make as many photocopies of each worksheet as you need. The following
- section contains procedures to help you fill out the worksheets.
-
- The worksheets help you decide what network configuration to set up
- initially. Once the network is set up and running, it is easy to modify the
- network for performance or reliability, add new servers, change the roles of
- servers, or account for any other changes in the way the network is used.
-
- Once you have completed the worksheets, you may want to keep them on file
- for future reference.
-
-
- Using the Domain Worksheet
-
- The first worksheet, "Setting Up a Domain," helps you plan a domain with
- logon security. The numbers next to the questions on the worksheet
- correspond to the step numbers in the following procedure. Although the
- steps are numbered, they are not necessarily sequential. You can skip steps
- if you like.
-
-
- 1. Note the name of the domain.
-
- 2. Note the number of servers in the domain.
-
- 3. Note the number of workstations in the domain.
-
- 4. Decide how many servers of each type, or role, will be in the domain.
-
- There will be one primary domain controller. It is recommended that
- you have at least one backup domain controller. The backup helps the
- primary validate logon requests, so having a backup lessens the
- average time it takes for validation of a logon request. Also, if the
- primary goes down or is stopped, backup domain controllers continue
- the validation of logon requests. If there are no backups in the
- domain and the primary goes down, all logon requests in the domain
- will be processed as standalone logons.
-
- To ensure good performance, have at least one domain controller per 50
- users in the domain (if you have enough servers available). For
- example, a domain with 200 users should have at least four domain
- controllers: one primary and three backups.
-
- Servers that have heavy work loads should be set up as member servers
- so that they won't have to validate logon requests.
-
- If you want a server to have user-level security and a user accounts
- database that is different from the domainwide database, set it up as
- a standalone server.
-
- Servers that won't run logon security will be either a standalone
- server with user-level security or a server with share-level security.
-
-
- 5. On another sheet of paper, list users who will need accounts in the
- domainwide user accounts database, and consider what groups you should
- create. Putting users into groups and assigning resource permissions
- to the groups saves administration time. Each group should be made up
- of users with similar resource needs. The domainwide database can have
- as many as 253 groups, in addition to the special groups users,
- admins, and guests. For more information about the special groups, see
- Chapter 4, "User-Level Security."
-
- You will create these user accounts and groups on the domain's primary
- domain controller, and they will be copied to the domain's backup
- domain controllers and member servers.
-
- 6. On the list of users you just made, note who will be made
- administrators. Administrators can perform all network actions,
- including creating and modifying user accounts, starting and stopping
- services, sharing resources, and monitoring network activity. You will
- give these people user accounts with admin privilege.
-
- Also, consider which users should be given operator privileges for the
- domain's servers. Operator privileges let a user perform certain
- administrative tasks. There are four types of operator privileges, and
- any user (with user privilege) can be given one or more of these four
- types:
-
- ■ server: lets the operator start and stop services, share resources,
- read the error log, and close users' sessions
-
- ■ accounts: lets the operator create, remove, and modify user
- accounts (except those with admin privilege) and groups
-
- ■ print: lets the operator create, share, and modify printer queues
- and control print jobs
-
- ■ comm: lets the operator create, share, and modify
- communication-device queues and requests
-
- 7. Decide whether to use logon scripts in the domain. If logon scripts
- will be used and more than one server in the domain will be validating
- logon requests, you will need to set up the Replicator service to
- maintain an identical set of scripts on each server. For information
- about how to set up the replication of logon scripts, see Chapter 4,
- "User-Level Security." For a full explanation of the Replicator
- service, see Chapter 13, "Replicating Files and Directories."
-
- 8. Note the computernames of the domain's primary domain controller,
- backup domain controllers, and member servers.
-
-
- Chapter 4, "User-Level Security," contains instructions on how to set up
- user accounts, groups, logon security, and local security.
-
-
- Using the Server Worksheet
-
- The second worksheet, "Setting Up a Server," helps you plan the security and
- resources of a server. The numbers next to the questions on the worksheet
- correspond to the step numbers in the following procedure. Although the
- steps are numbered, they are not necessarily sequential. You can skip steps
- if you like.
-
- Complete steps 9 and 10 only for 386 servers that will be using local
- security.
-
-
- 1. Note the server's computername.
-
- 2. Note the name of the domain the server is in.
-
- 3. If logon security will be running in the domain, note the name of the
- primary domain controller.
-
- 4. Note whether the server will have user-level or share-level security.
-
- 5. If the server has user-level security, specify its role in the domain:
- primary, backup, member, or standalone.
-
- 6. Decide whether the console version of the LAN Manager Screen will be
- used on the server. The console version is recommended for servers
- that share printer queues or communication-device queues and are
- physically accessible by users.
-
- 7. On another sheet of paper, list the resources the server will share
- and note which users and groups will need access to those resources.
-
- 8. If this is a 386 server with HPFS386, decide whether it will have
- local security. Local security must be installed with the Setup
- program. If it wasn't, you will need to use the Setup program to
- install local security. For information about the Setup program, see
- the Microsoft LAN Manager Installation Guide.
-
- 9. Decide which access permissions to set for the server's directories
- and files. Access permissions will apply to users working at the
- server itself. Permissions are set for users and groups, as well as
- for the special group local. Permissions for local apply to any user
- who is working at the server, whether or not the user has logged on.
-
- If permissions for a particular file are not granted to any users, then
- no users can even see that the file exists. Only administrators can see
- or access these files.
-
- 10. Decide which processes (programs and commands) will start
- automatically and be given "privileged" status when the computer
- starts. Privileged processes ignore file access permissions and can
- use any file on the server. Put the commands to start these processes
- in the PRIVINIT.CMD batch file.
-
- Be careful when putting commands in PRIVINIT.CMD: the only processes you
- should start with PRIVINIT.CMD are those that need unrestricted access
- to the server's files and which you can be sure won't damage any files.
-
-
- Chapter 4, "User-Level Security," contains instructions for setting up user
- accounts, groups, logon security, and local security.
-
-
-
-
-
- Setting Up a Server
-
-
- 1. Server name:
-
- 2. Server's domain:
-
- 3. If logon security will be running in the server's domain, which server
- is the primary domain controller?
-
- 4. What is the server's security mode?
-
- User-level security
-
- Share-level security
-
- 5. If the server has user-level security, what is its role?
-
- Primary domain controller
-
- Backup domain controller
-
- Member server
-
- Standalone server
-
- 6. Will the console version of the LAN Manager Screen normally be used on
- this server?
-
- Yes
-
- No
-
- 7. On another sheet of paper, list the resources the server will share.
- Also, note which users and groups will need to be given access to each
- resource.
-
- 8. If this is a 386 server with HPFS386 and user-level security, will it
- run local security?
-
- Yes
-
- No
-
-
-
- The rest of this worksheet applies only to 386 servers running local
- security.
-
-
- 9. List important files on the server and decide which access permissions
- need to be set on them. Note the permissions to be given to users and
- groups, and to the special group local. Use additional paper, if
- needed.
-
- 10. Which programs and commands need to be started automatically and be
- given privilege when the computer is started? These will be put in the
- PRIVINIT.CMD batch file.
-
-
-
- Setting Up a Domain
-
-
- 1. Domain name:
-
- 2. Number of servers in the domain:
-
- 3. Number of workstations in the domain:
-
- 4. Number of each type of server in the domain:
-
- Primary domain controller 1
-
- Backup domain controllers
-
- Member servers
-
- Standalone servers
-
- Servers with share-level security
-
- 5. On another sheet of paper, list users and groups who will need
- accounts in the domain's master user accounts database, and list
- groups of users that will need to be created.
-
- 6. Note on the above list who will be given administrative privilege or
- operator privileges.
-
- 7. Will logon scripts be used in the domain?
-
- Yes
-
- No
-
- 8. List the servers that will be running logon security:
-
- Primary
-
- Backups
-
- Members
-
-
-
-
-
-
- Chapter 4 User-Level Security
- ────────────────────────────────────────────────────────────────────────────
-
- With user-level security on a server, you can specify exactly which users
- can use the server's resources and in what ways. It also lets you run logon
- security and local security on the server.
-
- Read Chapter 3, "Understanding and Planning Security," before reading this
- chapter. Chapter 3 outlines LAN Manager security, gives an introduction to
- user-level security, logon security, and local security, and explains how
- these types of security interact.
-
- This chapter builds on the security concepts introduced in Chapter 3, going
- into more detail about each topic. It also contains procedures for setting
- up and administering user-level security, logon security, and local
- security.
-
- The chapter begins with an explanation of how to implement logon security in
- a domain, followed by a section on user accounts and how to create them.
- This is followed by a section on setting up groups of users and a discussion
- of resource permissions and auditing. The final section of the chapter
- explains local security.
-
-
- Administering a Server with User-Level Security
-
- For a user to run an administrative command at a server with user-level
- security, the user must be logged on to the network with an account in the
- server's user accounts database. Also, the user's account must have an
- adequate privilege level (either admin privilege or an appropriate operator
- privilege). This is true whether the command is issued locally at the
- server's keyboard or from another workstation during remote administration.
-
-
- The description of privilege levels and operator privileges in the "User
- Accounts" section, later in this chapter, describes the abilities given to
- users with each of these privilege levels.
-
-
- The Default Administrative Account
-
- When a LAN Manager server is installed, one user account with admin
- privilege is created. The username for this account is admin, and the
- account's password is password. To administer a new server for the first
- time, log on as admin by typing
-
- net logon admin password
-
- Until you change this default account, anyone will be able to log on using
- the account and administer the server. To prevent security breaches, once
- you log on as admin, do one of two things:
-
-
- ■ Create a new user account for yourself. Give the account admin
- privilege. Log off from the admin account and log on using your own
- account. Then delete the account named admin.
-
- ■ Use the net password command to change the password of the account
- named admin by typing
-
- net password admin password newpassword
-
-
- User accounts and how to create them are explained in the "User Accounts"
- section, later in this chapter.
-
-
- Setting Up Logon Security
-
- This section describes how to implement logon security. It describes how to
- set up the domain's primary domain controller, backup domain controllers and
- member servers, and workstations.
-
- Running logon security in a domain makes it easier to administer user
- accounts in the domain. The domain's servers that participate in logon
- security keep and use identical copies of a single, domainwide user accounts
- database. When you make a change to the database of the primary domain
- controller, the change is automatically copied to the other servers
- participating in logon security.
-
- Logon security also adds another level of security to the system; users who
- log on in the domain have their usernames and passwords checked when they
- log on.
-
- Chapter 3, "Understanding and Planning Security," explains the different
- roles each server can play in logon security (primary domain controller,
- backup domain controller, and member server). It explains how the domainwide
- user accounts database is replicated between the domain's servers, and how
- logon requests in the domain are processed by the domain controllers.
-
- If you don't plan to install logon security in the domain, you can skip to
- the "User Accounts" section, later in this chapter, and begin setting up
- user accounts on each server in the domain.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- When the Netlogon service starts, two directories on the server are shared
- automatically. The LANMAN\ACCOUNTS\USERDIRS directory, containing logon
- scripts for LAN Manager 1.x workstations and users' home directories, is
- shared with the sharename USERS. The directory specified by the scripts
- entry in the [netlogon] section of the LANMAN.INI file (the directory
- containing logon scripts for LAN Manager 2.0 workstations) is shared with
- the sharename NETLOGON. To ensure that logon scripts work and home
- directories can be accessed, do not use these sharenames for any other
- resources on servers that run the Netlogon service.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- Setting Up the Primary Domain Controller
-
- The first server to set up in the domain is the primary domain controller.
- The primary stores the master copy of the domain's user accounts database
- and, along with the backup domain controllers, validates users' logon
- requests.
-
- Setting up the primary domain controller includes creating user accounts for
- the domain's backup domain controllers and member servers, as well as for
- the primary itself. LAN Manager uses these accounts while sending updates on
- the domain's user accounts database from the primary to the backups and
- members. Once you have set up these accounts, do not change or delete them.
- (If a server is removed from logon security in the domain and no longer
- needs database updates, you can remove the account of that server.)
-
- To set up the domain's primary domain controller:
-
-
- 1. Specify the domain this server will be in by typing the domain name as
- the value of the domain entry in the [workstation] section of the
- LANMAN.INI file.
-
- For the Netlogon service to start, you must check two additional
- entries in the LANMAN.INI file. The scripts entry in the [netlogon]
- section must specify a directory path that exists on the server. The
- directory specified by the userpath entry in the [server] section must
- have a subdirectory named SCRIPTS.
-
- To change LANMAN.INI, use a text editor. For more information about
- the LANMAN.INI file, see the Microsoft LAN Manager Administrator's
- Reference.
-
- 2. Stop and restart the Workstation service by typing
-
- net stop workstation /y
-
- net start workstation
-
- 3. Log on to the network, using the default administrative account, by
- typing
-
- net logon admin password
-
- (If you have created a new account with admin privilege for yourself,
- or changed the password of the admin account, then use the new
- username and/or password you created instead of admin and password.)
-
- 4. Start the LAN Manager Screen for administrators by typing
-
- net admin
-
- 5. Create a group called servers.
-
- This group will contain the accounts of each server participating in
- logon security in this domain. To create the group:
-
- ■ From the Accounts menu, choose Groups.
-
- The "Select a User Group" dialog box (Figure 4.7) appears.
-
- ■ Choose <Add group>.
-
- The "Add a New User Group" dialog box (Figure 4.8) appears.
-
- ■ In the "Groupname" text box, type servers.
-
- ■ In the "Comment" text box, optionally type a comment for the
- group.
-
- Do not put any users in the group.
-
- ■ Choose <OK>.
-
- ■ Choose <Done>.
-
- 6. Create a user account for the primary domain controller:
-
- ■ From the Accounts menu, choose Users.
-
- The "Select a User Account" dialog box (Figure 4.3) appears.
-
- ■ Choose <Add user>.
-
- The "Create a New User Account" dialog box (Figure 4.4) appears.
-
- ■ In the "Account name" text box, type the computername of the
- primary domain controller.
-
- ■ In the "Password" text box, type a password with as many as 14
- characters.
-
- Do not let other network users know the password for this account,
- so they can't log on using the account. Once logon security is
- running in the domain, LAN Manager will change this password
- periodically to ensure that the account remains secure.
-
- ■ From the "Privilege level" option buttons, select "User."
-
- ■ Choose <Groups>.
-
- The "Group Memberships for User (New user)" dialog box (Figure
- 4.5) appears.
-
- ■ In the "Not a member of" list box, select "Servers," then choose
- <Join>.
-
- "Servers" moves to the "Member of" list box.
-
- ■ Choose <OK>.
-
- ■ Choose <OK>.
-
- ■ Choose <Done>.
-
-
- 7. Each of the domain's backup domain controllers and member servers also
- needs an account on the primary. If you know what the computernames of
- these computers will be, you can create user accounts now for each of
- them (the username of each server's account will be the computername
- of that server). Be sure to note the passwords you assign to each of
- these accounts, as you will need to know them when setting up the
- backups and members.
-
- To create each of the accounts for the domain's backup domain
- controllers and member servers, follow the procedures shown in step 6.
- Be sure to add each account to the servers group.
-
- 8. Change the server's role to primary. To do this:
-
- ■ From the Accounts menu, choose Security settings.
-
- The dialog box shown in Figure 4.1 appears.
-
- (This figure may be found in the printed book).
-
- ■ From the "Role in domain" option buttons, select "Primary."
-
- ■ Choose <OK>.
-
-
- 9. Exit the LAN Manager Screen. From the View menu, choose Exit, or press
- F3.
-
- 10. Start the Server service by typing
-
- net start server
-
- 11. Start the Netlogon service by typing
-
- net start netlogon
-
- If Netlogon starts, the primary is configured correctly. If not, check
- to be sure you have completed the preceding steps. Also be sure that no
- other server in this domain has been configured as the primary; the
- Netlogon service won't start if it finds that another primary domain
- controller is running in the domain.
-
- 12. To have the Netlogon service start automatically each time the Server
- service starts, edit the LANMAN.INI file to add netlogon to the list
- of services in the srvservices entry in the [server] section.
-
- If the srvservices entry lists the names of more than one service, use
- a comma to separate service names.
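-
- One way to check the LANMAN.INI prerequisites from steps 1 and 12 before
- starting Netlogon, as an added Python example (it is not a LAN Manager tool
- and not part of the guide). The sample file contents and directory names are
- constructed, and resolving paths against a caller-supplied root directory is
- an assumption made so the check can run against a scratch tree.

```python
import configparser
import os
import tempfile
from pathlib import PureWindowsPath

# Constructed sample; the values are illustrative, not shipped defaults.
SAMPLE_INI = r"""
; constructed LANMAN.INI fragment
[workstation]
domain = SALES

[server]
userpath = accounts\userdirs
srvservices = alerter,netlogon

[netlogon]
scripts = repl\import\scripts
"""


def resolve_dir(root, dos_path):
    """Map a DOS-style path onto the tree under root, ignoring letter case.

    Returns the matching directory, or None if any component is missing.
    """
    path = PureWindowsPath(dos_path)
    parts = path.parts[1:] if path.anchor else path.parts   # drop "C:\" if present
    current = root
    for part in parts:
        match = None
        for name in os.listdir(current):
            if name.lower() == part.lower() and os.path.isdir(os.path.join(current, name)):
                match = name
                break
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def check_netlogon_prereqs(ini_text, root):
    """Return a list of (entry, problem) pairs; an empty list means no findings."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)

    def entry(section, key):
        return cfg.get(section, key, fallback="").strip()

    findings = []

    # Step 1: the domain entry names the domain this server is in.
    if not entry("workstation", "domain"):
        findings.append(("workstation.domain", "no domain name set"))

    # Step 1: the scripts directory must exist or Netlogon will not start.
    scripts = entry("netlogon", "scripts")
    if not scripts or resolve_dir(root, scripts) is None:
        findings.append(("netlogon.scripts", "directory does not exist"))

    # Step 1: the userpath directory must contain a SCRIPTS subdirectory.
    userpath = entry("server", "userpath")
    base = resolve_dir(root, userpath) if userpath else None
    if base is None:
        findings.append(("server.userpath", "directory does not exist"))
    elif resolve_dir(base, "SCRIPTS") is None:
        findings.append(("server.userpath", "no SCRIPTS subdirectory"))

    # Step 12: srvservices is a comma-separated list of services to autostart.
    services = [s.strip().lower() for s in entry("server", "srvservices").split(",")]
    if "netlogon" not in services:
        findings.append(("server.srvservices", "netlogon is not started with the Server service"))

    return findings


def make_tree(dirs):
    """Create a scratch directory tree standing in for the server's disk."""
    root = tempfile.mkdtemp()
    for d in dirs:
        os.makedirs(os.path.join(root, *d.split("/")))
    return root


if __name__ == "__main__":
    disk = make_tree(["ACCOUNTS/USERDIRS/SCRIPTS", "REPL/IMPORT/SCRIPTS"])
    print(check_netlogon_prereqs(SAMPLE_INI, disk))
```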
-
-
- Command Line
-
- To set up the domain's primary domain controller:
-
-
- 1. Edit LANMAN.INI, specifying the name of the domain as the value of the
- domain entry in the [workstation] section, making sure that the
- scripts entry in the [netlogon] section specifies a directory path
- that exists on the server and the userpath entry in the [server]
- section specifies a directory that has a subdirectory named SCRIPTS.
-
- 2. Start the Workstation service by typing
-
- net start workstation
-
- 3. Log on to the network, using the default administrative account, by
- typing
-
- net logon admin password
-
- 4. Create a group called servers by typing
-
- net group servers /add
-
- 5. Create a user account for the primary domain controller by typing
-
- net user computername password /add
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Use the computername of the primary domain
-
-
- 6. Add the user account to the servers group by typing
-
- net group servers computername /add
-
- 7. If you know the computernames for the domain's backup and member
- servers, create user accounts for each one and add them to the servers
- group.
-
- 8. Change the server's role to primary by typing
-
- net accounts /role:primary
-
- 9. Start the Server service by typing
-
- net start server
-
- 10. Start the Netlogon service by typing
-
- net start netlogon
-
- 11. Edit the [server] section of the LANMAN.INI file, adding netlogon to
- the list of services in the srvservices entry.
-
-
- See Net Accounts, Net Group, Net Logon, Net Start, and Net User in the
- Microsoft LAN Manager Administrator's Reference.
-
-
- Setting Up a Backup Domain Controller or Member Server
-
- Once the primary is set up and running, you can set up each backup domain
- controller and member server in the domain. Use the following procedure for
- each backup and member.
-
- To set up a backup domain controller or member server:
-
-
- 1. Specify the domain this server will be in by typing the domain name as
- the value of the domain entry in the [workstation] section of the
- LANMAN.INI file.
-
- For the Netlogon service to start, you must check two additional
- entries in the LANMAN.INI file. The scripts entry in the [netlogon]
- section must specify a directory path that exists on the server. The
- directory specified by the userpath entry in the [server] section must
- have a subdirectory named SCRIPTS.
-
- To change LANMAN.INI, use a text editor. For more information about
- the LANMAN.INI file, see the Microsoft LAN Manager Administrator's
- Reference.
-
- 2. Stop and restart the Workstation service by typing
-
- net stop workstation /y
-
- net start workstation
-
- 3. Log on to the network, using the default administrative account, by
- typing
-
- net logon admin password
-
- (If you have created a new administrative account, or changed the
- password of the admin account, then use the new username and/or
- password you created instead of admin and password.)
-
- 4. Synchronize the internal clock of the new backup or member with that
- of the domain's primary domain controller. The internal clocks of the
- primary and all backups and members in a domain must be set to within
- 10 minutes of each other. To synchronize the local server's clock,
- type
-
- net time /domain /set
-
- When prompted for confirmation, type Y.
-
- 5. Start the LAN Manager Screen by typing
-
- net admin
-
- 6. If you haven't done so already, create a user account for the new
- backup or member on the primary domain controller.
-
- To create the account:
-
- ■ Set the current focus on the primary domain controller. From the
- list box, select the servername and press ENTER.
-
- ■ From the Accounts menu, choose Users.
-
- The "Select a User Account" dialog box (Figure 4.3) appears.
-
- ■ Choose <Add user>.
-
- The "Create a New User Account" dialog box (Figure 4.4) appears.
-
- ■ In the "Account name" text box, type the computername of the new
- backup or member.
-
- ■ In the "Password" text box, type a password with as many as 14
- characters.
-
- Do not let other network users know the password for this account
- so that they can't log on using the account. Once logon security
- is running in the domain, LAN Manager will automatically change
- this password periodically to ensure that the account remains
- secure.
-
- ■ From the "Privilege level" option buttons, select "User."
-
- ■ Choose <Groups>.
-
- The "Group Memberships for User (New user)" dialog box (Figure
- 4.5) appears.
-
- ■ In the "Not a member of" list box, select "Servers," then choose
- <Join>.
-
- "Servers" moves to the "Member of" list box.
-
- ■ Choose <OK>.
-
- ■ Choose <OK>.
-
- ■ Choose <Done>.
-
- ■ Set the current focus on the new backup or member. From the list
- box, select "*Local*" and press ENTER.
-
- 7. On the new backup or member, create a group called servers:
-
- ■ From the Accounts menu, choose Groups.
-
- The "Select a User Group" dialog box (Figure 4.7) appears.
-
- ■ Choose <Add group>.
-
- The "Add a New User Group" dialog box (Figure 4.8) appears.
-
- ■ In the "Groupname" text box, type servers.
-
- ■ In the "Comment" text box, optionally type a comment for the
- group.
-
- Do not put any users in the group.
-
- ■ Choose <OK>.
-
- ■ Choose <Done>.
-
-
- 8. On the new backup or member, create a user account for the backup or
- member.
-
- The account must be identical to the account you created on the
- primary domain controller in step 6 of this procedure─the username
- will be the computername of the backup or member, and the password
- will be the same as the password of this computer's account on the
- primary.
-
- To create the account:
-
- ■ From the Accounts menu, choose Users.
-
- The "Select a User Account" dialog box (Figure 4.3) appears.
-
- ■ Choose <Add user>.
-
- The "Create a New User Account" dialog box (Figure 4.4) appears.
-
- ■ In the "Account name" text box, type the computername of the new
- backup or member.
-
- ■ In the "Password" text box, type the password for the account.
-
- This password must be the same as the password in this computer's
- account on the primary domain controller (which you created in
- step 6 of this procedure). Once logon security is running in the
- domain, LAN Manager will change this password periodically to
- ensure that the account remains secure.
-
- ■ From the "Privilege level" option buttons, select "User."
-
- ■ Choose <Groups>.
-
- The "Group Memberships for User (New user)" dialog box (Figure
- 4.5) appears.
-
- ■ In the "Not a member of" list box, select "Servers," then choose
- <Join>.
-
- "Servers" moves to the "Member of" list box.
-
- ■ Choose <OK>.
-
- ■ Choose <OK>.
-
- ■ Choose <Done>.
-
- 9. Change the new server's role to backup or member:
-
- ■ From the Accounts menu, choose Security settings.
-
- The "Security Settings on \\server" dialog box (Figure 4.1)
- appears.
-
- ■ From the "Role in domain" option buttons, select either "Backup" or
- "Member."
-
- ■ Choose <OK>.
-
-
- 10. Exit the LAN Manager Screen. From the View menu, choose Exit, or press
- F3.
-
- 11. Start the Server service by typing
-
- net start server
-
- 12. Start the Netlogon service by typing
-
- net start netlogon
-
- If Netlogon starts, the server is configured correctly. If not, check
- to be sure you have completed the preceding steps. Also be sure that
- there is a primary domain controller running in the domain; the
- Netlogon service won't start on a backup domain controller or member
- server if the domain's primary domain controller isn't running.
-
- 13. To have the Netlogon service start automatically each time the Server
- service starts, edit the LANMAN.INI file to add netlogon to the list
- of services in the srvservices entry in the [server] section.
-
- If the srvservices entry lists the names of more than one service, use
- a comma to separate the service names.
-
-
- Command Line
-
- To set up a backup domain controller or member server:
-
-
- 1. Edit LANMAN.INI, specifying the name of the domain as the value of the
- domain entry in the [workstation] section, making sure that the
- scripts entry in the [netlogon] section specifies a directory path
- that exists on the server and the userpath entry in the [server]
- section specifies a directory that has a subdirectory named SCRIPTS.
-
- 2. Start the Workstation service by typing
-
- net start workstation
-
- 3. Log on to the network, using the default administrative account, by
- typing
-
- net logon admin password
-
- 4. Synchronize the internal clock of the new backup or member with that
- of the domain's primary domain controller by typing
-
- net time /domain /set
-
- 5. Start a remote command processor (to perform remote administration) at
- the primary by typing
-
- net admin \\computername /command
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Use the computername of the primary domain controller.
- ────────────────────────────────────────────────────────────────────────────
-
-
- 6. Create a user account for the new backup or member on the primary by
- typing
-
- net user computername password /add
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Use the computername of the new backup or
-
-
- 7. Add the user account for the new backup or member to the servers group
- by typing
-
- net group servers computername /add
-
- 8. Exit the remote command processor by typing
-
- exit
-
- 9. Create a group called servers on the new backup or member by typing
-
- net group servers /add
-
- 10. Create a user account on the new backup or member for the backup or
- member by typing
-
- net user computername password /add
-
- 11. Add the user account to the servers group by typing
-
- net group servers computername /add
-
- 12. Change the role for the new backup or member by typing
-
- net accounts /role:{backup | member}
-
- 13. Start the Server service by typing
-
- net start server
-
- 14. Start the Netlogon service by typing
-
- net start netlogon
-
- 15. Edit the [server] section of the LANMAN.INI file, adding netlogon to
- the list of services in the srvservices entry.
-
-
- See Net Accounts, Net Admin, Net Group, Net Logon, Net Start, Net Time, Net
- User, Microsoft LAN Manager Administrator's Reference.
-
-
- Setting Up the Domain's Workstations
-
- To set up workstations running LAN Manager 2.0 to be part of a domain, just
- specify the domain name as the value of the domain entry in the
- [workstation] section of the workstation's LANMAN.INI file.
-
- On workstations with LAN Manager 1.x, specify the domain name as the value
- of the langroup entry in the LANMAN.INI file. Also, to have the Netlogon
- service validate logon requests from this workstation, specify the
- computername of a logon server (the primary domain controller or one of the
- backup domain controllers) as the value of the logonserver entry in the
- [workstation] section of the workstation's LANMAN.INI file. If the domain
- has many 1.x workstations, don't specify the same server as the logon server
- for each workstation─instead, spread the processing of these logon requests
- among the domain's logon servers.
-
- If the logon server specified in the 1.x workstation's LANMAN.INI file is
- unavailable when a user logs on at that workstation, no other logon server
- can process the logon request, and the user won't be able to log on at that
- workstation (unless he or she restarts the workstation, specifying another
- logon server). To have workstations fully participate in logon security, it
- is recommended that you upgrade them to LAN Manager 2.0.
-
-
- Promoting a Backup or Member
-
- Changes to the domain's master user accounts database can be made only to
- the database of the primary domain controller. All changes made to this
- database are then copied to the databases of the backup domain controllers
- and member servers. No changes can be made directly to the databases of the
- backups or members.
-
- If the primary is stopped for some reason (such as hardware problems), and
- you want to make changes to the domain's user accounts database, you can
- promote a backup or member to primary by using the procedure described in
- the following section. However, note the following before doing so:
-
-
- ■ Changes to the domain's user accounts database made at the primary are
- not instantly sent to each backup and member. Instead, at regular
- intervals (specified by the pulse entry in the [netlogon] section of
- the primary's LANMAN.INI file), each backup and member receives the
- updates it needs.
-
- If changes are made just before the primary is stopped, the backups
- and members may not receive the changes. If you promote a backup or
- member to primary, these changes are lost.
-
- ■ If you promote a backup or member to primary, you must then change the
- role of the old primary to backup or member before you restart it.
- This way its user accounts database will be updated by the new
- primary.
-
- Once you have started the old primary as a backup or member, and you
- are sure that its database is updated and is identical to that of the
- new primary, you can switch the roles of these two servers: change the
- new primary back to backup or member, then change the old primary back
- to primary again. Or, you can keep the domain as it is, leaving the
- old primary as a backup or member.
-
- To be sure that the old primary's database is identical to the new
- primary's database before switching their roles, check the pulse entry
- in the [netlogon] section of the new primary's LANMAN.INI file. This
- entry specifies (in seconds) how often the primary sends database
- updates to the domain's backups and members. If you know that this
- amount of time has passed since changes were last made to the database
- of the new primary, then you can be sure the domain's other servers
- are up to date.
-
- ■ If logon scripts are used in the domain, the primary domain controller
- must have a copy of them. Therefore, promoting a backup domain
- controller to primary requires less work than does promoting a member
- server. If you promote a member server, the scripts must be copied
- from one of the backup domain controllers to the member server that is
- being promoted. Backup domain controllers should already have copies
- of the logon scripts. For more information about how to set up the
- domain's logon scripts, see the "Logon Scripts" section, later in this
- chapter.
-
-
-
- Changing a Server's Role
-
- This section describes how to change the role (primary, backup, member, or
- standalone) of a server with user-level security once logon security has
- been running in the domain. Use this procedure to promote a backup or member
- to primary when the original primary becomes unavailable, or any other time
- you want to change a server's role. However, when changing roles keep the
- following in mind:
-
-
- ■ A domain can have only one primary domain controller. If the domain's
- primary domain controller is currently running, you can't change
- another server's role to primary without first stopping the existing
- primary.
-
- ■ For the Netlogon service to start for the first time on a server after
- the server's role has been changed to backup or member, the domain's
- primary domain controller must be running.
-
- ■ If you are switching the roles of the primary domain controller and
- another server, you must do so in three steps. First, stop the Server
- service on the current primary. Then switch the backup or member to be
- the new primary, and start the Netlogon service on it. Finally, change
- the old primary to its new role.
-
-
- To change the role of a server:
-
-
- 1. If the server is currently a primary, backup, or member, you must stop
- the Netlogon service. To do this, from the Config menu, choose Control
- services.
-
- The dialog box shown in Figure 4.2 appears.
-
- (This figure may be found in the printed book).
-
- This dialog box shows the status of each LAN Manager service.
-
- 2. In the list box, select "NETLOGON," then choose <Stop>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
- 5. From the Accounts menu, choose Security settings.
-
- The "Security Settings on \\server" dialog box (Figure 4.1) appears.
-
- 6. In the "Role in domain" option buttons, select the new role of the
- server.
-
- 7. Choose <OK>.
-
- If the new role of the server is standalone, you are done. If the new
- role is primary, backup, or member, continue with the rest of this
- procedure.
-
- 8. From the Config menu, choose Control services.
-
- The "LAN Manager Services" dialog box (Figure 4.2) appears.
-
- 9. In the list box, select "NETLOGON," then choose <Start>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- This dialog box shows the options of the service you are starting. For
- more information about the options, see the Microsoft LAN Manager
- Administrator's Reference.
-
- 10. Choose <OK>.
-
- To start the Netlogon service after switching a server's role to backup
- or member, the domain's primary must be running.
-
- 11. Choose <Done>.
-
- Command Line
-
- To change the role of a server:
-
-
-
- 1. If the server is a primary, backup, or member, stop the Netlogon
- service by typing
-
- net stop netlogon
-
- 2. Change the role of the server by typing
-
- net accounts /role:{primary | backup | member | standalone}
-
- 3. If the server's new role is primary, or if the domain's primary is
- running and the server is a backup or member, start the Netlogon
- service by typing
-
- net start netlogon
-
-
- See Net Accounts, Microsoft LAN Manager Administrator's Reference.
-
-
- Logon Scripts
-
- In domains with logon security, you can specify that logon scripts be run
- for users who log on in the domain. When a user logs on, his or her logon
- script is run on the workstation. Scripts typically contain commands to make
- network connections and/or start applications.
-
- A logon script can be a batch file, executable file, or profile. For
- information about workstation profiles, see the Microsoft LAN Manager User's
- Guide.
-
- The following batch file, which makes two network connections and starts
- Microsoft Excel, is an example of a logon script:
-
- net use d: \\production\accountfiles
- net use lpt1: \\production2\laser
- excel
-
- You can create a single script for all users in a domain or different
- scripts for each user. Each user's account specifies the name of the logon
- script for that user, which will be run any time that user logs on in the
- domain.
-
- Scripts are kept on primary and backup domain controllers. When a user logs
- on, LAN Manager checks the user's account on the user's logon server─the
- server that validated the user's logon request─for the name of a script.
-
- The [netlogon] section of each server's LANMAN.INI file contains a scripts
- entry, which specifies the directory that contains the server's logon
- scripts. The value of scripts can be either a pathname relative to the
- LANMAN directory or an absolute pathname. The default value of scripts is
- repl\import\scripts.
-
- Users must have access to their logon scripts, or the scripts can't run. For
- a user to have access to his or her script, the directory containing the
- script must be shared and the user must have R (Read) permission for the
- script.
-
- LAN Manager does this automatically. When the Netlogon service starts, LAN
- Manager shares the directory specified by scripts with the sharename
- NETLOGON. Also, LAN Manager gives the special group users RX (Read and
- Execute) permissions for the directory specified by scripts. For logon
- scripts to run, you must not stop sharing the NETLOGON resource.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Permissions automatically assigned for the directory specified by scripts
- affect only scripts stored in that directory. If you keep scripts in a
- subdirectory of the directory specified by scripts, be sure to give the
- appropriate users R permission for these scripts.
- ────────────────────────────────────────────────────────────────────────────
-
- For more information about permissions, see the "Resource Permissions and
- Auditing" section, later in this chapter. For more information about the
- special group users, see the "User Accounts" section, later in this chapter.
-
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- MS OS/2 and MS-DOS use different filename extensions for batch files. If you
- use batch files as logon scripts on a network with both MS OS/2 and MS-DOS
- workstations, keep each script under two filenames. Give the first filename
- a .CMD extension, and the second filename a .BAT extension.
-
- When specifying a batch file to be used as a user's logon script while
- creating or modifying that user's account, type just the first part of the
- filename (the part before the extension). When the user logs on, LAN Manager
- will add the appropriate extension (depending on whether the user logs on at
- an MS OS/2 or MS-DOS workstation) and run the script. For example,
- specifying "CLERK" as the script for a user causes CLERK.CMD to run when the
- user logs on at an MS OS/2 workstation, and CLERK.BAT to run when the user
- logs on at an MS-DOS workstation.
- ────────────────────────────────────────────────────────────────────────────
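-
- Added example (not part of the original guide): a Python audit of the two
- notes above, flagging logon scripts that lack a .CMD or .BAT counterpart
- and scripts kept in a subdirectory of the scripts directory. The usernames,
- script names, and directory listing are constructed sample data.
-

```python
from pathlib import PureWindowsPath

# Extension LAN Manager appends, by workstation operating system (from the guide).
EXT_BY_OS = {"MS OS/2": ".CMD", "MS-DOS": ".BAT"}

# Constructed sample data. Paths are relative to the directory named by the
# scripts entry; usernames and script names are made up.
SCRIPTS_DIR_LISTING = [
    "NETLOGON.CMD", "NETLOGON.BAT",
    "CLERK.CMD",                           # no CLERK.BAT
    r"SALES\FIELD.CMD", r"SALES\FIELD.BAT",
]
USER_SCRIPTS = {
    "jsmith": "clerk",
    "mlee": r"sales\field",
    "temp1": "netlogon",
    "tnew": "audit",
}


def audit_logon_scripts(user_scripts, listing, workstation_os=tuple(EXT_BY_OS)):
    """Map each username to a list of problems with its logon script."""
    # PureWindowsPath compares case-insensitively, like the server's file system.
    present = {PureWindowsPath(p) for p in listing}
    report = {}
    for user, script in sorted(user_scripts.items()):
        target = PureWindowsPath(script)
        if target.suffix:
            # Assumption: a name that already has an extension (an executable
            # file or profile) is looked up exactly as typed.
            wanted = [("all", target)]
        else:
            wanted = [(os_name, target.with_suffix(EXT_BY_OS[os_name]))
                      for os_name in workstation_os]
        problems = [f"{path} not found (needed at {label} workstations)"
                    for label, path in wanted if path not in present]
        if target.parent != PureWindowsPath("."):
            problems.append("kept in a subdirectory: the automatic RX permission "
                            "does not apply, grant R explicitly")
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    for user, problems in audit_logon_scripts(USER_SCRIPTS, SCRIPTS_DIR_LISTING).items():
        for problem in problems:
            print(f"{user}: {problem}")
```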
-
- LAN Manager provides a simple logon script under the filename NETLOGON.CMD
- for workstations with MS OS/2 and NETLOGON.BAT for workstations with MS-DOS.
- This script simply displays the following message:
-
- Welcome to LAN Manager 2.0. You have successfully logged on to a domain.
-
- The following sections describe how to use LAN Manager's Replicator service
- to maintain identical sets of logon scripts on each logon server in the
- domain and how to set up logon scripts for users of workstations running
- earlier versions of LAN Manager.
-
-
- Replicating Logon Scripts
-
- In domains that have backup domain controllers, you need to keep identical
- sets of logon scripts on the primary domain controller and each backup
- domain controller. When a user logs on, either the primary or one of the
- backups validates the logon request; this will not necessarily be the same
- server each time the user logs on. The logon script that is run when the
- user logs on comes from the server validating the logon request.
-
- The Replicator service makes it easy to maintain an identical set of scripts
- on the logon servers. Adding or updating scripts is simplified: you make
- updates on just one server, and they are copied automatically to the other
- servers.
-
- For replication, you designate one server as the "export" server (usually
- the primary domain controller) for the scripts; this server is where you
- make changes to the scripts, and it copies the scripts to the "import"
- servers (usually the backup domain controllers) whenever changes have been
- made. Do not make changes directly to the scripts on the import servers.
-
- The following procedure is for domains where only LAN Manager 2.0 is
- running. In domains with computers running LAN Manager 2.0 and computers
- running earlier versions of LAN Manager (1.x), see the following section.
-
- To set up the replication of logon scripts (with the primary domain
- controller being the export server):
-
-
- 1. On the primary domain controller, create a directory called SCRIPTS as
- a subdirectory of the LANMAN\REPL\EXPORT directory.
-
- 2. Change the following entries in the primary domain controller's
- LANMAN.INI file:
-
- ■ In the [netlogon] section:
-
- ─Change scripts to be repl\export\scripts. If you change the value
- of scripts while the Netlogon service is running, stop and restart
- both the Server and Netlogon services for the change to take
- effect.
-
- ■ In the [replicator] section:
-
- ─Check that the value of exportpath is repl\export. This is the
- default value.
-
- ─Change the value of replicate to export or both.
-
- ─Change the value of exportlist to the name of the domain.
-
-
- 3. Change the values of the following entries in the LANMAN.INI files of
- each backup domain controller in the domain:
-
- ■ In the [netlogon] section:
-
- ─Check that the value of scripts is repl\import\scripts.
-
- ■ In the [replicator] section:
-
- ─Check that the value of importpath is repl\import.
-
- ─Change the value of replicate to import or both.
-
- ─Change the value of importlist to the computername of the primary
- domain controller.
-
-
- 4. Start the Replicator service on the primary and each backup by typing
- the following command at each of these servers:
-
- net start replicator
-
- To have the Replicator service start automatically when the Server
- service starts, add replicator to the list of services in the
- srvservices entry of the primary and each backup. The srvservices
- entry is in the [server] section of the LANMAN.INI file.
-
- 5. Create logon scripts in the LANMAN\REPL\EXPORT\SCRIPTS directory of
- the primary.
-
- These scripts will be replicated to the LANMAN\REPL\IMPORT\SCRIPTS
- directory of each backup. Whenever you update or make additions to
- scripts on the primary, they are also copied to the backups, as long
- as the Replicator service is running.
-
-
- The preceding procedure uses default values for exportpath, importpath, and
- scripts whenever possible, to simplify the process of setting up the
- replication of scripts. Whether or not you use the default values for these
- options, you must follow these rules for logon script replication to work:
-
-
- ■ On each primary and backup, the scripts must be kept in the directory
- specified by that server's scripts entry or in a subdirectory of that
- directory.
-
- ■ On the export server (usually the primary domain controller), the
- directory that holds the scripts must be a subdirectory of the
- directory specified by exportpath.
-
- ■ On the import servers (usually the backup domain controllers), the
- directory that holds the scripts must be a subdirectory of the
- directory specified by importpath.
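-
- Added example (not part of the original guide): a Python check of one
- server's LANMAN.INI against the replication procedure and rules above. The
- domain name SALES, the computername PRIMARY1, the LANMAN root C:\LANMAN, and
- the semicolon separator for list entries are assumptions.
-

```python
import configparser
import ntpath
from pathlib import PureWindowsPath

# Defaults the guide states for these entries.
DEFAULTS = {"scripts": r"repl\import\scripts", "exportpath": r"repl\export"}

# Constructed sample files; SALES and PRIMARY1 are made-up names.
PRIMARY_INI = r"""
[workstation]
domain = SALES
[netlogon]
scripts = repl\export\scripts
[replicator]
replicate = export
exportpath = repl\export
exportlist = SALES
"""

# Deliberately misconfigured backup: wrong replicate value, and a scripts
# directory that lies outside importpath.
BACKUP_INI = r"""
[workstation]
domain = SALES
[netlogon]
scripts = accounts\userdirs\scripts
[replicator]
replicate = export
importpath = repl\import
importlist = PRIMARY1
"""


def resolve(lanman_root, value):
    """Entries are absolute or relative to the LANMAN directory."""
    return PureWindowsPath(ntpath.normpath(ntpath.join(lanman_root, value)))


def check_replication(ini_text, role, domain, primary, lanman_root=r"C:\LANMAN"):
    """Check one server's LANMAN.INI; role is 'export' or 'import'.

    Returns a list of findings (empty when the logon-script rules hold).
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)

    def get(section, key):
        return cfg.get(section, key, fallback=DEFAULTS.get(key, "")).strip()

    findings = []
    if get("workstation", "domain").upper() != domain.upper():
        findings.append(f"[workstation] domain is not {domain}")

    if get("replicator", "replicate").lower() not in (role, "both"):
        findings.append(f"[replicator] replicate must be {role} or both")

    # exportlist names the domain; importlist names the primary (export server).
    list_key, wanted = (("exportlist", domain) if role == "export"
                        else ("importlist", primary))
    # Assumption: several names, if present, are separated by semicolons.
    names = [n.strip().lstrip("\\").upper()
             for n in get("replicator", list_key).split(";")]
    if wanted.upper() not in names:
        findings.append(f"[replicator] {list_key} does not name {wanted}")

    # The scripts directory must be a subdirectory of exportpath/importpath.
    path_key = role + "path"
    base = get("replicator", path_key)
    scripts = resolve(lanman_root, get("netlogon", "scripts"))
    if not base:
        findings.append(f"[replicator] {path_key} is not set")
    elif resolve(lanman_root, base) not in scripts.parents:
        findings.append(f"{scripts} is not below {path_key} ({base})")
    return findings


if __name__ == "__main__":
    for name, text, role in (("primary", PRIMARY_INI, "export"),
                             ("backup", BACKUP_INI, "import")):
        for finding in check_replication(text, role, "SALES", "PRIMARY1"):
            print(f"{name}: {finding}")
```

- The same check accepts the mixed 1.x arrangement described in the next
- section, where scripts is accounts\userdirs\scripts and exportpath or
- importpath is accounts\userdirs.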
-
-
- For more information about the Replicator service, see Chapter 13,
- "Replicating Files and Directories."
-
-
- Scripts for 1.x Workstations
-
- Workstations running LAN Manager 1.x versions ignore the value of the
- scripts entry (in the [netlogon] section of LANMAN.INI) on LAN Manager 2.0
- servers. Workstations running 1.x always assume that the logon script
- specified in a user's account is relative to the LANMAN\ACCOUNTS\USERDIRS
- directory. Scripts for 1.x workstations must be stored in
- LANMAN\ACCOUNTS\USERDIRS or in a subdirectory of this directory. (LAN
- Manager automatically creates a SCRIPTS directory in the
- LANMAN\ACCOUNTS\USERDIRS directory when a server is installed.)
-
- If your domain has computers running LAN Manager 2.0 and computers running
- LAN Manager 1.x, you have the following options for setting up scripts for
- users of 1.x versions:
-
-
- ■ Use the procedure in the preceding section to set up logon scripts.
- Users with workstations running LAN Manager 2.0 will use scripts in
- the primary domain controller's REPL\EXPORT\SCRIPTS directory and in
- the backup domain controllers' REPL\IMPORT\SCRIPTS directories.
-
- In addition, put scripts for users with LAN Manager 1.x workstations
- in the LANMAN\ACCOUNTS\USERDIRS directory, or in a subdirectory of
- this directory, on each logon server. These scripts won't be
- replicated.
-
- ■ Specify accounts\userdirs\scripts as the value for the scripts entry
- in the [netlogon] section of the LANMAN.INI file on the primary and on
- the backups. All users who log on in the domain will use scripts in
- this directory.
-
- To replicate scripts between the primary and backup domain
- controllers, edit the [replicator] section of the LANMAN.INI file.
- Specify accounts\userdirs as the value of exportpath on the primary
- and of importpath on each backup. However, doing this means that any
- other directories you want to replicate from the primary must also be
- subdirectories of ACCOUNTS\USERDIRS, as the Replicator service
- replicates only subdirectories of the single directory specified by
- exportpath.
-
-
-
- User Accounts
-
- Each user who needs access to resources shared on a server with user-level
- security must have a user account on that server. The user account
- identifies the user to LAN Manager.
-
- If the domain has logon security, you need to create user accounts on the
- primary domain controller for all users in the domain. These accounts will
- be checked when users log on to the network in the domain. In addition,
- these accounts will be replicated to the domain's backup domain controllers
- and member servers, and each of these servers (as well as the primary) will
- check these accounts when users try to access resources shared on these
- servers. You don't create user accounts directly on any backup or member.
-
- If the domain doesn't have logon security, you'll need to create user
- accounts separately on each server with user-level security. On each server,
- you need to create accounts for users who will use resources shared on that
- server.
-
- The following section describes each element of user accounts. Following
- that section are procedures explaining how to create user accounts, change
- information in accounts, disable accounts, and delete accounts.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- User accounts are kept in the server's NET.ACC file (in the LANMAN\ACCOUNTS
- directory). Because LAN Manager keeps this file open, most backup procedures
- can't save user account information while LAN Manager is running. Two LAN
- Manager utilities, backacc and restacc, allow this file to be backed up
- while LAN Manager is running. For more information about these utilities,
- see the Microsoft LAN Manager Administrator's Reference.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- Contents of User Accounts
-
- Each user account must have a username and privilege level. You can also
- define more information for each account, including a password, operator
- privileges, group memberships, logon restrictions, a logon script, and a
- home directory.
-
- The following sections describe the elements of user accounts.
-
-
- Username
-
- The username identifies the user to LAN Manager and to other network users.
- Each user account on the server must have a unique username.
-
-
- Privilege Level
-
- Each user has one of three privilege levels, which determines what actions
- the user can take:
-
-
- ■ The admin privilege makes the user an administrator. Administrators
- can perform all types of actions on the server─starting and stopping
- services, creating and modifying user accounts, sharing resources,
- assigning resource permissions, and managing printer queues and
- communication-device queues (comm queues). (Administrators can also
- perform all actions granted by the user privilege, described next.)
-
- Users with admin privilege can use all resources shared on the server,
- regardless of access permissions, and can access all files on the
- server, regardless of access permissions enforced by local security.
- (For more information about local security, see the "Local Security on
- 386 Servers" section, later in this chapter.)
-
- The default administrative account admin has admin privilege, and you
- can create more accounts with admin privilege. Once you have created
- more accounts that have admin privilege, you can delete the account
- named admin. Whenever you delete an account with admin privilege, LAN
- Manager makes sure there is at least one other active account with
- admin privilege on the server. LAN Manager will prevent you from
- deleting the last account with admin privilege from the server, so you
- will never be locked out from administering the server.
-
- Do not assign a null password to an account with admin privilege.
-
- LAN Manager automatically puts all accounts with admin privilege into
- the special group admins.
-
- ■ The user privilege is the default privilege level and is the one you
- assign to most network users. User privilege allows a user to use
- network resources (subject to the access permissions for the
- resources), view information about the resources that servers share
- and the status of printer and comm queues, and send and receive
- messages.
-
- LAN Manager automatically puts all accounts with user privilege into
- the special group users. This group is useful when you assign access
- permissions; to give all users with accounts on the server (except
- those with guest privilege) permissions for a resource, give those
- permissions to the group users.
-
- You can also give a person with user privilege limited rights to
- perform certain types of administrative actions by giving operator
- privileges to the user. Operator privileges are described in the
- following section.
-
- ■ The guest privilege gives a user the same abilities as user
- privilege─the abilities to use network resources (subject to the
- access permissions for the resources), view information about the
- resources that servers share and the status of printer and comm
- queues, and send and receive messages. Accounts with guest privilege
- are automatically put into the special group guests.
-
- The main reason to give an account guest privilege instead of user
- privilege is to exclude temporary or occasional users from the group
- users, which is often used to grant resource permissions to all
- regular users.
-
- Accounts with guest privilege can't be given operator privileges.
-
-
-
- Operator Privileges
-
- A person with user privilege can also be given operator privileges, which
- allow the user to perform certain types of administrative actions. Each user
- can be given one or more of the four types of operator privileges. Table 4.1
- explains each type of operator privilege.
-
- Table 4.1 Operator Privileges
-
- Operator
- privilege   Allows a user to
- ────────────────────────────────────────────────────────────────────────────
- server      Start and stop services.
-
-             Share and stop sharing resources.
-
-             Read and clear the error log.
-
-             Close users' sessions and files that users have opened.
-
-             View a list of all resources shared on the server
-             (including "admin-only" resources).
-
- accounts    Create, remove, and modify user accounts with user or
-             guest privilege.
-
-             Create, remove, and modify groups.
-
-             Modify logon restrictions.
-
-             An accounts operator can't modify an account with admin
-             privilege except to change group memberships. Nor can
-             an accounts operator change an account's privilege to
-             admin.
-
- print       Share and stop sharing printer queues.
-
-             Create, remove, and modify printer queues.
-
-             Control print jobs.
-
-             View a list of all resources shared on the server
-             (including "admin-only" resources).
-
- comm        Share and stop sharing comm queues.
-
-             Control comm queue requests.
-
-             View a list of all resources shared on the server
-             (including "admin-only" resources).
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
-
- Logon Hours
-
- You can define a set of logon hours for the user. The person can use the
- server's resources only during the days and times you specify. And if you
- define logon hours for an account in a domain's master user accounts
- database, the user will be able to log on to the network only during those
- hours.
-
- If the person is using a resource at the server when his or her logon hours
- expire, the user's connection to the server may be automatically canceled.
- Whether the connection is canceled is determined by the security settings on
- the server. Security settings are explained in the "Security Settings"
- section, later in this chapter.
-
- The default value for logon hours allows the user to log on at any time.
-
-
- Valid Workstations
-
- You can specify as many as eight workstations from which the user can access
- the server, or you can allow the user to access the server from any
- workstation. The default value allows the user to access the server from any
- workstation.
-
- If the account is in a domain's user accounts database, the user must log on
- to the network from one of the workstations you specify.
-
-
- Logon Server
-
- If the Netlogon service is running in the user's domain, you can specify
- which domain controller (the primary or one of the backups) will be the
- user's logon server. If you specify a logon server, that server will process
- the user's logon requests.
-
- However, if the user's designated logon server is down when the user logs
- on, another domain controller (the primary or a backup) will log the user
- on.
-
- You can also specify that a user's logon server be "any server." In this
- case, the user's logon requests will be processed by whichever server is
- available at the time. This is the default value for the logon server
- option.
-
- The Netlogon service can keep track of the last time the user logged on to
- the network (in the user's domain) and the number of times the user has
- tried but failed to log on in the domain. This information can be seen by an
- administrator viewing the user's account. However, the information is kept
- only if you designate a specific logon server (either the primary domain
- controller or one of the backup domain controllers) for the user.
-
- When specifying logon servers for users, be sure not to overload any of the
- logon servers by assigning too many users to that server. Spread the logon
- processing load among all the domain's logon servers.
-
-
- Logon Script
-
- You can specify a file to be used as the user's logon script. The logon
- script is run on the user's workstation and is normally used to configure
- the workstation for that user, performing such tasks as making connections
- and starting applications. Logon scripts can be batch files, profiles, or
- executable programs. How to set up logon scripts on servers is explained in
- the "Logon Scripts" section, earlier in this chapter.
-
- The default value for logon script is to have no logon script.
-
-
- Home Directory
-
- You can create a home directory on a server for the user. A user can use the
- home directory as his or her storage space on the server.
-
- If you assign a home directory to a user, you can limit the amount of disk
- space the home directory can use. LAN Manager's chkstor utility lets you
- check how much disk space is used by users' home directories. For more
- information about the chkstor utility, see the Microsoft LAN Manager
- Administrator's Reference.
-
- The default value for home directory is to have no home directory.
-
-
- Expiration Date
-
- You can assign an expiration date to an account. At the beginning of the
- assigned date, the account will be disabled, but won't be removed from the
- database (you can enable an expired account by removing the expiration date
- or defining a new expiration date).
-
- The default value for expiration date is to have no expiration date.
-
-
- Adding a User Account from the Command Line
-
- When you use the net user command to add or modify a user account, you can
- specify three types of information that you can't specify when adding an
- account with the LAN Manager Screen:
-
-
- ■ You can specify that the account not be required to have a password.
-
- ■ You can specify that the user can never change his or her own
- password.
-
- ■ You can specify whether the account is required to have a home
- directory.
-
-
- For more information, see Net User, Microsoft LAN Manager Administrator's
- Reference.
-
-
- The Guest Account
-
- The guestacct entry in the [server] section of the LANMAN.INI file specifies
- the name of the server's guest account. You can use the guest account to
- allow users who don't have accounts on the server to access resources on the
- server.
-
- The default value for guestacct is guest. LAN Manager installs a
- corresponding user account with the username guest and no password in the
- user accounts database of each server.
-
- When a user who has no account on a server tries to access a resource on
- that server, LAN Manager looks at the account name specified by guestacct.
- If guestacct specifies the name of a valid account on the server, and the
- password the user provided matches the password of this account, the user is
- given access to the server's resources according to the resource permissions
- you have granted to the guest account.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If the account specified by guestacct has no password, a user can gain
- access to the server through the guest account by supplying any password, or
- no password at all.
- ────────────────────────────────────────────────────────────────────────────
-
- For example, suppose the guestacct entry specifies guest and the account
- named guest exists on the server. The user tomwr tries to make a connection
- to the printer queue LASER shared on the server. But tomwr doesn't have an
- account on the server, so LAN Manager checks the permissions assigned to the
- account named guest. If guest has been given permission to use LASER, then
- tomwr is allowed to make the connection.
-
- If you change the value for guestacct to another name, be sure that you have
- added an account with that name to the server. The initial guest account,
- guest, has no password; you can assign a password to the guest account. If
- you do, then a user must type that password to be able to access the server
- using the guest account.
-
- It is a good idea to give the guest account guest privilege. If you give the
- guest account user privilege, then the guest account will be a member of the
- special group users and will have all the resource permissions you have
- granted to users. Giving the guest account admin privilege allows any user
- who doesn't have an account on the server to administer the server.
-
- If you want no guest account on the server, delete the user account
- specified by the guestacct entry in LANMAN.INI.
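-
- The guest fallback described in this section, modeled as an added example
- (not LAN Manager code and not part of the original guide). The Account and
- Server classes, the function names, and the sample data are assumptions made
- for illustration; guest_findings lists the conditions this section warns about.
-

```python
import hmac
from dataclasses import dataclass, field

# Special group LAN Manager assigns automatically for each privilege level.
SPECIAL_GROUP = {"admin": "admins", "user": "users", "guest": "guests"}

@dataclass
class Account:
    name: str
    password: str = ""         # "" models an account with no password
    privilege: str = "user"    # "guest", "user" or "admin"

@dataclass
class Server:
    guestacct: str = "guest"   # guestacct entry, [server] section of LANMAN.INI
    accounts: dict = field(default_factory=dict)   # username -> Account
    acl: dict = field(default_factory=dict)        # resource -> set of grantees

def _same(a, b):
    # Constant-time comparison; plaintext storage is a simplification of this model.
    return hmac.compare_digest(a.encode(), b.encode())

def effective_account(server, username, password):
    """Return the Account a connection is checked against, or None if refused."""
    acct = server.accounts.get(username)
    if acct is not None:
        # Assumption: a user who has an account is checked against it alone.
        return acct if _same(acct.password, password) else None
    guest = server.accounts.get(server.guestacct)
    if guest is None:
        return None            # guestacct names no account: no guest access
    if guest.password == "" or _same(guest.password, password):
        return guest           # a passwordless guest account accepts any password
    return None

def can_use(server, username, password, resource):
    """True if the connection is allowed to use the resource."""
    acct = effective_account(server, username, password)
    if acct is None:
        return False
    grantees = server.acl.get(resource, set())
    return acct.name in grantees or SPECIAL_GROUP[acct.privilege] in grantees

def guest_findings(server):
    """Review the guest path as this section advises; returns a list of findings."""
    guest = server.accounts.get(server.guestacct)
    if guest is None:
        return []              # no guest account, so nothing to review
    found = []
    if guest.password == "":
        found.append("no password: any or no password is accepted")
    if guest.privilege == "user":
        found.append("user privilege: holds every permission granted to users")
    if guest.privilege == "admin":
        found.append("admin privilege: users without accounts can administer the server")
    reachable = sorted(r for r, g in server.acl.items()
                       if guest.name in g or SPECIAL_GROUP[guest.privilege] in g)
    if reachable:
        found.append("reachable resources: " + ", ".join(reachable))
    return found

def sample_server():
    """Constructed sample: the tomwr / LASER case, plus a share granted to users."""
    srv = Server()
    srv.accounts["guest"] = Account("guest", "", "guest")
    srv.accounts["danbe"] = Account("danbe", "constructed-pw", "user")
    srv.acl = {"LASER": {"guest"}, "PAYROLL": {"users"}}
    return srv
```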
-
-
- Creating a User Account
-
- The following procedure explains how to create a new user account. You can
- also create a user account by cloning another account. Cloning is explained
- in the "Cloning a User Account" section, later in this chapter.
-
- To create a user account:
-
-
- 1. From the Accounts menu, choose Users.
-
- The dialog box shown in Figure 4.3 appears.
-
- (This figure may be found in the printed book).
-
- The list box shows existing user accounts.
-
- 2. Choose <Add user>.
-
- The dialog box shown in Figure 4.4 appears.
-
- (This figure may be found in the printed book).
-
- 3. In the "Account name" text box, type the username of the account.
-
- The username can have as many as 20 characters, including letters,
- numbers, and the following characters:
-
- ! # $ % & ( ) - . @ ^ _ ` { } ~
-
- 4. In the "Password" text box, type a password for the user.
-
- The password can have as many as 14 characters, and the minimum length
- is determined by the security settings on the server. Security
- settings are explained in the "Security Settings" section, later in
- this chapter.
-
- Do not assign a null password to an account with admin privilege.
-
- Advise each user to change his or her password when he or she logs on
- for the first time.
-
- 5. In the "Full name" text box, optionally type the user's full name.
-
- 6. In the "Comment" text box, optionally type a comment.
-
- This comment can't be changed by the user and will be displayed when
- an administrator lists users on the server.
-
- 7. In the "User comment" text box, optionally type a user comment.
-
- The user can change this comment, which will be displayed when users
- view a list of users on the server or in the domain.
-
- 8. In the "Country code" list box, type the code corresponding to the
- language in which the user's messages are to be displayed.
-
- The default value for the country code is 0. If this value is
- specified, messages are sent in the language used in the
- LANMAN\NETPROG\NET.MSG file. See Appendix C, "Country Codes," for a
- list of the country codes.
-
- 9. From the "Privilege level" option buttons, select either "Guest,"
- "User," or "Admin."
-
- 10. If you selected "User," you can optionally mark one or more of the
- "Operator privileges" check boxes (server, accounts, print, and comm)
- to give a person with user privilege the ability to perform certain
- types of administrative tasks.
-
- 11. To put the user into one or more currently existing groups, choose
- <Groups>.
-
- The dialog box that appears when the <Groups> command button is chosen
- is described in the following section.
-
- 12. To limit the hours when the user can access the server, specify which
- workstations the user can use, and/or give the account an expiration
- date, choose <Logon>.
-
- The dialog box that appears when the <Logon> command button is chosen
- is described in the "<Logon> Command Button" section, later in this
- chapter.
-
- 13. To assign the user a logon server, logon script, and/or home
- directory, choose <Paths>.
-
- The dialog box that appears when the <Paths> command button is chosen
- is described in the "<Paths> Command Button" section, later in this
- chapter.
-
- 14. Choose <OK>.
-
- 15. Choose <Done>.
-
-
-
- <Groups> Command Button
-
- When creating a user account, choosing <Groups> displays the dialog box
- shown in Figure 4.5.
-
- (This figure may be found in the printed book).
-
- The "Member of" list box displays the groups to which the user belongs. The
- "Not a member of" list box displays groups to which the user does not
- belong.
-
- To assign group memberships for a user account:
-
-
- 1. In the "Not a member of" list box, select a groupname, then choose
- <Join>.
-
- 2. Repeat step 1 until the user is assigned to as many groups as needed.
-
- 3. To remove the user from a group, in the "Member of" list box, select
- the groupname, then choose >.
-
- To remove the user from all groups (except the user's automatic
- group: admins, users, or guests), choose >.
-
- 4. Choose <OK>.
-
-
-
- <Logon> Command Button
-
- When creating a user account, choosing <Logon> displays the following dialog
- box:
-
- (This figure may be found in the printed book).
-
- This dialog box is used to set limits on the user's logon privileges. The
- administrator can set an expiration date for the account, limit logon hours,
- and limit the workstations from which the user can log on.
-
- To specify logon restrictions for a user account:
-
-
- 1. To set an expiration date, in the "Account expires" text box, type a
- date and/or time.
-
- LAN Manager accepts all of the following formats for the expiration
- date:
-
- 7-23-90
- 7-23-90 8am
- 7/23/90 5 pm
- 7-23-90 8:00
- 7-23-90 17:30:32
-
- To set no expiration date, leave the "Account expires" text box blank.
-
- 2. To allow the user to access the server while working at any
- workstation, from the "Valid workstations" option buttons, select "Any
- workstation."
-
- To limit the workstations from which a user can work, from the "Valid
- workstations" option buttons, select "Listed" and, in the text box,
- type the computernames of as many as eight workstations.
-
- 3. To limit the times the user can access the server, adjust the graph
- under "Hours logon allowed:"
-
- ■ To allow the user to use resources at the server at all times,
- choose <Permit all hours>. This is the default value.
-
- ■ To allow or prevent use at a specific hour, move to that spot and
- press the SPACEBAR, or click that spot with the mouse.
-
- ■ To clear all logon hours, choose <Clear>.
-
-
- 4. Choose <OK>.
-
-
-
- <Paths> Command Button
-
- When creating a user account, choosing <Paths> displays the following dialog
- box:
-
- (This figure may be found in the printed book).
-
- This dialog box is used to define the logon server, logon script, and home
- directory for the user. Use this dialog box only if you are adding the
- account to a domain's master user accounts database.
-
- To specify a logon server, logon script, and home directory for a user
- account:
-
-
- 1. From the "Logon server" option buttons, select the option button for
- the server that will process the user's logon requests:
-
- ■ Select "Domain controller" to have the domain's primary domain
- controller process the user's logon requests. However, if the user
- logs on and the primary is unavailable, a backup domain controller
- (if any exist in the domain) will process the logon request.
-
- ■ Select "Any server" to have the user's logon requests be processed
- by any logon server available at the time. This is the default.
-
- ■ Select "Servername" and, in the text box, type the computername of
- a backup domain controller to have that backup process the user's
- logon requests. However, if the user logs on and the specified
- backup is unavailable, the primary or another backup will process
- the logon request.
-
-
- 2. If the user has a logon script, in the "Logon script" text box, type
- the filename or pathname of the script.
-
- For users with LAN Manager 2.0 workstations, the pathname of the logon
- script is relative to the value for the scripts entry in the
- [netlogon] section of the logon server's LANMAN.INI file.
-
- For users with LAN Manager 1.x workstations, the pathname of the logon
- script is relative to the LANMAN\ACCOUNTS\USERDIRS directory of the
- logon server.
-
- 3. In the "Home directory" text box, type the name of the user's home
- directory, if any.
-
- The name can be an absolute pathname (in which case the home directory
- will be on the primary domain controller) or a network pathname.
-
- If the directory you specify doesn't exist, LAN Manager will offer to
- create it. Once you create the home directory for the user, you should
- give the user permissions for it. Give each user RWCDAP permissions
- for his or her own home directory. Permissions are explained in the
- "Resource Permissions and Auditing" section, later in this chapter.
-
- 4. To set a limit on the size of the user's home directory, from the
- "User storage limit" option buttons, select "Maximum" and, in the text
- box, type the limit (in kilobytes).
-
- Exceeding this limit will cause an alert to be sent to both the user
- and the administrator.
-
- The default for this option is "None" (no limit).
-
- 5. Choose <OK>.
-
-
- Command Line To create a user account, type
-
- net user username password /add [options]
-
- See Net User, Microsoft LAN Manager Administrator's Reference.
-
-
- Cloning a User Account
-
- An existing user account can be used as a template for a new user account.
- This is called cloning. When an account is cloned, the new account
- duplicates all information from the cloned account (except the account name,
- full name, and password); you need to change only the settings that you want
- to be different.
-
- Cloning can be done only with the LAN Manager Screen; there is no equivalent
- command-line command.
-
- To clone a user account:
-
-
- 1. From the Accounts menu, choose Users.
-
- The "Select a User Account" dialog box (Figure 4.3) appears.
-
- 2. In the list box, select an account, then choose <Clone>.
-
- The "Create a New User Account" dialog box (Figure 4.4) appears.
- Settings for the template account (except the account name, password,
- and full name) appear as values for the new account.
-
- 3. In the "Account name" text box, type a username.
-
- 4. In the "Password" text box, type a password.
-
- 5. In the "Full name" text box, optionally type the user's full name.
-
- 6. Follow steps 6-13 of the procedure in the "Creating a User Account"
- section (earlier in this chapter) to customize the account for this
- user.
-
- If the old account being cloned has a home directory, be sure to
- change that option for the new account.
-
- 7. Choose <OK>.
-
- 8. Choose <Done>.
-
-
-
- Viewing and Changing Account Settings
-
- When you view an account, LAN Manager can report information about the
- person's use of passwords and attempts to log on, in addition to the account
- information you initially set.
-
- To view or change information about a user account:
-
-
- 1. From the Accounts menu, choose Users.
-
- The "Select a User Account" dialog box (Figure 4.3) appears.
-
- 2. In the list box, select an account, then choose <Zoom>.
-
- The dialog box shown in Figure 4.6 appears.
-
- (This figure may be found in the printed book).
-
- This dialog box shows the account information you have set for the
- user. It also shows when the user last changed his or her password,
- when the user will be able to change his or her password, and the date
- the user's password expires.
-
- If this account is in a domain's master user accounts database, then
- the date and time the user last logged on in the domain and how many
- times the user has unsuccessfully tried to log on in the domain are
- also shown. However, this information is accurate only if a specific
- logon server is designated for this user. The dialog box displayed
- when <Paths> is chosen shows whether a logon server has been specified
- for this user.
-
- Also, the date of last logon and number of unsuccessful logons do not
- reflect any attempts by the user to log on from workstations running
- LAN Manager 1.x.
-
- You can make changes to the account settings shown in the text boxes
- of this dialog box. You can't change the information in the "Last
- logon," "Failed logon count," "Password last changed," "Next change
- available," and "Password expires" display fields.
-
- You can also choose <Groups>, <Logon>, and <Paths> to make changes to
- those types of information for the account.
-
- 3. Choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line To view or change information about a user account:
-
-
- ■ View information about a user account by typing
-
- net user username
-
- ■ Change one or more options of a user's account by typing
-
- net user username [options]
-
-
- See Net User, Microsoft LAN Manager Administrator's Reference.
-
-
- Disabling or Enabling a User Account
-
- Disabling a user account prevents the user from logging on, but doesn't
- delete the account's information.
-
- The account-disabling feature lets you keep generic accounts and allow their
- use only when needed. You can also temporarily disable accounts of employees
- who are on vacation.
-
- Also, if you use a generic account as a template for cloning accounts, you
- should keep the template account disabled.
-
- To disable or enable a user account:
-
-
- 1. From the Accounts menu, choose Users.
-
- The "Select a User Account" dialog box (Figure 4.3) appears.
-
- 2. In the list box, select a username, then choose <Zoom>.
-
- The "View the User Account username" dialog box (Figure 4.6) appears.
-
- 3. Mark the "Disable account" check box.
-
- 4. Choose <OK>.
-
- 5. Choose <Done>.
-
-
- To enable the account again, unmark the "Disable account" check box.
-
- Command Line To disable or enable a user account:
-
-
- ■ Disable a user account by typing
-
- net user username /active:no
-
- ■ Enable a disabled user account by typing
-
- net user username /active:yes
-
-
- See Net User, Microsoft LAN Manager Administrator's Reference.
-
-
- Deleting a User Account
-
- Deleting a user account removes all information about the account from the
- user accounts database.
-
- To delete a user account:
-
-
- 1. From the Accounts menu, choose Users.
-
- The "Select a User Account" dialog box (Figure 4.3) appears.
-
- 2. In the list box, select a username, then choose <Delete>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line To delete a user account, type
-
- net user username /delete
-
- See Net User, Microsoft LAN Manager Administrator's Reference.
-
-
- Groups of Users
-
- Creating groups of users who have similar resource needs makes it easier to
- grant access permissions; when you define access permissions for a resource,
- you can grant permissions to many users at once by granting permissions to a
- group.
-
- For example, all employees that work with the payroll can be put into a
- group called payroll. You can then grant permissions for the necessary
- directories and printers to payroll, rather than granting permissions to
- each of those users individually.
-
- Also, when you add a new user account to the server, and put that account in
- payroll, the user is instantly granted the permissions already given to
- payroll.
-
- Any number of users can be put in a group, and each user can be a member of
- as many as 256 groups. However, a group can't be made a member of another
- group.
-
- Groups you create on a domain's primary domain controller are copied to the
- backup domain controllers and member servers, just as user accounts and
- security settings are.
-
-
- Creating a Group
-
- The following procedure explains how to create a group. You can also create
- a group by cloning another group. Cloning a group is explained in the
- following section.
-
- To create a group:
-
-
- 1. From the Accounts menu, choose Groups.
-
- The dialog box shown in Figure 4.7 appears.
-
- (This figure may be found in the printed book).
-
- 2. Choose <Add group>.
-
- The dialog box shown in Figure 4.8 appears.
-
- (This figure may be found in the printed book).
-
- The "Non-members" list box displays all users with accounts in the
- database.
-
- 3. In the "Groupname" text box, type a name for the group.
-
- The groupname can have as many as 20 characters, including letters,
- numbers, and the following characters:
-
- ! # $ % & ( ) - . @ ^ _ ` { } ~
-
- 4. In the "Comment" text box, optionally type a comment.
-
- The comment will be shown when lists of groups on the server are
- displayed.
-
- 5. In the "Non-Members" list box, select a username, then choose <Add
- member>.
-
- 6. Repeat step 5 until you're finished adding members to the group.
-
- 7. Choose <OK>.
-
- 8. Choose <Done>.
-
-
- Command Line To create a group and add users to a group:
-
-
- ■ Create a group by typing
-
- net group groupname /add [/comment:"text"]
-
- ■ Add users to a group by typing
-
- net group groupname [username[ ...]] /add
-
-
- See Net Group, Microsoft LAN Manager Administrator's Reference.
-
-
- Cloning a Group
-
- An existing group can be used as a template for a new group. When you clone
- a group, the new group has the same members as the original group.
-
- Any group, including the special groups users, admins, and guests, can be
- cloned.
-
- Cloning can be done only with the LAN Manager Screen; there is no equivalent
- command-line command.
-
- To clone a group:
-
-
- 1. From the Accounts menu, choose Groups.
-
- The "Select a User Group" dialog box (Figure 4.7) appears.
-
- 2. In the list box, select a groupname, then choose <Clone>.
-
- The "Add a New User Group" dialog box (Figure 4.8) appears. The
- members of the template group appear in the "Members" list box.
-
- 3. In the "Groupname" text box, type a name for the new group.
-
- 4. In the "Comment" text box, optionally type a comment for the group.
-
- The comment will be shown when lists of groups on the server are
- displayed.
-
- 5. Add more members to the group and remove current members from the
- group:
-
- ■ To add another member to the group, from the "Non-members" list
- box, select the username, then choose <Add member>.
-
- ■ To remove a member from the group, from the "Members" list box,
- select the username, then choose >.
-
-
- 6. Choose <OK>.
-
- 7. Choose <Done>.
-
-
-
- Changing a Group's Membership
-
- The membership of a group can be changed at any time.
-
- To change the membership of a group:
-
-
- 1. From the Accounts menu, choose Groups.
-
- The "Select a User Group" dialog box (Figure 4.7) appears.
-
- 2. In the list box, select a groupname, then choose <Zoom>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Add more members to the group and remove users from the group:
-
- ■ To add a user to the group, from the "Non-members" list box,
- select the username, then choose <Add member>.
-
- ■ To remove a user from the group, from the "Members" list box,
- select the username, then choose >.
-
- ■ To remove all members from the group, choose >.
-
-
- 4. Choose <OK>.
-
- 5. Choose <Done>.
-
-
- Command Line To change the membership of a group:
-
-
- ■ Add users to the group by typing
-
- net group groupname [username[ ...]] /add
-
- ■ Remove users from the group by typing
-
- net group groupname [username[ ...]] /delete
-
-
- See Net Group, Microsoft LAN Manager Administrator's Reference.
-
-
- Deleting a Group
-
- Deleting a group removes the groupname from the user accounts database and
- deletes all resource permissions assigned to that group. The user accounts
- of the group's members are not affected, however.
-
- You can't delete the special groups users, admins, and guests.
-
- To delete a group:
-
-
- 1. From the Accounts menu, choose Groups.
-
- The "Select a User Group" dialog box (Figure 4.7) appears.
-
- 2. In the list box, select a groupname, then choose <Delete>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line To delete a group, type
-
- net group groupname /delete
-
- See Net Group, Microsoft LAN Manager Administrator's Reference.
-
-
- Security Settings
-
- The server's security settings determine how the passwords of user accounts
- on the server can be changed, and what happens when a user tries to exceed
- his or her logon hours.
-
- There are five security settings:
-
-
- ■ Minimum password length is the minimum number of characters that
- passwords must have. The value can range from 0 (where user accounts
- aren't required to have passwords) to 14 (the maximum length for user
- passwords). The initial value (set when LAN Manager is installed) is
- 6.
-
- ■ Minimum password age is the minimum number of days that must pass
- before a user can change his or her password. This setting does not
- apply to administrators, who can change the password of a user at any
- time. The initial value is 0.
-
- ■ Maximum password age is the maximum number of days that can pass
- before a user is forced to change his or her password. The initial
- value is 90.
-
- ■ Password uniqueness prevents a user from reusing his or her old
- passwords. The value you set for password uniqueness is the number of
- the user's previous passwords that can't be reused. For example, if
- password uniqueness is 3, when users change their passwords they can't
- reuse any of their last 3 passwords as the new password. The initial
- value is 5.
-
- ■ Force logoff determines what happens when a user has a session to a
- server when his or her logon hours expire. You can specify that the
- user's session be ended immediately, that it be ended after a certain
- number of seconds, or that it not be ended at all. This value also
- applies when a user has a session to a server when his or her account
- expires.
-
- This value affects only what happens when a user is already logged on.
- Regardless of the force logoff value, users are prevented from making
- a new connection to the server outside of their logon hours or after
- their accounts expire.
-
-
- Security is more effective when users are forced to change passwords
- regularly. The maximum password age, minimum password age, and password
- uniqueness settings work together to ensure this.
-
- The maximum password age forces users to change passwords periodically.
- Setting a value for minimum password age ensures that users won't be able to
- change to a new password and then immediately change back to the old one.
- Password uniqueness forces users to use a new password each time they change
- their password, instead of just alternating between a few passwords.
-
- Security settings made on a domain's primary domain controller are
- replicated to the domain's backup and member servers, just as user accounts
- and groups are.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- You can specify that a particular account not be required to have a password
- at all, using the /passwordreq option of the net user command. This option
- partially overrides the minimum password length security setting. For
- example, if a server's minimum password length is 8, you can use the
- /passwordreq option to allow the danbe account to not have a password, but
- if the account does have a password it must have at least 8 characters.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- Adjusting Security Settings
-
- To change security settings:
-
-
- 1. From the Accounts menu, choose Security settings.
-
- The "Security Settings on \\server" dialog box (Figure 4.1) appears.
-
- The dialog box shows the security settings, as well as the server's
- role. For more information about server roles, see the "Setting Up
- Logon Security" section, earlier in this chapter.
-
- 2. In the "Minimum password length" text box, type a value.
-
- The range is 0-14 characters.
-
- 3. In the "Password uniqueness" text box, type a value.
-
- The range is 0-8 password changes.
-
- 4. In the "Minimum password age" text box, type a value.
-
- The range is 0-49710 days.
-
- 5. From the "Maximum password age" option buttons:
-
- ■ To specify the number of days that can pass before a user is
- forced to change his or her password, select "Valid for" and, in
- the text box, type a value. The range is 1-49710 days.
-
- ■ To specify no maximum, select "No limit."
-
- LAN Manager prevents you from setting a server's minimum password
- age to be longer than the maximum password age.
-
-
- 6. From the "Force logoff" option buttons:
-
- ■ To have users logged off as soon as their logon hours or account
- expire, select "Immediately."
-
- ■ To allow users to remain logged on despite their logon limits,
- select "Never."
-
- ■ To force users to log off within a certain amount of time of
- expiration, select "After" and, in the text box, type a value.
-
-
- 7. Choose <OK>.
-
-
- Command Line To change security settings, type
-
- net accounts [/minpwlen:length] [/uniquepw:number] [/minpwage:days]
- [/maxpwage:days] [/forcelogoff:{minutes | no}]
-
- See Net Accounts, Microsoft LAN Manager Administrator's Reference.
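-
- The way minimum password age, password uniqueness and the /passwordreq note interact can be checked with a small model. The Python below is an added example, not LAN Manager code: the Policy and Account classes, the function names and the sample passwords are assumptions, and uniqueness is assumed to remember the current password together with the ones before it.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_DAYS = 49710  # upper bound the dialog box gives for both password ages


@dataclass
class Policy:
    minpwlen: int = 0                # /minpwlen, 0-14 characters
    uniquepw: int = 0                # /uniquepw, 0-8 password changes
    minpwage: int = 0                # /minpwage, 0-49710 days
    maxpwage: Optional[int] = None   # /maxpwage, 1-49710 days; None = "No limit"

    def validate(self) -> List[str]:
        """Return the problems that put a setting outside the documented ranges."""
        errors = []
        if not 0 <= self.minpwlen <= 14:
            errors.append("minimum password length must be 0-14")
        if not 0 <= self.uniquepw <= 8:
            errors.append("password uniqueness must be 0-8")
        if not 0 <= self.minpwage <= MAX_DAYS:
            errors.append("minimum password age must be 0-49710")
        if self.maxpwage is not None:
            if not 1 <= self.maxpwage <= MAX_DAYS:
                errors.append("maximum password age must be 1-49710 or no limit")
            elif self.minpwage > self.maxpwage:
                errors.append("minimum password age exceeds maximum password age")
        return errors


@dataclass
class Account:
    # Plain strings keep the model readable; this is not how passwords are stored.
    password: str
    password_required: bool = True   # cleared with the /passwordreq option of net user
    changed_on: int = 0              # day number of the last change
    history: List[str] = field(default_factory=list)  # older passwords, newest last


def change_password(policy, acct, new, today):
    """Apply the policy to one change request; return (accepted, reason)."""
    if today - acct.changed_on < policy.minpwage:
        return False, "too soon"
    # An account that need not have a password may stay blank, but a
    # password that is set must still meet the minimum length.
    blank_allowed = new == "" and not acct.password_required
    if not blank_allowed and len(new) < policy.minpwlen:
        return False, "too short"
    # Assumption: the current password counts among the remembered ones.
    remembered = (acct.history + [acct.password])[-policy.uniquepw:] if policy.uniquepw else []
    if new in remembered:
        return False, "reused"
    acct.history.append(acct.password)
    acct.password, acct.changed_on = new, today
    return True, "changed"


def days_until_old_password_returns(policy, original="Original-Pw-01"):
    """Days a user needs to cycle throwaway passwords and get `original` back."""
    problems = policy.validate()
    if problems:
        raise ValueError("; ".join(problems))
    acct = Account(password=original)
    day, spare = 0, 0
    while True:
        ok, why = change_password(policy, acct, original, day)
        if ok:
            return day
        if why == "reused":
            spare += 1
            change_password(policy, acct, f"Throwaway-{spare:04d}", day)
        else:  # "too soon": wait out the minimum password age
            day = acct.changed_on + policy.minpwage


if __name__ == "__main__":
    # Constructed policies: same uniqueness, with and without a minimum age.
    for pol in (Policy(uniquepw=8, minpwage=0), Policy(uniquepw=8, minpwage=7, maxpwage=90)):
        print(pol, "-> old password usable again after",
              days_until_old_password_returns(pol), "days")
```

- With a minimum password age of 0, uniqueness alone delays reuse by no time at all; the delay in this model is (uniqueness + 1) x minimum age days.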
-
-
- Resource Permissions and Auditing
-
- The permissions you assign for each resource determine which users can use
- the resource, and in what ways. Permissions can be assigned to both users
- and groups. If you don't assign permissions for a resource to a particular
- user (either by assigning permissions to that user or to a group to which
- the user belongs), that user can't access that resource.
-
- When you assign permissions for a resource, you can also audit use of the
- resource. When you audit a resource, LAN Manager writes an entry to the
- audit trail whenever a user accesses the resource in a certain way. The
- audit entry shows the resource, action performed, user who performed it, and
- the date and time of the action.
-
- Events that can be audited for directories and files include successful and
- failed attempts to open the directory or file, write to it, change access
- permissions for it, or delete a file or subdirectory. Audited events for
- non-disk resources─printer queues, comm queues, and named pipes─are
- successful and failed attempts to access the resource.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- These audit entries are written only if the value of the Server service's
- auditing option is yes or lists resource. The auditing option is set with
- the net start server command, or in the [server] section of the LANMAN.INI
- file.
- ────────────────────────────────────────────────────────────────────────────
-
- On 386 servers, permissions and auditing information for directories and
- files on partitions with HPFS386 are kept with the files themselves.
- Permissions and auditing information for non-disk resources and for
- directories and files on partitions with the file allocation table (FAT)
- file system are kept in the NET.ACC file (along with user accounts and
- groups).
-
- On 286 servers, permissions and auditing information for all resources are
- kept in NET.ACC.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Because LAN Manager keeps the NET.ACC file open and because HPFS386 file
- permissions can't be copied to disks or tapes that don't have HPFS386, most
- backup procedures can't save permissions and auditing information. Two LAN
- Manager utilities, backacc and restacc, are provided to allow permissions
- and auditing information to be backed up. For more information about these
- utilities, see the Microsoft LAN Manager Administrator's Reference.
- ────────────────────────────────────────────────────────────────────────────
-
- On 386 servers with local security, you must consider what permissions to
- set for all the directories and files in the server's HPFS386 partitions.
- These permissions control how local users of the server can access those
- directories and files. Local security has no effect on printer queue, comm
- queue, or named pipe access, however. For more information about local
- security, see the "Local Security on 386 Servers" section, later in this
- chapter.
-
- On servers without local security, the only directories and files you need
- to set permissions for are those that will be shared─but be sure to check
- the permissions for all subdirectories and files in the directory tree of
- any directory you share.
-
- The following section describes the types of permissions that can be
- assigned for each type of resource and how permissions affect users'
- attempts to access resources. This section is followed by procedures
- explaining how to set resource permissions and audit resource use.
-
-
- Types of Permissions
-
- There are different types of permissions for each type of resource
- (directories, files, printer queues, comm queues, and named pipes), each of
- which allows users to perform different actions.
-
-
- Directory and File Permissions
-
- The following list describes the types of permissions that can be assigned
- for directories and files and what each permission allows a user to do.
-
- R (Read)
- User can read and copy files, run programs, and change from one
- subdirectory to another within the shared directory. User can also read
- the extended attributes of files.
-
- W (Write)
- User can write the contents and extended attributes of a file.
-
- Note that when a user with an MS-DOS workstation opens a shared file to
- write to it, and then truncates the file, the file is recreated.
- Therefore, to give users with MS-DOS workstations full write access to a
- file, assign them C permission as well as W permission.
-
- C (Create)
- User can create files and subdirectories within a shared directory. After
- creating a file, a user with C permission can read from or write to the
- file and its extended attributes only until closing it.
-
- D (Delete)
- User can delete files and subdirectories within the shared directory but
- can't delete the shared directory itself.
-
- X (Execute)
- User can run a file (but not read or copy it). Only MS OS/2 computers
- recognize X permission. To allow a user with an MS-DOS workstation to run
- a program, grant that user R permission.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- X permission isn't needed if R permission is assigned to the user for that
- directory or file. R permission includes all rights that X permission
- grants.
- ────────────────────────────────────────────────────────────────────────────
-
- A (Change Attributes)
- User can set the physical file flags of the file.
-
- P (Change Permissions)
- User can change the permissions for the directory or file. Giving a user P
- permission for a directory allows the user to change the permissions for
- only that directory, not to change the permissions for any subdirectories
- of the directory.
-
- Y (Yes)
- Gives the user RWCDA permissions. Y serves as an abbreviation for this set
- of permissions.
-
- N (No)
- Prevents the user from accessing the directory or file. Use this
- permission to exclude individual users from access to a directory or file,
- despite the permissions that are assigned to the groups to which that user
- belongs. You can assign N permission only to individual users.
-
- You can give a user or group any combination of R, W, C, D, X, A, and P
- permissions; for example, you can give a user RWD permissions for a shared
- directory, allowing that user to read files in the directory, write to them,
- and delete them.
-
- Each user can be assigned Y permission, N permission, one or more of the R,
- W, C, D, X, A, and P permissions, or no permissions at all. A group can be
- assigned Y permission, one or more of the R, W, C, D, X, A, and P
- permissions, or no permissions.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- For a user at an MS-DOS workstation to run a program file (with a .COM,
- .EXE, or .BAT extension), the user must have R permission for both the file
- and the directory.
- ────────────────────────────────────────────────────────────────────────────
-
-
- Printer Queue Permissions
-
- The following list describes the three types of permissions you can assign
- to printer queues.
-
- Y (Yes)
- User can send jobs to the printer queue.
-
- N (No)
- User cannot access the printer queue.
-
- Y+P (Yes+Change Permissions)
- User can send jobs to and set access permissions for the printer queue.
-
- "Yes," "No," and "Yes+P" are used to refer to these permissions on the LAN
- Manager Screen.
-
- When assigning permissions with the net access command, use Y or C to
- represent the Yes permission, N or a space to represent the No permission,
- and CP permissions to represent the Yes+P permission (for printer queues, Y
- permission is equivalent to C permission).
-
-
- Comm Queue Permissions
-
- The following list describes the three types of permissions you can assign
- to comm queues.
-
- Y (Yes)
- User can send requests to the comm queue.
-
- N (No)
- User cannot access the comm queue.
-
- Y+P (Yes+Change Permissions)
- User can send requests to and set access permissions for the comm queue.
-
- "Yes," "No," and "Yes+P" are used to refer to these permissions on the LAN
- Manager Screen.
-
- When assigning permissions with the net access command, use Y or RWC to
- represent the Yes permission, N or a space to represent the No permission,
- and RWCP permissions to represent the Yes+P permission (for comm queues, Y
- permission is equivalent to RWC permissions).
-
-
- Named Pipe Permissions
-
- Named pipes are used in interprocess communication (IPC), which is
- communication by different processes running parts of a program. The
- separate processes may be on the same computer or on different computers.
-
- Named pipes are created by some network applications and are used to send
- information back and forth between computers running the application. See
- the documentation for your network applications to find the names of named
- pipes they create. For example, two pipes created by Microsoft SQL Server
- are \PIPE\SQL\QUERY, which is used for SQL-related communications, and
- \PIPE\SQL\CONSOLE, which is used for backing up the database to a disk.
-
- You can assign permissions to named pipes to restrict the use of the
- applications that use those named pipes. For example, to allow all users
- except bobju to use SQL Server to make database queries, you could give the
- group users Y permission to \PIPE\SQL\QUERY, but give bobju N permission to
- that resource.
-
- The following list describes the three types of permissions you can assign
- to named pipes.
-
- Y (Yes)
- User can access the named pipe.
-
- N (No)
- User cannot access the named pipe.
-
- Y+P (Yes+Change Permissions)
- User can access and set access permissions for the named pipe.
-
- "Yes," "No," and "Yes+P" are used to refer to these permissions on the LAN
- Manager Screen.
-
- When assigning permissions with the net access command, use Y or RW to
- represent the Yes permission, N or a space to represent the No permission,
- and RWP permissions to represent the Yes+P permission (for named pipes, Y
- permission is equivalent to RW permissions).
-
-
- How Resource Permissions are Applied
-
- Permissions can be granted to both users and groups, with one exception: N
- permission can't be granted to a group. Use the N permission only to exclude
- a user from accessing a resource for which you have given access to a group
- to which the user belongs. For example, to allow all users except kathykn to
- access the printer queue LASER, grant Y permission to the group users but
- give kathykn N permission.
-
- If a user belongs to two groups, both of which are granted permissions for a
- resource, then that user has all permissions granted to either group. For
- example, suppose donj is a member of users and of marketers. If users is
- granted RW permissions for the resource REPORTS, and marketers is granted WC
- permissions, then donj has RWC permissions.
-
- If permissions are explicitly granted to a specific user, then that user has
- only those permissions, no matter what permissions may be assigned to any
- groups that the user is a member of. For example, if you give beckys, also a
- member of users and marketers, only R permission for REPORTS in the
- preceding example, then the permissions given to users and marketers are
- ignored for beckys, and she would have only R permission.
-
- Administrators at a server (people with accounts at the server with admin
- privilege) can access all resources shared on that server, despite the
- access permissions that the resources have. Even if you assign an
- administrator N permission for a resource, the administrator can still use
- the resource.
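-
- The precedence rules above (admin privilege, then an explicit user entry, then the union of group entries) can be written out as a resolver and run against the REPORTS, LASER and \PIPE\SQL\QUERY examples from this chapter. This Python is an added example, not LAN Manager code: the dictionary layout, the function names and the use of a leading asterisk for groupnames in the data are assumptions, as is modelling admin access as every permission letter.

```python
# What Y abbreviates for each resource type, as stated in this chapter.
Y_EQUIVALENT = {
    "file": "RWCDA",   # directories and files
    "printer": "C",    # printer queues
    "comm": "RWC",     # comm queues
    "pipe": "RW",      # named pipes
}
LETTER_ORDER = "RWCDXAP"


def expand(entry, resource_type):
    """Return the permission letters for one ACL entry, or None for N."""
    entry = entry.strip().upper()
    if entry == "N":
        return None
    letters = set()
    for ch in entry:
        if ch == "Y":
            letters |= set(Y_EQUIVALENT[resource_type])
        elif ch in LETTER_ORDER:
            letters.add(ch)
        else:
            raise ValueError(f"unknown permission letter {ch!r} in {entry!r}")
    return letters


def check_acl(acl):
    """Reject the one assignment the chapter rules out: N given to a group."""
    for name, entry in acl.items():
        if name.startswith("*") and entry.strip().upper() == "N":
            raise ValueError(f"N permission can't be granted to group {name[1:]}")


def resolve(user, acl, memberships, admins=(), resource_type="file"):
    """Return (effective letters, deciding rule) for one user on one resource."""
    check_acl(acl)
    if user in admins:
        # Admin privilege wins even over an explicit N entry.
        return set(LETTER_ORDER), "admin privilege"
    if user in acl:
        # An explicit user entry replaces group grants; it never adds to them.
        return expand(acl[user], resource_type) or set(), "explicit user entry"
    letters, matched = set(), False
    for group in memberships.get(user, ()):
        entry = acl.get("*" + group)
        if entry is not None:
            matched = True
            letters |= expand(entry, resource_type)
    if matched:
        return letters, "union of group entries"
    return set(), "no entry"


def review(acl, memberships, admins=(), resource_type="file"):
    """Effective permissions of every known user, for checking an ACL by eye."""
    table = {}
    for user in sorted(memberships):
        letters, _ = resolve(user, acl, memberships, admins, resource_type)
        table[user] = "".join(ch for ch in LETTER_ORDER if ch in letters) or "-"
    return table


# Constructed data that mirrors the chapter's examples.
MEMBERSHIPS = {
    "donj": {"users", "marketers"},
    "beckys": {"users", "marketers"},
    "kathykn": {"users"},
    "bobju": {"users"},
}
REPORTS = {"*users": "RW", "*marketers": "WC", "beckys": "R"}
LASER = {"*users": "Y", "kathykn": "N"}
SQL_QUERY = {"*users": "Y", "bobju": "N"}

if __name__ == "__main__":
    print("REPORTS  ", review(REPORTS, MEMBERSHIPS))
    print("LASER    ", review(LASER, MEMBERSHIPS, resource_type="printer"))
    print("SQL QUERY", review(SQL_QUERY, MEMBERSHIPS, resource_type="pipe"))
```

- Running review over each shared resource shows where an explicit user entry has narrowed or widened what the user's groups would otherwise give.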
-
-
- Setting Permissions and Auditing for a Directory or File
-
- The procedure in this section explains how to set permissions and auditing
- for a directory or file. Use this procedure to set permissions and auditing
- for the following types of directories and files:
-
-
- ■ Directories that will be shared, and the files and subdirectories of
- those directories. (You can also do this when you share the
- directory.)
-
- ■ All directories and files on HPFS386 partitions of a server with local
- security. Local security is explained in the "Local Security on 386
- Servers" section, later in this chapter.
-
-
- This procedure is also used to set default permissions for a drive or
- partition with the FAT file system. Default permissions are set for the
- drivename of the drive or partition (such as C:). On a FAT partition, a file
- or directory that doesn't have permissions set for itself or for its parent
- directory takes the default permissions you set for the drive. Default
- permissions are explained in Chapter 7, "Disk Resources."
-
- To set or change permissions and auditing for a directory or file:
-
-
- 1. From the Accounts menu, choose File permissions.
-
- The dialog box shown in Figure 4.9 appears.
-
- (This figure may be found in the printed book).
-
- 2. In the "Filename" text box, type the absolute path (including the
- drive) of the file or directory (to set default permissions for a
- drive or partition, type just the drivename, such as C:).
-
- Or use the list box with the <Dir> command button:
-
- ■ Select the drive that contains the directory or file you want,
- then choose <Dir>.
-
- ■ If the directory or file you want now appears in the list box,
- select it. Otherwise, you will need to continue moving down
- through the directory tree. To do so, in the list box, select a
- directory, then choose <Dir>. The subdirectories and files of that
- directory now appear in the list box. Repeat this process until
- you find the directory or file you want, and then select that file
- or directory.
-
- ■ To choose the directory that the list box is displaying the
- contents of, select "<current directory>."
-
- ■ To move up the directory tree to a parent directory or drive,
- select "<parent directory>."
-
- 3. Choose <Zoom>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- This dialog box displays permissions for the selected directory or
- file. The "Permitted" list box lists groups and users on the server
- who are assigned permissions for this file or directory (groupnames
- are preceded by an asterisk), along with the permissions they have.
- The "Not permitted" list box lists groups and users who don't have
- permissions.
-
- 4. Set the permissions for the directory or file:
-
- ■ To grant permissions to a group or user, in the "Not permitted"
- list box, select the groupname or username. From the "Permissions"
- option buttons, select the permissions that you want the group or
- user to have, then choose <Permit>.
-
- The groupname or username moves to the "Permitted" list box, along
- with its permissions.
-
- ■ To change the permissions for a group or user, in the "Permitted"
- list box, select the groupname or username. From the "Permissions"
- option buttons, select the permissions that you want the group or
- user to have.
-
- The permissions displayed in the "Permitted" list box change as
- you change the permissions.
-
- ■ To set the permissions for the directory or file to the default,
- mark the "Use default permissions" check box.
-
- For more information about default permissions for directories and
- files, see Chapter 7, "Disk Resources."
-
- ■ To revoke the permissions for a group or user, in the "Permitted"
- list box, select the groupname or username, then choose >.
-
- ■ To revoke permissions for all users, choose >.
-
-
- 5. To specify which types of events to audit for the directory or file,
- choose <Auditing>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 6. To turn on auditing, mark the "Auditing enabled" check box.
-
- 7. From the "Audited events" check boxes, mark one or more events to be
- audited. Or to audit all the listed events, choose <Set all>.
-
- 8. Choose <OK>.
-
- 9. Choose <OK>.
-
- 10. If the permissions and audited events you just set were for a
- directory, and you want them to apply to every subdirectory and file
- in the directory tree of this directory, choose <Permit tree>.
-
- (If the "Filename" text box displays the name of a directory, and you
- want to remove all permissions for that directory and all
- subdirectories and files in the directory tree of that directory,
- choose >.)
-
- 11. Choose <Done>.
-
-
- For more information about auditing resources and the audit trail, see
- Chapter 16, "Monitoring the Network."
-
- Command Line To set permissions and auditing for a directory or file:
-
-
- ■ Assign permissions for a directory or file by typing
-
- net access drive:path /add [name:permission[ ...]]
-
- ■ Assign audited events for a directory or file by typing
-
- net access resource /trail:{yes | no}
-
- or
-
- net access resource /failure[:{all | none | event[,...]}]
-
- or
-
- net access resource /success[:{all | none | event[,...]}]
-
-
- See Net Access, Microsoft LAN Manager Administrator's Reference.
-
-
- Setting Permissions and Auditing for a Non-Disk Resource
-
- Non-disk resources are printer queues, comm queues, and named pipes. Use the
- following procedure to set or change permissions for a queue or pipe, or to
- set default permissions for the server's printer queues, comm queues, or
- named pipes. (For printer queues and comm queues, you can also set
- permissions when you share the queue.)
-
- To set or change permissions and auditing for a non-disk resource:
-
-
- 1. From the Accounts menu, choose Other permissions.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- The "Access type" list box shows the types of non-disk resources. The
- "Resource name" list box shows the queues or pipes for which
- permissions and auditing have been set.
-
- 2. In the "Access type" list box, select the type of resource for which
- you want to set permissions and auditing.
-
- The entries in the "Resource name" list box change to reflect the
- selection in the "Access type" list box.
-
- 3. Select the resource for which you want to set permissions and
- auditing:
-
- ■ To set default permissions and auditing for the resource type, in
- the "Resource name" list box, select "Default," then choose
- <Zoom>.
-
- Default permissions will be used for resources for which you don't
- set permissions and auditing individually. For example, default
- printer queue permissions will be used for any shared printer
- queues for which you don't set permissions.
-
- ■ To set permissions and auditing for a queue or pipe that does not
- appear in the "Resource name" list box, choose <Add entry>.
-
- ■ To change the permissions and auditing for a queue or pipe, in the
- "Resource name" list box, select the queuename or pipename, then
- choose <Zoom>.
-
- A dialog box similar to the following appears:
-
- (This figure may be found in the printed book).
-
- The title of the dialog box depends on the type of resource you
- have selected. Otherwise, the dialog boxes used for printer
- queues, comm queues, and named pipes are identical.
-
- The "Permitted" list box shows groups and users with permissions
- to use the queue or pipe (groupnames are preceded by an asterisk).
- The "Not permitted" list box shows all other groups and users.
-
-
- 4. Set permissions for the queue or pipe:
-
- ■ To grant permissions to a group or user, in the "Not permitted"
- list box, select the groupname or username.
-
- From the "Assigned permission" option buttons, select the
- permission you want to assign to the group or user, then choose
- <Permit>.
-
- The groupname or username moves to the "Permitted" list box.
-
- ■ To change the permissions for a group or user, in the "Permitted"
- list box, select the groupname or username.
-
- From the "Assigned permission" option buttons, select the
- permission you want the group or user to have.
-
- ■ To revoke the permissions for a group or user, in the "Permitted"
- list box, select the groupname or username, then choose >.
-
- ■ To revoke permissions for all users, choose >.
-
- ■ If you are setting permissions for an actual queue or pipe (not
- setting default permissions), you can set the permissions to the
- default by marking the "Use default permissions" check box.
-
-
- 5. To audit successful or failed attempts to use this resource (or both),
- from the "Enable auditing for" check boxes, mark one or both check
- boxes.
-
- 6. Choose <OK>.
-
- 7. Choose <Done>.
-
-
- Command Line To set permissions and auditing for a non-disk resource:
-
-
- ■ Assign permissions for a non-disk resource by typing
-
- net access resource /add [name:permission[ ...]]
-
- ■ Assign audited events for a non-disk resource by typing
-
- net access resource /trail:{yes | no}
-
- or
-
- net access resource [/failure:{all | none | event}] [/success:{all | none | event}]
-
-
- See Net Access, Microsoft LAN Manager Administrator's Reference.
-
-
- Local Security on 386 Servers
-
- A 386 server with the high-performance file system (HPFS) and user-level
- security can have local security. Local security extends user-level security
- so that file access permissions apply to local users─users working at the
- server itself─as well as to remote users.
-
- Local security makes a server completely secure from unauthorized access. It
- protects the server's files at all times, regardless of whether the
- Workstation service or any other part of LAN Manager is running. When a
- local user tries to access a file on an HPFS partition on the server, LAN
- Manager checks the permissions for the file. Access is allowed only if the
- user has been granted sufficient permissions. LAN Manager also checks file
- permissions when a user runs a program that accesses files.
-
- On a server with local security, file-access auditing is also improved.
- Auditing of the files and directories on the server's HPFS partitions begins
- when the computer is started, even if the Server service isn't started.
-
- When LAN Manager is installed on a 386 server, the server's HPFS file system
- is replaced with HPFS386. Local security protects all files on drives and
- partitions with HPFS386. Files on drives and partitions with the FAT file
- system are not protected by local security (but they are still protected
- from unauthorized remote access by user-level security).
-
- To install local security on the server, use the Setup program. If you want
- to run local security on a server but it isn't installed, install it now
- using the Setup program. For more information about the Setup program, see
- the Microsoft LAN Manager Installation Guide.
-
-
- Starting a Server with Local Security
-
- When the computer starts, many system processes must run. On a server with
- local security, these won't run correctly if the special group local lacks
- RX permissions for some system files. For more information about the group
- local, see the following section.
-
- If the system processes can't run, the computer can't start correctly. To
- help you solve problems caused by incorrect permissions for system files,
- LAN Manager displays the following prompt when a server with local security
- is started:
-
- LAN Manager local security has started.
-
- Press ESC to log on now, or press ENTER to start the computer with no one
- logged on.
-
- Pressing ESC causes a logon prompt to appear on the screen, and you can then
- log on at the server. System initialization will then continue. If you press
- ENTER, the computer will start with no one logged on.
-
- If the computer isn't starting properly with no one logged on, restart it
- and press ESC when this prompt appears, then log on using an account that
- has admin privilege on the server. The computer should start correctly, and
- you can then adjust the local group's permissions for the system files so
- that the computer will be able to start with no one logged on. For more
- information about what system files are involved in computer startup, see
- the "Local Security Guidelines" section, later in this chapter.
-
- Only administrators can start services on servers with local security.
-
- Whenever you stop administering the server, be sure to log off, so that
- other users can't start working at the server using your account with admin
- privilege.
-
-
- File Access with Local Security
-
- LAN Manager creates a special group called local on servers with local
- security. This group represents local users of the server. When a user
- begins working at the server, he or she temporarily becomes a member of
- local and gains the permissions granted to local. Any user has these
- permissions as long as he or she works at the server's keyboard.
-
- A local user gains the permissions granted to local whether or not he or she
- is logged on. If the user is logged on to the network, he or she also has
- the permissions granted to his or her own user account, and to any groups he
- or she is a member of. If a user with admin privilege is logged on, the user
- can access all files on the server, regardless of permissions.
-
- LAN Manager provides the logon utility as a way to log on locally at a
- server with local security. This utility lets a user gain the permissions
- granted to his or her account on the local server, but not to use the
- network in any other way. Users can use the logon utility when they want to
- gain the local file permissions granted to their own accounts, but for some
- reason can't or don't want to access the network. The logon utility is used
- with the following syntax:
-
- logon username password
-
- If a person uses the logon utility when the Workstation service isn't
- running on the server (logging on to the local server only), the logon
- request is processed at the local server only─LAN Manager checks for the
- username and password in the local server's user accounts database. If the
- username and password don't match an account in the local database, the
- logon request is denied.
-
- When a local logon request is validated, LAN Manager displays the following
- message:
-
- Username logged on successfully in the LOCAL domain.
-
- If the Workstation service is running, the logon utility has the same effect
- as the net logon command, and a user typing logon will log on to the
- network. If the domain has logon security, the logon request will be
- processed at a logon server; if the domain doesn't have logon security, the
- logon request will be processed as a standalone logon.
-
- LAN Manager also has a logoff utility, which lets a user log off from a
- server locally. All users (especially administrators) should be sure to log
- off when finished working at a server with local security, to prevent other
- users from working at the server and gaining the original user's permissions
- and privilege.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If you log on locally to a server with local security, then log on to the
- network and log off from the network, you are also logged off from the local
- server.
- ────────────────────────────────────────────────────────────────────────────
-
- For more information about the logon and logoff utilities, see the Microsoft
- LAN Manager Administrator's Reference.
-
- The following list summarizes the permissions and abilities of a user
- working at the console of a server with local security.
-
- Local user not logged on
- User has only the permissions granted to local, and can't access the
- network.
-
- Local user logged on only to local server
- User has permissions granted to local and the permissions granted to his
- or her account, and can't access the network.
-
- Local user logged on to the network
- User has permissions granted to local and the permissions granted to his
- or her account, and can access the network.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If the local user has logged on to the network with a username that is not
- found in the local server's user accounts database, or logs on to the
- network with a username found in the local user accounts database but
- without the password matching that username in the local database, the user
- has only the permissions granted to local.
- ────────────────────────────────────────────────────────────────────────────
-
-
- Local Security Guidelines
-
- On a server with local security, the local security restrictions begin when
- the computer starts, before many of the system initialization files run.
- Therefore, the group local must have permission to execute these files, so
- that the computer starts and works correctly, even when no one is logged on.
- To facilitate this, the Setup program automatically grants local permissions
- for certain files when local security is installed. These permissions are
- shown in Table 4.2.
-
- Table 4.2 Permissions Granted to local on Servers with Local Security
-
- ────────────────────────────────────────────────────────────────────────────
- File or directory                                            Permissions
- ────────────────────────────────────────────────────────────────────────────
- Root directories of all HPFS386 drives and partitions        RX
- Each directory specified in PATH                             RX
-
- C:\OS2                                                       RX
- C:\OS2\SYSTEM                                                RX
- C:\OS2\DLL                                                   RX
- C:\OS2\BOOK                                                  RX
- C:\OS2\INTRO                                                 RX
- C:\OS2\OS2.INI                                               RWX
- C:\OS2\OS2SYS.INI                                            RWX
-
- LANMAN                                                       RX
- LANMAN\SETUP.*                                               None
- LANMAN\NETPROG                                               RX
- LANMAN\NETPROG\HPFS.386                                      None
- LANMAN\NETPROG\HPFS386.IFS                                   None
- LANMAN\SERVICES                                              RX
- LANMAN\NETLIB                                                RX
- LANMAN\ACCOUNTS\NET.ACC                                      RX
- LANMAN\ACCOUNTS\NETACC.BKP                                   None
-
- C:\PUBLIC                                                    RWX
- C:\SPOOL                                                     RWXCD
- The directories specified by the environment variables       RWXCD
- TMP and TEMP, if either or both exists
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- Once LAN Manager has been installed, you can modify these permissions.
- However, when doing so, and when setting permissions for any files on a
- server with local security, keep in mind the following security guidelines
- for each type of file:
-
-
- ■ System files─System files include CONFIG.SYS, PRIVINIT.CMD,
- STARTUP.CMD, OS2INIT.CMD, LANMAN.INI, SECURESH.EXE, and base device
- drivers such as BASEDD.SYS and the DISK01.SYS disk device driver.
- These files are used when the computer starts, so for the computer to
- be able to start with no one logged on, local must have RX
- permissions for them. However, only an administrator should modify
- these files, so do not grant local W, C, or D permission for them.
-
- You have two options for setting permissions for OS2.INI and
- OS2SYS.INI. Giving local RXW permissions for these files allows all
- local users to modify the configuration of the computer's Presentation
- Manager, performing tasks such as determining what programs are listed
- in the "Start Programs" dialog box. If local is given only RX
- permissions for these files, then how the computer is started
- determines whether users will be able to configure Presentation
- Manager: if an administrator or a user with W permission for the
- OS2.INI and OS2SYS.INI files logs on at the special logon prompt
- displayed during system startup, then all users will be able to
- configure Presentation Manager until the computer is restarted.
- Otherwise, nobody (even administrators) will be able to configure
- Presentation Manager until the computer is restarted.
-
- The C:\ directory contains many system files. To ensure the security
- of these files, do not give local W, D, or C permissions to the C:\
- directory.
-
- ■ Data files─For public data files that can be read by any user, grant
- local R permission. For data files that are written to by programs
- that all users are allowed to use, grant local RW permissions.
-
- For private user data files, do not give any permissions to local.
- Give permissions only to the appropriate users.
-
- ■ Executable programs and dynamic link libraries─These are programs and
- files with .EXE and .DLL filename extensions (dynamic link libraries
- are files of commands used internally by executable programs). For
- those used by general users, grant local RX permissions. In general,
- it is safe to grant RX permissions for executable files, as long as
- the permissions for the data files that these programs may modify are
- set correctly.
-
- For programs and dynamic link libraries used only by administrators,
- grant no permissions to local or any other user or group.
-
- Don't grant W permission for any program or dynamic link library, to
- prevent users from substituting these files with others. Also, don't
- grant C permission for any directory specified in the MS OS/2 path
- command. These steps help ensure that no viruses or trojan horses get
- onto the server.
-
- ■ NET.ACC file─The NET.ACC file contains the server's user accounts
- database. The Setup program gives local RWX permissions for NET.ACC.
- Giving local these permissions should not cause security problems, as
- the account information in NET.ACC is stored in binary format (instead
- of ASCII text) and thus isn't easily readable with a text editor.
- Also, as long as the Workstation service is running, it keeps the
- NET.ACC file open, so commands and programs that need exclusive access
- to a file (such as the MS OS/2 copy and del commands) will not work on
- NET.ACC while LAN Manager is running.
-
- You can choose to revoke the permissions for NET.ACC given to local.
- If you do so, users who have accounts on the server won't be able to
- view or change their passwords or user comments while working locally
- at the server (but will still be able to do so from remote
- workstations). All other LAN Manager commands will still work if you
- revoke the local group's NET.ACC permissions.
-
- NETACC.BKP is the NET.ACC backup file created by the backacc utility.
- All users and groups should always be prevented from accessing it in
- any way.
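-
- The guidelines above can be checked mechanically. The following is an added
- example (not part of the original guide or of LAN Manager) that takes a table
- of permissions granted to local and reports every entry that breaks one of
- the guidelines. The sample table, its pathnames, the finding codes, and the
- function names are constructed for the illustration.

```python
import ntpath

# System files named in the guidelines (matched by base name, any directory).
SYSTEM_FILES = {"CONFIG.SYS", "PRIVINIT.CMD", "STARTUP.CMD", "OS2INIT.CMD",
                "LANMAN.INI", "SECURESH.EXE", "BASEDD.SYS", "DISK01.SYS"}
MODIFY = set("WCD")  # write, create, delete

# Finding codes (hypothetical names) and the guideline each one reflects.
FINDINGS = {
    "SYSTEM_MODIFIABLE": "local has W, C or D on a system file",
    "SYSTEM_NEEDS_RX": "local lacks RX on a file used when the computer starts",
    "ROOT_MODIFIABLE": "local has W, C or D on the C:\\ directory",
    "PROGRAM_WRITABLE": "local has W on an .EXE or .DLL file",
    "PATH_DIR_CREATE": "local has C on a directory named in the path command",
    "BACKUP_ACCESSIBLE": "NETACC.BKP is accessible; it should have no permissions",
}


def norm(pathname):
    """Upper-case and normalize a pathname (c:\\os2\\ becomes C:\\OS2)."""
    return ntpath.normpath(pathname).upper()


def audit_local(entries, path_dirs):
    """Check permissions granted to the local group against the guidelines.

    entries   -- {pathname: permission letters granted to local}; '' is none
    path_dirs -- directories named in the MS OS/2 path command
    Returns a sorted list of (pathname, finding code) pairs.
    """
    search_path = {norm(d) for d in path_dirs}
    found = []
    for raw, perms in entries.items():
        path, granted = norm(raw), set(perms.upper())
        base = ntpath.basename(path)
        ext = ntpath.splitext(base)[1]
        if base in SYSTEM_FILES:
            # Needed at startup, but only an administrator should modify them.
            if granted & MODIFY:
                found.append((path, "SYSTEM_MODIFIABLE"))
            if not {"R", "X"} <= granted:
                found.append((path, "SYSTEM_NEEDS_RX"))
        elif ext in (".EXE", ".DLL") and "W" in granted:
            # W on a program lets a user substitute another file for it.
            found.append((path, "PROGRAM_WRITABLE"))
        if path == "C:\\" and granted & MODIFY:
            found.append((path, "ROOT_MODIFIABLE"))
        if path in search_path and "C" in granted:
            found.append((path, "PATH_DIR_CREATE"))
        if base == "NETACC.BKP" and granted:
            found.append((path, "BACKUP_ACCESSIBLE"))
    return sorted(found)


# Constructed sample: permissions granted to local on a hypothetical server.
SAMPLE_PATH = [r"C:\OS2", r"C:\TOOLS"]
SAMPLE = {
    "C:\\": "RX",
    r"C:\CONFIG.SYS": "RWX",                  # W on a system file
    r"C:\PRIVINIT.CMD": "RX",
    r"C:\STARTUP.CMD": "R",                   # X is missing
    r"C:\OS2": "RX",
    r"C:\TOOLS": "RXC",                       # C on a path directory
    r"C:\TOOLS\REPORT.EXE": "RWX",            # W on a program
    r"C:\LANMAN\ACCOUNTS\NETACC.BKP": "R",    # backup file is readable
    r"C:\PUBLIC": "RWX",
}

if __name__ == "__main__":
    for path, code in audit_local(SAMPLE, SAMPLE_PATH):
        print(f"{path}: {FINDINGS[code]}")
```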
-
-
-
- Background Processes
-
- On servers with local security, all background processes are subject to file
- access permissions. Every process always has the permissions granted to the
- local group. Also, while a user is logged on locally at the server, the
- process has the permissions granted to that user. While an administrator is
- logged on, the process can access all files on the server, just as
- administrators can.
-
- While a background process is running, several different users may log on
- and log off. If the process is not privileged, then each time a user logs
- on, the process gains the permissions granted to that user, in addition to
- the permissions of local. When the user logs off, the process loses the
- permissions of that user and again has only the permissions of local.
-
-
- Privileged Processes
-
- Many processes must have access to all the server's files, regardless of who
- logs on to or off from the server locally. To let these processes work, the
- administrator can run them as privileged processes. These processes can
- access all files on the server, whether or not anyone is logged on locally.
- Only an administrator can make a process privileged, and only when starting
- the process.
-
- An administrator has two ways to start a privileged process when the
- computer starts:
-
-
- ■ Put the command starting the process in PRIVINIT.CMD, which is located
- in the C:\ directory. This is a special batch program run when a
- computer with local security starts. Each command in PRIVINIT.CMD is
- started as a privileged process.
-
- Commands in PRIVINIT.CMD are not automatically run as background
- processes. To start a background process from PRIVINIT.CMD, use the MS
- OS/2 detach command. For more information about the detach command,
- see your operating system manual(s).
-
- ■ Put the command to start the program in CONFIG.SYS using the run
- command. Programs started with the run command are always started as
- background processes. For more information about the run command, see
- your operating system manual(s).
-
-
- Commands in STARTUP.CMD and OS2INIT.CMD are not run as privileged processes.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- LAN Manager services must be started as privileged processes. To have a
- service start automatically when the computer starts (before anyone logs on
- at the server), put the net start command in PRIVINIT.CMD. On servers with
- local security, do not start LAN Manager services from STARTUP.CMD.
- ────────────────────────────────────────────────────────────────────────────
-
- To start a privileged process at the MS OS/2 prompt once the computer is
- running, type priv followed by the command to start the process. For
- example, suppose sort is normally started in the background by typing
-
- detach sort < source > destination
-
- To start sort as a privileged background process, type
-
- detach priv sort < source > destination
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- LAN Manager services are an exception to this requirement. When started by
- an administrator, LAN Manager services are automatically treated as
- privileged processes─using the priv command is unnecessary.
- ────────────────────────────────────────────────────────────────────────────
-
- When you start a program as a privileged process, the privilege applies only
- to that instance of the program. If you or another user runs the program
- again later, the program is not automatically privileged. This applies to
- privileged processes started both from the command line and by the
- PRIVINIT.CMD file.
-
- Descendant processes started by a privileged process─no matter how the
- privileged process was started─are also privileged.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Be careful when using the Netrun service on a server with local security.
- The Netrun service must be started as a privileged process, so processes run
- on the server by a remote user (using the Netrun service) are also
- privileged processes.
- ────────────────────────────────────────────────────────────────────────────
-
-
- SECURESH.EXE and the CONFIG.SYS File
-
- When local security is installed, LAN Manager adds the pathname of the file
- SECURESH.EXE to the protshell entry of the CONFIG.SYS file. SECURESH.EXE
- implements local security on the server's files.
-
- By default, LAN Manager adds SECURESH.EXE to CONFIG.SYS without any options,
- but SECURESH.EXE can take two options:
-
- protshell=securesh.exe [/n] [/f:pathname] files
-
- (files represents the original value of protshell, to which LAN Manager
- added SECURESH.EXE.)
-
- The /n option nullifies local security, causing all users and processes to
- have access to all files on the server. However, if this option is
- specified, PRIVINIT.CMD (or the file specified by the /f option) is still
- executed, and auditing of file use for the server's HPFS386 partitions
- still begins when the computer is started.
-
- Use the /n option if you need to temporarily disable local security (to fix
- problems with the computer's configuration, for example), and if you want
- the PRIVINIT.CMD file to run automatically as usual.
-
- The /f option specifies a filename other than PRIVINIT.CMD to be executed as
- privileged when the computer starts. This file should be in a drive or
- partition with HPFS386, ensuring that it will be protected by local
- security. If you specify a file with this option, PRIVINIT.CMD will not be
- run when the computer starts.
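-
- Because /n switches local security off and /f changes which file runs as
- privileged at startup, the protshell entry is worth checking whenever
- CONFIG.SYS is reviewed. The following added example (not part of the
- original guide or of LAN Manager) parses the entry using the syntax shown
- above. The sample CONFIG.SYS text, the origshell.exe placeholder, the list
- of HPFS386 drives, and the function name are assumptions, and the parser
- accepts the options in either case.

```python
import ntpath

DEFAULT_STARTUP = r"C:\PRIVINIT.CMD"  # PRIVINIT.CMD is located in C:\


def check_protshell(config_sys, hpfs386_drives):
    """Inspect the protshell entry of a CONFIG.SYS text.

    hpfs386_drives -- drive letters known to use HPFS386 (caller-supplied)
    Returns a dict describing how SECURESH.EXE is configured.
    """
    report = {"securesh": False, "nullified": False, "startup_file": None,
              "startup_protected": None, "unknown_options": [], "files": ""}
    for line in config_sys.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.strip().upper() != "PROTSHELL":
            continue
        tokens = value.split()
        if not tokens or ntpath.basename(tokens[0]).upper() != "SECURESH.EXE":
            report["files"] = " ".join(tokens)
            return report  # SECURESH.EXE is not in the protshell entry
        report["securesh"] = True
        startup, i = DEFAULT_STARTUP, 1
        # Options sit between SECURESH.EXE and the original protshell value.
        while i < len(tokens) and tokens[i].startswith("/"):
            option = tokens[i].upper()
            if option == "/N":
                report["nullified"] = True      # local security is disabled
            elif option.startswith("/F:") and len(option) > 3:
                startup = tokens[i][3:]         # replaces PRIVINIT.CMD
            else:
                report["unknown_options"].append(tokens[i])
            i += 1
        report["files"] = " ".join(tokens[i:])
        report["startup_file"] = startup.upper()
        # The privileged startup file should live on an HPFS386 drive so that
        # local security protects it. None means no drive letter was given.
        drive = ntpath.splitdrive(startup)[0].upper().rstrip(":")
        drives = {d.upper().rstrip(":") for d in hpfs386_drives}
        report["startup_protected"] = (drive in drives) if drive else None
        return report  # only the first protshell entry is examined
    return report  # no protshell entry at all


# Constructed CONFIG.SYS fragments; origshell.exe is a placeholder for the
# original protshell value ("files" in the syntax line).
PROTECTED = r"""
rem constructed sample
protshell=securesh.exe /f:c:\secure\boot.cmd d:\example\origshell.exe
"""
WEAKENED = r"""
rem constructed sample
protshell=securesh.exe /N /f:a:\boot.cmd d:\example\origshell.exe
"""

if __name__ == "__main__":
    for name, text in (("PROTECTED", PROTECTED), ("WEAKENED", WEAKENED)):
        print(name, check_protshell(text, ["C"]))
```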
-
-
- Upgrading MS OS/2 or LAN Manager
-
- To prepare LAN Manager for upgrade or removal, see the Microsoft LAN Manager
- Installation Guide.
-
-
-
-
-
-
- Chapter 5 Share-Level Security
- ────────────────────────────────────────────────────────────────────────────
-
- With share-level security, each shared resource is protected with a single
- password. The administrator assigns this password when sharing the resource
- and controls who has access to the resource by controlling who knows the
- password.
-
- To gain access to a shared resource, a user has to know the password for
- that resource. User accounts are not created on servers with share-level
- security.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- The default security mode is user-level security. If you're not sure what
- type of security the server has, type net config server. To change from
- user-level security to share-level security, use the Setup program's
- configuration management feature. For information about using the Setup
- program, see the Microsoft LAN Manager Installation Guide.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- Administering a Server with Share-Level Security
-
- To locally administer a server with share-level security, just start the
- server and log on. You can then share resources and use other administrative
- commands.
-
- When you start a server with share-level security, you must decide whether
- to share the administrative resources ADMIN$ and IPC$.
-
- ADMIN$ controls remote administration of the server. You must share it to be
- able to administer the server remotely.
-
- If you share ADMIN$, assign a password to it and give that password only to
- people who you want to remotely administer the server. If you share ADMIN$
- with no password, any network user can administer the server from a
- workstation running LAN Manager for MS OS/2 or LAN Manager Enhanced for
- MS-DOS. Note that changing the ADMIN$ password when users have active
- sessions will not change the status of those sessions. The sessions remain
- active until the users disconnect their workstations from the server.
-
- When a user begins to administer the server remotely (by typing net admin
- \\computername or setting the focus on the server), LAN Manager prompts the
- user for the ADMIN$ password.
-
- When you begin administering a server with share-level security, you will
- probably want to share IPC$. It enables interprocess communication (IPC),
- which is necessary for users to view the list of resources shared at the
- server, for the Netrun service and some network applications to work, and
- for remote administration.
-
- It is easiest to share IPC$ with no password. If IPC$ is password protected,
- users must first make a connection to IPC$, supplying the password, before
- performing any task requiring IPC$ (including viewing the list of resources
- shared on the server).
-
- For details about the use and sharing of ADMIN$, IPC$, and the other special
- administrative resources, see Chapter 6, "Administrative Resources."
-
-
- Setting Resource Permissions
-
- When you share a resource, you can assign a password to the resource. Only
- users who know the password will be able to access the resource.
-
- When you share a directory as a resource, you also set permissions for the
- resource. Permissions define what types of action can be taken by users who
- make a connection to that resource. These permissions apply to each user who
- accesses the directory, and are the same for the shared directory and each
- of its subdirectories and files.
-
- For directories on servers with share-level security, there are seven types
- of permissions. The following list describes each permission and what each
- allows users to do.
-
- R (Read)
- Users can read and copy files, run programs, and change from one
- subdirectory to another within the shared directory. Users can also read
- the extended attributes of files.
-
- W (Write)
- Users can write the contents and extended attributes of a file.
-
- C (Create)
- Users can create files and subdirectories within the shared directory.
- After creating a file, a user with C permission can read from or write to
- the file and its extended attributes only until closing it.
-
- D (Delete)
- Users can delete files and subdirectories within the shared directory, but
- not the shared directory itself.
-
- X (Execute)
- Users can execute a file. Only computers with MS OS/2 recognize X
- permission. To let a user with an MS-DOS workstation run a file, you must
- assign R permission for the directory.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- X permission isn't needed if R permission is assigned for the directory. R
- permission includes all rights that X permission grants.
- ────────────────────────────────────────────────────────────────────────────
-
- A (Change Attributes)
- Users can set the physical file flags of the file.
-
- P (Admin only)
- Users can access the directory only if the user has administrator status.
- Users gain administrator status by making a connection to the ADMIN$
- resource.
-
- When sharing a directory as a resource, you can grant any combination of
- these permissions, depending on how you want users to be able to access the
- directory.
-
- When you share a directory as a resource and grant permissions for it, those
- permissions apply only to that resource─they are not assigned to the
- directory itself, so if you share the directory again you can grant
- different permissions for it.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- To share a directory and give different permissions to different people,
- share the directory twice, with different sharenames, passwords, and
- permissions.
-
- For example, you could share the directory C:\SALES with the sharename
- SALES1 with only R permission, and also share it with the sharename SALES2
- with RWCDA permissions. You might share SALES1 with no password, allowing
- all users to read the information in the directory, but share SALES2 with a
- password and let only certain users know the password.
- ────────────────────────────────────────────────────────────────────────────
-
- When you share a printer queue, grant C permission for the queue. When
- sharing a comm queue, grant RWC permissions. For either type of queue, you
- can also grant P (admin-only) permission; doing so restricts access to the
- queue, allowing only users with administrator status to use the queue.
-
- With share-level security, permissions are effective only until you stop
- sharing the resource. No record of the permissions is saved. To save the
- permissions associated with a shared resource, save a profile, and load the
- profile later to recreate the resource configuration. For more information,
- see Chapter 10, "Profiles."
-
- For a full explanation of how resources are shared and assigned permissions
- on servers with share-level security, see Part 3, "Sharing Resources."
-
-
-
-
-
- PART III Sharing Resources
- ────────────────────────────────────────────────────────────────────────────
-
- Servers make disk resources and devices available over the local-area
- network through a process known as sharing. The first four chapters in Part
- 3 tell how to share the four types of resources.
-
- Chapter 6 discusses the sharing of the special administrative resources that
- support remote use and administration of the server. Chapter 7 tells how to
- share the server's directories. Chapters 8 and 9 tell how to share printer
- queues and communication-device queues (comm queues), which store and route
- users' requests to devices on servers.
-
- The final chapter, Chapter 10, explains how to use profiles. Profiles allow
- you to save and load a server's configuration of shared and used resources.
-
-
-
-
-
-
-
- Chapter 6 Administrative Resources
- ────────────────────────────────────────────────────────────────────────────
-
- A server's administrative resources are used when network users and
- administrators perform certain tasks on the server. These tasks include
- viewing the resources that the server is sharing, administering the server
- remotely, using the Netrun service, and running distributed applications.
-
- How a server's administrative resources are shared determines which of these
- tasks can be performed on the server. Whether a server has user-level or
- share-level security determines what kind of access a user has to these
- resources, and whether the resources are shared automatically when the
- server starts.
-
- This chapter explains the functions of each of the administrative resources,
- and tells how to share and stop sharing them on servers with user-level or
- share-level security.
-
-
- Using the Administrative Resources
-
- The administrative resources are ADMIN$, IPC$, and the disk administrative
- resources. They are hidden from most network users─only administrators can
- see them when using the LAN Manager Screen to view the resources that the
- server is sharing.
-
-
- ADMIN$
-
- ADMIN$ controls remote administration. A server's ADMIN$ resource must be
- shared for an administrator to administer the server remotely.
-
- To administer a server remotely, an administrator does not need to make a
- connection to ADMIN$. When a remote administration session begins, LAN
- Manager makes the connection automatically. An administrator working at a
- remote computer can make an explicit connection to a server's ADMIN$
- resource, however. Making such a connection gives the administrator access
- to all files and programs in the LAN Manager directory.
-
- When a server with user-level security starts, LAN Manager automatically
- shares ADMIN$.
-
- Sharing ADMIN$ is not automatic on servers with share-level security. An
- administrator must share the resource. To prevent security breaches, it is
- important to assign the ADMIN$ resource a password and to give the password
- only to people who will administer the server remotely. Anyone who connects
- to the ADMIN$ resource on a server with share-level security becomes an
- administrator for the server.
-
- You can limit the number of users who can perform remote administration on
- the server by changing the "Max. users" value for ADMIN$. See the "Changing
- Administrative Resource Options" section, later in this chapter. When you
- set or change the limit for "Max. users," it overrides the numadmin value
- set in the [server] section of the LANMAN.INI file.
-
-
- IPC$
-
- IPC$ controls interprocess communication (IPC). IPC is the communication
- between different processes of a program, different computers running parts
- of a single program, or two programs working together.
-
- In LAN Manager, IPC takes place when a user or administrator performs one of
- the following actions:
-
-
- ■ Views a list of a server's available resources.
-
- ■ Administers the server remotely.
-
- ■ Uses the Netrun service.
-
- ■ Runs a distributed application. Distributed applications are software
- products, such as Microsoft SQL Server, that are designed to run on a
- network. In these applications, individual computers run programs that
- cooperate to get a single job done.
-
-
- IPC$ must be shared for any of these tasks to be performed.
-
- On a server with user-level security, LAN Manager automatically shares IPC$.
- On a server with share-level security, an administrator must share IPC$; it
- is not shared automatically.
-
- Users and administrators usually don't need to make an explicit connection
- to IPC$. When IPC$ is needed, LAN Manager automatically makes a connection.
-
- You can assign IPC$ a password on a server that has share-level security,
- but this is not recommended. If you assign IPC$ a password, users must
- supply the password to view lists of resources available on the server, to
- use the Netrun service, and to run distributed applications. Also, to
- perform remote administration when IPC$ has a password, administrators must
- first connect to ADMIN$, then supply both the ADMIN$ and the IPC$ passwords.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- To enable remote administration of a server, a server must share ADMIN$ and
- IPC$. To prevent remote administration, you can choose not to share ADMIN$
- or IPC$, or both. However, if IPC$ is not shared, users cannot view the
- server's resources and use the Netrun service. To prevent remote
- administration but allow these other features, share IPC$ but not ADMIN$.
- ────────────────────────────────────────────────────────────────────────────
-
-
- Disk Administrative Resources
-
- The disk administrative resources represent the server's disk drives. One of
- these is automatically shared for each of the server's drives whenever you
- start a server with either user-level or share-level security.
-
- The sharename for each disk administrative resource is the drive letter
- followed by $. For example, when you start a server with A, B, and C drives,
- LAN Manager shares the A$, B$, and C$ resources.
-
- Only administrators can connect to the disk administrative resources. Doing
- so gives an administrator access to all directories and files on the
- server's drives. Administrators working at remote computers cannot access a
- server's administrative resources unless ADMIN$ and IPC$ are shared.
-
-
- Sharing an Administrative Resource
-
- ADMIN$ and IPC$ must be explicitly shared on a server with share-level
- security. To control remote administration or access to named pipes, you can
- stop or start sharing ADMIN$ and IPC$.
-
- Disk administrative resources are shared automatically. For more
- information, see the "Sharing a Disk Administrative Resource" section, later
- in this chapter.
-
-
- Sharing ADMIN$ and IPC$
-
- To share ADMIN$ or IPC$:
-
-
- 1. From the View menu, choose Shared resources.
-
- The dialog box shown in Figure 6.1 appears.
-
- (This figure may be found in the printed book).
-
- The list box shows the resources the server is sharing. Administrative
- resources are not displayed unless the "Show hidden shares" check box
- is marked.
-
- 2. To display shared administrative resources, mark the "Show hidden
- shares" check box.
-
- 3. Choose <Add share>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 4. Select the "Admin share" option button, then choose <OK>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- If the server has share-level security, a "Password" text box appears
- in the dialog box.
-
- 5. From the "Sharename" option buttons, select either "ADMIN$" or "IPC$."
-
- 6. In the "Remark" text box, optionally type a descriptive comment to be
- displayed when administrators view lists of the server's shared
- resources.
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If you do not type a comment for this resource, LAN Manager displays the
- default comment─"Remote IPC$" for IPC$, or "Remote ADMIN$" for
-
-
-
- 7. To protect the ADMIN$ resource (if the server has share-level
- security), in the "Password" text box, type a password for the
- resource.
-
- To let users more easily perform tasks requiring interprocess
- communication, do not type a password for the IPC$ resource.
-
- 8. If you don't want to limit the number of people who can use the
- resource simultaneously, from the "User limit" option buttons, select
- "Unlimited." To set a limit, select "Max. users," and type the number
- in the text box.
-
- 9. If you are sharing the IPC$ resource and want to make it available
- only to administrators, mark the "Admin only" check box.
-
- 10. Choose <OK>.
-
- 11. Choose <Done>.
-
-
- Command Line To share ADMIN$ or IPC$:
-
-
- ■ Share ADMIN$ by typing
-
- net share ADMIN$ [password]
-
- ■ Share IPC$ by typing
-
- net share IPC$ [password]
-
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
- Sharing a Disk Administrative Resource
-
- Disk administrative resources are shared automatically. If you have stopped
- sharing a disk administrative resource, however, you must start sharing the
- resource again. This can be done from the command line only.
-
- Command Line To share a disk administrative resource, type
-
- net share sharename=devicename [password]
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
- Changing Administrative Resource Options
-
- You can change the configuration of an administrative resource that has been
- shared on a server with user-level or share-level security. The options you
- can change are
-
-
- ■ The remark for the administrative resource
-
- ■ The user limit
-
- ■ Who is permitted to use the resource, such as administrators only or
- all users
-
-
- To change administrative resource options:
-
-
- 1. From the View menu, choose Shared resources.
-
- The "Shared Resources at \\server" dialog box (Figure 6.1) appears.
-
- 2. If the list box does not display administrative resources, mark the
- "Show hidden shares" check box.
-
- 3. In the list box, select the administrative resource, then choose
- <Zoom>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 4. Change any options that you want to change, then choose <OK>.
-
- 5. Choose <Done>.
-
-
- Command Line To change administrative resource options, type
-
- net share sharename [/permissions:permissions] [/users:number |
- /unlimited] [password] [/remark:"text"]
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
- Stop Sharing an Administrative Resource
-
- To stop sharing an administrative resource:
-
-
- 1. From the View menu, choose Shared resources.
-
- The "Shared Resources at \\server" dialog box (Figure 6.1) appears.
-
- 2. If the list box does not display administrative resources, mark the
- "Show hidden shares" check box.
-
- 3. In the list box, select the administrative resource, then choose <Stop
- sharing>.
-
- 4. When prompted for confirmation, choose <OK>.
-
- 5. Choose <Done>.
-
-
- Command Line To stop sharing an administrative resource, type
-
- net share sharename /delete
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
-
-
-
- Chapter 7 Disk Resources
- ────────────────────────────────────────────────────────────────────────────
-
- With LAN Manager you can share directories and specify which users have
- access to the directories. Any directory on the server can be shared,
- including the root directory. When sharing a directory, you assign it a
- sharename, which identifies the shared directory to users. No two resources
- on a server can have the same sharename.
-
- By assigning permissions for shared directories, you determine what types of
- actions users can take with the directories.
-
- LAN Manager also lets you audit how users access shared directories. You
- specify what types of access attempts are audited. Entries are written to
- the audit trail when the specified events occur.
-
- Permissions and auditing work differently for servers with user-level and
- share-level security. With user-level security, permissions and auditing can
- be set for individual files, directories, or drives. With share-level
- security, permissions and auditing can be set for all accesses to a shared
- resource.
-
-
- Directory Access with User-Level Security
-
- When sharing a directory on a server with user-level security, you specify
- the names of groups and users who can access the shared directory and its
- subdirectories and files. You also define the permissions each group or user
- has for the shared directory. You can set different permissions for each
- subdirectory and file in the shared directory.
-
- The following list explains the access that each type of permission allows
- for directories shared on a server with user-level security.
-
- R (Read)
- User can read and copy files, run programs, and change from one
- subdirectory to another within the shared directory. User can also read
- the extended attributes of files.
-
- W (Write)
- User can write the contents and extended attributes of a file.
-
- Note that when a user with an MS-DOS workstation opens a shared file to
- write to it, and then truncates the file, the file is recreated.
- Therefore, to give users with MS-DOS workstations full write access to a
- file, assign them C (Create) permission as well as W permission.
-
- C (Create)
- User can create files and subdirectories within a shared directory. After
- creating a file, a user with C permission can read from or write to the
- file and its extended attributes only until closing it.
-
- D (Delete)
- User can delete files and subdirectories within the shared directory, but
- can't delete the shared directory itself.
-
- X (Execute)
- User can run a file (but not read or copy it). Only MS OS/2 computers
- recognize X permission. To allow a user with an MS-DOS workstation to run
- a program, grant that user R permission.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- X permission isn't needed if R permission is assigned to the user for that
- directory or file. R permission includes all rights that X grants.
- ────────────────────────────────────────────────────────────────────────────
-
- A (Change Attributes)
- User can set the physical file flags of the file.
-
- P (Change Permissions)
- User can change the permissions for the directory or file. Giving a user P
- permission for a directory allows the user to change the permissions for
- only that directory, not to change the permissions for any subdirectories
- of the directory.
-
- Y (Yes)
- Gives the user RWCDA permissions. Y serves as an abbreviation for this set
- of permissions.
-
- N (No)
- Prevents the user from accessing the directory or file. Use this
- permission to exclude individual users from access to a directory or file,
- despite the permissions that are assigned to the groups to which that user
- belongs. You can assign N permission only to individual users.
-
-
- Assigning Inherited Permissions
-
- Inherited permissions can be assigned to files and directories within a
- shared disk resource. Inherited permissions apply to an entire directory
- tree, and can only be assigned using the LAN Manager Screen. To use
- inherited permissions, you set permissions for a directory, then specify
- those permissions to be copied down through the directory tree to all files
- and subdirectories under that directory.
-
-
- Assigning Default Permissions
-
- If you don't set permissions for a directory or file, LAN Manager uses
- default permissions, determined by other permissions you have set:
-
-
- ■ If you have set explicit permissions for a parent directory of a file
- or subdirectory, then those permissions are used as the default by all
- files and subdirectories contained in the parent directory.
-
- ■ If permissions have not been set for a parent directory, and the drive
- containing the file or directory uses the file allocation table (FAT)
- file system or the high-performance file system (HPFS) provided with
- MS OS/2, then the default permissions are the permissions set for the
- drive.
-
- NOTE HPFS386 doesn't recognize default permissions set for drives.
-
- You set drive permissions by setting permissions for the drive letter
- (such as C:). Initially, a drive has no permissions.
-
-
- Figure 7.1 shows the effects of explicit and default permissions for a
- shared directory.
-
- (This figure may be found in the printed book).
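- The lookup order described above, written out as an added example (it is not
- LAN Manager code). It assumes that "parent directory" means the immediate
- parent, and that a user's own entry is used in place of group entries when
- both exist; the ACL table, usernames, and groupnames are constructed sample
- data that reuse the LEVEL1 and LEVEL2 directory names.

```python
import ntpath  # Windows-style path handling, works on any OS


def expand(perms):
    """Expand a permission string to a set of letters (Y = RWCDA, R includes X)."""
    letters = set(perms.upper().replace("Y", "RWCDA"))
    if "R" in letters:
        letters.add("X")
    return letters


def governing_acl(path, acls, filesystem="HPFS"):
    """Return (source, acl) for the permissions that apply to path."""
    path = path.upper().rstrip("\\")
    drive = ntpath.splitdrive(path)[0]
    parent = ntpath.dirname(path).rstrip("\\")
    if path in acls:                       # explicit permissions on the item
        return "explicit", acls[path]
    if parent != drive and parent in acls:  # assumption: immediate parent only
        return "parent " + parent, acls[parent]
    # Drive permissions are the last fallback; HPFS386 does not recognize them.
    if filesystem in ("FAT", "HPFS") and drive in acls:
        return "drive " + drive, acls[drive]
    return "none", {}


def effective(user, groups, acl):
    """Permission letters a user holds under one ACL."""
    entry = acl.get(user.upper())
    if entry is not None:                  # assumption: user entry replaces groups
        return set() if "N" in entry.upper() else expand(entry)
    perms = set()
    for group in groups:
        perms |= expand(acl.get(group.upper(), ""))
    return perms


def allowed(user, groups, path, need, acls, filesystem="HPFS"):
    """True if the user holds permission letter `need` for path."""
    _, acl = governing_acl(path, acls, filesystem)
    return need.upper() in effective(user, groups, acl)


# Constructed sample data: drive default, one directory, one file.
ACLS = {
    "C:": {"USERS": "R"},
    "C:\\LEVEL1": {"STAFF": "Y", "PAT": "N"},
    "C:\\LEVEL1\\LEVEL2\\PLAN.TXT": {"STAFF": "RW", "USERS": "X"},
}

if __name__ == "__main__":
    for target in ("C:\\LEVEL1\\NOTES.TXT", "C:\\LEVEL1\\LEVEL2\\OTHER.TXT"):
        for fs in ("HPFS", "HPFS386"):
            print(target, fs, governing_acl(target, ACLS, fs)[0])
    print(allowed("pat", ["STAFF"], "C:\\LEVEL1\\NOTES.TXT", "R", ACLS))
```

- Under these assumptions, the N entry for PAT on LEVEL1 does not reach files
- in LEVEL2 until the permissions are copied down the directory tree.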
-
-
- Auditing Disk Use
-
- When you share a directory on a server with user-level security, you can
- have LAN Manager audit the resource's use and record these events in an
- audit trail. You can audit different types of activity for each file and
- subdirectory within a shared resource. The audit trail is useful for
- determining how often a file or directory is used and whether access
- permissions for the file or directory are appropriate.
-
- You define what types of access to audit. The audit can include successful
- and failed attempts to open, write to, delete, and change permissions for
- each file and directory.
-
- To learn how to set audited events, see the "Setting Permissions and Audited
- Events" section, later in this chapter.
-
-
- Directory Access with Share-Level Security
-
- On a server with share-level security, each shared directory can be
- protected by a password. Any user can access the directory by supplying the
- password. This lets you control who has access to the directory by limiting
- who knows the password. You can set the password when you share the
- directory or at any later time.
-
- One set of permissions is assigned for the shared directory; these
- permissions apply to every person who uses the directory. The permissions
- also apply to every file and subdirectory in the shared directory.
-
- The following list explains the access that each type of permission allows
- for directories shared on a server with share-level security.
-
- R (Read)
- Users can read and copy files, run programs, and change from one
- subdirectory to another within the shared directory. Users can also read
- the extended attributes of files.
-
- W (Write)
- Users can write the contents and extended attributes of a file.
-
- Note that when a user with an MS-DOS workstation opens a shared file to
- write to it, and then truncates the file, the file is recreated.
- Therefore, to give users with MS-DOS workstations full write access to a
- file, assign them C (Create) permission as well as W permission.
-
- C (Create)
- Users can create files and subdirectories within a shared directory. After
- creating a file, a user with C permission can read from or write to the
- file and its extended attributes only until closing it.
-
- D (Delete)
- Users can delete files and subdirectories within the shared directory, but
- can't delete the shared directory itself.
-
- X (Execute)
- Users can run a file (but not read or copy it). Only MS OS/2 computers
- recognize X permission. To allow a user with an MS-DOS workstation to run
- a program, you must assign R permission to the directory.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- X permission isn't needed if R permission is assigned. R permission includes
- all rights that X grants.
- ────────────────────────────────────────────────────────────────────────────
-
- A (Change Attributes)
- Users can set the physical file flags of the file.
-
- P (Admin only)
- Users can access the directory only if the user has administrator status.
- Users gain administrator status by connecting to the ADMIN$ resource.
-
- When you share a directory and define permissions, these permissions are
- associated with the sharename─not with the physical directory. You can share
- the same directory twice─each time with a different sharename, password, and
- permissions─to give different types of access to different users.
-
- You could, for instance, share the LEVEL1 resource (shown in Figure 7.1),
- telling the password to only a few key people, and then share the LEVEL2 and
- LEVEL3 directories separately, with more general audiences. You could also
- share LEVEL1 as two different resources with two different sharenames─giving
- one set of people RWCDX access to the first resource, and a larger group
- read-only access to the second resource. Figure 7.2 illustrates this sharing
- scheme.
-
- (This figure may be found in the printed book).
-
-
- Auditing Disk Use
-
- When you share a directory on a server with share-level security, LAN
- Manager audits all accesses to that resource. Auditing is either enabled for
- all resource uses, or disabled.
-
- When auditing=yes in the [server] section of the LANMAN.INI file, accesses
- to all shared resources will be recorded in the audit trail. When
- auditing=no, accesses to shared resources aren't recorded.
-
-
- Sharing a Directory with User-Level Security
-
- To share a directory with network users on a server with user-level
- security, you must share the directory, and then set permissions to give
- groups and users access. As you share a disk resource, you can also set up
- the auditing of certain types of access. And you can set up auditing for
- specific files and subdirectories of the shared disk resource. The following
- sections tell how to do all of these things.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- For a user at an MS-DOS workstation to run a program file (with a .COM,
- .EXE, or .BAT extension), the user must have R (Read) permission for both
- the file and the directory.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- Sharing a Directory
-
- To share a directory on a server with user-level security:
-
-
- 1. From the View menu, choose Shared resources.
-
- The dialog box shown in Figure 7.3 appears.
-
- (This figure may be found in the printed book).
-
- 2. Choose <Add share>.
-
- The dialog box shown in Figure 7.4 appears.
-
- (This figure may be found in the printed book).
-
- 3. Select the "Disk directory" option button, then choose <OK>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 4. In the "Sharename" text box, type a sharename for the directory.
-
- Sharenames can have as many as 12 characters, including letters,
- numbers, and the following characters:
-
- ! # $ % & ( ) - . @ ^ _ ` { } ~
-
- The sharename does not have to be the same as the directory name.
-
- 5. In the "Path" text box, type the absolute path (include the drive
- letter) of the directory that you want to share. Or use the "Contents
- of resource" list box with the <Dir> command button to select the
- directory.
-
- To use the "Contents of resource" list box:
-
- ■ Select the drive containing the directory, then choose <Dir> to
- see a listing of the drive's directories.
-
- ■ Select the directory of interest. If you want to share one of its
- subdirectories, choose <Dir> to see a listing. Repeat this step
- until the list box displays the directory that you want to share.
- The pathname for the selection is displayed in the "Contents of
- resource" field.
-
- 6. In the "Remark" text box, optionally type a descriptive comment to be
- displayed with the resource when users view a list of available
- resources.
-
- 7. With the "User limit" option buttons, specify how many people will be
- able to use the resource at once:
-
- ■ To set no limit on the number of users, select the "Unlimited"
- option button.
-
- ■ To set a limit, select the "Max. users" option button, and type
- the number of users to be allowed. If a number appears in the
- accompanying text box when you select the "Max. users" option
- button, this value is from the maxusers entry in the [server]
- section of the LANMAN.INI file. The number of users cannot exceed
- this value.
-
-
- 8. If you want to make the directory available only to users with
- administrator privileges, mark the "Admin only" check box.
-
- 9. Choose <OK>.
-
- The dialog box shown in Figure 7.5 appears.
-
- (This figure may be found in the printed book).
-
- From this dialog box, you can set permissions and audited events for
- the directory, and for any of its files and subdirectories. For
- information about setting permissions and audited events, see the
- following section.
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If you do not want to set permissions and audited events as you share the
- resource, choose <Done> twice.
- ────────────────────────────────────────────────────────────────────────────
-
- Command Line
-
-
- To share a directory on a server with user-level security, type
-
-
- net share sharename=drive:path [/users:number | /unlimited] [/remark:"text"]
-
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
- Setting Permissions and Audited Events
-
- Permissions and audited events can be set when you share the directory, or
- changed afterwards. The procedure to set or change permissions and audited
- events is the same.
-
- For servers with local security, you can also set permissions and audited
- events for unshared resources using the following procedures.
-
- To set permissions and audited events on a server with user-level
- security:
-
-
- 1. If you are setting permissions or audited events as you share the
- resource, follow the steps in the preceding section.
-
- The "Select a File for Access Permissions" dialog box (Figure 7.5)
- appears.
-
- 2. If you are changing permissions or audited events on a previously
- shared resource, from the Accounts menu, choose File permissions.
-
- The "Select a File for Access Permissions" dialog box (Figure 7.5)
- appears.
-
- 3. To set permissions for the resource, in the "Contents of resource"
- list box, be sure that "<current directory>" is selected, then choose
- <Zoom>.
-
- The dialog box shown in Figure 7.6 appears.
-
- (This figure may be found in the printed book).
-
- This dialog box displays permissions for the shared directory. The
- "Not permitted" list box lists all groupnames and usernames for which
- permissions have not been assigned. The "Permitted" list box lists all
- groupnames and usernames for which permissions have been assigned,
- along with the permissions they have.
-
- 4. To set the permissions for the directory:
-
- ■ To grant permissions to a group or user, in the "Not permitted"
- list box, select the groupname or username. From the "Permissions"
- check boxes, mark the permissions, then choose <Permit>.
-
- The groupname or username moves to the "Permitted" list box, with
- the selected permissions displayed.
-
- ■ To change permissions for a group or user, in the "Permitted" list
- box, select the groupname or username. From the "Permissions"
- check boxes, mark the permissions.
-
- The permissions displayed in the "Permitted" list box change as
- new permissions are assigned.
-
- ■ To assign default permissions for all of the groups and users for
- this directory, mark the "Use default permissions" check box.
-
- When prompted for confirmation, choose <OK>.
-
- NOTE On servers with user-level security, you can create a set of
- default permissions for directories. Then, when you share a new
- directory, you can use the default permissions.
- To learn how to set default permissions for a directory, see Chapter 4,
- "User-Level Security."
-
- ■ To revoke the permissions for a group or user, in the "Permitted"
- list box, select the groupname or username, then choose >.
-
- ■ To revoke permissions for all of the groups and users for this
- directory, choose >.
-
-
- 5. To specify which types of events to audit for the directory or file,
- choose <Auditing>.
-
- The dialog box shown in Figure 7.7 appears.
-
- (This figure may be found in the printed book).
-
- 6. To turn on auditing, mark the "Auditing Enabled" check box.
-
- 7. From the "Audited events" check boxes, mark one or more events to
- audit. Or choose <Set all> to audit all of the listed events.
-
- 8. Choose <OK>.
-
- The "Access Permissions for resource" dialog box (Figure 7.6) appears.
-
- 9. Choose <OK>.
-
- The "Select a File for Access Permissions" dialog box (Figure 7.5)
- appears.
-
- 10. If you want to apply the permissions and audited events to each
- existing subdirectory and file in the directory tree of the resource,
- choose <Permit tree>.
-
- 11. If you want to assign permissions and audited events for a file or
- subdirectory within the resource, in the "Filename" list box, type the
- absolute pathname of the file or directory. Or use the "Contents of
- resource" list box with the <Dir> command button to select and display
- the filename or subdirectory.
-
- 12. Repeat steps 3-11 to set permissions and audited events for additional
- files and subdirectories.
-
- 13. Choose <Done>.
-
- Command Line
-
- To set permissions and audited events on a server with user-level
- security:
-
-
-
- 1. For a group or user, provide access to and set permissions for a
- resource by typing
-
- net access resource /add [name:permission[ ...]]
-
- 2. Assign audited events for a directory or file on a server with
- user-level security by typing
-
- net access /trail:{yes | no}
-
- or
-
- net access resource /failure[:{all | none | event[,...]}]
-
- or
-
- net access resource /success[:{all | none | event[,...]}]
-
-
- See Net Access, Microsoft LAN Manager Administrator's Reference.
-
- For more information about auditing resources and the audit trail, see
- Chapter 16, "Monitoring the Network."
-
-
- Sharing a Directory with Share-Level Security
-
- Sharing a directory on a server with share-level security is done from one
- dialog box. All subdirectories and files are given the permissions you
- assign for the shared directory. Also, since auditing is either enabled or
- disabled with share-level security, auditing isn't set for each resource.
-
- To share a directory on a server with share-level security:
-
-
- 1. From the View menu, choose Shared resources.
-
- The "Shared Resources at \\server" dialog box (Figure 7.3) appears.
-
- 2. Choose <Add share>.
-
- The "What would you like to share?" dialog box (Figure 7.4) appears.
-
- 3. Select the "Disk directory" option button, then choose <OK>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 4. In the "Sharename" text box, type a name for the resource.
-
- Sharenames can have as many as 12 characters, including letters,
- numbers, and the following characters:
-
- ! # $ % & ( ) - . @ ^ _ ` { } ~
-
- The sharename doesn't have to be the same as the directory name.
-
- 5. In the "Path" text box, type the absolute path (include the drive
- letter) of the directory that you want to share. Or use the "Contents
- of resource" list box with the <Dir> command button to select the
- directory.
-
- To use the "Contents of resource" list box:
-
- ■ Select the drive containing the directory, then choose <Dir>.
-
- ■ Select the directory of interest. If you want to share one of its
- subdirectories, choose <Dir> to see a listing. Repeat this step
- until the selection shows the directory that you want to share.
- The pathname for the selection is displayed in the "Contents of
- resource" field.
-
- 6. In the "Remark" text box, optionally type a descriptive comment to be
- displayed with the resource when users view a list of available
- resources.
-
- 7. In the "Password" text box, optionally type a password (which can have
- as many as eight characters) for the directory.
-
- If you leave the "Password" text box blank, no password is required
- for users to access the directory.
-
- 8. With the "User limit" option buttons, specify how many people will be
- able to use the resource at once:
-
- ■ To set no limit on the number of users, select the "Unlimited"
- option button.
-
- ■ To set a limit, select the "Max. users" option button, and type
- the number of users to be allowed. If a number appears in the
- accompanying text box when you select the "Max. users" option
- button, this value is from the maxusers entry in the [server]
- section of the LANMAN.INI file. The number of users cannot exceed
- this value.
-
-
- 9. Set permissions for the directory using the "Permissions" check boxes
- by marking the check box for each permission that you want to give to
- users.
-
- Marking the "Admin only" check box restricts use of the directory to
- administrators. Users gain administrator status by connecting to the
- ADMIN$ resource.
-
- 10. Choose <OK>.
-
- 11. Choose <Done>.
-
-
- Command Line
-
- To share a directory on a server with share-level security, type
-
- net share sharename=drive:path [password] [/permissions:permissions]
- [/users:number | /unlimited] [/remark:"text"]
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
- Stop Sharing a Directory
-
- To stop sharing a directory:
-
-
- 1. From the View menu, choose Shared resources.
-
- The "Shared Resources at \\server" dialog box (Figure 7.3) appears.
-
- 2. In the list box, select the directory that you want to stop sharing,
- then choose <Stop sharing>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line
-
- To stop sharing a directory, type
-
- net share sharename /delete
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
-
-
-
-
- Chapter 8 Printers
- ────────────────────────────────────────────────────────────────────────────
-
- LAN Manager shares printers through printer queues. A printer queue stores
- print jobs as users submit them, then routes each print job to a printer
- when the printer becomes available. Printer queues can route print jobs to
- one or more printers. Likewise, one printer can receive jobs from one or
- more printer queues.
-
- From a workstation, users can connect to a printer queue, then send
- documents to that queue as though they were using a local printer.
-
- In this chapter, you'll learn how to create, customize, and share printer
- queues. This chapter also describes how to control printer queues once they
- are shared.
-
- Note that you can set up printers and control printing using Print Manager,
- a Presentation Manager application. For information about using Print
- Manager, see Appendix D, "Using the MS OS/2 Print Manager with LAN Manager,"
- and your MS OS/2 manual(s).
-
-
- How Printer Queues Work
-
- LAN Manager printer queues are spooled. That is, each print job is stored in
- the queue until a printer is available. Meanwhile, the workstation that
- sends the job is free for other tasks─it doesn't have to wait for the job to
- be printed. Unspooled queues tie up the workstation until the job is
- completed.
-
- Some applications must communicate directly with certain serial printers
- (such as some PostScript(R) printers), so they cannot be used with a
- spooler. These printers can be shared through a communication-device queue
- (comm queue). To find out if a certain serial printer can be spooled, see
- your application and printer manuals. For information about sharing
- communication devices, see Chapter 9, "Communication Devices."
-
-
- Printer Queue Setups
-
- LAN Manager provides several ways to set up printer queues to work with your
- printers─one queue per printer, several queues per printer, or several
- printers per queue.
-
-
- One Queue Using One Printer
-
- The simplest queue configuration is one queue for one printer. If the
- network has only one printer, or if each printer is used for a different
- type of printing, this is the recommended method.
-
- Figure 8.1 illustrates how a printer queue works with a printer. In this
- illustration, three workstations send print jobs to the queue. The queue
- sends the first job on to the printer, and stores the other jobs until the
- printer has finished printing the first job.
-
- (This figure may be found in the printed book).
-
-
- One Queue Using Several Printers
-
- When a printer queue uses several printers, the first job in the queue
- always goes to the next available printer. This is an efficient way to share
- a group of similar printers. Figure 8.2 shows how a printer queue works with
- several printers.
-
- (This figure may be found in the printed book).
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- All printers accessed by a single queue must use the same printer driver.
- ────────────────────────────────────────────────────────────────────────────
-
-
- Several Queues Using One or More Printers
-
- Two or more queues can send jobs to the same printer(s). This is especially
- useful if you configure the queues differently─giving them different
- priority levels, for example. As shown in Figure 8.3, jobs in a
- high-priority queue are printed before those in a low-priority queue.
-
- (This figure may be found in the printed book).
-
- This method also can be used if you have an application that requires a
- special print processor. A printer queue using that processor would be used
- for print jobs from that application, while another printer queue would be
- used for all other print jobs.
-
- Figure 8.4 shows a more complex printer setup. Queue A sends jobs to
- Printers A, B, and C. Queue B sends jobs only to Printer B, and Queue C
- sends jobs to Printers B and C.
-
- (This figure may be found in the printed book).
-
- A configuration like this one is both flexible and convenient. It offers
- flexibility to the administrator who wants to set up different queues for
- different purposes. Plus, it offers convenience to users who want to use a
- queue that sends jobs to the next available printer.
-
-
- One Queue Using Local and Remote Printers
-
- A printer queue can route jobs to printers on more than one server. The
- remote printers are shared as comm queues, and connections are made from the
- local server to the comm queue. You then create the printer queue on the
- local server, specifying the devicenames assigned to the comm queues and the
- devicenames of the local printers.
-
- You can use this method to make a printer attached to a workstation running
- the Peer service available to several users. Share the printer attached to
- that workstation as part of a comm queue; then, from a server, connect to
- that comm queue and specify its devicename as part of a printer queue.
-
- For instructions about how to use remote printers, see the "Including a
- Remote Printer in a Printer Queue" section, later in this chapter.
-
-
- Printer Queue Options
-
- The option settings for a printer queue control the configuration of the
- queue─how the queue accesses printers and uses a printer driver, print
- processor, and separator page. This section describes each option. For
- information about how to set options for a printer queue, see the "Sharing a
- Printer Queue" section, later in this chapter.
-
-
- Priority Levels
-
- If two jobs are waiting for a printer at the same time, priority levels
- determine which job prints first. Each printer queue has a priority level
- that determines what priority its jobs get when several queues are trying to
- access the same printer. When a printer finishes printing a document, it
- prints the next waiting job with the highest priority. The highest priority
- is 1, the lowest is 9, and the default is 5. If the queue receives two jobs
- with the same priority, the jobs are printed in the order received.
-
- The arrival of a high-priority job does not interrupt a job currently being
- printed.
-
-
- Printing Times
-
- You can set the times during which a printer queue can send jobs to a
- printer. This lets you queue large print jobs together, and save them for
- times when demand for the printers is low. The printer queue accepts jobs
- submitted at any time, but doesn't start printing until a designated time.
- At the queue's stop-printing time, it stops sending jobs to printers, and
- any jobs remaining in the queue are saved until the start-printing time.
-
-
- The Printer Driver
-
- Each printer queue uses a printer driver for the printers to which it routes
- jobs. A printer driver is a program that controls printing on a particular
- type of printer (for example, the printing of graphics), defining options
- such as printing quality and paper size. The default printer driver is
- IBM4201.
-
- Use the printer driver that supports the type of printer you have. If no
- compatible printer driver is available, you can use IBMNULL. (Note that with
- IBMNULL, graphics from some Presentation Manager applications may not print
- correctly.)
-
-
- The Print Processor
-
- Queued print jobs go through a print processor─a program that prepares files
- for printing.
-
- By default, the LMPRINT processor is used for LAN Manager documents. Certain
- applications, such as page-design programs, use document files containing
- special characters that require a different print processor. To print these
- files, set up a queue that sends jobs to the appropriate print processor.
-
- When setting up a queue that uses a different print processor, you can
- supply options for the print processor, if needed.
-
- If you don't want separator pages to print, you can specify PMPRINT instead
- of LMPRINT.
-
-
- The Separator Page
-
- A printer queue can cause one or more separator pages to print before each
- job. Separator pages typically tell who submitted the job and the date and
- time of printing.
-
- To use print separator pages, supply the name of a separator page file as a
- queue option. You can use LAN Manager's built-in separator page or define
- one of your own.
-
- The default separator, DEFAULT.SEP, prints the username of the person
- printing the document, the print job number, and the date and time of
- printing. (The default separator page is built into the program; DEFAULT.SEP
- is not a separate file on your disk.) Figure 8.5 shows an example of a
- default separator page.
-
- (This figure may be found in the printed book).
-
- You can create and use your own separator page files instead of the default
- separator page. Separator page files include escape codes that give
- instructions to the printer. Escape codes always start with an escape
- character, which can be any character you choose, and end with a letter or
- number. The first line of the separator page file must contain only the
- escape character.
-
- Table 8.1 shows the escape codes you can include in a separator page file.
-
- Table 8.1 Escape Codes for Separator Page Files
-
- Code         Function
- ────────────────────────────────────────────────────────────────────────────
- @N           Prints the username of the person that submitted the job.
-
- @I           Prints the job number.
-
- @D           Prints the date and time the job was printed.
-
- @T           Prints the time the job was printed.
-
- @Ltext       Prints the text specified by text.
-
- @Fpathname   Prints the contents of the file specified by pathname.
-
- @Hnn         Sets a printer-specific control sequence, where nn is a
-              hexadecimal number sent directly to the printer. To find the
-              numbers to use, see your printer manual.
-
- @Wnn         Sets the width of the separator page. The default is 80.
-
- @n           Skips n number of lines. The range is 0-9. Skipping 0 lines
-              moves to the next line.
-
- @B@S         Begins printing in single-width block characters. Text is
-              printed this way until @U is encountered.
-
- @B@M         Begins printing in double-width block characters. Text is
-              printed this way until @U is encountered.
-
- @U           Turns off block-character printing.
-
- @E           Ejects a page from the printer. Use this to start a new
-              separator page or to end the separator page file.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- By default, separator page files are kept in the C:\SPOOL directory.
-
- The following example shows the contents of DEFAULT.SEP, which creates the
- default separator page (see Figure 8.5 for sample output of this separator
- page).
-
- @
- @B@S@N@4
- @I@4
- @U@D
- @E
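-
- A checker for separator page files built from Table 8.1, as an added example
- (it is not part of LAN Manager). It parses the codes, reports malformed ones,
- and lists each @F file outside the spool directory and each @H byte for
- review. Assumptions: @L and @F arguments run to the next escape character,
- text outside a code is reported, and CUSTOM_SEP is a constructed sample.

```python
import ntpath  # Windows-style path handling, works on any OS
import re

TEXT_ARG = {"L", "F"}                       # assumption: argument runs to next escape char
NO_ARG = set("NIDTUE") | set("0123456789")  # codes without an argument; a digit skips lines


def parse_separator(text):
    """Parse a separator page file into (escape_char, tokens, problems).

    tokens is a list of (line_number, code, argument) tuples.
    """
    lines = text.splitlines()
    if not lines or len(lines[0]) != 1:
        return None, [], ["line 1: must contain only the escape character"]
    esc, tokens, problems = lines[0], [], []
    for lineno, line in enumerate(lines[1:], start=2):
        pos = 0
        while pos < len(line):
            if line[pos] != esc:            # assumption: stray text is an error
                nxt = line.find(esc, pos)
                nxt = len(line) if nxt < 0 else nxt
                if line[pos:nxt].strip():
                    problems.append(f"line {lineno}: text outside an escape code")
                pos = nxt
                continue
            code, arg = line[pos + 1:pos + 2], ""
            pos += 2
            if code in TEXT_ARG:
                end = line.find(esc, pos)
                end = len(line) if end < 0 else end
                arg, pos = line[pos:end], end
            elif code in ("H", "W"):
                pattern = r"[0-9A-Fa-f]{2}" if code == "H" else r"[0-9]+"
                match = re.match(pattern, line[pos:])
                if match:
                    arg = match.group()
                    pos += len(arg)
                else:
                    problems.append(f"line {lineno}: {esc}{code} needs a number")
            elif code == "B":
                follow = line[pos:pos + 2]
                if follow in (esc + "S", esc + "M"):
                    arg, pos = follow[1], pos + 2
                else:
                    problems.append(f"line {lineno}: {esc}B needs {esc}S or {esc}M")
            elif code not in NO_ARG:
                problems.append(f"line {lineno}: unknown escape code {esc}{code}")
                continue
            tokens.append((lineno, code, arg))
    if not tokens or tokens[-1][1] != "E":
        problems.append("file does not end with a page eject code")
    return esc, tokens, problems


def review_items(tokens, spool_dir="C:\\SPOOL"):
    """List codes to check by hand: files printed from outside the spool
    directory and raw control bytes sent to the printer."""
    items = []
    prefix = spool_dir.upper() + "\\"
    for lineno, code, arg in tokens:
        if code == "F":
            path = ntpath.normpath(arg.strip()).upper()
            if not path.startswith(prefix):
                items.append((lineno, "F", f"prints a file outside {spool_dir}: {arg.strip()}"))
        elif code == "H":
            items.append((lineno, "H", f"sends raw byte 0x{arg.upper()} to the printer"))
    return items


# DEFAULT.SEP as shown on this page.
DEFAULT_SEP = "@\n@B@S@N@4\n@I@4\n@U@D\n@E\n"

# Constructed sample with "$" as the escape character.
CUSTOM_SEP = "\n".join([
    "$",
    "$W64",
    "$H1B$H45",
    "$LPrinted for $N$2",
    "$FC:\\SPOOL\\BANNER.TXT",
    "$FC:\\SPOOL\\..\\OTHER\\NOTES.TXT",
    "$Q",
    "$E",
])

if __name__ == "__main__":
    for name, sample in (("DEFAULT.SEP", DEFAULT_SEP), ("custom", CUSTOM_SEP)):
        esc, tokens, problems = parse_separator(sample)
        print(name, "escape:", esc, "codes:", [c for _, c, _ in tokens])
        for line in problems:
            print("  problem:", line)
        for item in review_items(tokens):
            print("  review:", item)
```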
-
-
- Printer Queue Security
-
- To give the appropriate users access to a printer queue, administrators
- assign permissions and/or a password to the queue.
-
- For a server with share-level security, you can assign passwords to printer
- queues. Users who know the queue's password can access the queue. You can
- also share a queue as Admin only, which makes it available only to
- administrators who have made a connection to the ADMIN$ resource. Those who
- want to print graphics from Presentation Manager applications must also
- connect to the server's IPC$ resource.
-
- For a server with user-level security, you can assign individual permissions
- to users and groups. There are three types of permission for printer queues
- on servers with user-level security:
-
-
- ■ Y (Yes) permission gives access.
-
- ■ N (No) denies access.
-
- ■ Y+P (Yes+P) gives access to the queue and the right to set permissions
- for other users accessing that queue.
-
-
- If several printer queues will be serving the same or similar groups of
- users, it may be helpful to create a default set of printer queue
- permissions. These can be applied quickly to a new queue simply by marking
- the "Use default permissions" check box as you share the queue. This is
- useful mainly with user-level servers, on which each person must have
- permission to gain access to the queue. For instructions on how to do this,
- see Chapter 4, "User-Level Security."
-
-
- Sharing a Printer Queue
-
- This section explains how to share a printer queue, change printer queue
- options, and stop sharing a printer queue.
-
- When you share the queue for the first time, LAN Manager automatically
- displays the dialog boxes that allow you to set the queue's options. If you
- stop sharing the queue, LAN Manager keeps a record of the printer queue's
- options so you can share it again later.
-
-
- Adding a Printer Queue to a Server's Shared Resources
-
- To give network users access to a printer queue, you need to share that
- queue with the network. This is true whether you are creating a printer
- queue for the first time, or resharing a queue that is already created. When
- you create a new queue, you must assign a sharename by which users can refer
- to the queue. You must also set options for the queue.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Before you can share a printer queue, you must set up each printer using the
- MS OS/2 Print Manager. For information about adding printers, see your MS
- OS/2 manual(s).
- ────────────────────────────────────────────────────────────────────────────
-
- To share a printer queue:
-
-
- 1. From the View menu, choose Shared resources.
-
- The dialog box shown in Figure 8.6 appears.
-
- (This figure may be found in the printed book).
-
- 2. Choose <Add share>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Select the "Printer" option button, then choose <OK>.
-
- A dialog box similar to the following appears:
-
- (This figure may be found in the printed book).
-
- The list box shows printer queues that are created but are not
- currently shared, if any. If the server has share-level security, the
- "Password" text box appears in the dialog box.
-
- 4. Specify a new or existing sharename for the printer queue:
-
- ■ In the "Sharename" text box, type a new sharename.
-
- ■ From the "Queue" list box, select an existing sharename.
-
-
- 5. In the "Remark" text box, type a descriptive comment for the printer
- queue.
-
- This comment is visible to users viewing the resources available on
- the server.
-
- 6. If the server has share-level security, a "Password" text box is
- displayed. In the "Password" text box, type a password to allow only
- users who know the password to access the queue. Without a password,
- anyone can use the queue.
-
- The password can have as many as 15 characters.
-
- 7. From the "User limit" option buttons, select one option:
-
- ■ Select the "Max. users" option button to set a limit. Type the
- number of users in the accompanying text box.
-
- If a number appears in the accompanying text box when you select
- the "Max. users" option button, this value is from the maxusers
- entry in the [server] section of the LANMAN.INI file. The number
- of users cannot exceed this value.
-
- ■ Select the "Unlimited" option button to specify no limit.
-
-
- 8. Mark the "Admin only" check box to make the queue accessible only to
- administrators.
-
- 9. Choose <OK>.
-
- If a printer queue with the sharename you specified doesn't already
- exist, a message box asks if you want to create it. (Note that you
- cannot use the same sharename for more than one queue.) When prompted
- for confirmation, choose <OK>.
-
- 10. Choose <OK>.
-
- If the server has user-level security, another dialog box appears,
- allowing you to set options for the queue. For an explanation of how to
- set the options for the queue, see the following section.
-
-
- Command Line To share a printer queue:
-
-
- ■ Share a new printer queue by typing
-
- net share sharename=devicename[,...]
-
- ■ Share an existing printer queue by typing
-
- net share sharename /print
-
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
- Setting Options for a Printer Queue
-
- When you share a new queue, LAN Manager creates the queue and lets you set
- the configuration options for the queue.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Before you can use a device driver as a printer queue option, and before you
- can use a print processor with a printer queue, they must be installed using
- the MS OS/2 Control Panel. For information about adding a device driver and
- a print processor, see your MS OS/2 manual(s).
- ────────────────────────────────────────────────────────────────────────────
-
- To set options for a new printer queue:
-
-
- 1. Follow the steps in the preceding section to share the new queue.
-
- The dialog box shown in Figure 8.7 appears.
-
- (This figure may be found in the printed book).
-
- 2. In the "Priority" text box, type the priority level for the queue.
-
- The range is 1-9; the default is 5. To set the highest priority for
- the queue, use 1.
-
- 3. In the "Printer device(s)" text box, type the devicename(s) of the
- printer(s) to which the queue will send jobs.
-
- If the queue will send jobs to more than one printer, use a space,
- comma, or semicolon to separate the devicenames. To include a device
- as part of a printer queue, you must add that printer using the MS
- OS/2 Print Manager. For more information about adding printers, see
- your MS OS/2 manual(s).
-
- 4. In the "Separator file" text box, type the name of the separator page
- file you want to use with the queue, if any.
-
- To specify a file in the C:\SPOOL directory (the default location for
- separator page files), type just the filename. To specify a file in
- any other directory, type its entire pathname. The separator page
- provided by LAN Manager is DEFAULT.SEP.
-
- 5. In the "Print after" text box, specify the time at which the queue can
- start sending jobs.
-
- Use 12-hour format. The default value is 12:00AM.
-
- 6. In the "Print until" text box, specify the time after which the
- printer queue can no longer send jobs.
-
- Use 12-hour format. The default value is 11:59PM.
-
- 7. In the "Print processor" text box, specify the print processor
- (LMPRINT is the default).
-
- 8. In the "Parameters" text box, type the values required for the print
- processor.
-
- 9. In the "Driver name" text box, type the name of the printer driver.
-
- 10. In the "Comment" text box, type a comment.
-
- 11. Choose <OK>.
-
- For a server with user-level security, the "Add Permissions for Printer
- Queue" dialog box appears. Use this dialog box to add permissions and
- enable auditing. For an explanation of how to add permissions and
- enable auditing, see the following section.
-
-
- Command Line To set options for a new printer queue, type
-
- net print sharename [/priority:number] [/route:devicename[,...]]
- [/separator:pathname] [/after:time] [/until:time] [/driver:filename]
- [/processor:pmname] [/remark:"text"]
-
- See Net Print, Microsoft LAN Manager Administrator's Reference.
-
-
- Setting Permissions and Audited Events
-
- On a server with user-level security, you can set permissions and audited
- events for a printer queue. For an explanation of the types of permissions,
- see the "Printer Queue Security" section, earlier in this chapter.
-
- To set permissions and audited events for a printer queue:
-
-
- 1. If you are setting permissions or audited events as you share the
- queue, follow the steps in the preceding sections.
-
- 2. If you are changing permissions or audited events on a previously
- shared queue, from the Accounts menu, choose Other permissions.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Set permissions for the printer queue:
-
- ■ To grant permissions to a group or user, in the "Not permitted"
- list box, select the groupname or username.
-
- From the "Assigned permission" option buttons, select a
- permission.
-
- Choose <Permit>.
-
- Note that the selected groupname or username moves to the
- "Permitted" list box.
-
- ■ To change permissions for a group or user, in the "Permitted" list
- box, select the groupname or username.
-
- From the "Assigned permission" option buttons, select a
- permission.
-
- ■ To revoke permissions for a group or user, in the "Permitted" list
- box, select the groupname or username, then choose >.
-
- ■ To revoke permissions for all groups and users, choose >.
-
- ■ To use the default permissions, mark the "Use default permissions"
- check box.
-
-
- 4. To enable auditing for accesses to the resource, from the "Enable
- auditing for" check boxes, mark one or both of the check boxes.
-
- 5. Choose <OK>.
-
- 6. Choose <Done>.
-
-
- Command Line To set permissions for a printer queue, type
-
- net access resource /add [name:permission[ ...]]
-
- See Net Access, Microsoft LAN Manager Administrator's Reference.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- On servers with user-level security, you can create a set of default
- permissions for printer queues. Then, when you share a new printer queue,
- you can use the default permissions.
-
- To learn how to set default permissions for a printer queue, see Chapter 4,
- "User-Level Security".
- ────────────────────────────────────────────────────────────────────────────
-
-
- Including a Remote Printer in a Printer Queue
-
- You can create a printer queue that routes jobs to both local and remote
- printers. This is called a "distributed printer queue."
-
- To set up and share a distributed printer queue:
-
-
- 1. On the remote server, share the printer(s) as part of a comm queue.
-
- Do this on each remote server that controls printers for this queue.
- For further instructions, see Chapter 9, "Communication Devices."
-
- 2. On the local server, make connections to the remote comm queue(s).
-
- For information about how to connect to a shared comm queue, see the
- Microsoft LAN Manager User's Guide for MS OS/2.
-
- 3. Use the MS OS/2 Print Manager to add a printer using the local
- devicename.
-
- For more information about adding printers, see your MS OS/2
- manual(s).
-
- 4. Create the printer queue on the local server, following the procedures
- in the preceding sections.
-
- Set up the printer queue to route jobs to the devicename(s) of the
- local printer(s) and to the devicename(s) assigned to the remote comm
- queue(s).
-
-
- Command Line To set up and share a distributed printer queue:
-
-
- 1. On the remote server, share the printer as a comm queue by typing
-
- net share sharename=devicename /comm
-
- 2. On the local server, make a connection to the comm queue by typing
-
- net use devicename \\computername\sharename /comm
-
- 3. On the local server, create a printer queue by typing
-
- net share sharename /print
-
- 4. On the local server, redirect output for the new printer queue to the
- remote comm queue by typing
-
- net print sharename /route:devicename
-
-
- See Net Print, Net Share, and Net Use, Microsoft LAN Manager Administrator's
- Reference.
-
-
- Changing Options for a Printer Queue
-
- You can change the options for an existing printer queue, whether or not it
- is currently shared. Changes you make will take effect immediately. Two
- procedures follow, each of which allows you to change different options.
-
- To change the priority level, printer list, separator file, printing
- times, and print processor options for a printer queue:
-
-
- 1. From the View menu, choose Printer queues.
-
- The dialog box shown in Figure 8.8 appears.
-
- (This figure may be found in the printed book).
-
- 2. In the list box, select a printer queue, then choose <Zoom>.
-
- The "Printing Options for Queue" dialog box (Figure 8.7) appears.
-
- 3. Change the text boxes for the options you want to modify.
-
- For more information, see steps 2-11 of the "Setting Options for a
- Printer Queue" section, earlier in this chapter.
-
- 4. Choose <Done>.
-
-
- To change the devices, maximum number of users, and remark options:
-
-
-
- 1. From the View menu, choose Shared resources.
-
- The "Shared Resources at \\server" dialog box (Figure 8.6) appears.
-
- 2. In the list box, select a printer queue, then choose <Zoom>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Change the text boxes or check boxes for the options you want to
- modify.
-
- 4. Choose <OK>.
-
- 5. Choose <Done>.
-
-
- Command Line To change options for a printer queue, type
-
- net print sharename [/priority:number] [/route:devicename[,...]]
- [/separator:pathname] [/after:time] [/until:time] [/driver:filename]
- [/processor:pmname] [/remark:"text"]
-
- See Net Print, Microsoft LAN Manager Administrator's Reference.
-
-
- Stop Sharing a Printer Queue
-
- When you stop sharing a printer queue, it is no longer available to the
- network. LAN Manager saves the name and option settings in a queue
- configuration file for use if you decide to share the same queue again.
-
- To stop sharing a printer queue:
-
-
- 1. From the View menu, choose Shared resources.
-
- The "Shared Resources at \\server" dialog box (Figure 8.6) appears.
-
- 2. In the list box, select the printer queue, then choose <Stop sharing>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line To stop sharing a printer queue, type
-
- net share sharename /delete
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
- Deleting a Printer Queue
-
- If you remove a printer from the network, you can delete the printer queue
- from the server. Deleting the queue removes that queue's record─including
- its settings and related permissions─from the server.
-
- To delete a printer queue:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- 2. In the list box, select the queue, then choose <Delete>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
- NOTE If the printer queue contains print jobs, the queue's status
- will change to "Pending delete" until all jobs print. Then the queue
- will be deleted.
-
-
-
- Managing Printers, Queues, and Print Jobs
-
- You can control printer queues, printers, and print jobs with a variety of
- procedures. You can
-
-
- ■ View a list of printer queues and print jobs.
-
- ■ Hold or release a printer queue. Holding a printer queue prevents it
- from sending jobs to printers.
-
- ■ Purge a printer queue, removing all pending print jobs.
-
- ■ Hold or release a print job in a queue. Holding a job prevents it from
- printing.
-
- ■ Restart a print job from the beginning.
-
- ■ Move a print job to the first or last position in the queue.
-
- ■ Delete a print job.
-
- ■ Stop the job currently being printed.
-
-
-
- Viewing Queues and Job Information
-
- You can view a list of the server's printer queues, a single queue, and the
- print jobs in each queue.
-
- To view information about all the printer queues on a server:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- The list box shows all of the printer queues on the server, whether or
- not they are currently shared. Under the name of each queue is a list
- of the print jobs in that queue.
-
- 2. Choose <Done>.
-
-
- Command Line To view information about all the printer queues on a
- server, type
-
- net print [\\computername]
-
- See Net Print, Microsoft LAN Manager Administrator's Reference.
-
- To view information about a single printer queue on a server:
-
-
- 1. From the View menu, choose Shared resources.
-
- The "Shared Resources at \\server" dialog box (Figure 8.6) appears.
-
- 2. In the list box, select a printer queue, then choose <View queue
- contents>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- This dialog box shows the sharename and status of the queue. Below
- this, an indented list displays the print jobs that are currently in
- the queue.
-
- 3. Choose <Done>.
-
- 4. Choose <Done>.
-
-
- Command Line To view information about a single printer queue on a
- server, type
-
- net print [\\computername\]sharename
-
- See Net Print, Microsoft LAN Manager Administrator's Reference.
-
-
- Holding and Releasing a Printer Queue
-
- You can hold a printer queue, preventing it from sending any jobs to
- printers. (You can't hold a job once it is printing, however.) When a queue
- is held, the printer(s) finishes printing the current job(s), but all
- further jobs remain in the queue until the queue is released. Releasing the
- queue returns it to normal status.
-
- To hold a printer queue:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- 2. In the list box, select the queue, then choose <Hold>.
-
- The status message for the queue changes to "Queue Held."
-
- 3. Choose <Done>.
-
-
- To release a held printer queue:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- 2. In the list box, select the held queue, then choose <Release>.
-
- The status message for the queue changes to "Queue Active."
-
- 3. Choose <Done>.
-
-
- Command Line To hold a printer queue or release a held printer queue,
- type
-
- net print [\\computername\]sharename [/hold | /release]
-
- See Net Print, Microsoft LAN Manager Administrator's Reference.
-
-
- Purging Print Jobs from a Printer Queue
-
- Purging a printer queue deletes all jobs in the queue except the one
- currently printing.
-
- To purge a printer queue:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- 2. In the list box, select the queue, then choose <Purge>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line To purge a printer queue, type
-
- net print [\\computername\]sharename /purge
-
- See Net Print, Microsoft LAN Manager Administrator's Reference.
-
-
- Holding and Releasing a Print Job
-
- You can hold any print job. The held job remains in the queue until
- released. Other jobs in the queue will be printed.
-
- To hold a print job:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- 2. In the list box, select the job, then choose <Hold>.
-
- The status message for the job changes to "Held." The user who sent
- the job receives an alert message saying that the job is being held.
-
- 3. Choose <Done>.
-
-
- To release a held job:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- 2. In the list box, select the held job, then choose <Release>.
-
- The status message for the job changes to "Waiting" or "Printing." The
- user who sent the job is notified that the job is again scheduled for
- printing.
-
- 3. Choose <Done>.
-
-
- Command Line To hold a print job or release a held print job:
-
-
- 1. Find the job number for the print job by typing
-
- net print [\\computername\]sharename
-
- 2. Hold or release the print job by typing
-
- net print [\\computername] job# [/hold | /release]
-
-
- See Net Print, Microsoft LAN Manager Administrator's Reference.
-
-
- Restarting a Print Job
-
- You can restart a print job, printing it again from the beginning. This is
- useful if a job is interrupted by an error or printer problem.
-
- To restart a print job:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- 2. In the list box, select the job, then choose <Restart>.
-
- 3. Choose <Done>.
-
-
- Command Line To restart a print job, type
-
- net device devicename /restart
-
- See Net Device, Microsoft LAN Manager Administrator's Reference.
-
-
- Moving a Print Job in a Printer Queue
-
- At times, you may want to change the position of a job already in the queue.
- With LAN Manager, you can move a job to the beginning of the queue.
- Likewise, LAN Manager lets you move jobs to the end of the queue to delay
- printing.
-
- To move a print job to the first or last position in a printer queue:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- 2. In the list box, select the job, then choose <Zoom>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. To move the job to the top of the queue, select the "First in queue"
- option button. To move the job to the bottom of the queue, select the
- "Last in queue" option button.
-
- 4. Choose <OK>.
-
- 5. Choose <Done>.
-
-
- Command Line To move a print job to the first or last position in a
- printer queue:
-
-
- 1. Find the job number for the job by typing
-
- net print [\\computername\]sharename
-
- 2. Move the job by typing
-
- net print [\\computername] job# [/first | /last]
-
-
- See Net Print, Microsoft LAN Manager Administrator's Reference.
-
-
- Deleting a Print Job
-
- While a job is waiting in a printer queue, you can delete the job.
-
- To delete a print job:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 8.8) appears.
-
- 2. In the list box, select the job, then choose <Delete>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- The user who submitted the job is notified that the job has been
- deleted.
-
- 4. Choose <Done>.
-
-
- Command Line To delete a print job:
-
-
- 1. Find the job number for the print job by typing
-
- net print [\\computername\]sharename
-
- 2. Delete the job by typing
-
- net print [\\computername] job# /delete
-
-
- See Net Print, Microsoft LAN Manager Administrator's Reference.
-
-
- Canceling a Print Job that Is Printing
-
- While a job is printing, you can cancel the job.
-
- To cancel a print job that is printing:
-
-
- 1. From the Status menu, choose Device status.
-
- The dialog box shown in Figure 8.9 appears.
-
- (This figure may be found in the printed book).
-
- This dialog box shows the status of each shared device on the server,
- and the user currently using each device (if any).
-
- 2. In the list box, select the device printing the job, then choose
- <Kill>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- Printing stops and the job is deleted from the queue. The user who
- submitted the job is notified that the job has been deleted.
-
- 4. Choose <Done>.
-
-
- Command Line To stop a print job that is printing, type
-
- net device devicename /delete
-
- See Net Device, Microsoft LAN Manager Administrator's Reference.
-
-
- Pausing and Continuing a Printer
-
- You can pause an individual printer on the network. When you pause a
- printer, it finishes printing the current job but will not accept new jobs
- from any printer queue until you continue it.
-
- To pause a printer:
-
-
- 1. From the Status menu, choose Device status.
-
- The "Shared Device Status" dialog box (Figure 8.9) appears.
-
- 2. In the list box, select the printer, then choose <Pause>.
-
- The status message for the printer changes to "Paused."
-
- 3. Choose <Done>.
-
-
- To continue a paused printer:
-
-
- 1. From the Status menu, choose Device status.
-
- The "Shared Device Status" dialog box (Figure 8.9) appears.
-
- 2. In the list box, select the printer, then choose <Continue>.
-
- Note that the status message for the printer changes.
-
- 3. Choose <Done>.
-
-
- Command Line To pause a printer and continue a paused printer:
-
-
- ■ Pause a printer by typing
-
- net pause print=devicename
-
- ■ Continue a paused printer by typing
-
- net continue print=devicename
-
-
- See Net Continue and Net Pause, Microsoft LAN Manager Administrator's
- Reference.
-
-
-
-
-
-
- Chapter 9 Communication Devices
- ────────────────────────────────────────────────────────────────────────────
-
- You can give network users access to communication devices attached to any
- server on the network. Communication devices include modems, image scanners,
- and serial printers.
-
- As an administrator, you decide how to set up and share communication
- devices. You also monitor the use of shared communication devices, making
- any needed adjustments to their setup.
-
- In this chapter, you will learn how to create and share communication-device
- queues (comm queues) for both individual communication devices and for pools
- of communication devices. This chapter also explains how to change queue
- options, view the queue's status, clear requests from a queue, and stop
- sharing a comm queue.
-
-
- How Comm Queues Work
-
- For a communication device to be shared, the device must be attached to a
- network server. It can be connected to any of the server's serial (COM) or
- parallel (LPT) ports.
-
- To share a communication device, you create and share a comm queue. You
- assign a sharename to the queue─not to the communication device itself.
-
- To use a communication device, the workstation sends a request to the comm
- queue. If the communication device is available, the queue passes the
- request to it.
-
- If the communication device is not available─because it is already in
- use─the request waits in the queue. The queue stores requests as they
- arrive. Each time the communication device finishes with a request, the
- queue sends it the next one. Figure 9.1 shows how a queue controls
- communication devices.
-
- While a request waits in a comm queue, the workstation that sent the request
- also waits. (Users with MS OS/2 workstations can work in other MS OS/2
- sessions while their requests wait in a queue.) When the request is sent
- from the queue to the communication device, the user can begin using the
- device.
-
- (This figure may be found in the printed book).
-
-
- Comm Queue Setups
-
- LAN Manager gives you several options for setting up comm queues.
-
-
- One Queue Using One Communication Device
-
- You can set up one queue for each communication device. This is a simple
- choice if you have only one communication device of a certain type─one modem
- or one image scanner, for example.
-
-
- One Queue Using Several Communication Devices
-
- You can set up a queue to send requests to more than one communication
- device. A group of communication devices receiving requests from a single
- queue is called a pool. When one of these queues receives a request, it
- searches its pool for the next available communication device and sends the
- request to that device. Figure 9.2 illustrates this concept.
-
- This is an efficient way to use a group of several similar devices, such as
- a group of modems.
-
- (This figure may be found in the printed book).
-
-
- Several Queues Using One Communication Device
-
- You can set up more than one queue to send requests to the same
- communication device, with the queues having different priority levels. The
- queue's priority levels determine which request is processed first when a
- communication device has requests pending in different queues─requests from
- a high-priority queue are processed before those from a low-priority queue.
- Figure 9.3 shows two queues serving one communication device. Priority
- levels are explained in detail in the "Priority Levels" section, later in
- this chapter.
-
- (This figure may be found in the printed book).
-
-
- Several Queues to Several Communication Devices
-
- You can set up several queues to send requests to a particular pool of
- devices as well. Again, this is useful if you vary the priority levels of
- the queues.
-
- Figure 9.4 shows a complex setup for sharing communication devices. Queue A
- sends requests to Modems A, B, and C. Queue B sends requests to Modem B.
- Queue C sends requests to Modems B and C.
-
- (This figure may be found in the printed book).
-
-
- Priority Levels
-
- You assign each comm queue a priority level from 1 through 9. The highest
- priority is 1, the lowest is 9, and the default is 5. Each comm queue
- assigns its priority level to all requests it receives.
-
- When a communication device becomes available and has requests waiting in
- several queues, it processes the next request in the queue with the highest
- priority.
-
- The arrival of a new high-priority request does not interrupt or end a
- request being processed. The device always finishes the current request
- before starting a new one.
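-
- The following Python model is an added example, not part of the original guide or of LAN Manager itself. It applies the pool and priority rules described above to the queue layout of Figure 9.4. The queue priorities, the sample requests, and the arrival-order tie-break between queues of equal priority are assumptions made for the example.
-
```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class CommQueue:
    name: str
    priority: int                 # 1 = highest, 9 = lowest, 5 = default
    devices: list                 # the queue's pool, in search order
    waiting: deque = field(default_factory=deque)


def simulate(queues, requests):
    """Model how comm queues hand requests to communication devices.

    requests: (arrival_time, queue_name, user, duration) tuples.
    Returns (user, queue, device, start, end) tuples in start order.
    """
    by_name = {q.name: q for q in queues}
    arrivals = sorted(requests, key=lambda r: r[0])   # stable sort keeps input order
    busy = {}                                         # device -> time it becomes free
    schedule = []
    i = 0
    while i < len(arrivals) or busy:
        pending = [arrivals[i][0]] if i < len(arrivals) else []
        now = min(pending + list(busy.values()))      # next event time

        # A device is released only when its current request finishes;
        # a request that arrived in the meantime never interrupts it.
        for dev in [d for d, end in busy.items() if end <= now]:
            del busy[dev]

        # Requests arriving now join the end of their queue.
        while i < len(arrivals) and arrivals[i][0] == now:
            _, qname, user, duration = arrivals[i]
            by_name[qname].waiting.append((i, user, duration))
            i += 1

        # Hand out free devices until no waiting request can use one.
        while True:
            ready = [q for q in queues
                     if q.waiting and any(d not in busy for d in q.devices)]
            if not ready:
                break
            # The queue with the highest priority (lowest number) goes first.
            # Assumption: equal priorities are served in arrival order.
            q = min(ready, key=lambda c: (c.priority, c.waiting[0][0]))
            dev = next(d for d in q.devices if d not in busy)
            _, user, duration = q.waiting.popleft()
            busy[dev] = now + duration
            schedule.append((user, q.name, dev, now, now + duration))
    return schedule


def figure_9_4_demo():
    # Queue-to-modem routing as in Figure 9.4; priorities are constructed.
    queues = [
        CommQueue("A", 5, ["ModemA", "ModemB", "ModemC"]),
        CommQueue("B", 1, ["ModemB"]),
        CommQueue("C", 9, ["ModemB", "ModemC"]),
    ]
    # Constructed sample requests: (arrival, queue, user, duration).
    requests = [
        (0, "C", "u1", 10),
        (0, "C", "u2", 20),
        (1, "A", "u3", 30),
        (2, "C", "u4", 5),    # arrives first of the three waiting requests
        (3, "A", "u5", 5),
        (4, "B", "u6", 5),    # priority 1, but must wait for ModemB to finish u1
    ]
    return simulate(queues, requests)


if __name__ == "__main__":
    for row in figure_9_4_demo():
        print(row)
```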
-
-
- Setting Up Comm Queues
-
- This section contains procedures for
-
-
- ■ Sharing a comm queue
-
- ■ Changing the way an existing comm queue is set up
-
- ■ Stopping the sharing of a comm queue
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Once you share a communication device, you should no longer use the device
- without using the queue, unless you first pause the queue.
-
- For example, suppose you share the communication device attached to a
- server's COM1 port with the comm queue MODEM, and then want to use the modem
- as you work at the server. You should not use COM1 directly. Doing this can
- disrupt the queue. Instead, either pause the MODEM queue, or connect to it
- and assign it another of the server's devicenames (such as COM4:), then use
- COM4:.
- ────────────────────────────────────────────────────────────────────────────
-
-
-
-
-
- Sharing a Comm Queue
-
- When you share a comm queue on a server with user-level security, you assign
- permissions for each queue and set audited events. On a server with
- share-level security, you assign a password to the queue. The following
- procedure explains how to share a comm queue. For information about how to
- set permissions and audited events, see the following section, "Setting
- Permissions and Audited Events."
-
- To share a comm queue:
-
-
- 1. From the View menu, choose Shared resources.
-
- The dialog box shown in Figure 9.5 appears.
-
- (This figure may be found in the printed book).
-
- 2. Choose <Add share>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Select the "Comm-device" option button, then choose <OK>.
-
- A dialog box similar to the following appears:
-
- (This figure may be found in the printed book).
-
- If the server has share-level security, the "Password" text box
- appears in the dialog box.
-
- 4. In the "Sharename" text box, type a sharename for the queue.
-
- 5. In the "Devices" text box, type the devicename(s).
-
- You can use devicenames COM1-COM9 and LPT1-LPT9. Use a space, comma,
- or semicolon to separate multiple devicenames.
-
- 6. In the "Remark" text box, type a descriptive comment for the comm
- queue.
-
- This comment is visible to users viewing the resources available on
- the server.
-
- 7. If the server has share-level security, a "Password" text box is
- displayed. In the "Password" text box, type a password to allow only
- users who know the password to access the queue. If the queue has no
- password, anyone can use the queue.
-
- The password can have as many as 15 characters.
-
- 8. From the "User limit" option buttons, specify how many people will be
- able to use the comm queue:
-
- ■ To set no limit on the number of users, select the "Unlimited"
- option button.
-
- ■ To set a limit, select the "Max. users" option button, and type
- the number of users to be allowed.
-
- If a number appears in the accompanying text box when you select
- the "Max. users" option button, this value is from the maxusers
- entry in the [server] section of the LANMAN.INI file. The number
- of users cannot exceed this value.
-
-
- 9. Mark the "Admin only" check box to make the queue accessible only to
- administrators.
-
- 10. In the "Priority" text box, type a priority level for the queue.
-
- 11. Choose <OK>.
-
- If the server has user-level security, the "Add Permissions for
- Comm-device Queue" dialog box appears. Use this dialog box to add
- permissions and enable auditing. For an explanation of how to add
- permissions and enable auditing, see the following section.
-
- 12. Choose <Done>.
-
-
- Command Line To share a comm queue:
-
-
- 1. Share the comm queue by typing
-
- net share sharename=devicename[,...] /comm [password] [/users:number |
- /unlimited] [/remark:"text"]
-
- 2. Set the options for the comm queue by typing
-
- net comm sharename [/route:devicename[,...]] [/priority:number]
-
-
- See Net Comm and Net Share, Microsoft LAN Manager Administrator's Reference.
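-
- The following Python check is an added example, not part of the original guide. It validates a comm queue definition against the limits stated in the procedure above (devicenames COM1-COM9 and LPT1-LPT9, a password of at most 15 characters, priority 1-9, a user limit no higher than maxusers) and then renders the two documented command lines. The function names, the sample values, the acceptance of a trailing colon on a devicename, and the rejection of a double quote inside the remark are assumptions of the example.
-
```python
import re

DEVICE_RE = re.compile(r"(COM|LPT)[1-9]")   # COM1-COM9 and LPT1-LPT9
MAX_PASSWORD_LEN = 15                        # "as many as 15 characters"


def parse_devices(text):
    """Split a "Devices" entry on spaces, commas or semicolons."""
    parts = re.split(r"[ ,;]+", text.strip())
    # Assumption: accept "COM4:" as well as "COM4" and normalise the case.
    return [p.upper().rstrip(":") for p in parts if p]


def plan_comm_queue(sharename, devices, *, priority=5, password="",
                    users=None, remark="", share_level=False, maxusers=None):
    """Return (commands, problems, warnings) for one comm queue.

    users=None means no user limit; maxusers is the value of the maxusers
    entry in the [server] section of LANMAN.INI, if known.
    """
    problems, warnings = [], []
    names = parse_devices(devices)

    if not sharename:
        problems.append("a sharename is required")
    if not names:
        problems.append("at least one devicename is required")
    for name in names:
        if not DEVICE_RE.fullmatch(name):
            problems.append(f"invalid devicename: {name}")
    if not 1 <= priority <= 9:
        problems.append(f"priority {priority} is outside 1-9")
    if len(password) > MAX_PASSWORD_LEN:
        problems.append("password is longer than 15 characters")
    if users is not None:
        if users < 1:
            problems.append("user limit must be at least 1")
        elif maxusers is not None and users > maxusers:
            problems.append(f"user limit {users} exceeds maxusers ({maxusers})")
    if '"' in remark:
        # Assumption of this example: the remark is passed inside quotes.
        problems.append("remark must not contain a double quote")

    if share_level and not password:
        warnings.append("share-level queue without a password: "
                        "anyone can use the queue")
    if password and not share_level:
        warnings.append("password is a share-level setting; user-level "
                        "servers use permissions (net access)")

    if problems:
        return [], problems, warnings

    route = ",".join(names)
    share = f"net share {sharename}={route} /comm"
    if password:
        share += f" {password}"
    share += f" /users:{users}" if users is not None else " /unlimited"
    if remark:
        share += f' /remark:"{remark}"'
    comm = f"net comm {sharename} /route:{route} /priority:{priority}"
    return [share, comm], problems, warnings


if __name__ == "__main__":
    # Constructed sample definition for a share-level server.
    cmds, problems, warnings = plan_comm_queue(
        "MODEM", "COM1; com2,LPT1", priority=3, password="s3cret",
        users=4, remark="Modem pool", share_level=True, maxusers=8)
    for line in cmds + problems + warnings:
        print(line)
```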
-
-
-
- Setting Permissions and Audited Events
-
- On a server with user-level security, you can set permissions and audited
- events for a comm queue.
-
- There are three types of permission for comm queues on servers with
- user-level security:
-
-
- ■ Y (Yes) permission gives access.
-
- ■ N (No) permission denies access.
-
- ■ Y+P (Yes+P) permission gives access to the queue and the right to set
- permissions for other users accessing that queue.
-
-
- You can also set default permissions, which are the permissions assigned to
- the \COMM resource. For information about how to set default permissions,
- see Chapter 4, "User-Level Security."
-
- On a server with share-level security, you assign a password for each queue,
- but you don't set permissions. Also, audited events are set for the server,
- not for each comm queue.
-
- To set permissions and audited events for a comm queue:
-
-
- 1. If you are setting permissions or audited events as you share the
- queue, follow the steps in the preceding section.
-
- 2. If you are changing permissions or audited events on a previously
- shared queue, from the Accounts menu, choose Other permissions.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- The "Permitted" list box shows groups and users with permissions to
- use the queue. The "Not permitted" list box shows all other groups and
- users.
-
- 3. Set permissions for the comm queue:
-
- ■ To grant permissions to a group or user, in the "Not permitted"
- list box, select the groupname or username.
-
- From the "Assigned permission" option buttons, select a
- permission.
-
- Choose <Permit>.
-
- ■ To change the permissions for a group or user, in the "Permitted"
- list box, select the groupname or username.
-
- From the "Assigned permission" option buttons, select a
- permission.
-
- ■ To revoke the permissions for a group or user, in the "Permitted"
- list box, select the groupname or username, then choose >.
-
- ■ To revoke permissions for all groups and users, choose >.
-
- ■ To use the default permissions, mark the "Use default permissions"
- check box.
-
-
- 4. To enable auditing for accesses to the resource, from the "Enable
- auditing for" check boxes, mark one or both of the check boxes.
-
- 5. Choose <OK>.
-
- 6. Choose <OK>.
-
-
- Command Line To set permissions and audited events for a comm queue:
-
-
-
- 1. Set permissions for the comm queue:
-
- ■ Set permissions for a comm queue on a user-level server by typing
-
- net access resource [/add name:permission[ ...]]
-
- or
-
- net access resource [/grant name:permission[ ...]] |
- [/change name:permission[ ...]] | [/revoke name[ ...]]
-
- ■ Set permissions for a comm queue on a share-level server by typing
-
- net share sharename /comm /permissions:permissions
-
-
- 2. Set audited events for the comm queue by typing
-
- net access resource [/trail:{yes | no}]
-
- or
-
- net access resource /failure[:{all | none | event[,...]}]
-
- or
-
- net access resource /success[:{all | none | event[,...]}]
-
-
- See Net Access and Net Share, Microsoft LAN Manager Administrator's
- Reference.
-
-
- Changing Options for a Comm Queue
-
- You can change the options for an existing comm queue, whether or not it is
- currently shared. Changes you make will take effect immediately.
-
- To change the devices, maximum number of users, and remark options:
-
-
- 1. From the View menu, choose Shared resources.
-
- The "Shared Resources at \\server" dialog box (Figure 9.5) appears.
-
- 2. In the list box, select the queue, then choose <Zoom>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Change the text boxes or check boxes for the options you want to
- modify.
-
- 4. Choose <OK>.
-
- 5. Choose <Done>.
-
-
- To change the priority level and device options:
-
-
-
- 1. From the View menu, choose Comm-device queues.
-
- The dialog box shown in Figure 9.6 appears.
-
- (This figure may be found in the printed book).
-
- 2. In the list box, select a queue, then choose <Zoom>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. To change the list of devices to which the queue routes requests, in
- the "Devices" text box, type the devicenames for the queue (COM1-COM9
- and/or LPT1-LPT9).
-
- Use a space, comma, or semicolon to separate multiple devicenames.
-
- 4. To change the queue's priority, in the "Priority" text box, type the
- value (1-9).
-
- 5. Choose <OK>.
-
- 6. Choose <Done>.
-
-
- Command Line To change the options for a comm queue, type
-
- net comm sharename [/route:devicename[,...]] [/priority:number]
-
- See Net Comm, Microsoft LAN Manager Administrator's Reference.
-
-
- Stop Sharing a Comm Queue
-
- When you stop sharing a comm queue, that queue is removed.
-
- To stop sharing a comm queue:
-
-
- 1. From the View menu, choose Shared resources.
-
- The "Shared Resources at \\server" dialog box (Figure 9.5) appears.
-
- 2. In the list box, select the queue, then choose <Stop sharing>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line To stop sharing a comm queue, type
-
- net share sharename /delete
-
- See Net Share, Microsoft LAN Manager Administrator's Reference.
-
-
- Managing Comm Queues and Requests
-
- You can view a list of comm queues that the server is sharing, along with
- the number of requests in each queue. You can also purge a comm queue,
- deleting all of the requests that are pending.
-
-
- Viewing Comm Queues
-
- When you view a list of the server's comm queues, the list shows the number
- of requests currently in each queue. You can also choose to view more
- information about requests in a particular comm queue.
-
- To view a list of comm queues on a server:
-
-
- 1. From the View menu, choose Comm-device queues.
-
- The "Comm-device Queues on \\server" dialog box (Figure 9.6) appears.
- The list box shows each comm queue on the server and the number of
- requests in each queue. If you have a request waiting in the queue,
- the number of requests ahead of your own is also shown.
-
- 2. To get more information about requests in a particular queue, in the
- list box, select the queue, then choose <Zoom>.
-
- 3. Choose <Done>.
-
-
- Command Line To view a list of comm queues on a server, type
-
- net comm
-
- See Net Comm, Microsoft LAN Manager Administrator's Reference.
-
-
- Purging Requests from a Comm Queue
-
- You can purge a comm queue, deleting all of the requests that are pending,
- or purge all pending requests from all shared communication device queues.
- This does not affect requests currently being processed by a communication
- device.
-
- To purge requests from one or all comm queues on a server:
-
-
- 1. From the View menu, choose Comm-device queues.
-
- The "Comm-device Queues on \\server" dialog box (Figure 9.6) appears.
-
- 2. To purge all requests from a selected queue, in the list box, select
- the queue, then choose <Purge self>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. To purge all requests from all queues, choose <Purge all>.
-
- 5. When prompted for confirmation, choose <OK>.
-
- 6. Choose <Done>.
-
-
- Command Line To purge requests from a comm queue, type
-
- net comm sharename /purge
-
- See Net Comm, Microsoft LAN Manager Administrator's Reference.
-
-
-
-
-
- Chapter 10 Profiles
- ────────────────────────────────────────────────────────────────────────────
-
- A server's current configuration of shared and used resources can be saved
- in a profile. A profile is a file containing the LAN Manager commands
- necessary to create that configuration. Loading the profile recreates the
- configuration.
-
- You can set up a server to load a profile automatically each time the server
- starts, and to save a profile each time the server stops.
-
- In this chapter, you will learn how to save and load server profiles. You
- will also find out how to set up a server to save and load profiles
- automatically.
-
-
- How Profiles Work
-
- For a workstation that is not running the Peer service, the only commands
- you can save in a profile are net use commands, which make connections to
- shared resources. The workstation profile is discussed in the Microsoft LAN
- Manager User's Guide.
-
- For a server, or a workstation running the Peer service, a profile can
- contain commands to share resources (net share) and commands to configure
- printer queues and comm queues (net print and net comm), as well as net use
- commands. When you use the LAN Manager Screen to save a server profile, you
- can choose which types of commands to save. There are four types of commands
- you can save in a profile:
-
-
- ■ net use commands, which make connections to shared resources. Profiles
- don't include any passwords required to access resources on servers
- with share-level security. For workstations not running the Peer
- service, only net use commands are saved.
-
- ■ net share commands, which share the server's resources.
-
- NOTE When net share commands are saved on a server with share-level
- security, resource passwords are also saved. Be sure that only
- authorized users have access to server profiles that contain resource
- passwords.
-
- ■ net print commands, which configure shared printer queues, determining
- such options as the devices the queue uses, the priority levels,
- printing hours, the print processor, the printer driver, and the
- separator page file.
-
- ■ net comm commands, which configure shared comm queues, determining
- such options as the devices the queue uses and the priority level.
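-
- The NOTE above is the part of this list that matters most for access
- control: on a share-level server, a saved profile carries resource passwords
- in its net share lines. The following is an added example, not part of the
- original guide or of LAN Manager. It finds and masks those passwords in a
- profile, assuming the profile holds one command per line in the net share
- syntax this guide gives; the sample profile and its values are constructed.

```python
import re

# One token = a run of non-space text; "quoted text" (such as a /remark value)
# stays inside its token even when it contains spaces.
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Constructed sample profile: sharenames, devices and the password are invented.
# Assumption: one LAN Manager command per line.
SAMPLE_PROFILE = r'''net share PUBLIC=C:\LANMAN\PUBLIC /remark:"Peer default share"
net share MODEMS=COM1,COM2 /comm hunter2 /users:5 /remark:"Dial-out pool"
net comm MODEMS /route:COM1,COM2 /priority:3
net share FAX=COM3 /comm /unlimited
net use X: \\ACCT\LEDGER
'''


def _password_spans(line):
    """Return (sharename, [(start, end), ...]) for a net share line.

    Follows the syntax shown in the guide:
        net share sharename=devicename[,...] /comm [password] [/options]
    The first positional token is the share specification; any later token
    that is not a /option is treated as the password.
    """
    matches = list(TOKEN.finditer(line))
    if len(matches) < 3:
        return None, []
    if [m.group(0).lower() for m in matches[:2]] != ["net", "share"]:
        return None, []

    share_spec, spans, in_device_list = None, [], False
    for m in matches[2:]:
        word = m.group(0)
        if word.startswith("/"):            # an option such as /comm or /users:5
            in_device_list = False
            continue
        if share_spec is None:              # sharename or sharename=devices
            share_spec = word
        elif not in_device_list:            # a later positional token
            spans.append(m.span())
        in_device_list = word.endswith(",")  # "COM1, COM2" continues the list
    if share_spec is None:
        return None, []
    return share_spec.split("=", 1)[0], spans


def find_saved_passwords(profile_text):
    """List (line number, sharename) for every net share line with a password."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        sharename, spans = _password_spans(line)
        if spans:
            findings.append((lineno, sharename))
    return findings


def redact_profile(profile_text, mask="<redacted>"):
    """Return the profile with each password replaced, all other text unchanged."""
    out = []
    for line in profile_text.splitlines(keepends=True):
        _, spans = _password_spans(line)
        for start, end in reversed(spans):   # right to left keeps offsets valid
            line = line[:start] + mask + line[end:]
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for lineno, share in find_saved_passwords(SAMPLE_PROFILE):
        print(f"line {lineno}: share {share} has a password saved in the profile")
    print(redact_profile(SAMPLE_PROFILE), end="")
```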
-
-
- If no other pathname is specified, profiles are stored in the
- LANMAN\PROFILES directory. Profiles normally have a .PRO extension, and if
- you save or load a profile without specifying a filename extension, LAN
- Manager adds the .PRO extension.
-
- If no other filename is specified, a workstation uses the filename
- NETLOGON.PRO. If NETLOGON.PRO has been created to save workstation
- connections, it is automatically loaded when the Workstation service is
- started and you log on. For a server profile, if no other filename is
- specified, the filename is SRVAUTO.PRO. If SRVAUTO.PRO has been created, it
- is automatically loaded when you start the Server service.
-
- When you use the LAN Manager Screen to load a profile, you can specify
- whether the profile will replace or be appended to the server's current
- configuration. If you replace the current configuration, the server stops
- sharing all resources before loading the profile. If the profile contains
- net use commands, any connections the server has to other shared resources
- also are canceled before the profile is loaded.
-
- If you append a profile, the profile does not delete any shared resources or
- cancel any connections. If the profile shares a resource with a sharename
- that is already in use, LAN Manager displays an error message and the
- existing resource remains shared.
-
- LAN Manager can save and load the profile automatically each time the server
- starts and stops. However, when you save or load a profile automatically,
- LAN Manager doesn't save or load net use commands in the profile. For
- information about how to set up the automatic saving and loading of the
- server profile, see the "Loading and Saving Profiles Automatically" section,
- later in this chapter.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Profiles do not affect administrative resources that are automatically
- shared when the server starts. LAN Manager does not stop sharing these
- resources when you load a profile, and does not save commands to share these
- resources when you save a profile. These resources include the disk
- administrative resources (such as A$), and, for servers with user-level
- security, IPC$ and ADMIN$. For more information about these resources, see
- Chapter 6, "Administrative Resources."
- ────────────────────────────────────────────────────────────────────────────
-
-
- Saving a Server Profile
-
- You can save a server profile locally or on a server where you are
- performing remote administration. When you create a profile, the profile
- contains settings for the server of current focus.
-
- For example, to save the local computer's configuration on a remote server,
- first save a profile with the current focus set on the local computer. Then
- change the current focus and load that profile on the remote server. You can
- then save the configuration as a profile on the remote server.
-
- You can update a profile at any time by the same method used to create it.
- When you update a profile, the current configuration replaces all settings
- in the profile. Profile files should never be edited.
-
- To save a server profile:
-
-
- 1. Adjust the server's configuration to include settings you want in the
- profile:
-
- ■ Use the View menu's Shared resources command to share the
- resources that you want the profile to include. For instructions,
- see Chapters 6 through 9.
-
- ■ Use the View menu's Used resources command to make any resource
- connections that you want the profile to include. For
- instructions, see the Microsoft LAN Manager User's Guide.
-
-
- 2. From the Config menu, choose Save profile.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- The "Contents of path" list box displays files in the LANMAN\PROFILES
- directory.
-
- 3. To view the server's directories, in the "Contents of path" list box,
- select a directory or select "<parent directory>," then choose <Dir>.
-
- This allows you to change to other levels of the directory tree.
-
- 4. From the "Save current" check boxes, mark the type(s) of settings to
- save in the profile.
-
- 5. If you have set the current focus on a remote server, adjust the
- "Contents of path" list box to display profiles for the computer on
- which you want to save the profile:
-
- ■ To display the files on the local computer, select the "Local
- computer" option button.
-
- ■ To display the files on the remote server, select the "Remote
- server \\server" option button.
-
-
- 6. If you are creating a new profile, in the "Filename" text box, type a
- filename, then choose <OK>.
-
- No filename extension is needed; LAN Manager will give the filename
- the extension .PRO, and save it in the directory shown in the
- "Contents of path" list box.
-
- 7. If you want to update an existing profile, in the "Contents of path"
- list box, select the filename, then choose <OK>.
-
- NOTE If the filename NETLOGON.PRO appears in the "Filename" text box,
- you should use SRVAUTO.PRO or another filename to save server
- configurations. In loading NETLOGON.PRO (the profile for
- workstations), LAN Manager ignores net share, net print, and net comm
- commands.
-
- 8. If a profile with the filename you specified already exists, a message
- box prompts for confirmation to replace the existing file. Choose
- <OK>.
-
- 9. Choose <OK>.
-
-
- Command Line To save a server profile:
-
-
- ■ Save the current configuration by typing
-
- net save filename
-
- ■ Save the current configuration of the local server in a profile on a
- remote server by typing
-
- net admin \\computername /command net save filename
-
-
- See Net Admin and Net Save, Microsoft LAN Manager Administrator's Reference.
-
-
-
- Loading a Server Profile
-
- You can load a server profile either locally or remotely (on the server of
- current focus).
-
- The profile you're loading can replace the current profile or can be
- appended to the profile. However, when you load a profile using the command
- line, the profile can only replace the current profile.
-
- To load a server profile:
-
-
- 1. If you want to load a profile on a remote server, set the current
- focus on that server.
-
- 2. From the Config menu, choose Load profile.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- The "Contents of path" list box displays files in the LANMAN\PROFILES
- directory of the server of current focus.
-
- 3. To view the server's directories, in the "Contents of path" list box,
- select a directory or select "<parent directory>," then choose <Dir>.
-
- This allows you to change to other levels of the directory tree.
-
- 4. If you are in a remote administration session and want to load a
- profile from the local server, from the "Display files on" option
- buttons, select "Local computer" to view a listing of files in the
- local server's profiles directory.
-
- NOTE The "Display files on" option buttons determine only the server
- from which the profile is loaded. With either option, the profile is
- loaded on the server of current focus.
-
- 5. In the "Contents of path" list box, select the profile that you want
- to load; the selection is displayed in the "Filename" text box. Or, in
- the "Filename" text box, type the filename.
-
- No filename extension is needed; LAN Manager will give the filename
- the extension .PRO, and save it in the directory shown in the
- "Contents of path" list box.
-
- 6. Select one of the two "Load options" option buttons:
-
- ■ To add the profile's commands to the server's current
- configuration, select the "Append to existing configuration"
- option button.
-
- ■ To have the profile replace the server's existing configuration,
- select the "Replace existing configuration" option button.
-
-
- 7. Choose <OK>.
-
- NOTE If a command in a profile causes an error, LAN Manager gives you
- the choice of continuing to load the profile or canceling the loading.
-
-
-
- Command Line To load a server profile that replaces the current
- configuration, type
-
-
- net load [drive:path] filename
-
- See Net Load, Microsoft LAN Manager Administrator's Reference.
-
-
- Loading and Saving Profiles Automatically
-
- You can have a server automatically load a profile each time the Server
- service starts and save a profile each time the Server service stops. If no
- other pathname is specified, the automatic profile is SRVAUTO.PRO, stored in
- the LANMAN\PROFILES directory.
-
- Two entries in the [server] section of the LANMAN.INI file, autoprofile and
- autopath, control how the server uses automatic profiles.
-
- The autoprofile entry determines whether the server loads the automatic
- profile, saves the automatic profile, or does both. The entry has four
- possible values:
-
- none
- Does not use the server's automatic profile.
-
- load
- Loads a profile when the Server service starts.
-
- save
- Saves a profile when the Server service stops.
-
- both
- Loads a profile when the Server service starts, and saves a profile when
- the server stops.
-
- The autopath entry specifies the pathname, relative to the LANMAN\PROFILES
- directory, for the automatic profile. If autopath is blank, LAN Manager uses
- LANMAN\PROFILES\SRVAUTO.PRO. You can specify any filename. To indicate a
- file in a directory not relative to LANMAN\PROFILES, supply an absolute
- pathname.
-
- When you installed LAN Manager, a SRVAUTO.PRO file, containing a command to
- share the PUBLIC directory, was created. The PUBLIC directory is the default
- share used for the Peer service.
-
- When a server saves a profile automatically, it saves the configuration of
- the server at the time the Server service is stopped. The server saves
- commands to share resources (net share), set printer queue options (net
- print), and set comm queue options (net comm). The server does not save
- commands to use shared resources (net use).
-
- When a server loads a profile automatically, the profile is appended:
- existing resource configurations and connections are not canceled.
- Any net use commands in the profile are not loaded.
-
- To have the server automatically load a standard profile each time it
- starts, just save that configuration in the profile SRVAUTO.PRO.
-
- To have the server also save a profile each time it stops or use a different
- automatic profile, edit the LANMAN.INI file. Changes to the autoprofile or
- autopath LANMAN.INI entries take effect when the Server service is
- restarted.
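-
- The autoprofile and autopath rules above decide where the automatic profile
- is written, and on a share-level server that file holds resource passwords.
- The following is an added example, not part of the original guide or of LAN
- Manager. It resolves the two entries from LANMAN.INI text and reports when a
- password-bearing profile is written at each stop and when it lands outside
- LANMAN\PROFILES. The C:\LANMAN install root, the ";" comment character and
- the sample file are assumptions.

```python
import ntpath

# The four values the guide lists for the autoprofile entry.
VALID_MODES = {"none", "load", "save", "both"}

# Constructed sample; the computer name and paths are invented.
SAMPLE_INI = r'''; constructed LANMAN.INI fragment
[workstation]
computername = PRINTSRV

[server]
autoprofile = both
autopath = ..\BACKUP\NIGHTLY.PRO
'''


def read_section(ini_text, wanted):
    """Return the key/value entries of one [section], keys lowercased."""
    entries, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # assumption: ";" starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == wanted and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def automatic_profile(ini_text, share_level=False,
                      profiles_dir=r"C:\LANMAN\PROFILES"):
    """Resolve the automatic profile the Server service will use.

    share_level: True when the server runs share-level security, in which
    case saved net share commands include resource passwords.
    profiles_dir: assumed location of LANMAN\\PROFILES on this server.
    """
    server = read_section(ini_text, "server")
    mode = server.get("autoprofile", "").lower()
    if mode not in VALID_MODES:
        # The guide lists four values and states no default, so anything
        # else (including a missing entry) is reported rather than guessed.
        raise ValueError(f"autoprofile must be one of {sorted(VALID_MODES)}, "
                         f"got {mode!r}")

    # Blank autopath means SRVAUTO.PRO; a relative value is taken relative to
    # LANMAN\PROFILES; an absolute value replaces the directory entirely.
    autopath = server.get("autopath", "") or "SRVAUTO.PRO"
    path = ntpath.normpath(ntpath.join(profiles_dir, autopath))
    root = ntpath.normpath(profiles_dir).lower() + "\\"

    saves = mode in ("save", "both")
    return {
        "mode": mode,
        "loads_on_start": mode in ("load", "both"),
        "saves_on_stop": saves,
        "path": path,
        # Access controls placed on LANMAN\PROFILES do not cover this file.
        "outside_profiles_dir": not path.lower().startswith(root),
        # Automatic saves include net share commands; on a share-level
        # server those commands carry the resource passwords.
        "passwords_written_on_stop": saves and share_level,
    }


if __name__ == "__main__":
    for key, value in automatic_profile(SAMPLE_INI, share_level=True).items():
        print(f"{key}: {value}")
```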
-
-
-
-
-
-
- PART IV Advanced Features
- ────────────────────────────────────────────────────────────────────────────
-
- Part 4 introduces some useful LAN Manager features that go beyond the
- basics.
-
- Chapter 11 explains the console screen, useful for monitoring and
- controlling shared devices on a public-access server.
-
- Three optional services enhance LAN Manager's capabilities. The Netrun
- service allows users to run programs in the server's memory, and
- accommodates distributed applications (see Chapter 12). The Replicator
- service is used to broadcast periodic updates of files and directories to
- other computers (see Chapter 13). And the Remoteboot service enables
- workstations to boot from software stored on a central server (see Chapter
- 14).
-
- Features discussed in Chapters 15 and 16 help keep the server running
- smoothly. Chapter 15 deals with safeguarding data. LAN Manager's
- fault-tolerance system can be used to monitor and correct disk errors, and
- to mirror or duplex drives. The UPS service, also discussed, provides
- orderly shutdowns when power fails. Chapter 16 discusses auditing, server
- statistics, and other network monitoring tools.
-
-
-
-
-
-
- Chapter 11 Running an Unattended Server
- ────────────────────────────────────────────────────────────────────────────
-
- To secure an unattended server that is physically available to users, LAN
- Manager includes a console version of the LAN Manager Screen. This screen is
- especially for servers with printer queues and communication-device queues
- (comm queues). Users can view resources and modify their own requests for
- shared devices (on servers with user-level security). The console screen
- also has menu commands for administrators to control devices and queues, and
- a command for changing a password.
-
- This chapter tells how the console version of the LAN Manager Screen secures
- an unattended server, and how a server using the console screen is used and
- administered.
-
-
- Administering an Unattended Server
-
- The console screen is displayed by typing net console and providing an exit
- password. The display cannot be removed without supplying the exit password.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Supply an exit password to prevent users from removing the display and
- performing administrative tasks.
- ────────────────────────────────────────────────────────────────────────────
-
- The console screen prevents users from changing sessions in MS OS/2 (by
- pressing ALT+ESC or CTRL+ESC). Attempting to access other sessions results
- in the following message box:
-
- (This figure may be found in the printed book).
-
- To return to the console screen, choose OK.
-
- Before displaying the console screen, complete administrative tasks such as
- starting services and sharing printers and communication devices. The
- Workstation, Messenger, and Netpopup services start with the net console
- command. The console screen, however, provides no way to start any of the
- other LAN Manager services. You might want to start the Server service and
- log on to the network before displaying the console screen. To perform
- administrative tasks on a server with user-level security, a user with admin
- privilege, or print and comm operator privileges (verified by a password),
- must be logged on at the server.
-
- A server with the console screen displayed can be administered remotely.
-
- For information about the LAN Manager services, see Chapter 2, "Getting
- Started." To learn how to share queues, see Part 3.
-
-
- Using the Console Screen
-
- The console screen limits users' access to the server, while giving them
- control over their own print jobs (if the server has user-level security).
- It shows the status of printer and communication devices that the server is
- sharing. Administrators can use the screen to monitor and control the status
- of the server's queues and control print jobs in local printer queues.
-
- The following sections tell how to start the console screen and how to
- perform tasks using the menu commands.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- No command-line equivalents are given for these procedures, because net
- commands can't be used when the console screen is displayed.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- Starting the Console Screen
-
- To start the console version of the LAN Manager Screen:
-
-
- 1. At the MS OS/2 prompt, type
-
- net console
-
- If the Workstation service isn't running, LAN Manager displays a
- message box while it starts the service.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. In the "Password" text box, type a password.
-
- The password can have as many as 14 characters.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- LAN Manager does not prompt for confirmation, and you do not see the
- password as you type.
- ────────────────────────────────────────────────────────────────────────────
-
-
- 3. Choose <OK>.
-
-
-
- Removing the Console Screen
-
- To remove the console screen, press F3. When prompted, supply the exit
- password.
-
-
- Screen Menus and Commands
-
- After you type a password, a screen similar to the one shown in Figure 11.1
- appears. The screen displays menus and the status of the server's printer
- queues.
-
- (This figure may be found in the printed book).
-
- From menus on the console version of the LAN Manager Screen, you can perform
- the following tasks:
-
- View menu
-
- Printer queues
- Display the configuration, status, and queued jobs for the server's
- printer queues. With user-level security, users can control their own
- print jobs. Administrators can reconfigure and control the queue, and
- can control jobs in a queue.
-
- Comm-device queues
- Display a sharename and the number of requests pending for the
- server's comm queues.
-
- Exit F3
- Remove the console screen.
-
- Message menu
-
- Send a typed message
- Send messages to network users.
-
- Status menu
-
- Device status
- Display the status of a printer or communication device shared in a
- queue. Administrators can change a device's status.
-
- Accounts menu
-
- Change your password
- Allow users to change their passwords if the server has user-level
- security.
-
- Help menu
- Provides context-sensitive help for most tasks, as well as a glossary of
- terms.
-
- The following sections tell how to use the commands in these menus.
-
-
- Printer Queues
-
- The View menu's Printer queues command can be used to view the contents,
- status, and configuration of the server's spooled printer queues. An
- administrator can use this command to change the status or configuration of
- a queue or control its print jobs.
-
-
- Viewing Printer Queue Information
-
- Anyone can view information about the jobs held in queues, the queues'
- configurations, and the status of the jobs and the queues. The Printer
- queues command initially displays status and content information, but can
- also display configuration options for a selected queue. The following
- procedure tells how to view both.
-
- To view the contents, status, or configuration of a local printer queue:
-
-
- 1. From the View menu, choose Printer queues.
-
- A dialog box similar to the following appears:
-
- (This figure may be found in the printed book).
-
- For each printer queue on the server, the status of the queue and the
- number of jobs in the queue is shown. The job number and size of each
- job are displayed in the indented list beneath the queue status.
-
- 2. To view configuration options for a particular queue, in the list box,
- select the queue, then choose <Zoom>.
-
- A dialog box similar to the following appears:
-
- (This figure may be found in the printed book).
-
- This dialog box shows the following options for the selected queue:
-
-
- Sharename
- The name for the queue.
-
- Status
- The current status for the queue, which is Active, Waiting, or Paused.
-
- Priority
- The priority level, from 1 to 9 (1 is highest priority), for jobs in
- the queue.
-
- Printer device(s)
- The device(s) to which this queue routes jobs.
-
- Separator file
- The file, if any is in use, that prints one or more separator pages
- before each print job.
-
- Print after
- The time at which the queue starts sending jobs to a printer(s). Jobs
- that are requested during hours other than the queue's printing hours
- are held in the queue.
-
- Print until
- The time after which the queue no longer sends jobs to a printer(s).
-
- Print processor
- The filename of the print processor, if any is in use.
-
- Parameters
- The values supplied for the print processor program.
-
- Drivername
- The Presentation Manager device driver for the queue.
-
- Comment
- A descriptive comment displayed in resource lists.
-
-
- 3. Choose <OK>.
-
- 4. Choose <Done>.
-
-
-
- Changing the Status of a Printer Queue
-
- Changing the status of a printer queue (holding, releasing, purging, or
- deleting it) requires that you have admin privilege or print operator
- privilege and know the exit password.
-
- To change the status of a printer queue:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 11.2) appears.
-
- 2. In the list box, select the printer queue.
-
- 3. Choose one of the following command buttons:
-
- ■ <Hold> to suspend all jobs except those that are printing.
-
- ■ <Release> to reactivate a held queue.
-
- ■ <Delete> to delete the printer queue.
-
- ■ <Purge> to remove all pending requests from a queue. (Jobs that
- are printing are not affected.)
-
-
- 4. If you choose <Delete>, a prompt for confirmation appears. Choose
- <OK>.
-
- 5. If you choose <Hold>, <Release>, or <Purge>, and after the
- confirmation prompt if you choose <Delete>, the following dialog box
- appears:
-
- (This figure may be found in the printed book).
-
- 6. In the "Password" text box, type the exit password.
-
- 7. Choose <OK>.
-
- 8. Choose <Done>.
-
-
-
- Viewing Print Job Information
-
- For any print job, a user can view information about its length, how long it
- has been queued or printing, the user who requested the job, and the queue
- and printer handling it. This is done using the View menu's Printer queues
- command.
-
- To view information about a print job:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 11.2) appears.
-
- 2. In the list box, select a print job.
-
- 3. Choose <Zoom>.
-
- A dialog box similar to the following appears:
-
- (This figure may be found in the printed book).
-
- This dialog box shows the following information about the selected
- print job:
-
-
- Job #
- The job number for the request.
-
- Username
- The user who submitted the request.
-
- Sharename
- The name for the printer queue.
-
- Size
- The size in bytes of the document to be printed.
-
- Time queued
- The amount of time (in minutes and seconds) a job has been queued.
-
- Time printing
- The amount of time (in minutes and seconds) a job has been printing.
-
- Printing on
- The device that is printing a current job.
-
- Status
- The status for the job, which is Spooled, Held, Printing on (device),
- Held on (device), Out of paper on (device), Error on (device), Offline
- on (device), or Waiting.
-
- The "Printing Options for Job" dialog box also contains a text box for
- supplying a comment about the job and a set of option buttons for moving
- the request to the top or bottom of the queue.
-
-
- 4. To close the dialog box without making changes, choose <Cancel>.
-
- 5. Choose <Done>.
-
-
-
- Changing the Position of a Print Job
-
- You can change the position of a job in a printer queue, and can supply a
- comment that is displayed in job lists. For a server with user-level
- security, users, from their workstations, can move their own print jobs down
- in a queue, but can't move them up. Moving a print job that you do not own
- requires that you have admin privilege or print operator privilege and know
- the exit password.
-
- To change the position of a print job in a printer queue:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 11.2) appears.
-
- 2. In the list box, select a print job.
-
- 3. Choose <Zoom>.
-
- The "Printing Options for Job" dialog box (Figure 11.4) appears.
-
- 4. Select one of the "Move job to" option buttons:
-
- ■ "Unchanged" cancels a "First in queue" or "Last in queue"
- selection.
-
- ■ "First in queue" moves the job to the top of the queue so that it
- will be the next job to print.
-
- ■ "Last in queue" moves the job to the bottom of the queue, so that
- all other jobs print first. The user who owns the job can select
- this option.
-
- The "Enter User Password" dialog box (Figure 11.3) appears.
-
-
- 5. In the "Password" text box, type the exit password.
-
- 6. Choose <OK>.
-
- 7. Choose <Done>.
-
-
-
- Changing the Status of a Print Job
-
- Users can hold, release, restart, or delete their own print jobs using the
- View menu's Printer queues command. This can't be done at servers with
- share-level security. An administrator can change the status of any print
- job in a printer queue shared by the server, regardless of the type of
- security. Changing the status of a print job that you do not own requires
- that you have admin privilege or print operator privilege and know the exit
- password.
-
- To change the status of a print job:
-
-
- 1. From the View menu, choose Printer queues.
-
- The "Print Queues on \\server" dialog box (Figure 11.2) appears.
-
- 2. In the list box, select a print job.
-
- 3. Choose one of the following command buttons:
-
- ■ <Hold> to keep the job in the queue and suspend it from printing.
-
- ■ <Release> to release a job that has been held.
-
- ■ <Restart> to reprint, from the beginning, a print job that has
- been interrupted.
-
- ■ <Delete> to delete the job, canceling the printing.
-
-
- 4. If you choose <Delete>, a prompt for confirmation appears. Choose
- <OK>.
-
- 5. If you choose <Hold>, <Release>, or <Restart>, and after the
- confirmation prompt if you choose <Delete>, the "Enter User Password"
- dialog box (Figure 11.3) appears.
-
- 6. In the "Password" text box, if the print job is your own, type your
- own password. Otherwise, type the exit password.
-
- 7. Choose <OK>.
-
- 8. Choose <Done>.
-
-
-
- Comm-device Queues
-
- You can check the availability of comm queues on the server using the View
- menu's Comm-device queues command.
-
- To check the status of a comm queue:
-
-
- 1. From the View menu, choose Comm-device queues.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- The list box shows all comm queues shared by this server. For each
- queue, it shows how many requests are pending, and how many of these
- are ahead of requests made from this server.
-
- 2. Choose <Done>.
-
-
-
- Exit
-
- To remove the console version of the LAN Manager Screen:
-
-
- 1. From the View menu, choose Exit.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. In the "Password" text box, type the exit password that was used to
- start the console screen.
-
- 3. Choose <OK>.
-
-
-
- Send a Typed Message
-
- You can use the Message menu to send a typed message to one or more network
- users. The message can be sent to a list of names, or it can be broadcast to
- everyone in a domain. For more information about sending messages, see the
- Microsoft LAN Manager User's Guide.
-
- To send a message:
-
-
- 1. From the Message menu, choose Send a typed message.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. If you want to send the message only to specified people, select the
- "Name" option button. Then, in the text box to the right of the "Name"
- option button, type the name(s) you want to receive the message.
-
- Use a space to separate multiple names.
-
- 3. If you want to broadcast the message to everyone in a domain, select
- the "Domain" option button. Then, in the text box to the right of the
- "Domain" option button, type the domain name.
-
- A message can only be broadcast throughout one domain at a time.
-
- 4. In the "Message" text box, type a message.
-
- The maximum length for a message depends on the setting of the message
- buffer at both sending and receiving computers (see the sizmessbuf
- entry in the [messenger] section of the LANMAN.INI file).
-
- 5. Choose <OK>.
-
-
-
- Device Status
-
- The Status menu contains the Device status command, used to check or change
- the status of devices shared through server queues. Any user can view the
- status of a device. By supplying a privileged password, a user can also
- change the status of a device, or the status of a request routed to the
- device.
-
-
- Viewing Device Status Information
-
- To view status information for shared devices on the server:
-
-
- 1. From the Status menu, choose Device status.
-
- A dialog box similar to the following appears:
-
- (This figure may be found in the printed book).
-
- For each device, the list box displays the status, how long that
- status has been in effect, and which user's job or request is being
- processed.
-
- 2. Choose <Done>.
-
-
-
- Changing the Status of a Device
-
- Changing the status of a device requires that you have admin privilege, or
- comm or print operator privilege, and know the exit password. Changing
- status means pausing or continuing a printer, restarting a print job, or
- canceling the request that a communication device or printer is processing.
-
-
- To change the status of a device:
-
-
- 1. From the Status menu, choose Device status.
-
- The dialog box shown in Figure 11.5 appears.
-
- 2. In the list box, select a device.
-
- 3. Choose one of the following command buttons:
-
- ■ <Pause> to pause a printer. Pausing a printer also pauses the
- document that is printing. (Communication devices cannot be
- paused.)
-
- ■ <Continue> to restart a paused printer, continuing the current
- print job.
-
- ■ <Restart> to reprint, from the beginning, a print job that has
- been interrupted.
-
- ■ <Kill> to cancel the request being processed by a printer or
- communication device.
-
-
- 4. If you choose <Kill>, a prompt for confirmation appears. Choose <OK>.
-
- 5. If you choose <Pause>, <Continue>, or <Restart>, and after the
- confirmation prompt if you choose <Kill>, the "Enter User Password"
- dialog box (Figure 11.3) appears.
-
- 6. In the "Password" text box, type the exit password.
-
- 7. Choose <OK>.
-
- 8. Choose <Done>.
-
-
-
- Changing Your Password
-
- Using the Accounts menu's Change your password command, you can change your
- password. The password change occurs just as it does when the change is made
- from a workstation. This command is valid only for servers with user-level
- security.
-
- To change your password:
-
-
- 1. From the Accounts menu, choose Change your password.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. In the "Old password" text box, type your current password.
-
- The password is not displayed as you type it.
-
- 3. In the "New password" text box, type a different password.
-
- The password can have as many as 14 characters and is not displayed as
- you type it.
-
- 4. Choose <OK>.
-
-
-
-
-
-
-
- Chapter 12 Sharing Processing Power
- ────────────────────────────────────────────────────────────────────────────
-
- There are two ways to share processing power with LAN Manager: using LAN
- Manager's Netrun service or using distributed applications.
-
- With the Netrun service, you can let users run programs on a server from MS
- OS/2 workstations. As an administrator, you decide how to set up the Netrun
- service, what programs to run under it, and which people can use them.
-
- Distributed applications are software products, such as Microsoft SQL
- Server, that are designed to run on a network. In these applications,
- individual computers run programs that cooperate to get a single job done.
- Distributed applications are similar to the Netrun service, but are not
- controlled by LAN Manager.
-
- In this chapter you will learn how to set up a server to use the Netrun
- service, how to start and stop the service, how to specify which programs
- can be used with the Netrun service, and how to control the number of people
- using the Netrun service.
-
-
- Using the Netrun Service
-
- When a user runs a program with the Netrun service, the program runs on the
- server, but the person uses an MS OS/2 workstation to start the program and
- specify what input the program uses and where the program's output goes.
-
- This service lets users take advantage of the greater memory, disk space,
- and processing speed that servers usually have. It gives them a way to run
- large, time-consuming programs on a server, leaving their own workstations
- free for other work.
-
- The Netrun service also provides an efficient way to run programs that use
- data files kept on the server. When these programs run on the server, the
- data does not have to be transported from server to workstation, as is the
- case when a workstation runs this type of program.
-
- Only programs with a .EXE extension can be run under Netrun. Interactive,
- screen-oriented programs such as Presentation Manager applications, word
- processors, and spreadsheets cannot be used.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Before making a commercial program available for use with Netrun, check the
- program's licensing agreement. The licensing terms may limit the number of
- users who can use a program simultaneously, or may prevent the program's use
- with the Netrun service.
- ────────────────────────────────────────────────────────────────────────────
-
-
- Creating a Run Path
-
- To specify the programs that users can run on the server, you define a run
- path. The run path is a list of directories containing programs available
- for use with Netrun. To use a program with Netrun, the program must be in a
- directory in the server's run path. The run path is set in the [netrun]
- section of the LANMAN.INI file, or can be adjusted when you start the Netrun
- service.
-
- When defining the run path, be sure that directories in the run path contain
- only programs that you want to allow users to run. For example, if you put
- LANMAN\NETPROG in the run path, users have full administrative access to the
- server.
-
- The directories in the run path do not need to be shared for the Netrun
- service to work; in fact, there is a good reason not to share them. If a
- directory in the run path is shared, a user can add a new program to that
- directory and run the program on the server. If you share a directory that
- is in the run path, limit users' access to the directory when you assign
- permissions. For more information, see Part 2, "Managing Security."
-
-
- Controlling Access to Netrun and Distributed Applications
-
- The Netrun service and distributed applications create and use named pipes
- to send information back and forth between computers running the
- application. On servers with user-level security, you can assign permissions
- to these named pipes to control access to the programs. For the Netrun
- service, this named pipe is PIPE\LANMAN\NETRUN. For distributed
- applications, see the manuals for these applications to find the names of
- named pipes they create.
-
- Also, IPC$ must be shared for the Netrun service or distributed applications
- to work. IPC$ is an administrative resource that controls how interprocess
- communication (IPC) works on servers. IPC$ is automatically shared on
- servers with user-level security, but you must explicitly share IPC$ on
- servers with share-level security. For more information about sharing the
- IPC$ resource, see Chapter 6, "Administrative Resources."
-
- All programs running under the Netrun service run as if started at the
- server by a user with admin privilege. As a result, all network file
- security (including local security) is bypassed. It is advisable to make
- only carefully designed programs available to non-administrators via the
- Netrun service. In particular, do not make the MS OS/2 command interpreter,
- CMD.EXE, available for use with the Netrun service.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If security is important, run the server with user-level security, which
- allows more control over the Netrun service.
- ────────────────────────────────────────────────────────────────────────────
-
- The following sections tell how to control access to programs in the run
- path on servers with user-level and share-level security. They also tell how
- to control the number of users running programs on the server
- simultaneously.
-
-
- User-Level Security
-
- On a server with user-level security, restrict access to programs available
- through the Netrun service or distributed applications by setting the
- permissions for the named pipe resource (PIPE\LANMAN\NETRUN for the Netrun
- service). Only those users with permissions to use the named pipe can use
- the Netrun service or the distributed application.
-
- You can assign the following permissions for a named pipe to a user or
- group:
-
- Permitted access (Yes)
- User or group can use the named pipe. (Y includes the Read and Write
- permissions.)
-
- Denied access (No)
- User or group cannot use the named pipe.
-
- Permitted access; can change permissions (Yes + P)
- User or group can use, and set access permissions for, the named pipe.
-
- You can also set default permissions, which are the permissions assigned for
- the \PIPE resource.
-
- To control access to individual programs, set the permissions for each
- program file in the run path. Only users who have R or X (Read or Execute)
- permission for a program can run the program with the Netrun service.
-
- For information about how to set permissions for directories and files, see
- Chapter 7, "Disk Resources."
-
- To set permissions for a named pipe resource:
-
-
- 1. From the Accounts menu, choose Other permissions.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. From the "Access type" option buttons, select "Named pipes."
-
- 3. Choose <Add entry>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 4. In the "Sharename" text box, type the name of the pipe. For the Netrun
- service, type PIPE\LANMAN\NETRUN.
-
- 5. Set the permission for the named pipe:
-
- ■ To grant permissions for a group or user, in the "Not permitted"
- list box, select the groupname or username. From the "Assigned
- permission" option buttons, select the permission you want to
- assign for the group or user. Then choose <Permit>. The groupname
- or username moves to the "Permitted" list box.
-
- ■ To change the permissions for a group or user, in the "Permitted"
- list box, select the groupname or username. From the "Assigned
- permission" option buttons, select the permission you want to
- assign for the group or user.
-
- ■ To revoke the permissions for a group or user, in the "Permitted"
- list box, select the groupname or username. Then choose >.
-
- ■ To reset the permissions for this resource to the default
- permissions, mark the "Use default permissions" check box.
-
- ■ To revoke permissions for all users, choose >.
-
-
- 6. To audit successful or failed attempts to use this resource (or both),
- from the "Enable Auditing for" check boxes, mark the appropriate check
- box(es).
-
- 7. Choose <OK>.
-
- 8. Choose <Done>.
-
-
- Command Line
-
- To set permissions for a named pipe resource, type
-
- net access resource [/add name:permission[ ...]]
-
- or
-
- net access resource [/grant name:permission[ ...]] |
- [/change name:permission[ ...]] | [/revoke name[ ...]]
-
- See Net Access, Microsoft LAN Manager Administrator's Reference.
-
-
- Share-Level Security
-
- On a server with share-level security, you must explicitly share IPC$ to be
- able to use the Netrun service or to run distributed applications. You can
- assign a password to IPC$ when you share it. Users must supply this password
- as part of the command to run a program with the Netrun service or with a
- distributed application. Assigning a password to IPC$ has other effects. If
- you assign a password to IPC$, users must explicitly connect to IPC$ and
- supply the password before they can view the resources shared by the server,
- use the Netrun service on the server, or run a distributed application on
- the server. Administrators will also have to type the password before
- remotely administering the server. To do this, they will have to type a
- command with the following form:
-
- net use \\server\ipc$ password
-
- Note that on a server with share-level security you do not assign
- permissions to the named pipes.
-
- For more information about IPC$, see Chapter 6, "Administrative Resources."
-
-
-
- Controlling the Number of Netrun Users
-
- The maxruns entry in the LANMAN.INI file's [netrun] section defines the
- maximum number of users who can run programs simultaneously on the server
- using the Netrun service. The range for maxruns is 1-10; the default is 3
- users.
-
- If you change the value of maxruns while the Netrun service is running, you
- must restart the Netrun service for the change to take effect.
-
-
- Managing the Netrun Service
-
- This section explains how to set up the server to run the Netrun service and
- how to start and stop the Netrun service.
-
-
- Setting Up the Server for the Netrun Service
-
- Before starting the Netrun service on a server, you must complete four
- tasks:
-
-
- 1. Change the runpath entry in the LANMAN.INI file's [netrun] section.
-
- Type the pathname of each directory containing programs that you want
- to make available. Use a semicolon to separate multiple pathnames.
-
- For example, the following LANMAN.INI entry makes the programs in the
- SORT and DB\PROGS directories available for use with the Netrun
- service:
-
- runpath=c:\sort;c:\db\progs
-
- 2. If the server has share-level security, share the IPC$ resource. (IPC$
- is automatically shared on a server with user-level security.)
-
- For information about IPC$ and how to share it, see Chapter 6,
- "Administrative Resources."
-
- 3. Share a directory on the server.
-
- Before anyone can use the Netrun service to run a program on a server,
- they must connect to a shared directory on the server. Therefore, you
- must be sure that a directory is shared, and that those users who will
- use the Netrun service have access to the directory.
-
- The directory you share does not have to be in the run path, and
- directories you put in the run path do not have to be shared. You
- share the directory only so that people using the Netrun service can
- make a connection to the appropriate server.
-
- For information about how to share a directory, see Chapter 7, "Disk
- Resources."
-
- 4. On servers with user-level security, be sure that users who will run
- programs with the Netrun service have permission to use the named pipe
- PIPE\LANMAN\NETRUN. Also, be sure each user has either R or X (Read or
- Execute) permission for each program that they will be running with
- the Netrun service.
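-
- The run-path and maxruns rules from this chapter can be checked before the
- Netrun service is started. The following is an added example, not part of
- the manual or of LAN Manager: the audit_netrun function, the sample
- LANMAN.INI text, the directory listings, and the share list are all
- constructed for illustration.

```python
import configparser

# Constructed sample LANMAN.INI fragment. The runpath value extends the
# manual's own example (c:\sort;c:\db\progs) with two risky directories.
SAMPLE_INI = r"""
[netrun]
maxruns=12
runpath=c:\sort;c:\db\progs;c:\lanman\netprog;c:\os2
"""

# Constructed directory listings and share list (assumptions for the example).
SAMPLE_LISTING = {
    r"c:\sort": ["SORT.EXE", "README.TXT"],
    r"c:\db\progs": ["REPORT.EXE", "LOAD.EXE"],
    r"c:\lanman\netprog": ["NET.EXE"],
    r"c:\os2": ["CMD.EXE", "XCOPY.EXE"],
}
SAMPLE_SHARED = {r"c:\db\progs"}


def norm(path):
    """Lower-case form of a path without a trailing backslash."""
    return path.strip().rstrip("\\").lower()


def audit_netrun(ini_text, listing, shared_dirs):
    """Return (findings, runnable) for the [netrun] section of ini_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    section = cp["netrun"] if cp.has_section("netrun") else {}
    findings = []

    # maxruns: range 1-10, default 3 (values from the manual).
    raw = section.get("maxruns", "3")
    if not raw.isdigit() or not 1 <= int(raw) <= 10:
        findings.append(("maxruns", f"value {raw!r} is outside the range 1-10"))

    shared = {norm(d) for d in shared_dirs}
    files = {norm(d): names for d, names in listing.items()}
    runnable = []
    for entry in section.get("runpath", "").split(";"):
        if not entry.strip():
            continue
        d = norm(entry)
        # The manual's example: LANMAN\NETPROG in the run path gives users
        # full administrative access to the server.
        if d.endswith("\\lanman\\netprog"):
            findings.append((d, "LANMAN\\NETPROG is in the run path"))
        # A shared run-path directory lets a user add a program and run it.
        if any(d == s or d.startswith(s + "\\") for s in shared):
            findings.append((d, "run-path directory is reachable through a share"))
        for name in files.get(d, []):
            if not name.lower().endswith(".exe"):
                continue  # only .EXE programs can be run under Netrun
            runnable.append(d + "\\" + name.lower())
            # Netrun programs run with admin privilege, so a command
            # interpreter in the run path bypasses file security.
            if name.lower() == "cmd.exe":
                findings.append((d, "CMD.EXE is available through Netrun"))
    return findings, sorted(runnable)


if __name__ == "__main__":
    found, programs = audit_netrun(SAMPLE_INI, SAMPLE_LISTING, SAMPLE_SHARED)
    for where, problem in found:
        print(f"{where}: {problem}")
    print("Programs users can run:", ", ".join(programs))
```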
-
-
-
- Starting the Netrun Service
-
- When you start the Netrun service, you can specify the maximum number of
- users who can use it, and set the run path. There are two ways to start the
- Netrun service using the Config menu. You can choose the Control services
- command and set Netrun options, or you can choose the Server options
- command, and start Netrun as part of the server configuration. Both
- procedures are described in the sections that follow.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- When you start the Netrun service for the first time and when you add
- programs to the server's run path, be sure to tell the appropriate users.
- For security reasons, users cannot use the LAN Manager Screen or any
- commands to find out what programs are available for use.
- ────────────────────────────────────────────────────────────────────────────
-
- To start the Netrun service and set options:
-
-
- 1. From the Config menu, choose Control services.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. In the list box, select "Netrun."
-
- 3. Choose <Start>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 4. In the list box, select the option you want to modify and, in the
- "Value" text box, enter the value.
-
- 5. Choose <Set>.
-
- 6. Choose <OK>.
-
- 7. Choose <Done>.
-
-
- To start the Netrun service as part of the server configuration:
-
-
- 1. From the Config menu, choose Server options.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. From the "Start server services" check boxes, mark "Netrun service."
-
- 3. Choose <OK>.
-
- NOTE You cannot set the run path using this procedure.
-
- Command Line
-
- To start the Netrun service and set options, type
-
-
- net start netrun [/maxruns:number] [/runpath:pathname]
-
- See Net Start Netrun, Microsoft LAN Manager Administrator's Reference.
-
-
- Starting Netrun Automatically
-
- You can have the Netrun service start automatically each time the server
- starts by adding netrun to the list of services in the srvservices entry of
- the LANMAN.INI file's [server] section. For more information about the
- LANMAN.INI file, see the Microsoft LAN Manager Administrator's Reference.
-
-
- Stopping the Netrun Service
-
- Before stopping the Netrun service, be sure nobody is running a program
- using the Netrun service. If you stop the Netrun service while such a
- program is running, the program will fail.
-
- To stop the Netrun service:
-
-
- 1. To see if anyone is using the Netrun service, from the Status menu,
- select Opened files.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- This dialog box shows which server files are currently in use and who
- is using them. If PIPE\LANMAN\NETRUN is listed, then the person whose
- username appears by the resource is using the Netrun service.
-
- 2. Choose <Done>.
-
- 3. If nobody is using the Netrun service, from the Config menu, choose
- Server options.
-
- The "Set Configuration for Server \\server" dialog box (Figure 12.1)
- appears.
-
- 4. From the "Start server services" check boxes, unmark the "Netrun
- service" check box.
-
- 5. Choose <OK>.
-
-
- Command Line
-
- To stop the Netrun service:
-
-
- 1. See if anyone is using the Netrun service by typing
-
- net file
-
- If the resource PIPE\LANMAN\NETRUN is listed, then the person whose
- username appears by that resource is using the Netrun service.
-
- 2. If nobody is using the Netrun service, type
-
- net stop netrun
-
-
- See Net File and Net Stop, Microsoft LAN Manager Administrator's Reference.
-
-
-
- Adding a Program
-
- At any time after you begin using the Netrun service, you can modify the
- list of programs available under the Netrun service.
-
- To add a program for use with the Netrun service:
-
-
- 1. Move the new program to a directory in the run path, or add the
- directory containing the program to the run path.
-
- If you add a directory to the run path, be sure the directory includes
- only programs that you want to give users access to.
-
- To add a directory to the run path, add the pathname of the directory
- to the runpath entry in the LANMAN.INI file's [netrun] section. Use a
- semicolon to separate multiple pathnames. For details on how to do
- this, see the "Creating a Run Path" section, earlier in this chapter.
-
- 2. If the server has user-level security, be sure that the users who will
- run the new program have either R or X (Read or Execute) permission
- for the program file.
-
- 3. If you added a directory to the run path, you must restart the Netrun
- service before the new directories are recognized.
-
- For instructions on how to stop and start the Netrun service, see the
- "Starting the Netrun Service" and "Stopping the Netrun Service"
- sections, earlier in this chapter.
-
-
-
- Removing a Program
-
- You have three options for removing a program from use with the Netrun
- service:
-
-
- ■ Move the program to a directory not in the run path.
-
- ■ Remove the directory containing the program from the run path. This
- also prevents all other files in the directory from being used with
- the Netrun service.
-
- After you remove a directory from the run path, stop and restart the
- Netrun service.
-
- ■ If the server has user-level security, you can modify a user's
- permissions for the program. Removing the user's RX (Read and Execute)
- permissions prevents the person from running the program with Netrun.
- For information about using permissions with user-level security, see
- Chapter 4, "User-Level Security."
-
-
-
-
-
-
-
- Chapter 13 Replicating Files and Directories
- ────────────────────────────────────────────────────────────────────────────
-
- The Replicator service lets you maintain identical sets of files and
- directories on different servers and MS OS/2 workstations. Replication
- simplifies the task of updating and coordinating files. If users need access
- to particular files, you can update the files on one server and let
- replication take care of updating the files on other workstations and
- servers.
-
- The Replicator service can replicate administrative and application program
- source files, including configuration profiles and application directories.
- This service, for example, is used to maintain a set of identical logon
- scripts on all servers with user-level security that process logon requests
- in a domain.
-
- Replication is controlled by options to the service that can be set using
- the LANMAN.INI file or from the command line using the net start replicator
- command.
-
- This chapter describes the replication process. It tells how to configure
- LAN Manager servers to export files during replication, and how to set up
- servers and MS OS/2 workstations to receive the updates.
-
-
- How Replication Works
-
- To replicate a set of files and directories on several computers, you
- designate an export server on which you maintain a master set of files and
- directories to be replicated. Only a LAN Manager server can be configured as
- an export server. LAN Manager servers and MS OS/2 workstations that receive
- the file replicas are configured as import servers.
-
- All files and directories to be replicated are kept in the export server's
- export directory. Import servers have a corresponding import directory.
- Export servers can replicate directory trees with as many as 32 levels. Each
- directory can contain as many as 200 files and subdirectories.
-
- The Replicator service monitors the export directory. When you change a
- file, or add or delete a directory or file in the export directory, the
- Replicator service makes the equivalent change in the complementary import
- directories on all import servers. Files cannot be replicated if they are
- open.
-
- From an export server, replication can be targeted (some files replicated
- to one group of import servers, other files to another group) by creating
- subdirectories under the export directory. Files in the export directory
- itself are not replicated.
-
- Export servers replicate only those subdirectories for which there is a
- matching directory directly under the import directory on the import server.
-
-
- A network can have any number of export and import servers. A server can be
- both an export and an import server; workstations can be configured only as
- import servers.
-
- The import directory path can be local or remote. To replicate files
- locally, specify both an export and import directory path on the export
- server. This creates "mirror" copies of the data; these are useful for
- updating shared directories on the export server.
-
- A remote import directory path has the effect of "pushing" data changes to
- the remote target. This can be used to replicate data to LAN Manager 1.x
- servers, which do not support the Replicator service.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Two export servers should not replicate the same directories and files to
- the same import servers. Import servers can only synchronize with one export
- server for a specific directory.
-
- ────────────────────────────────────────────────────────────────────────────
-
-
- The REPL.INI File
-
- For each directory immediately below the export directory, you can create a
- REPL.INI file, which controls how much of the subdirectory tree is
- replicated, and under what conditions. The REPL.INI file contains two
- entries: extent and integrity. For each entry, the value is either tree or
- file.
-
- The extent entry specifies whether or not all subdirectories are replicated.
- If extent equals tree, all files and subdirectories are replicated. Setting
- extent equal to file replicates only files in the first-level directory.
-
- If integrity equals tree, all files and subdirectories must be stable (no
- changes) for a specified interval before any replication takes place. If
- integrity equals file, each file can be replicated as soon as it is changed.
-
- If you don't create a REPL.INI file for one of these directories, the
- Replicator service uses the following default values:
-
- extent=tree
- integrity=file
-
- Each entry (extent and integrity) must be on a different line in the file.
-
- Figure 13.1 shows a typical export directory that replicates two
- subdirectories, RECEIPTS and OFFICES. The REPL.INI file is shown for each
- subdirectory.
-
- (This figure may be found in the printed book).
-
- The entire RECEIPTS directory tree is replicated (extent=tree), but only
- after all files in the tree are stable for the specified interval
- (integrity=tree). In the OFFICES subdirectory, the STRATEGY.TXT and
- HISTORY.TXT files are replicated, but not the CURRENT and PLANNED
- subdirectories (extent=file). Because integrity=file for this subdirectory,
- HISTORY.TXT can be open while STRATEGY.TXT is being replicated.
-
- The following procedures tell how to prepare an export server to send
- replicas, and how to prepare an import server to receive replicated
- directories using the Replicator service.
-
-
- Preparing an Export Server
-
- For information about exporting logon scripts for user-level security, see
- Chapter 4, "User-Level Security."
-
- To prepare an export server for replication:
-
-
- 1. Edit the LANMAN.INI file's [replicator] section:
-
- ■ For the replicate entry, change the value to export. You can set
- up the server as both an export and import server
- (replicate=both).
-
- ■ For the exportpath entry, specify the path to the server's export
- directory tree. By default, the Replicator service expects
- REPL\EXPORT (relative to the LANMAN directory).
-
- ■ For the exportlist entry, specify the list of import servers and
- domains to receive update notices; 0-32 names can be included.
- When specifying a computername, do not include the two backslashes
- (\\) at the beginning of the name. Use a semicolon to separate
- multiple names. The default is the export server's domain.
-
- ■ For the interval entry, specify how often (in minutes) the
- Replicator service checks the export directory for changes. The
- range is 1-60; the default is 5 minutes.
-
- ■ For the guardtime entry, specify the number of minutes the export
- directory must be stable (no file changes) before it can be
- replicated to import servers. The range is 0 to (interval/2); the
- default is 2 minutes.
-
- ■ For the pulse entry, specify how often the export server sends
- update messages to an import server when no change occurs. This
- value is in multiples of interval minutes. The range is 1-10; the
- default is 3.
-
- ■ For the random entry, specify the maximum number of seconds import
- servers can stagger the replication of files. The range is 1-120;
- the default is 60 seconds.
-
- NOTE With the exception of replicate, each entry in the
- [replicator] section of the LANMAN.INI file pertains to either
- export or import servers, but not both.
-
-
- 2. To start the Replicator service automatically, add replicator to the
- list of services in the srvservices entry in the [server] section of
- LANMAN.INI.
-
- 3. Create the export directory tree specified by the exportpath entry.
-
- 4. Within the export directory tree:
-
- ■ Create a subdirectory for each set of files that you want to
- replicate.
-
- ■ Copy the files to be replicated into each subdirectory.
-
- ■ If you don't want to accept the default REPL.INI settings
- (extent=tree, integrity=file) for any of the subdirectories,
- create a REPL.INI file in the subdirectory with the desired extent
- and integrity values.
-
-
- 5. Start the Replicator service for the changes to take effect.
-
-
-
- Assigning Permissions for Replication
-
- To replicate files and directories to an import server, the Replicator
- service must be able to access the export directory tree on behalf of the
- import server. Regardless of the method used, the import server must have RA
- (Read and Change Attribute) permissions for the export directory tree.
-
-
- Method for User-Level Security
-
- On an import server with user-level security, there are two ways to grant
- access to the export directory tree:
-
-
- ■ Set the tryuser entry in the [replicator] section of the import
- server's LANMAN.INI file to yes. This causes the Replicator service to
- try to replicate using the permissions for the user logged on at the
- import server. For replication to take place, the user must have an
- account on the export server and have RA permissions on the
- REPL\EXPORT directory.
-
- If tryuser=no or the replication fails, the Replicator service tries
- the next method.
-
- ■ Set the logon entry in the [replicator] section of the import server's
- LANMAN.INI file to username, where username is the name of a user
- account that has RA permissions on the REPL\EXPORT directory on the
- export server. Also, set the password entry to that account's password
- on the export server. For replication to occur, no users can be logged
- on at the import server.
-
-
- Creating a Default Access Account - The simplest way to give access to
- multiple import servers is to create a group on the export server, giving
- the group RA (Read and Change Attribute) permissions for the export
- directory tree. This group contains an account for each import server.
-
- To create a default access account:
-
-
- 1. On the export server, create the group rep.
-
- 2. Create user accounts using the computernames of each import server,
- and add them to the rep group.
-
- Set the minimum password length to 0, and do not assign passwords to
- the accounts.
-
- 3. Assign the rep group RA (Read and Change Attribute) permissions for
- the export directory tree.
-
-
- For information about creating groups and user accounts, controlling
- password restrictions, and setting permissions for a directory or file, see
- Chapter 4, "User-Level Security."
-
-
- Method for Share-Level Security
-
- On a server with share-level security, the export directory tree
- (LANMAN\REPL\EXPORT) is automatically shared as REPL$ with RA (Read and
- Change Attribute) permissions when you start the Replicator service. It is
- shared without a password.
-
-
- Preparing an Import Server
-
- To prepare an import server for replication:
-
-
- 1. Edit the LANMAN.INI file's [replicator] section:
-
- ■ For the replicate entry, change the value to import. If
- configuring a LAN Manager server, you can set up the server as
- both an import and export server (replicate=both).
-
- ■ For the importpath entry, specify the path to the import
- directory. By default, the Replicator service expects REPL\IMPORT
- (relative to the LANMAN directory).
-
- ■ For the importlist entry, specify the list of export servers and
- domains that will replicate files to the import server; 0-32 names
- can be included. When specifying a computername, do not include
- the two backslashes (\\) at the beginning of the name. Use a
- semicolon to separate multiple names. The default is the import
- server's domain.
-
- ■ For the tryuser entry, indicate whether the Replicator service
- should try to replicate files on an import server if a user is
- logged on at the server. The default is yes. A no value means
- files will not be replicated while a user is logged on.
-
- ■ For the logon entry, specify a username for the Replicator service
- to use when logging on at the import server. The entry is not used
- while a user is logged on.
-
- ■ For the password entry, specify the password the Replicator
- service is to use with the logon entry.
-
-
- 2. To start the Replicator service automatically, add replicator to the
- list of services in the srvservices entry in the [server] section
- (servers only) or the wrkservices entry in the [workstation] section
- of the LANMAN.INI file.
-
- NOTE With the exception of replicate, each entry in the [replicator]
- section of the LANMAN.INI file pertains to either export or import
- servers, but not both.
-
- 3. Create the import directory tree specified by the importpath entry.
-
- 4. Within the import directory tree, create a subdirectory with the same
- name as each first-level subdirectory that you want to replicate in
- the export server's export directory tree.
-
- For example, to replicate the directory tree shown in Figure 13.1, you
- would create the first-level directories RECEIPTS and OFFICES. When
- extent=tree in the REPL.INI file (the default value), the Replicator
- service creates the needed subdirectories within those directories.
-
- 5. Start the Replicator service for the changes to take effect.
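-
- The [replicator] entries from the export and import procedures above, checked by a short script. This is an added example, not part of LAN Manager or its documentation; the function names and the sample LANMAN.INI text are constructed, and it assumes the file parses as plain key = value lines.
-

```python
import configparser

# Constructed sample LANMAN.INI fragment (not taken from a real server).
SAMPLE_INI = r"""
[replicator]
replicate = export
exportpath = REPL\EXPORT
exportlist = \\IMPORT1;IMPORT2
interval = 10
guardtime = 6
pulse = 3
random = 60
logon = repluser
password = secret
"""

# Defaults and ranges as given in the two procedures above.
DEFAULTS = {"interval": 5, "guardtime": 2, "pulse": 3, "random": 60}
RANGES = {"interval": (1, 60), "pulse": (1, 10), "random": (1, 120)}
# Entries listed under the export procedure and under the import procedure.
EXPORT_ONLY = {"exportpath", "exportlist", "interval", "guardtime", "pulse", "random"}
IMPORT_ONLY = {"importpath", "importlist", "tryuser", "logon", "password"}


def _number(section, key, findings):
    """Return the entry as an int, its default if absent, or None if malformed."""
    raw = section.get(key)
    if raw is None:
        return DEFAULTS[key]
    try:
        return int(raw)
    except ValueError:
        findings.append((key, f"not a number: {raw!r}"))
        return None


def audit_replicator(ini_text):
    """Return a list of (entry, problem) pairs for the [replicator] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section("replicator"):
        return [("replicator", "section is missing")]
    sec = parser["replicator"]
    findings = []

    role = sec.get("replicate", "").lower()
    if role not in ("export", "import", "both"):
        findings.append(("replicate", f"unexpected value {role!r}"))

    values = {key: _number(sec, key, findings) for key in DEFAULTS}
    for key, (low, high) in RANGES.items():
        value = values[key]
        if value is not None and not low <= value <= high:
            findings.append((key, f"{value} is outside {low}-{high}"))
    interval, guard = values["interval"], values["guardtime"]
    if None not in (interval, guard) and not 0 <= guard <= interval / 2:
        findings.append(("guardtime", f"{guard} is outside 0-{interval / 2:g} (interval/2)"))

    for key in ("exportlist", "importlist"):
        names = [n.strip() for n in sec.get(key, "").split(";") if n.strip()]
        if len(names) > 32:
            findings.append((key, f"{len(names)} names; at most 32 are allowed"))
        for name in names:
            if name.startswith("\\\\"):
                findings.append((key, f"{name} must not start with two backslashes"))

    # Each entry other than replicate applies to one role only.
    unused = {"export": IMPORT_ONLY, "import": EXPORT_ONLY}.get(role, set())
    for key in sorted(unused & set(sec)):
        findings.append((key, f"has no effect when replicate={role}"))

    if sec.get("password"):
        findings.append(("password", "LANMAN.INI holds a logon password; restrict read access to the file"))
    return findings


if __name__ == "__main__":
    for entry, problem in audit_replicator(SAMPLE_INI):
        print(f"{entry}: {problem}")
```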
-
-
-
- Maintaining Replication
-
- Users should not change any of the files in import directories. These
- changes are overwritten when the Replicator service updates the import
- directory.
-
- To ensure that files and directories in the export directory are not
- replicated while they are being updated, in a first-level subdirectory of
- the export directory, create a file named USERLOCK. USERLOCK doesn't have to
- contain any data; its presence prevents replication.
-
- In the REPL directory tree shown in Figure 13.1, putting a USERLOCK file in
- the RECEIPTS directory would prevent replication of all files in the
- RECEIPTS, JANUARY, and FEBRUARY subdirectories.
-
- USERLOCK files are only in effect when integrity=tree in the export
- directory's REPL.INI file. If integrity=file, the USERLOCK file is ignored.
-
- To indicate the import directory's replication status, the Replicator
- service puts a signal file in each first-level subdirectory. Signal files
- have the following meanings:
-
- OK.RP$
- The directory is receiving regular updates from an export server, and the
- data is identical to that of the export. The date of this file is set to
- the last time an update was received.
-
- NO_MASTR.RP$
- The directory is not receiving updates. Either the export server is not
- running, or it has stopped exporting this directory. This file is also
- placed in newly created import directories when the Replicator service
- first starts.
-
- NO_SYNC.RP$
- The directory is receiving updates from an export server, but the data is
- not up to date. This could be due to a communication failure, open files
- on the import or export server, the import server not having access
- permissions at the export server, or the export server going down
- suddenly. The date of this file is set to the time the directory first
- became out of date.
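-
- One way to read the signal files described above from a monitoring script. This is an added example, not a LAN Manager utility; the import tree is built in a temporary directory as constructed sample data (ARCHIVE and SCRATCH are made-up names), and the age threshold is an assumption an operator would tune.
-

```python
import os
import tempfile
import time

# Signal files and their meanings, as listed above.
SIGNALS = {
    "OK.RP$": "in sync with the export server",
    "NO_MASTR.RP$": "not receiving updates",
    "NO_SYNC.RP$": "receiving updates, but data is not up to date",
}


def replication_status(import_root, now=None):
    """Map each first-level subdirectory to (signal, meaning, age_minutes)."""
    now = time.time() if now is None else now
    report = {}
    for entry in sorted(os.scandir(import_root), key=lambda e: e.name):
        if not entry.is_dir():
            continue
        found = (None, "no signal file found", None)
        for item in os.scandir(entry.path):
            name = item.name.upper()
            if name in SIGNALS and item.is_file():
                # The file date is the last update (OK.RP$) or the time the
                # directory first became out of date (NO_SYNC.RP$).
                age = int((now - item.stat().st_mtime) // 60)
                found = (name, SIGNALS[name], age)
        report[entry.name] = found
    return report


def needs_attention(report, max_ok_age_minutes):
    """Names of directories that are not OK, or whose OK.RP$ is older than the threshold."""
    flagged = []
    for name, (signal, _meaning, age) in report.items():
        if signal != "OK.RP$" or age > max_ok_age_minutes:
            flagged.append(name)
    return sorted(flagged)


def build_sample_tree(now):
    """Create a constructed import tree with one directory per status."""
    root = tempfile.mkdtemp(prefix="repl_import_")
    layout = [("RECEIPTS", "OK.RP$", 3), ("OFFICES", "NO_SYNC.RP$", 90),
              ("ARCHIVE", "NO_MASTR.RP$", 0), ("SCRATCH", None, 0)]
    for sub, signal, age_minutes in layout:
        path = os.path.join(root, sub)
        os.mkdir(path)
        if signal:
            signal_path = os.path.join(path, signal)
            open(signal_path, "w").close()
            stamp = now - age_minutes * 60
            os.utime(signal_path, (stamp, stamp))
    return root


if __name__ == "__main__":
    current = int(time.time())
    status = replication_status(build_sample_tree(current), current)
    for directory, (signal, meaning, age) in status.items():
        print(f"{directory:10} {signal or '-':14} {meaning} (age: {age} min)")
    print("needs attention:", needs_attention(status, 30))
```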
-
-
- Stopping Replication
-
- Stopping replication of files is easily done on either an export server or
- an import server.
-
- To stop replication:
-
-
- 1. On an export server, use any of the following methods:
-
- ■ Stop the Replicator service.
-
- ■ Delete files from the export directory.
-
- ■ Delete the first-level subdirectory (and its contents) that you no
- longer wish to export.
-
- ■ Place a USERLOCK file in the subdirectories you want to
- temporarily stop replicating.
-
-
- 2. On an import server, use one of two methods:
-
- ■ Stop the Replicator service.
-
- ■ Delete the first-level subdirectory for any directories or files
- for which replicas are no longer needed.
-
-
-
-
-
-
-
- Chapter 14 Using the Remoteboot Service
- ────────────────────────────────────────────────────────────────────────────
-
- When you boot a computer, the operating system is loaded into memory. The
- LAN Manager Remoteboot service, running on a server, supports MS OS/2 or
- MS-DOS workstations that boot using the server's hard disk instead of their
- own. Each participating workstation has a network adapter card that
- retrieves startup and configuration software from the server when the
- workstation starts; the workstation does not need to have a hard disk at
- all. This process is known as remoteboot, or remote program load (RPL).
-
- For remoteboot, workstations must have a Token-Ring network adapter card
- with the RPL ROM chip installed.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- The server's MS OS/2 license does not extend to other computers. You must
- have one valid MS-DOS or MS OS/2 license for each remoteboot workstation.
- ────────────────────────────────────────────────────────────────────────────
-
- The Microsoft LAN Manager Installation Guide describes how to install the
- Remoteboot service on one server and set it up to boot one workstation.
-
- This chapter describes the following:
-
-
- ■ Adding remoteboot workstations
-
- ■ Supporting other versions of MS-DOS (version 4.01 is initially
- supported)
-
- ■ Customizing device drivers for each workstation
-
- ■ Replicating remoteboot support to other servers for backup
-
- ■ Booting from one server and sharing work directories from another
- server
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- The LANMAN directory in the following procedures may have another pathname
- on the server; this is set during installation. The default is C:\LANMAN.
- ────────────────────────────────────────────────────────────────────────────
-
-
-
-
-
- Adding a Remoteboot Workstation to the Network
-
- Once the Remoteboot service is set up to boot one workstation, you can
- modify the server to boot additional workstations.
-
- Adding a workstation includes the following processes:
-
-
- ■ Creating remoteboot directories
-
- ■ Adjusting user-level security
-
- ■ Adding a workstation record in the RPL.MAP file
-
- ■ Adding a .FIT file for the workstation
-
- ■ Modifying configuration files for an MS OS/2 workstation
-
- ■ Enabling the remoteboot process on a workstation with a hard disk
-
-
-
- Creating Remoteboot Directories
-
- To create remoteboot directories for the new workstation:
-
-
- 1. Choose a computername for the workstation; the computername can have
- as many as eight characters.
-
- 2. Create a workstation directory in the server's LANMAN\RPL\MACHINES
- directory.
-
- Name the directory LANMAN\RPL\MACHINES\computername, where
- computername is the workstation's name. For example, for the computer
- RM150, you could create the logon directory LANMAN\RPL\MACHINES\RM150.
-
- 3. Copy the LANMAN\RPL\MACHINES\DEFAULT directory to
- LANMAN\RPL\MACHINES\computername.
-
- The DEFAULT directory contains a CONFIG.SYS and STARTUP.CMD file and a
- LANMAN subdirectory with a LANMAN.INI file.
-
- 4. Create a work directory for the workstation in the server's
- LANMAN\RPLUSER directory.
-
- Name the directory LANMAN\RPLUSER\computername, where computername is
- the workstation's name. Or, create a subdirectory in the workstation's
- work directory for each user. For example, for the computer RM150, you
- could create the work directory LANMAN\RPLUSER\RM150, and then within
- it create a subdirectory for each user.
-
- 5. For an MS OS/2 workstation, copy all of the files in the
- LANMAN\RPLUSER\DEFAULT subdirectory to LANMAN\RPLUSER\computername.
-
- Or, if you set up the account under the user's name, copy the
- directory to LANMAN\RPLUSER\computername\username.
-
-
-
- Adjusting User-Level Security
-
- On a server with user-level security, you must create user accounts and
- assign permissions to allow access for remoteboot workstation users.
-
- If the server has user-level security:
-
-
- 1. Create a user account with the workstation's computername, adding the
- account name to the rpl group.
-
- Do not assign a password to this account. This account is used by the
- server to establish the identity of the workstation at boot time.
-
- 2. Create a user account for each person who will use the workstation.
-
- Use account names different from the computername. If you want to
- restrict this user to work only at this workstation, specify the
- computername of the workstation in the "Valid workstations" field (the
- net user /workstation option).
-
- 3. Assign the computer's account RWCDXA permissions for the work
- directory that the person will use. Specify that these permissions are
- to be inherited (using <Permit> and <Permit tree> in the LAN Manager
- Screen for administrators).
-
- 4. Assign the computer's account RX permissions for the
- LANMAN\RPL\MACHINES\computername directory and specify that these
- permissions are to be inherited.
-
-
-
- Adding a Workstation Record
-
- When a remote workstation sends out a boot request over the network, a
- server checks whether its LANMAN\RPL\RPL.MAP file contains a workstation
- record for the workstation. If no record is found, the server waits until
- the number of requests specified in field 3 of the server record is received
- from the workstation. If this number is reached within the time specified in
- field 4 of the server record, the server boots the workstation using a copy
- of the enabled default workstation record.
-
- To add a new workstation record to a server's RPL.MAP file:
-
-
- 1. To make a backup copy of the RPL.MAP file, type
-
- copy rpl.map rpl.old
-
- 2. On the server, edit the RPL.MAP file's default workstation record,
- typing the server's computername in field 5.
-
- 3. RPL.MAP is initially adjusted to boot workstations with MS-DOS. To
- boot the workstation with MS OS/2:
-
- ■ Edit the default MS-DOS workstation record, replacing the R that
- begins field 12 with D. This disables the MS-DOS record.
-
- ■ Edit the default MS OS/2 workstation record, replacing the D that
- begins field 12 with R. This enables the MS OS/2 record.
-
-
- 4. Start the server's Server and Remoteboot services.
-
- 5. Start the remote workstation, and allow time for the server to respond
- to the workstation's boot request.
-
-
-
- Enabling Workstation Records
-
- When booting a workstation remotely for the first time, the server
- automatically creates a copy of the default workstation record in the
- RPL.MAP file and copies the workstation's adapter ID into field 1 of the new
- workstation record. Figure C.5 shows the RPL.MAP file as it appears when a
- new workstation record is added to the end of it.
-
- ???????????? DEFAULT ~ DOS401 RPLSERVR ~ ~ ~ ~,,, Z R_DOS ~ ~
- ???????????? DEFAULT ~ FITS\DEFAULT RPLSERVR ~ ~ ~ ~,,, ~ D_OS2 ~ ~
- .
- .
- .
- 10005A25DDF8 DEFAULT ~ DOS401 RPLSERVR ~ ~ ~ ~,,, Z D_DOS ~ ~
-
- Figure C.5 A new workstation record in RPL.MAP
-
- The new record is automatically appended to the end of the RPL.MAP file. To
- boot the workstation using the new record, you must enable the record.
- Otherwise, the workstation will continue to use the default workstation
- record each time it boots.
-
- To enable a new workstation record:
-
-
- 1. Edit the new workstation record in the RPL.MAP file, making the
- following changes:
-
- ■ Type the workstation's computername in field 2.
-
- ■ Replace the D that begins field 12 with R.
-
-
- 2. If the workstation was booted using MS OS/2, change field 4 of the
- record to the pathname of the workstation's .FIT file
- (FITS\computername).
-
- 3. To put the RPL.MAP file changes into effect, reboot the workstation.
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If the workstation has a hard drive, you must use the rplenabl utility to
- prepare the workstation for using the Remoteboot service. For information
- about rplenabl, see the "Enabling the Remoteboot Process on a Workstation's
- Hard Disk" section, later in this chapter.
- ────────────────────────────────────────────────────────────────────────────
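-
- Because the server appends a disabled record for every adapter it boots from the default record, RPL.MAP doubles as a list of workstations that booted without being enrolled. The script below is an added example, not a LAN Manager tool: it reads the three records of Figure C.5 plus two constructed ones (adapter IDs ending AA01 and AA02, computername RM151), and it assumes the enable flag can be found by its R_ or D_ prefix rather than by counting fields.
-

```python
import re

# First three records are those shown in Figure C.5; the last two are constructed.
SAMPLE_RPL_MAP = r"""
???????????? DEFAULT ~ DOS401 RPLSERVR ~ ~ ~ ~,,, Z R_DOS ~ ~
???????????? DEFAULT ~ FITS\DEFAULT RPLSERVR ~ ~ ~ ~,,, ~ D_OS2 ~ ~
10005A25DDF8 DEFAULT ~ DOS401 RPLSERVR ~ ~ ~ ~,,, Z D_DOS ~ ~
10005A25AA01 RM150 ~ FITS\DEFAULT RPLSERVR ~ ~ ~ ~,,, ~ R_OS2 ~ ~
10005A25AA02 RM151 ~ FITS\RM151 RPLSERVR ~ ~ ~ ~,,, ~ R_OS2 ~ ~
"""

ADAPTER = re.compile(r"^(?:[0-9A-Fa-f]{12}|\?{12})$")  # field 1
FLAG = re.compile(r"^([RD])_(\w+)$")                    # R = enabled, D = disabled


def parse_workstation_records(text):
    """Return one dict per workstation record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not ADAPTER.match(fields[0]):
            continue  # blank lines, server records and anything unrecognised
        flag = None
        for field in fields[5:]:
            flag = FLAG.match(field)
            if flag:
                break
        records.append({
            "adapter": fields[0],   # field 1: adapter ID
            "name": fields[1],      # field 2: computername
            "image": fields[3],     # field 4: boot image or .FIT path
            "server": fields[4],    # field 5: boot server
            "enabled": bool(flag) and flag.group(1) == "R",
            "os": flag.group(2) if flag else None,
        })
    return records


def audit_workstation_records(records):
    """Return (adapter, problem) pairs for records that need an administrator."""
    findings = []
    for rec in records:
        if rec["adapter"] == "?" * 12:
            continue  # default records are templates, not workstations
        if not rec["enabled"]:
            findings.append((rec["adapter"],
                             "appended after a default boot; not yet enabled"))
        elif rec["name"].upper() == "DEFAULT":
            findings.append((rec["adapter"],
                             "enabled, but field 2 is still DEFAULT"))
        elif rec["os"] == "OS2" and rec["image"].upper() != "FITS\\" + rec["name"].upper():
            findings.append((rec["adapter"],
                             "MS OS/2 record does not use FITS\\" + rec["name"]))
    return findings


if __name__ == "__main__":
    for adapter, problem in audit_workstation_records(
            parse_workstation_records(SAMPLE_RPL_MAP)):
        print(adapter, problem)
```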
-
-
-
-
-
- Adding a .FIT File for the Workstation
-
- Each workstation uses a file index table (.FIT file) to translate pathnames
- of certain files to the actual locations of the files on the server running
- the Remoteboot service. For example, if the user types c:\config.sys, the
- server running the Remoteboot service translates this to
- LANMAN\MACHINES\computername\CONFIG.SYS.
-
- To prepare a .FIT file for the first remoteboot workstation:
-
-
- 1. Change directories to the LANMAN\RPL\FITS directory.
-
- 2. Edit DEFAULT.FIT, changing all occurrences of RPLSERVR to the boot
- server's computername.
-
- 3. Copy DEFAULT.FIT to computername.FIT.
-
- 4. In the new computername.FIT file, change all instances of DEFAULT to
- the new workstation's computername.
-
-
-
- Adjusting Configuration Files for an MS OS/2 Workstation
-
- Each MS OS/2 remoteboot workstation has its own CONFIG.SYS, STARTUP.CMD,
- OS2INIT.CMD, and LANMAN.INI files, but uses a central copy of the MS OS/2
- and LAN Manager software. (MS-DOS remoteboot workstations use a central copy
- of the MS-DOS and LAN Manager initialization files.) You need to modify the
- workstation's own configuration files to suit that workstation. (For
- example, be sure to type the name of the server's domain for the domain
- entry in the workstation's LANMAN.INI file.)
-
- This section describes other adjustments you may need to make to the
- CONFIG.SYS and computer.FIT files.
-
-
- Video Display Device Drivers
-
- By default, the remoteboot workstation is configured to use the same type of
- video display as the one used by the server. If the workstation and server
- have different video display types, modify the CONFIG.SYS and computer.FIT
- files for the workstation.
-
- To configure the workstation for a video display that is different than the
- server's:
-
-
- 1. Modify CONFIG.SYS:
-
- ■ If the workstation has an EGA display monitor, find the three
- lines preceded by
-
- REM for VGA, use these
-
- Insert the word REM at the beginning of each of these three lines
- to comment out the lines.
-
- Find the three lines preceded by
-
- REM for EGA, use these
-
- Remove REM from the beginning of each of these three lines to
- enable the EGA configuration.
-
- ■ If the workstation has a CGA display monitor, find the three lines
- preceded by
-
- REM for VGA, use these
-
- Insert the word REM at the beginning of each of these three lines
- to comment out the lines.
-
- Add the following lines:
-
- devinfo=scr,cga,c:\os2\viotbl.dcp
- set video_devices=vio_ibmcga
- set vio_ibmcga=device(bvhcga)
-
- ■ Add configuration lines for any drivers the workstation requires
- that are not provided in the default CONFIG.SYS. Copy the drivers
- into the LANMAN\RPL\MACHINES\computername directory.
-
-
- 2. In the new computername.FIT file, you may need to add a display device
- driver for the workstation. If the workstation uses the same type of
- display monitor as the server, don't change anything. If the
- workstation uses a different display monitor, type the following line
- in the computername.FIT file:
-
- c:\os2\dll\display.dll os2\dll\xxxxxx.dll
-
- where xxxxxx is the appropriate display driver for the workstation.
- The display driver is one of the following:
-
- ■ IBMCGA
-
- ■ IBMEGA
-
- ■ IBMVGA
-
- NOTE If you want to allow users to edit their configuration
- files, copy the contents of LANMAN\RPL\MACHINES\DEFAULT into the
- workstation's work directory instead of
- LANMAN\RPL\MACHINES\computername. Then change all MACHINES
- subdirectory references in the workstation's .FIT file to
- \\servername\WRKFILES.
-
-
-
- Memory Swapping
-
- If the remote workstation has memory swapping enabled, the path for the swap
- file (the swappath entry) in LANMAN\RPL\MACHINES\computername\CONFIG.SYS
- should be set to use the workstation's hard disk (if it has one). This
- ensures that the swapper information is available to MS OS/2 should the
- server go down, and the user will not lose the use of the workstation.
-
- If the remote workstation is diskless, the server can be used for the
- swappath; however, if the server goes down, the user will have to wait for
- it to come back up before using the workstation. If this is a concern, turn
- swapping off for diskless MS OS/2 workstations.
-
- To use a remoteboot workstation's local hard disk for memory swapping:
-
-
- 1. On the server, change directories to the
- LANMAN\RPL\MACHINES\computername directory.
-
- 2. Edit the CONFIG.SYS file, setting the parameters as follows (pathname
- is the path of the swap directory):
-
- swappath=d:\pathname
- memman=swap,move,swapdos
-
-
- To use the server for swapping:
-
-
- 1. On the server, change directories to the
- LANMAN\RPL\MACHINES\computername directory.
-
- 2. Edit the CONFIG.SYS file, setting the parameters as follows:
-
- swappath=c:\os2\system
- memman=swap,move,swapdos
-
-
- To turn swapping off for either case, change the CONFIG.SYS file as follows:
-
-
- memman=noswap,move
-
-
- Other CONFIG.SYS Options
-
- To increase performance, change the libpath line to the following:
-
- libpath=c:\os2\dll;c:\lanman\netlib;c:\;
-
- If the workstation does not have a hard drive or if its hard drive does not
- have any HPFS partitions, comment out the following line by adding REM to
- the beginning of the line:
-
- ifs=c:\os2\hpfs.ifs -c:64
-
- If the workstation will not use the DOS session, set the protectonly line to
- read protectonly=yes and comment out the following lines:
-
- device=c:\os2\dos.sys
- device=c:\os2\ega.sys
-
-
- Enabling the Remoteboot Process on a Workstation's Hard Disk
-
- Before a workstation with a hard disk can be booted remotely, its hard disk
- must be properly configured for the Remoteboot service. This does not
- prevent users from accessing the hard disk after the workstation is booted.
-
-
- Use the LAN Manager rplenabl utility to prepare the workstation to use the
- Remoteboot service. Later, if you want to boot the workstation using its
- hard disk, run the rpldsabl utility to disable the Remoteboot configuration.
-
- To configure a workstation's hard disk for the remoteboot process:
-
-
- 1. Create a LAN Manager utility disk:
-
- ■ Format an MS-DOS floppy disk.
-
- ■ Copy the files RPLENABL.EXE and RPLDSABL.EXE from the
- LANMAN\RPL\DOS directory to the disk.
-
-
- 2. Boot MS-DOS on the workstation.
-
- 3. Put the LAN Manager utility disk in drive A and type
-
- rplenabl
-
- 4. Remove the disk, and press CTRL+ALT+DEL.
-
- The Remote Program Load Module information is displayed as the RPL ROM
- chip initializes the network adapter card.
-
-
-
- Disabling the Remoteboot Process on a Workstation's Hard Disk
-
- If you no longer want to boot a workstation remotely and it contains a
- bootable hard disk, run the rpldsabl utility to disable the Remoteboot
- service configuration and let the workstation boot using its hard disk.
-
- To disable the Remoteboot configuration:
-
-
- 1. Boot MS-DOS on the workstation.
-
- 2. Put the LAN Manager utility disk containing the rpldsabl utility in
- drive A and type
-
- rpldsabl
-
- 3. Remove the disk, and press CTRL+ALT+DEL.
-
- The workstation will now boot from its hard disk.
-
-
-
- Booting More than One Version of MS-DOS
-
- The following procedure tells how to create custom image files that allow
- some workstations to boot MS-DOS 4.01 and others to boot MS-DOS versions
- 3.20, 3.30, and 3.31.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- MS-DOS version 3.11 and IBM(R) DOS version 4.00 are not supported by the
- Remoteboot service.
- ────────────────────────────────────────────────────────────────────────────
-
- To create custom image files:
-
-
- 1. Make the directory LANMAN\RPL\DOSxxx, where xxx corresponds to the
- version of MS-DOS that you want to boot (for example, DOS330).
-
- 2. Copy all files from the MS-DOS version 3.xx installation disks to
- LANMAN\RPL\DOSxxx.
-
- 3. Change directories to the LANMAN\RPL\DOS directory.
-
- 4. In the LANMAN\RPL\DOS directory:
-
- ■ Copy the CONFIG.SYS file to DOSxxx.SYS.
-
- ■ Copy AUTOEXEC.BAT to DOSxxx.BAT.
-
- ■ Copy DOS401.DEF to DOSxxx.DEF.
-
-
- 5. Edit the DOSxxx.DEF file in the following ways, substituting the
- MS-DOS version number for xxx:
-
- ■ Change all occurrences of DOS401 to DOSxxx.
-
- ■ Change NETWKSTA.400 as shown in the following list:
-
- ─For MS-DOS version 4.01, use NETWKSTA.400
-
- ─For MS-DOS version 3.31, use NETWKSTA.330
-
- ─For MS-DOS version 3.30, use NETWKSTA.330
-
- ─For MS-DOS version 3.20, use NETWKSTA.320
-
- ■ Change LANMAN\RPL\DOS\CONFIG.SYS to LANMAN\RPL\DOS\DOSxxx.SYS.
-
- ■ Change LANMAN\RPL\DOS\AUTOEXEC.BAT to LANMAN\RPL\DOS\DOSxxx.BAT.
-
-
- 6. Add the appropriate lines to DOSxxx.DEF for any device drivers that
- you are adding to the DOSxxx.SYS file.
-
- For example, to add the enhanced memory adapter driver for a 286
- workstation, add the following line:
-
- ...\dosxxx\xma2ems.sys a:\xma2ems.sys
-
- 7. Make the necessary changes to DOSxxx.SYS or DOSxxx.BAT for each
- workstation.
-
- For example, to add the enhanced memory adapter driver for a 286
- workstation, add the following line to DOSxxx.SYS:
-
- device=a:\xma2ems.sys frame=xxxx p254=yyyy p255=zzzz
-
- If you add a line to run a .COM or .EXE file, put the line after the
- a:\net logon line.
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- When changing DOSxxx.BAT, be sure that the command a:\rplterm is the last
- line of the file. You should not use DOSxxx.BAT to start application
- programs. Doing so prevents rplterm from executing, and prevents users from
- using the A drive.
- ────────────────────────────────────────────────────────────────────────────
-
-
- 8. Ensure that the LANMAN\RPL\DOS directory is the current directory.
-
- 9. Put a formatted MS-DOS version x.xx system disk into drive A.
-
- 10. Create a new image file by typing
-
- makeimg dosxxx
-
- 11. In the RPL.MAP file, edit the workstation record for each workstation
- that is to run MS-DOS version x.xx, changing field 4 from DOS401 to
- DOSxxx.
-
- 12. Reboot any MS-DOS version x.xx workstations to put the changes into
- effect.
-
-
- Each time that you add a device driver entry to DOSxxx.SYS, you must add a
- corresponding entry to the LANMAN\RPL\DOS\DOSxxx.DEF file.
-
- Any time that you change files referenced in DOSxxx.DEF, and any time that
- you make changes to DOSxxx.DEF, or to the CONFIG.SYS, AUTOEXEC.BAT, or
- LANMAN.INI file in the LANMAN\RPL\DOS directory, you must run the makeimg
- utility to build a new image file.
-
-
- Adding Device Drivers
-
- At times, the default setup for booting workstations remotely is not
- adequate for all workstations. For example, to add a mouse to a remote
- workstation, you must add the pathname of the device driver to the MS-DOS
- boot image file or the MS OS/2 CONFIG.SYS file. Differences in workstation
- microprocessors also present a need for customized image files. For example,
- a 286 workstation needs a different extended memory device driver than does
- a 386 workstation.
-
- The process for adding device drivers is different for MS-DOS and MS OS/2.
- The following procedures tell how to add device drivers to the boot
- configuration for MS-DOS and MS OS/2.
-
-
- Adding Device Drivers to MS-DOS Workstations
-
- To boot different configurations based on workstation and user needs, you
- must create a directory to hold the specialized device driver files. In this
- directory, create a custom boot image file to boot the driver software on
- the workstation.
-
- To add a device driver to a remoteboot MS-DOS workstation:
-
-
- 1. On the server, create the directory LANMAN\RPL\CUSTOM.
-
- 2. Copy the device driver to the LANMAN\RPL\CUSTOM directory.
-
- 3. Change directories to the LANMAN\RPL\DOS directory.
-
- 4. In the LANMAN\RPL\DOS directory:
-
- ■ Copy the CONFIG.SYS file to CUSTOM.SYS.
-
- ■ Copy the AUTOEXEC.BAT file to CUSTOM.BAT.
-
- ■ Copy the DOS401.DEF file to CUSTOM.DEF.
-
-
- 5. Edit the CUSTOM.DEF file, adding a line for each device driver that
- you want to add to the workstation.
-
- For example, if the device driver is in the LANMAN\RPL\CUSTOM
- directory, add the following line:
-
- ...\custom\drivername a:\drivername
-
- 6. Edit the CUSTOM.SYS file, adding the following line for each new
- device driver:
-
- device= a:\drivername
-
- 7. Put the formatted MS-DOS 4.01 system disk in drive A, and create a new
- boot image file by typing
-
- makeimg custom
-
- This creates the boot image file CUSTOM.IMG.
-
- 8. For each workstation that will boot using the CUSTOM.IMG file, edit
- its workstation record in the RPL.MAP file, changing field 4 from
- DOS401 to CUSTOM.
-
- 9. Reboot each workstation to load the device driver(s).
-
-
-
- Adding Device Drivers to MS OS/2 Workstations
-
- To add a device driver to a remoteboot MS OS/2 workstation:
-
-
- 1. On the server, edit the LANMAN\RPL\MACHINES\computername\CONFIG.SYS
- file, adding the following line for each new device driver:
-
- device=c:\os2\drivername
-
- 2. Copy the device driver(s) to the C:\LANMAN\RPL\OS2 directory.
-
- 3. Reboot each workstation to load the device driver(s).
-
-
-
- Booting from One Server and Sharing Work Directories from Another Server
-
- If many workstations boot remotely on the network, you may want to have one
- server provide the Remoteboot service and one or more servers share the
- workstations' work directories. This reduces the amount of disk space that
- the server requires, and it balances out the boot process among network
- servers, improving performance at boot time.
-
- To provide boot service from one server and work directories from another,
- complete the following processes.
-
- On the server providing the disk space for work directories:
-
-
- 1. Create the LANMAN\RPLUSER directory.
-
- 2. Create a LANMAN\RPLUSER\computername subdirectory for each workstation
- that the server will service.
-
- 3. For each workstation that is to boot MS OS/2, copy the
- LANMAN\RPLUSER\DEFAULT directory and its contents to the
- LANMAN\RPLUSER\computername directory.
-
- 4. If the server has user-level security, create the necessary user
- accounts and assign permissions for the workstation.
-
- See the "Adjusting User-Level Security" section, earlier in the
- chapter.
-
- 5. Share the LANMAN\RPLUSER directory as the WRKFILES resource.
-
- If the server has share-level security, share the resource with no
- password, and assign RWCDXA permissions.
-
-
- On the server providing the Remoteboot service:
-
-
- 1. For MS OS/2 workstations:
-
- ■ Edit the LANMAN\RPL\FITS\computername.FIT file for each
- workstation, changing all occurrences of \\RPLSERVR\WRKFILES to
- \\servername\WRKFILES, where servername is the computername of the
- server that is sharing the work directories.
-
-
- 2. For MS-DOS workstations:
-
- ■ Edit the LANMAN\RPL\DOS\AUTOEXEC.BAT file, changing each
- occurrence of ~~~~~~~~~~~~~~~5\WRKFILES to \\servername\WRKFILES.
-
- ■ Change directories to LANMAN\RPL\DOS, and rerun the makeimg
- utility.
-
-
-
- When you have made the changes, reboot the workstations to put the changes
- into effect.
-
-
-
-
-
- Chapter 15 Guarding Against Data Loss
- ────────────────────────────────────────────────────────────────────────────
-
- LAN Manager offers two features for assuring that server data is always
- reliable and available. The fault-tolerance system helps save data should a
- disk error occur, and performs fault monitoring. The UPS (uninterruptible
- power supply) service performs orderly shutdowns during power failures. Both
- the fault-tolerance system and UPS service are included with LAN Manager;
- however, the UPS service also requires a battery and data cable.
-
- This chapter explains the fault-tolerance system and how to perform error
- correction. It also describes how to use a battery to keep the server
- running if there is a power failure.
-
-
- Understanding the Fault-Tolerance System
-
- The fault-tolerance system monitors disk operations and lets you correct
- disk errors. The fault-tolerance system can be installed on any workstation
- or server using MS OS/2 1.2, and can be administered remotely on any server
- that is sharing IPC$ and ADMIN$. For information about installing the
- fault-monitoring system, see the Microsoft LAN Manager Installation Guide.
-
- Fault monitoring detects errors that occur while performing hard-disk read
- and write operations. When you monitor disk operations, the fault-tolerance
- system issues an alert when an error occurs. Error correction helps recover
- and restore data that would be lost due to a disk error. Error correction is
- best supported by a computer with the high-performance file system (HPFS).
-
- Part of preventing data loss is ensuring that there are two copies of data
- at all times. Two methods for this are drive mirroring and drive duplexing.
-
-
- A mirrored or duplexed drive consists of a primary partition and a secondary
- partition. The secondary partition is invisible to the operating system and
- maintains the same data as the primary partition. If the data on the two
- partitions differs, the drives are synchronized through drive verification,
- which ensures that the mirrored or duplexed drives are identical.
-
- Drive mirroring sets up two identical partitions on separate hard disks
- using the same disk controller. MS OS/2 treats these partitions as a single
- logical drive (such as drive D). Drive mirroring can only be performed on a
- computer with HPFS and two hard disks.
-
- Drive duplexing is like drive mirroring except that the two hard disks are
- controlled by separate disk controllers. This provides protection against
- errors caused by a faulty controller and provides better performance. Drive
- duplexing can only be performed on a computer with HPFS, two hard disks, and
- two disk controllers.
-
- If a disk error occurs during normal operation, the fault-tolerance system
- automatically recovers data through hotfixing. Hotfixing detects bad sectors
- and reroutes data to a good sector in a reserved area on the disk. Hotfixing
- is automatic and can only be done on a drive with HPFS.
-
- For example, if a bad read error occurs on the mirrored drive D, you receive
- an alert, and the fault-tolerance system redirects the read to the secondary
- partition. It then performs a hotfix to fix the corrupted sector of drive D.
- The hotfix corrects both the primary and secondary partitions.
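-
- The redirected read and hotfix described above, together with the write
- faults of Table 15.1, can be followed in this simplified model. It is an
- added example, not LAN Manager code: the class and method names, the size of
- the reserved area, and the sample data are assumptions, and ERR004 and
- unmirrored drives are not modeled.

```python
# Simplified model of a mirrored drive (added example, not LAN Manager code).
# Error codes come from Table 15.1; the reserved-area size, the block layout
# and all class and method names are assumptions made for this sketch.


class DiskFault(Exception):
    """Raised when a read or write hits a bad sector."""


class Partition:
    def __init__(self, name, spare_sectors=2):
        self.name = name
        self.blocks = {}                    # block number -> data
        self.bad = set()                    # blocks whose sector currently fails
        self.spare_sectors = spare_sectors  # reserved hotfix area (assumed size)

    def read(self, block):
        if block in self.bad:
            raise DiskFault(f"{self.name}: read fault at block {block}")
        return self.blocks[block]

    def write(self, block, data):
        if block in self.bad:
            raise DiskFault(f"{self.name}: write fault at block {block}")
        self.blocks[block] = data

    def hotfix(self, block, data):
        """Reroute a bad block to a good sector in the reserved area."""
        if self.spare_sectors == 0:
            return False                    # reserved area exhausted
        self.spare_sectors -= 1
        self.bad.discard(block)
        self.blocks[block] = data
        return True


class MirroredDrive:
    def __init__(self, letter):
        self.letter = letter
        self.primary = Partition("primary")
        self.secondary = Partition("secondary")
        self.error_log = []                 # (drive, code, disk block)
        # Counters named after the Drive statistics dialog box.
        self.stats = dict.fromkeys(
            ["reads_primary", "reads_secondary", "writes_primary",
             "writes_secondary", "recovered", "unrecovered", "hotfixed"], 0)

    def write(self, block, data):
        failed = []
        for part in (self.primary, self.secondary):
            try:
                part.write(block, data)
                self.stats["writes_" + part.name] += 1
            except DiskFault:
                failed.append(part)
        if not failed:
            return True
        if len(failed) == 2:
            code = "ERR005"
        else:
            code = "ERR001" if failed[0] is self.primary else "ERR002"
        self.error_log.append((self.letter, code, block))
        # The data is still in hand, so every failed copy can be hotfixed.
        fixed = [part.hotfix(block, data) for part in failed]
        self.stats["hotfixed" if all(fixed) else "unrecovered"] += 1
        return all(fixed)

    def read(self, block):
        try:
            data = self.primary.read(block)
            self.stats["reads_primary"] += 1
            return data
        except DiskFault:
            pass
        try:
            data = self.secondary.read(block)   # redirect to the mirror copy
        except DiskFault:
            self.error_log.append((self.letter, "ERR102", block))
            self.stats["unrecovered"] += 1
            return None
        self.stats["reads_secondary"] += 1
        self.stats["recovered"] += 1
        self.error_log.append((self.letter, "ERR003", block))
        if self.primary.hotfix(block, data):    # repair the primary copy
            self.stats["hotfixed"] += 1
        return data


def demo():
    d = MirroredDrive("D")
    for block in range(4):
        d.write(block, f"payload-{block}")      # constructed sample data
    d.primary.bad.add(2)                        # sector goes bad on primary
    first = d.read(2)                           # redirected, then hotfixed
    second = d.read(2)                          # served by the primary again
    d.secondary.bad.add(3)
    d.write(3, "payload-3b")                    # ERR002, hotfixed on secondary
    d.primary.bad.update({1})
    d.secondary.bad.update({1})
    lost = d.read(1)                            # ERR102: no good copy left
    return d, first, second, lost


if __name__ == "__main__":
    drive, *_ = demo()
    print(drive.error_log, drive.stats)
```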
-
- Drive fault monitoring is possible regardless of the number of disks in the
- system and whether they are mirrored, duplexed, or neither. You don't need a
- LAN Manager server with HPFS for drive fault monitoring. However, if no
- disks are mirrored or duplexed, the detectable errors and the alerts are
- limited.
-
- The fault-tolerance system supports as many as 24 disk partitions (the MS
- OS/2 drive limit), where a mirrored or duplexed drive counts as two
- partitions.
-
-
- The Fault-Tolerance Utilities
-
- Three utilities (ftsetup, ftmonit, and ftadmin) control the disk
- fault-tolerance system. These utilities are explained in the following
- sections, and are discussed in the Microsoft LAN Manager Administrator's
- Reference.
-
-
- ■ The ftsetup utility is used to install the fault-tolerance system, to
- configure fault monitoring, and to mirror and duplex drives. The
- ftsetup utility is controlled through the Disk Fault Tolerance Setup
- Screen. To display this screen, at the MS OS/2 prompt, type ftsetup.
-
- ■ The ftmonit utility, which is the fault-tolerance monitor, is run
- automatically when run=ftmonit.exe is added to CONFIG.SYS. (This line
- is added to CONFIG.SYS as part of the fault-tolerance system
- installation.) The ftmonit utility controls fault-tolerance monitoring
- and reports errors. By default, errors are logged and administrators
- are alerted about errors. The ftmonit utility is controlled through
- the ftadmin screen, or through the ftmonit command.
-
- ■ The ftadmin utility is used to view the fault tolerance error log,
- manage fault tolerance on remote servers, view drive statistics, and
- control error correction and disk verification. The ftadmin utility is
- controlled through a Presentation Manager screen. To display the
- ftadmin screen, at the MS OS/2 prompt, type ftadmin.
-
-
-
- Configuring Drive Mirroring or Duplexing
-
- The fault-tolerance setup utility ftsetup is used to configure drive
- mirroring or duplexing. This can involve creating or removing the mirror or
- duplex of a drive, deleting partitions, and exposing drives. The utility
- requires the same procedure for mirroring and duplexing, and it steps you
- through these processes. You can use the ftsetup utility to delete disk
- partitions to create more space for drive mirroring or duplexing. For a
- complete explanation of the ftsetup utility and screen, see the Microsoft
- LAN Manager Installation Guide.
-
- Any partition that is formatted for HPFS and is not the boot volume can be
- mirrored or duplexed on a computer system that has two hard disks. Floppy
- disk drives and redirected network drives cannot be mirrored or duplexed.
-
- Whenever you change the configuration of a mirrored or duplexed drive, you
- must restart the computer to put the change into effect.
-
-
- Mirroring and Unmirroring Drives
-
- The procedures for mirroring and duplexing drives are the same. Remember
- that to duplex a drive, the hard disks that contain the primary and
- secondary partitions must have separate disk controllers.
-
- To mirror or duplex a drive:
-
-
- 1. At the MS OS/2 prompt, type
-
- ftsetup
-
- The ftsetup screen displays two menus, Config and Exit.
-
- 2. From the Config menu, choose Mirror drive(s).
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. In the list box, select the drive or drives that you want mirrored or
- duplexed, then choose <OK>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 4. Choose <OK>.
-
- 5. Choose the Exit menu.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 6. Choose <OK>.
-
- 7. Restart the computer.
-
- When the system restarts, the following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 8. Continue formatting the drive:
-
- ■ To label the drive with the default volume label, choose <OK>.
-
- ■ To give the drive a different volume label, choose <Cancel>. After
- the drive has been formatted, you will be prompted to type the
- volume label.
-
-
- 9. If you choose <Cancel>, the following dialog box appears:
-
- (This figure may be found in the printed book).
-
- Type the volume label, then choose <OK>.
-
- The system issues a prompt when formatting is complete.
-
- 10. Choose the Exit menu.
-
- A normal system startup continues. Any startup batch programs specified
- are run.
-
-
- To unmirror a drive, you perform a procedure similar to mirroring the drive.
-
-
- To unmirror a drive:
-
-
- 1. At the MS OS/2 prompt, type
-
- ftsetup
-
- The ftsetup screen displays two menus, Config and Exit.
-
- 2. From the Config menu, choose Unmirror drive(s).
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. In the list box, select the drive or drives that you want to unmirror,
- then choose <OK>.
-
- The fault-tolerance system issues a prompt that it is writing changes
- to the partition table, and that you must restart the system for
- changes to take effect.
-
- 4. Choose the Exit menu.
-
- 5. Restart the computer.
-
-
-
- Exposing a Drive
-
- In a mirrored or duplexed pair, a secondary partition that doesn't have an
- associated primary partition is called an orphaned drive. Orphaned drives
- appear as a ? drive icon in the ftadmin screen. For example, if you have a
- mirrored drive and the hard disk with the primary partition goes bad and
- needs to be replaced, the ? drive icon appears when you next start the
- system. This indicates that the secondary partition has been orphaned.
-
- You can expose the secondary partition, making it visible to the operating
- system. Once an orphaned drive is exposed, you can remirror it and make it
- the primary partition.
-
- When you expose an orphaned drive, it is given a drive letter, which may
- change the drive letters of the other drives. To sort out any changes in the
- drive letter configuration, note the volume label on each drive. Though
- drive letters may change, volume labels don't.
-
- To expose an orphaned drive:
-
-
- 1. At the MS OS/2 prompt, type
-
- ftsetup
-
- The ftsetup screen displays two menus, Config and Exit.
-
- 2. From the Config menu, choose Exposed orphaned drive(s).
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- This dialog box lists the orphaned drives.
-
- 3. From the list of orphaned drives, select the drive or drives that you
- want to expose, then choose <OK>.
-
- The ftsetup screen appears. When you restart the computer, the
- selected partition is exposed.
-
- 4. Choose the Exit menu.
-
- 5. Restart the computer.
-
-
-
- Deleting a Partition
-
- You can use the ftsetup utility to delete any partitions that aren't
- mirrored, except for the boot volume (drive C). Deleting a partition frees
- hard-disk space for use as secondary partitions. The procedure for deleting
- a partition is similar to the use of the MS OS/2 fdisk command.
-
- To delete a partition:
-
-
- 1. At the MS OS/2 prompt, type
-
- ftsetup
-
- The ftsetup screen displays two menus, Config and Exit.
-
- 2. From the Config menu, choose Delete drive(s).
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- This dialog box lists the partitions that can be deleted.
-
- 3. From the list of partitions, select the partition or partitions to
- delete, then choose <OK>.
-
- The ftsetup screen appears. When you restart the computer, the
- selected partition is deleted.
-
- 4. Choose the Exit menu.
-
- 5. Restart the computer.
-
-
-
- Using the ftadmin Screen
-
- The ftadmin utility, which manages fault-tolerance disk maintenance, is a
- full-screen MS OS/2 application that runs in a Presentation Manager window.
- You can start ftadmin on any computer that has the fault-tolerance system
- installed and is running version 1.2 of MS OS/2. You can use this utility to
- manage fault tolerance on a server for which you have administrative
- privileges.
-
- Using the ftadmin screen, you can
-
-
- ■ Manage fault tolerance on a local or remote server
-
- ■ View drive statistics
-
- ■ View error information for logical drives
-
- ■ Adjust ftmonit settings
-
- ■ Verify and resynchronize mirrored drives and duplexed drives
-
- ■ View and correct disk faults
-
-
- Online help is available through the ftadmin screen's Help menu. The
- commands on the Help menu work the same as those for other Presentation
- Manager applications. For details, see your operating system manual(s).
-
- LAN Manager does not have to be running to use ftadmin. However, if the
- workstation or server is not started, you can only monitor errors on the
- local computer. If the workstation or server is started, an administrator
- can monitor and correct errors on local and remote servers.
-
- When you start ftadmin, you see a screen similar to the one in Figure 15.1.
-
- (This figure may be found in the printed book).
-
- The elements of the ftadmin screen are
-
-
- ■ The title bar, which shows the server of current focus for the ftadmin
- utility.
-
- ■ The menu bar, which shows the five menus (View, Verify, Correct,
- Options, and Help) available with ftadmin.
-
- ■ The drive information line, which shows an icon for each of the
- computer's logical drives. Floppy-disk and redirected drives are not
- shown.
-
- Drives C, D, G, and H in Figure 15.1 are represented by the standard
- icon for a drive that isn't mirrored or duplexed. The icon is
- "doubled" for mirrored or duplexed drives E and F. A "cracked" icon,
- such as the ones for drives E and F, indicates errors have occurred.
- For drives containing critical errors, color monitors show a red icon.
-
- The ? drive icon identifies an orphaned drive.
-
- ■ The error information window, which shows information about disk
- errors on the selected drive. On color monitors, critical errors are
- red. For each error, five columns of information appear:
-
-
- Drive
- Tells the logical drive on which the error occurred.
-
- Code
- Displays a numerical code that identifies the error.
-
- Level
- Tells the error's severity (Critical, Error, and Warning, in order of
- decreasing severity).
-
- Disk Block
- Tells which disk block had the error.
-
- Date/Time
- Tells when the error occurred.
-
- From menus on the ftadmin screen, you can perform the following tasks:
-
- View menu
-
- Available servers
- Select the server for ftadmin to administer.
-
- Drive statistics
- Display fault-tolerance information such as read, write, and fault
- statistics about drives, and information on mirroring.
-
- FTMONIT settings
- Turn alerting for the ftmonit fault-monitoring utility on or off.
-
- Exit
- Exit the ftadmin screen.
-
- Verify menu
-
- Selected drive
- Verify the selected mirrored or duplexed drive.
-
- All drives
- Verify all of the server's mirrored or duplexed drives.
-
- Correct menu
-
- Selected error
- Correct the selected error.
-
- All errors on selected drive
- Correct all errors on the selected logical drive.
-
- All errors on all drives
- Correct all errors on all displayed logical drives.
-
- Options menu
-
- Show full drive information
- Replace the drive information line with a window that gives
- information about mirroring, errors, and when the drive was verified.
-
- Sort errors by time
- Display the errors in the error information window from oldest to most
- recent.
-
- Sort errors by severity
- Display the errors in the error information window in order of
- decreasing severity.
-
- Help menu
-
- Help for help
- See how to display help information and how to use the help window.
-
- Extended help
- Display general help information.
-
- Keys help
- See how to use the keyboard with the ftadmin utility.
-
- Help index
- Display an index of topics for which online help is available.
-
- About FTADMIN
- Display the version number of the ftadmin utility.
-
- The following sections describe the tasks that are performed using ftadmin.
-
-
-
- Focusing ftadmin on a Remote Server
-
- The ftadmin utility can be used to monitor and correct errors locally and
- remotely. To set the ftadmin focus on a remote computer, use the View menu's
- Available servers command. You can view the servers in any domain in which
- the workstation participates.
-
- To focus the ftadmin screen on a remote server:
-
-
- 1. From the View menu, choose Available servers.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. In the list box, select the server that you want to monitor or, in the
- "Set server to" text box, type the server's computername.
-
- 3. Choose Choose.
-
- 4. If you are prompted to supply a password, in the "Enter password" text
- box, type the password, then choose OK.
-
- The ftadmin screen (Figure 15.1) returns, displaying drive information
- for the server you specified.
-
-
-
- Viewing Drive Statistics
-
- Drive statistics are available for each drive, whether it is mirrored,
- duplexed, or neither. These are fault-monitoring statistics that tell you
- whether the drive is mirrored, and how many reads and writes, recovered and
- unrecovered faults, and hotfixed faults have occurred.
-
- To view or clear the statistics for a drive:
-
-
- 1. If you want to monitor a remote server, use the View menu's Available
- servers command to change the ftadmin focus.
-
- Follow the steps in the "Focusing ftadmin on a Remote Server" section,
- earlier in this chapter.
-
- 2. In the ftadmin screen's drive information line, select the drive of
- interest.
-
- 3. From the View menu, choose Drive statistics.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- These statistics have the following meanings:
-
-
- Status
- Tells whether or not errors have been detected.
-
- Primary partition
- Tells whether the primary partition is enabled or disabled. When a
- partition is enabled, the system can perform reads and writes from it.
- A disabled partition has critical errors that must be corrected, and
- it cannot accommodate reads and writes.
-
- Secondary partition
- Tells whether the secondary partition is enabled or disabled. This
- line appears shaded if the drive is not mirrored.
-
- Mirror status
- Tells whether or not the drive is mirrored.
-
- Reads from primary
- Tells the number of successful reads from the primary partition.
-
- Reads from secondary
- Tells the number of successful reads from the secondary partition in a
- mirrored or duplexed pair. This line appears shaded if the drive is
- not mirrored.
-
- Writes to primary
- Tells the number of successful writes to the primary partition.
-
- Writes to secondary
- Tells the number of successful writes to the secondary partition in a
- mirrored or duplexed pair. This line appears shaded if the drive is
- not mirrored.
-
- Recovered faults
- Tells the number of read faults that were recovered from a mirrored or
- duplexed drive.
-
- Unrecovered faults
- Tells the number of faults for which recovery was not possible.
-
- Hotfixed faults
- Tells the number of read or write requests that failed, but were
- hotfixed. The hotfixed faults may have occurred on a drive that was
- mirrored or duplexed, or one that was not.
-
-
- 4. Choose OK.
-
-
-
- Viewing Information about Logical Drives
-
- To view information about a server's logical drives, from the Options menu,
- choose Show full drive information. The information window shown in Figure
- 15.2 replaces the drive information line (as shown in Figure 15.1). Error
- information moves to the bottom of the window.
-
- (This figure may be found in the printed book).
-
- For each logical drive, the window reports whether the drive is mirrored,
- the severity of the worst error on the drive (under "Status"), the physical
- disks associated with the logical drive, and the time when the drive was
- last verified.
-
- To remove the logical drive display, from the Options menu, choose the Show
- full drive information command (it works as a toggle switch).
-
-
- Changing the Error Information Display
-
- Two Options menu commands control the order in which the information in the
- error information window appears. To sort errors by time of occurrence, from
- oldest to most recent, choose Sort errors by time. To sort errors by
- severity, with the most severe errors first, choose Sort errors by severity.
-
-
-
- Turning Disk Alerts On and Off
-
- By default, ftmonit issues an alert when disk errors occur. The users who
- receive alerts are specified by the alertnames entry in the [server] section
- of the LANMAN.INI file. If the workstation is not started when a disk error
- occurs, ftadmin starts the workstation and then sends the alert (this allows
- the alert to be displayed).
-
- Three classes of fault-tolerance alert indicate different levels of error
- severity:
-
- Warning
- Informs the user that a read or write operation failed or that a
- hotfix was performed. No alert is sent, but an error message appears in
- the error information window of the ftadmin screen. The drive icon appears
- cracked.
-
- Error
- Informs the user of more severe disk errors, such as excessive disk
- failures or verification failures. An alert is sent, and an error message
- appears in the error information window. The drive icon appears cracked.
-
- Critical error
- Informs the user of critical disk errors, such as a complete disk failure
- or an orphaned drive. An alert is sent, and an error message appears in
- the error information window. The drive icon appears cracked. On color
- monitors, the error message and drive icon are red.
-
- When run=ftmonit.exe is in CONFIG.SYS and you change ftmonit settings, you
- are notified when you exit the ftadmin utility that CONFIG.SYS has been
- modified. When the ftmonit utility is running, any changes you make take
- effect immediately. If the ftmonit utility is not running, and
- run=ftmonit.exe is in CONFIG.SYS, changes will take effect the next time you
- restart the computer.
-
- To turn disk error alerts on or off:
-
-
- 1. From the View menu, choose FTMONIT settings.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. To turn disk error alerting on, mark the "Send alerts to
- administrators" check box. To cancel disk error alerting, unmark the
- check box.
-
- 3. Choose Set.
-
-
-
- Verifying Drives
-
- The commands on the Verify menu check one or all pairs of mirrored or
- duplexed drives on the server to ensure that the data on the primary and
- secondary partitions is identical. Verification also synchronizes mirrored
- or duplexed drive pairs that are not exact duplicates of each other as the
- result of disk errors or power loss.
-
- Verify drives when you restart the computer after a power interruption (if
- the UPS service is not in effect), but only after you have corrected all
- errors on the drive.
-
- ────────────────────────────────────────────────────────────────────────────
- CAUTION
-
- Always correct errors before verifying a drive. If you verify a drive before
- correcting the errors, you may duplicate an error onto a mirrored drive.
- ────────────────────────────────────────────────────────────────────────────
-
- The verification process is automatic when you choose a Verify menu command.
- Two commands control whether you verify a single drive or all drives. To
- verify a single drive, choose Selected drive. To verify all drives, choose
- All drives. If you choose to verify all drives, you are prompted that the
- process will take a while.
-
-
- Correcting Disk Errors
-
- Most disk errors that the disk fault-tolerance system detects can be
- corrected. As part of fault recovery, the fault-tolerance system prompts you
- about the type of error detected and provides information about the best way
- to correct the error.
-
- For purposes of fault recovery, four types of error are monitored:
-
-
- ■ Self-correcting and ftadmin-corrected errors
-
- ■ Mirrored or duplexed drives with partitions containing dissimilar
- information (referred to as cracked mirrors)
-
- ■ Repeated drive failures
-
- ■ Complete hard-disk failures
-
-
- During error correction, you can correct selected errors, all errors on a
- drive, or all errors on all drives. Some errors are self-correcting and
- don't require your intervention. More serious errors require that you
- perform an action as part of the error correction.
-
- For a complete list of errors and corresponding corrective actions for disk
- errors found by the fault tolerance system, see the "Disk Error Correction
- Codes" section, later in this chapter.
-
- To perform error correction:
-
-
- 1. In the ftadmin screen's error information window, select the error or
- drive on which you want to perform error correction.
-
- 2. From the Correct menu, choose one of the following commands:
-
- ■ If you selected an error, choose Selected error.
-
- ■ If you selected a drive, choose All errors on selected drive.
-
- ■ If you want to correct all drives, choose All errors on all
- drives.
-
- NOTE Using the mouse to double-click an error message has the
- same effect as selecting that error and choosing Selected error.
- Double-clicking a drive icon on the drive information line has the
- same effect as selecting that drive and choosing All errors on
- selected drive.
-
- If you choose All errors on all drives, the following dialog box
- appears:
-
- (This figure may be found in the printed book).
-
-
- 3. If you want to correct all errors automatically, choose No. To confirm
- each correction, choose Yes.
-
- 4. If you choose No, the following dialog box appears:
-
- (This figure may be found in the printed book).
-
- The ftadmin utility will correct all errors on the selected drive. If
- any errors cannot be corrected, the following dialog box appears:
-
- (This figure may be found in the printed book).
-
- These errors will be listed in the "Error Information" field of the
- ftadmin screen.
-
- 5. To correct these remaining errors, correct each error individually, or
- correct all errors and, when prompted "Confirm each corrective action
- before taken," choose Yes. If you choose Yes, a message box appears,
- describing each error and the corrective action to be taken.
-
-
- The following sections describe the types of errors that can occur, and the
- corrective steps taken to recover from the errors. Included are the dialog
- boxes displayed when you perform and confirm error correction.
-
-
- Automatically Corrected Errors
-
- In the course of normal system operation, bad disk sectors might be found.
- In most instances, these are self-correcting, and the fault-tolerance system
- hotfixes them without losing or corrupting data. A message in the error
- information window informs you of the error, but no alert is sent.
-
- For a hotfix, the correction procedure is automatic. When you select the
- error to correct, the following dialog box appears:
-
- (This figure may be found in the printed book).
-
- Choose Continue to move to the next error, or choose Cancel to return to the
- ftadmin screen, ending the correction session.
-
- When the error can be corrected by the ftadmin utility, administrative
- intervention is nominal. For example:
-
- (This figure may be found in the printed book).
-
- Choose Yes to correct the error, No to leave the error uncorrected, or
- Cancel to cancel the error correction session.
-
-
- Correcting Cracked Mirrored Drives
-
- When partitions in a mirrored or duplexed pair contain dissimilar
- information, the drive is called a cracked mirror. The drive icon on the
- ftadmin screen appears cracked, and the fault-tolerance system sends an
- error alert. Actions such as powering off or restarting the system without
- using the Presentation Manager Shutdown procedure can cause cracked mirrors.
-
- In most cases, you can correct the error that caused the cracked mirror by
- verifying the drive and remirroring disk sectors. In some cases, drive
- verification won't correct the error, and you need to back up the drive,
- reformat it, and restore it.
-
- The ftadmin utility cannot completely correct a cracked mirror
- automatically. It recommends a course of action that requires administrative
- intervention. For example:
-
- (This figure may be found in the printed book).
-
- Choose Yes to correct the error.
-
-
- Repeated Disk Failures
-
- Occasional failures on a hard disk are usually no problem. However, repeated
- failures can indicate that a hard disk is going to completely fail. The
- fault-tolerance system sends an error alert when a disk's failure rate gets
- excessive. When you choose corrective action for excessive disk failures,
- you see a dialog box similar to the following one:
-
- (This figure may be found in the printed book).
-
- Excessive failures can indicate that the disk should be reformatted or
- replaced. When you get an excessive-failure alert, make a backup copy of all
- drives that have a primary or secondary partition on the failing disk. Next,
- run the diagnostics for the hard disk (supplied by the disk manufacturer) to
- determine whether the disk needs reformatting.
-
- If the diagnostics require a low-level format of the disk, the reformatting
- may remove or destroy all disk partitions. If a secondary partition is
- destroyed, the system marks the primary partition as unmirrored. If the
- primary partition is destroyed, leaving just the secondary (an orphaned
- drive), the secondary partition is represented by a ? drive icon.
-
- You can expose the orphaned drive, making it visible to the operating
- system. You can then make the exposed drive the primary partition, mirroring
- or duplexing it using the ftsetup utility.
-
-
- Complete Disk Failure
-
- Even if a disk fails completely, data on mirrored drives is not lost.
- Recovery steps vary, depending on whether the failed disk contains the boot
- drive (drive C). When a hard disk fails completely, a dialog box similar to
- the following one appears:
-
- (This figure may be found in the printed book).
-
- Choose Continue or Cancel, and then follow one of the next two procedures to
- replace the disk and recover its data.
-
- To recover from a failed disk that doesn't contain the boot drive (drive
- C):
-
-
- 1. Expose all orphaned drives.
-
- (Use the ftsetup utility, following the steps in the "Exposing a
- Drive" section, earlier in this chapter.)
-
- 2. Back up all drives that lost primary or secondary partitions on the
- damaged disk.
-
- 3. Install the replacement hard disk.
-
- 4. Run ftsetup to mirror or duplex all drives that were previously
- mirrored or duplexed.
-
- This makes partitions on the new disk secondary partitions.
-
- To recover from a failed disk that contains the boot drive (drive
- C):
-
-
-
- 1. Replace the disk that failed.
-
- 2. Restart the computer using the MS OS/2 installation disk.
-
- 3. Use the MS OS/2 fdisk utility to format the boot volume.
-
- 4. Restart the computer and restore data such as MS OS/2 and LAN Manager
- to the boot volume.
-
- 5. Expose all orphaned drives.
-
- (Use the ftsetup utility, following the steps in the "Exposing a
- Drive" section, earlier in this chapter.)
-
- 6. Back up all drives that need to be remirrored.
-
- 7. Run ftsetup to mirror or duplex all drives that were previously
- mirrored or duplexed.
-
- This makes partitions on the new disk secondary partitions.
-
-
-
- Disk Error Correction Codes
-
- This section describes the errors and corresponding corrective actions for
- disk errors found by the fault-tolerance system. Table 15.1 lists the error
- codes and describes each disk error. Table 15.2 lists the correction codes
- and the corrective action necessary to correct disk errors. The correction
- codes correspond to the error codes.
-
- Table 15.1 Error Codes
-
- ────────────────────────────────────────────────────────────────────────────
- ERR001
- Write to primary partition failed; write to secondary partition succeeded.
-
- ERR002
- Write to primary partition succeeded; write to secondary partition failed.
-
- ERR003
- Read from primary partition failed; read recovered from secondary
- partition.
-
- ERR004
- Read from secondary partition failed; read recovered from primary
- partition.
-
- ERR005
- Write to primary partition and secondary partition failed.
-
- ERR006
- Write to unmirrored drive failed.
-
- ERR101
- Read from unmirrored drive failed.
-
- ERR102
- Read from primary partition and secondary partition failed.
-
- ERR103
- Excessive failure rate detected on primary partition; read requests routed
- to secondary partition.
-
- ERR104
- Excessive failure rate detected on secondary partition; read requests
- routed to primary partition.
-
- ERR105
- Primary partition shut down due to complete failure; all requests routed
- to secondary partition.
-
- ERR106
- Secondary partition shut down due to complete failure; all requests routed
- to primary partition.
-
- ERR107
- Low-confidence compare of mirrored partitions failed; all read requests
- routed to primary partition.
-
- ERR108
- Complete compare of mirrored partitions failed; all read requests routed
- to primary partition.
-
- ERR201
- Excessive error rate detected on unmirrored drive.
-
- ERR202
- Complete failure detected; alternate partition not available.
-
- ERR209
- Secondary partition of mirrored drive not found.
-
- ERR210
- Secondary partition found with no matching primary.
-
- ERR212
- Error buffer was overrun; one or more errors may not have been logged.
-
- ────────────────────────────────────────────────────────────────────────────
- Table 15.2 lists the correction codes that correspond to the error codes
- listed in Table 15.1.
-
- Some of the disk errors have two corresponding correction codes (labeled a
- and b). The corrective action for these errors is dependent on the cause of
- the disk error.
-
- Table 15.2 Correction Codes
-
- ────────────────────────────────────────────────────────────────────────────
- COR001
- Self correcting (by HPFS). No administrator action required.
-
- COR002
- Self correcting (by HPFS). No administrator action required.
-
- COR003a
- Self correcting (by HPFS386). No administrator action required.
-
- COR003b
- Copy file to new location on disk, delete old copy and mark disk block as
- bad.
-
- COR004a
- Self correcting (by HPFS386). No administrator action required.
-
- COR004b
- Read file and write it back sequentially, forcing a hotfix to occur in the
- file system.
-
- COR005
- Self correcting (by HPFS). No administrator action required.
-
- COR006
- Self correcting (by HPFS). No administrator action required.
-
- COR101
- Run RECOVER on the offending file.
-
- COR102
- Run RECOVER on the offending file.
-
- COR103
- It is strongly recommended that you back up the drive. The physical disk
- on which the primary partition resides may need to be replaced.
-
- COR104
- It is strongly recommended that you back up the drive. The physical disk
- on which the secondary partition resides may need to be replaced.
-
- COR105
- It is strongly recommended that you back up the drive. The physical disk
- on which the primary partition resides may need to be replaced.
-
- COR106
- It is strongly recommended that you back up the drive. The physical disk
- on which the secondary partition resides may need to be replaced.
-
- COR107
- Verify the drive. If verification fails, back up the drive, reformat, and
- restore it.
-
- COR108
- Verify the drive. If verification fails, back up the drive, reformat, and
- restore it.
-
- COR201
- It is strongly recommended that you back up the drive immediately, as it
- may fail soon.
-
- COR202
- No error recovery is possible. The drive may need to be replaced, and data
- may be lost.
-
- COR209
- Change the drive to nonmirrored. In order to remirror the drive, back it
- up, then run FTSETUP.
-
- COR210
- Expose the secondary partition as a nonmirrored drive. Note that this may
- cause drive letters to change.
-
- COR212
- Verify the drive. If verification fails, back up the drive, reformat, and
- restore it.
-
- ────────────────────────────────────────────────────────────────────────────
-
- Using an Uninterruptible Power Supply
-
- An uninterruptible power supply (UPS) is a battery connected to a server
- that keeps the server running during a power failure. If power to the server
- is interrupted, this battery keeps the server running until the UPS service
- can manage a safe shutdown, or until an administrator stops the server.
-
- The UPS battery must be connected to a serial port. See the battery
- manufacturer's instructions for information about how to install a UPS.
-
-
- Using the UPS Service
-
- During a power failure, the UPS service immediately pauses the Server
- service to prevent any new connections. It then sends out an alert that a
- power failure has occurred. The UPS service then waits an interval of time
- specified by the messdelay entry in the [ups] section of LANMAN.INI. If
- power is restored during this interval, another alert is sent, informing the
- administrator that power has been restored.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- The Messenger and Netpopup services must be running for UPS-based alerts to
- be displayed as soon as they are sent. If these services are not started,
- you may not be aware of power failures at the server.
- ────────────────────────────────────────────────────────────────────────────
-
- If power is not restored during this interval, the UPS service warns users
- who have sessions with the server to end their sessions, and displays a
- message at the server advising that all sessions be closed.
-
- The UPS service notifies users and administrators that a shutdown is
- imminent. The service repeats this alert at intervals specified by the
- messtime entry in the [ups] section of LANMAN.INI. These alerts continue
- until power is restored, the server receives a low-battery signal from the
- battery (the battery is about to run out of power), or the battery timer
- expires.
-
- If power is restored, all users are sent an alert that power is back, and
- normal operations are resumed.
-
- If the server receives a low-battery signal or the battery timer expires,
- the UPS service informs all users that the server is about to shut down. The
- UPS service then runs the net stop server and net stop workstation commands.
-
- Before the UPS service stops the server and workstation, LAN Manager allows
- 30 seconds in which to run a .CMD batch program. For example, you can set up
- a .CMD batch program to close any open application files. The .CMD path and
- file are specified by the UPS service cmdfile option in LANMAN.INI.
-
-
- Configuring the UPS Service
-
- If a server has a UPS battery installed, the UPS service should be one of
- the services that starts with the Server service. This way, the UPS service
- will be running should there be a power failure at the server. To arrange
- for this, add ups to the list of services in the srvservices entry in the
- [server] section of LANMAN.INI.
-
- All time intervals and options that the UPS service uses are configurable.
- These options are listed in Table 15.3.
-
- Table 15.3 Configuration Options for the UPS Service
-
- ────────────────────────────────────────────────────────────────────────────
- batterytime
- Sets the number of seconds the server can run on a battery before the UPS
- service initiates shutdown. This optional entry is used only if no low
- battery signal is available. The range is 0-28800; the default is 60
- seconds.
-
- cmdfile
- Specifies a .CMD batch program of commands to be run before the server
- shuts down. The pathname can be either absolute or relative to the LAN
- Manager root directory (LANMAN). The batch program has only 30 seconds to
- complete before the UPS service ends the program.
-
- messdelay
- Sets the number of seconds between initial power failure and the first
- message sent to users. No messages are sent if power is restored within
- this interval. The range is 0-120; the default is 5 seconds.
-
- messtime
- Sets the number of seconds between messages sent to users notifying them
- of a power failure. The range is 30-300; the default is 120 seconds.
-
- recharge
- Specifies the number of minutes of recharge time required for each minute
- of battery runtime. This entry is optional. The range is 5-250; the
- default is 100 minutes.
-
- signals
- Specifies the signals available from the battery. The value is a
- three-digit binary number. For information about the signals the battery
- sends and receives, see the manual supplied with the battery.
-
-
- ■ The first digit is 1 if the battery can signal the UPS service upon
- power failure, or 0 if it cannot. The default is 1.
-
- ■ The second digit is 1 if the battery signals the UPS service of a low
- battery condition (2 minutes of power remaining), or 0 if it cannot.
- The default is 0.
-
- ■ The third digit is 1 if the battery can accept a shut-off signal from
- the UPS service, or 0 if it cannot. The default is 0. If the third
- digit is 1, the UPS service conducts an orderly shutdown of the LAN
- Manager software, and the battery stops providing backup power. When
- the battery detects power restoration, it restarts the computer.
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If neither of the first two digits of signals is set to 1, the UPS service
- will not start.
- ────────────────────────────────────────────────────────────────────────────
-
-
-
-
- voltlevels
- Specifies the voltage levels for the signals listed in the signals option.
- The value is a three-digit binary number. For information about signal
- voltage, see the manual supplied with the battery.
-
-
- ■ The first digit is 0 if the battery uses negative voltage, and 1 if it
- uses positive voltage to signal the UPS service of a power failure.
- The default is 1.
-
- ■ The second digit is 0 if the battery uses negative voltage, and 1 if
- it uses positive voltage to signal the UPS service there is less than
- 2 minutes of power remaining. The default is 0.
-
- ■ The third digit is 0 if the battery recognizes negative voltage as the
- shutoff signal, and 1 if it recognizes positive voltage as the shutoff
- signal. The default is 0.
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If the low battery voltage level is not set correctly, the Server service
- will not start.
-
- ─────────────────────────────────────────────────────────────────────────────
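-
- The [ups] entries in Table 15.3 and the shutdown sequence described under
- "Using the UPS Service", as an added Python example (not part of the
- original guide or of LAN Manager): it checks a [ups] section against the
- table's ranges and lists when users are warned before shutdown. The sample
- file, the closeapp.cmd name, and the function names are constructed; an
- out-of-range value is replaced by the table default only so the report can
- continue.
-

```python
import configparser

# Ranges and defaults copied from Table 15.3: (low, high, default).
UPS_RANGES = {
    "batterytime": (0, 28800, 60),   # seconds
    "messdelay": (0, 120, 5),        # seconds
    "messtime": (30, 300, 120),      # seconds
    "recharge": (5, 250, 100),       # minutes per minute of battery runtime
}
# Three-digit binary entries with their Table 15.3 defaults.
UPS_BITS = {"signals": "100", "voltlevels": "100"}

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
; constructed LANMAN.INI fragment
[server]
srvservices = alerter,ups

[ups]
batterytime = 600
messdelay = 10
messtime = 240
signals = 100
voltlevels = 100
cmdfile = closeapp.cmd
"""


def load_ups(ini_text):
    """Return ([ups] settings with table defaults filled in, list of problems)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    raw = dict(parser["ups"]) if parser.has_section("ups") else {}
    cfg, problems = {}, []
    for key, (low, high, default) in UPS_RANGES.items():
        text = raw.get(key, str(default)).strip()
        if text.isdecimal() and low <= int(text) <= high:
            cfg[key] = int(text)
        else:
            problems.append(f"{key}={text!r} is outside {low}-{high}")
            cfg[key] = default  # keeps the report going; not a claim about the service
    for key, default in UPS_BITS.items():
        text = raw.get(key, default).strip()
        if len(text) != 3 or set(text) - {"0", "1"}:
            problems.append(f"{key}={text!r} is not a three-digit binary number")
            text = default
        cfg[key] = text
    if cfg["signals"][:2] == "00":
        problems.append("signals: neither of the first two digits is 1, "
                        "so the UPS service will not start")
    cfg["cmdfile"] = raw.get("cmdfile", "").strip()
    return cfg, problems


def shutdown_timeline(cfg, low_battery_at=None):
    """List (seconds after power failure, action) for an outage that never ends."""
    if cfg["signals"][1] == "1":
        # batterytime is used only when no low-battery signal is available.
        if low_battery_at is None:
            raise ValueError("low-battery signal configured: pass low_battery_at")
        end = low_battery_at
    else:
        end = cfg["batterytime"]
    events = [(0, "pause Server service and send power-failure alert")]
    when = cfg["messdelay"]
    while when < end:
        events.append((when, "warn users to end their sessions"))
        when += cfg["messtime"]
    last = "announce shutdown"
    if cfg["cmdfile"]:
        last += f", run {cfg['cmdfile']} (30-second limit)"
    events.append((end, last + ", net stop server, net stop workstation"))
    return events


if __name__ == "__main__":
    settings, found = load_ups(SAMPLE_INI)
    for problem in found:
        print("PROBLEM:", problem)
    for seconds, action in shutdown_timeline(settings):
        print(f"t+{seconds:>5}s  {action}")
```

- With the table defaults (messdelay 5, messtime 120, batterytime 60) the
- timeline holds a single user warning, 55 seconds before shutdown.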
-
-
-
-
-
- Starting the UPS Service
-
- If the UPS service isn't started automatically with the Server service, you
- can start the service from the LAN Manager Screen or from the command line.
- Both methods allow you to make temporary changes to the service
- configuration at startup.
-
- To start the UPS service:
-
-
- 1. From the Config menu, choose Control services.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. In the list of services, select "UPS."
-
- 3. Choose <Start>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- You can use this dialog box to override five of the UPS service's
- configuration values. The list box shows the values for entries in the
- [ups] section of LANMAN.INI that can be overridden when the UPS
- service starts. These options are described in Table 15.3.
-
- 4. To override any UPS service values, in the list box, select the entry
- or, in the "Option" text box, type the entry.
-
- 5. In the "Value" text box, type the new value.
-
- 6. Choose <Set>.
-
- If you want to go back to the LANMAN.INI value, choose <Reset> to
- display the initial value for the selected entry. Or choose <Reset
- all> to display LANMAN.INI values for all entries.
-
- 7. To change additional values, repeat steps 4, 5, and 6.
-
- 8. Choose <OK>.
-
- 9. Choose <Done>.
-
-
- The values that you specified apply until the UPS service stops. When the
- service restarts, the LANMAN.INI values are used unless alternative values
- are specified.
-
- Command Line To start the UPS service, type
-
- net start ups [/messdelay:seconds] [/messtime:seconds]
- [/batterytime:seconds] [/cmdfile:pathname] [/recharge:minutes]
- [/signals:###] [/voltlevels:###]
-
- See Net Start UPS, Microsoft LAN Manager Administrator's Reference.
-
-
-
-
-
- Chapter 16 Monitoring the Network
- ────────────────────────────────────────────────────────────────────────────
-
- LAN Manager keeps records of events that occur on the network. These records
- are stored in audit trail, statistic, and error log files. You can use these
- records to help isolate problems and work out solutions.
-
- This chapter describes how to set up and use LAN Manager's record-keeping
- system to set up automatic alerts, display server statistics, control
- sessions to a server, and synchronize network clocks.
-
-
- Auditing a Server on the Network
-
- LAN Manager audits by recording network events such as valid and invalid
- logon attempts, and events related to resource use, such as the opening of
- files in shared directories. When auditing is enabled, audit messages are
- created whenever a network event or resource use occurs, and are logged in
- the server's audit trail. The audit trail is useful for examining how often
- a resource is used and whether access permissions set for the resources are
- appropriate.
-
- Entries in the [server] section of the LANMAN.INI file determine when
- auditing is enabled and what is audited. By default, auditing is disabled.
-
-
- Establishing Audited Events in LANMAN.INI
-
- Auditing is available for servers with either user-level or share-level
- security. You can audit events for individual resources, such as opening and
- using files, or you can audit network-related events such as logon attempts
- and shared resource access. For information about setting audit events for
- each resource (such as directories, files, and printers), see Part 3,
- "Sharing Resources."
-
- Which network events are audited is controlled by the auditing and
- noauditing entries in the [server] section of the LANMAN.INI file. The
- auditing entry can have a value of yes or no, and you can list events to be
- audited. Listing audited events configures auditing for the special needs of
- the server. For example, to audit only logon attempts, in LANMAN.INI, set
- auditing=logon.
-
- Another way to audit only particular events is to set auditing=yes and list
- events that are not to be audited in the noauditing entry. All events except
- the noauditing events are audited. For example, to audit all events except
- each logon attempt and each time a service starts or stops, set auditing=yes
- and noauditing=logon,service.
-
- If both auditing and noauditing have events listed, the same event cannot be
- listed under both entries. When there is a list for each entry, the events to
- be audited are determined by the auditing entry.
-
- When you modify audited events in LANMAN.INI, you must restart the Server
- service for the changes to take effect.
-
- The events that can be audited for servers with user-level and share-level
- security are different. Because you don't set resource permissions for each
- user or group in share-level security, audited events are limited. With
- share-level security, you can only audit when a user starts or stops a
- service, starts or ends a session at a server, or uses a resource.
-
- Table 16.1 lists the type of security with which the audited event can be
- specified, and gives the meaning of each event that can be audited.
-
- Table 16.1 Audited Events
-
- ────────────────────────────────────────────────────────────────────────────
- User- and Share-Level Security
-
- service
- Records each time a user starts or stops one of the server's services.
-
- sesslogon
- Records each time an attempt is made to start or end a session with
- the server.
-
- badsesslogon
- Records each time a user fails to start a session with the server.
-
- goodsesslogon
- Records each time a user starts a session with the server.
-
- use
- Records each time a person uses a shared resource.
-
- baduse
- Records each time a user fails in an attempt to use a shared resource.
-
- gooduse
- Records each time a user successfully uses a shared resource. However,
- gooduse will not be audited if a shared resource allows for an
- unlimited number of users.
-
- User-Level Security
-
- logon
- Records each time a user attempts to log on.
-
- logonlimit
- Records each time a user exceeds logon hours for the user account.
-
- netlogon
- Records each time a user logs on to the network.
-
- goodnetlogon
- Records each time a user successfully logs on to the network.
-
- permissions
- Records each time a user makes changes to the list of permissions for
- a file.
-
- resource
- Records each time a user accesses a resource in a way that is defined
- in the auditing options for the resource.
-
- userlist
- Records each time a user makes changes to the user accounts database.
-
- ────────────────────────────────────────────────────────────────────────────
- Additionally, you can set the size of the audit trail with the maxauditlog
- entry in the [server] section of LANMAN.INI, or with the /maxauditlog:n
- option of the net start server and net config server commands. For example,
- reduce the size of the trail if you don't need extensive audit information.
- The range is 0-65535 kilobytes; the default is 100 kilobytes.
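-
- How the auditing and noauditing entries combine, as an added Python example
- (not part of the original guide or of LAN Manager): it resolves the two
- entries from a [server] section into the set of events that will be audited,
- using the event names and security levels of Table 16.1. The function names
- and sample values are constructed, and the security level is passed in by
- the caller rather than read from the file.
-

```python
import configparser

# Event names from Table 16.1, grouped by the security level that supports them.
SHARE_AND_USER = {"service", "sesslogon", "badsesslogon", "goodsesslogon",
                  "use", "baduse", "gooduse"}
USER_ONLY = {"logon", "logonlimit", "netlogon", "goodnetlogon",
             "permissions", "resource", "userlist"}

# Constructed [server] fragments: (text, security level of the server).
SAMPLES = [
    ("[server]\nauditing = yes\nnoauditing = logon,service\n", "user"),
    ("[server]\nauditing = logon\n", "share"),
    ("[server]\nauditing = badsesslogon,baduse\nnoauditing = baduse\n", "user"),
    ("[server]\nsrvservices = alerter\n", "user"),
]


def _names(value):
    """Split a comma-separated entry value into lower-case names."""
    return [part.strip().lower() for part in value.split(",") if part.strip()]


def effective_audit_events(ini_text, security):
    """Return (sorted events that will be audited, list of warnings).

    security is "user" or "share"; supplying it as an argument is an
    assumption of this example.
    """
    if security not in ("user", "share"):
        raise ValueError("security must be 'user' or 'share'")
    available = SHARE_AND_USER | (USER_ONLY if security == "user" else set())
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    server = dict(parser["server"]) if parser.has_section("server") else {}
    auditing = _names(server.get("auditing", "no")) or ["no"]  # off by default
    noauditing = _names(server.get("noauditing", ""))
    warnings = []

    def check(entry, names):
        """Keep names valid for this security level; warn about the rest."""
        kept = set()
        for name in names:
            if name not in SHARE_AND_USER | USER_ONLY:
                warnings.append(f"{entry}: unknown event '{name}'")
            elif name not in available:
                warnings.append(f"{entry}: '{name}' needs user-level security")
            else:
                kept.add(name)
        return kept

    if auditing == ["no"]:
        if noauditing:
            warnings.append("noauditing has no effect while auditing is off")
        return [], warnings
    excluded = check("noauditing", noauditing)
    if auditing == ["yes"]:
        # Everything the security level supports, minus the noauditing list.
        return sorted(available - excluded), warnings
    listed = check("auditing", auditing)
    for name in sorted(listed & excluded):
        warnings.append(f"'{name}' is listed under both auditing and noauditing")
    # With a list in each entry, the auditing entry decides.
    return sorted(listed), warnings


if __name__ == "__main__":
    for text, level in SAMPLES:
        events, notes = effective_audit_events(text, level)
        print(level, "->", ",".join(events) or "(nothing audited)")
        for note in notes:
            print("   WARNING:", note)
```

- The second sample shows that auditing=logon on a share-level server records
- nothing, because Table 16.1 lists logon under user-level security only.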
-
-
- Modifying Audited Events
-
- The values for the auditing and noauditing entries can be modified
- temporarily as you start the server by using either the Config menu's
- Control services command or Server options command. For information about
- changing the server's configuration options using the Control services
- command, see Chapter 2, "Getting Started."
-
- The following procedure describes how to modify audited events using the
- Config menu's Server options command.
-
- If the server has share-level security, not all events shown on the LAN
- Manager Screen can be modified. Those events that can't be audited appear as
- shaded in the "Auditing the Server \\server" dialog box. Changes made in
- this way remain in effect until the server is restarted.
-
- To modify audited events when you start the server:
-
-
- 1. Be sure the Server service is stopped.
-
- 2. From the Config menu, choose Server options.
-
- The dialog box shown in Figure 16.1 appears.
-
- (This figure may be found in the printed book).
-
- If the server has share-level security, the "User security" check box
- will not be marked.
-
- 3. Choose <Auditing>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- The last three events in the "Audited events" list are shaded and not
- available for a server with share-level security.
-
- 4. Mark the "Auditing enabled" check box.
-
- 5. From the "Audited events" check boxes, mark the events you want to
- audit.
-
- 6. Choose <OK>.
-
- The "Set Configuration for Server \\server" dialog box (Figure 16.1)
- appears.
-
- 7. To restart the Server service, from the "Start server services" check
- boxes, mark "Server."
-
- 8. Choose <OK>.
-
-
- Command Line To modify audited events when you start the server:
-
-
- 1. Be sure the Server service is stopped.
-
- 2. Specify audited events by typing
-
- net start server /auditing:{yes | no | event[,...]}
- /noauditing:event[,...]
-
-
- See Net Start Server, Microsoft LAN Manager Administrator's Reference.
-
-
- Viewing, Saving, and Clearing the Audit Trail
-
- The audit trail records the events you have specified to be audited,
- including network events and resource use. The audit trail is stored as a
- file with the filename NET.AUD in the LANMAN\LOGS directory, the default
- directory for audit files. The audit trail can be viewed, saved, and cleared
- using the Status menu's Audit trail command. The audit trail can be viewed
- and cleared (not saved) with the net audit command.
-
- You can save the audit trail to the file AUDIT.SAV at any time. This does
- not clear the audit trail. AUDIT.SAV is overwritten each time the audit
- trail is saved. To keep a permanent record, copy AUDIT.SAV to another file.
-
- When you clear the audit trail, the information is moved to the file
- AUDIT.BAK. This file is overwritten each time the audit trail is cleared.
-
- For servers with share-level security, the audit trail displays information
- about when a service has been started or stopped, when a user has started or
- ended a session at the server, and when a resource has been accessed.
-
- For servers with user-level security, more detailed records are available. A
- range of actions related to access and logon attempts can be reported, with
- users identified. The audit trail for user-level servers provides the
- following information:
-
-
- ■ The username of the person who performed the audited event. Asterisks
- appear if no username is available.
-
- ■ The type of audited event. These types of events are as follows:
-
-
- Server
- Audits actions such as starting and stopping the server.
-
- Session
- Audits sessions started with the server.
-
- Share
- Audits actions such as starting and stopping the sharing of resources.
-
- Access
- Audits resource access.
-
- Access Denied
- Audits failed attempts to access a resource.
-
-
- ■ The date and time of the audited event.
-
-
- To view, save, and clear the audit trail:
-
-
- 1. To view the audit trail, from the Status menu, choose Audit trail.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. To save the contents of the audit trail in the AUDIT.SAV file, choose
- >.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. To clear the audit trail and start a new audit record, choose <Clear>.
-
- 5. When prompted for confirmation, choose <OK>.
-
- 6. Choose <Done>.
-
-
- Command Line To view and clear the audit trail:
-
-
- 1. View the audit trail by typing
-
- net audit [/count:number] [/reverse]
-
- 2. Clear the audit trail by typing
-
- net audit /delete
-
-
- See Net Audit, Microsoft LAN Manager Administrator's Reference.
-
-
- The Alert System
-
- LAN Manager sends messages called alerts under certain conditions, for
- example, when a user's quota of disk space is almost reached, or when the
- printer is out of paper. The Alerter service sends these alerts.
-
- The receiving computer must be running the Messenger service to receive
- alerts. If the Netpopup service is running, the alert is displayed on the
- screen.
-
- There are three classes of alerts:
-
-
- ■ Error alerts are messages about network or system errors. These
- messages are stored in the error log. For more information about the
- error log, see "The Error Log" section, later in this chapter.
-
- ■ Print alerts relate to printer events, such as when a print job is
- completed, or the printer is out of paper. A print alert is sent only
- to the user who submitted the print job.
-
- ■ Admin alerts are messages about server and resource use, which are
- sent only to those users specified by the alertnames entry in the
- [server] section of LANMAN.INI. For instance, an admin alert is sent
- when a maximum number of users are using a resource, or too many logon
- violations have occurred.
-
-
- The sizalertbuf entry in the [alerter] section of LANMAN.INI controls the
- size of the alert buffer for a server. You can also modify this entry
- temporarily when you start the server. You may want to increase the size of
- the buffer if you will be sending a large number of alerts.
-
-
- Starting the Alerter Service
-
- If you want alerts to always be sent, start the Alerter service along with
- the Server service by adding alerter to the srvservices entry in the
- [server] section of LANMAN.INI.
-
- You can also start the Alerter service from the Config menu's Server options
- command or Control services command. With the Server options command, you
- enable the "Admin alerter" option. With the Control services command, you
- can adjust the size of the alert buffer. The following procedure tells how
- to do this.
-
- To start the Alerter service:
-
-
- 1. From the Config menu, choose Control services.
-
- The dialog box shown in Figure 16.2 appears.
-
- (This figure may be found in the printed book).
-
- 2. In the list box, select Alerter, then choose <Start>.
-
- The dialog box shown in Figure 16.3 appears.
-
- (This figure may be found in the printed book).
-
- 3. To adjust the size of the alert buffer, in the "Value" text box, type
- the number (of kilobytes) that you want to use for the alert buffer.
-
- The range is 512-16384; the default is 3072 kilobytes.
-
- 4. Choose <Set>.
-
- 5. Choose <OK>.
-
- 6. Choose <Done>.
-
-
- Command Line To start the Alerter service, type
-
- net start alerter [/sizalertbuf:bytes]
-
- See Net Start Alerter, Microsoft LAN Manager Administrator's Reference.
-
-
- Configuring Alerts
-
- For some alert conditions, you can specify when LAN Manager should notify
- you. For example, you can have an alert sent when a user makes 10
- unsuccessful attempts to log on.
-
- To control when and to whom LAN Manager sends alerts and the alert
- conditions to be checked, use the alert entries in the [server] section of
- the LANMAN.INI file. The following entries determine how alerts work on the
- server:
-
- accessalert
- Sets the number of resource access violations within the alertsched
- interval that will trigger an alert. This entry only applies to servers
- with user-level security. The range is 0-65535; the default is 5
- violations.
-
- alertnames
- Lists the users to receive admin alerts.
-
- alertsched
- Sets the interval, in minutes, at which the server checks for alert
- conditions and sends any needed messages. The range is 0-65535; the default
- is 5 minutes.
-
- diskalert
- Sets the amount of free disk space (in kilobytes) that triggers a
- full-disk alert. The range is 0-65535; the default is 300 kilobytes.
-
- erroralert
- Sets the number of errors that can occur within the time period specified
- by the alertsched entry. The range is 0-65535; the default is 5 errors.
-
- logonalert
- Sets the number of logon violations that can occur within the time period
- specified by the alertsched entry. The range is 0-65535; the default is 5
- violations.
-
- netioalert
- Sets the number of network data transfer (I/O) errors that can occur
- within the time period specified by the alertsched entry. The range is
- 0-65535; the default is 5 errors.
-
-
- Changing Alert Conditions
-
- Alert conditions can be temporarily modified when you start the server
- either by using the Config menu's Control services command or by using the
- net start server command. For information about changing the server's
- configuration options when you start the Server service, see the
- "Controlling LAN Manager Services" section in Chapter 2, "Getting Started."
-
- Command Line To change alert conditions:
-
-
- 1. Stop the Server service by typing
-
- net stop server
-
- 2. Change alert conditions by typing
-
- net start server [/accessalert:n] [/alertnames:name]
- [/alertsched:time] [/diskalert:n] [/erroralert:n] [/logonalert:n]
- [/netioalert:n]
-
-
- The same options are available with the net config server command, which
- allows you to reconfigure the server without stopping the Server service.
- See Net Config Server and Net Start Server, Microsoft LAN Manager
- Administrator's Reference.
-
-
- Modifying the Alertnames List
-
- To change the list of usernames to receive alerts, you don't need to stop
- the Alerter or Server service. Any changes you make take effect immediately.
-
- To change the alertnames list:
-
-
- 1. From the Config menu, choose Server options.
-
- The "Set Configuration for Server \\server" dialog box (Figure 16.1)
- appears.
-
- 2. In the "Send alerts to" text box, type the username(s) to receive
- alerts.
-
- Use a comma to separate multiple usernames.
-
- 3. Choose <OK>.
-
-
-
- The Statistics Display
-
- LAN Manager maintains a record of statistics about server performance. These
- statistics can be used to evaluate how often the server is used, and how
- well it is performing. Statistics are cleared each time the server is turned
- off, and can't be saved. They can also be cleared using the Config menu's
- Server statistics command.
-
- Statistics are kept for both workstations and servers. Workstation
- statistics record network activity, network errors, volumes of information
- sent and received, sessions from the workstation to the server, connections
- to shared resources, and use of network buffers.
-
- Server statistics record information about how the server is being accessed.
- The following statistics are kept for LAN Manager servers:
-
- Statistics since
- Tells when this set of statistics began (either at the last server startup
- or the last time the statistics were cleared).
-
- Bytes received
- Tells how many bytes of data the server received.
-
- Bytes sent
- Tells how many bytes of data the server transmitted.
-
- Mean response time (msec)
- Tells the average response time for processing remote server requests.
-
- Sessions accepted
- Tells how many times users connected to the server.
-
- Sessions timed out
- Tells how many user sessions were closed because of inactivity.
-
- Sessions erroredout
- Tells how many sessions ended because of error.
-
- Files and pipes accessed
- Tells how many files and pipes were used.
-
- Comm devices accessed
- Tells how many communication devices were used.
-
- Print jobs spooled
- Tells how many print jobs were spooled to printer queues on the server.
-
- Network errors
- Tells the number of data transmission errors.
-
- System errors
- Tells the number of errors from MS OS/2 system calls.
-
- Times buffers exhausted
- Tells the number of shortages of big buffers and request buffers.
-
- Password violations
- Tells how many incorrect passwords were tried.
-
- Permission violations
- Tells how many times users attempted to access resources without the
- required permissions.
-
-
- Viewing and Clearing Statistics
-
- To view and optionally clear server statistics:
-
-
- 1. To view the statistics for the server, from the Status menu, choose
- Server statistics.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. To clear the statistics for the server, choose <Clear statistics>.
-
- 3. When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line To view and optionally clear server statistics:
-
-
-
- 1. View the statistics for the server by typing
-
- net statistics server
-
- 2. Clear the statistics for the server by typing
-
- net statistics server /clear
-
-
- See Net Statistics, Microsoft LAN Manager Administrator's Reference.
-
-
- The Error Log
-
- LAN Manager keeps records of workstation and server errors in a file called
- the error log. The error log is stored in the file NET.ERR in the
- LANMAN\LOGS directory. If the Messenger and Netpopup services are started on
- the computer, some errors also appear as alert messages on the screen.
-
- If you are searching for the cause of a problem and cannot find any relevant
- messages, you might look for evidence in the audit trail (see the "Auditing
- a Server on the Network" section, earlier in this chapter). For example, an
- incorrect password attempt is recorded in the audit trail rather than the
- error log.
-
-
- Viewing the Error Log
-
- The error log that is displayed on the LAN Manager Screen lists error
- entries from oldest to newest. When you view error information using the net
- error command, you have a choice of viewing in this order, or in the reverse
- order.
-
- The error log displays the following information:
-
-
- ■ The service error
-
- ■ The error number
-
- ■ The date and time when the error occurred
-
-
- To view the error log:
-
-
-
- 1. From the Status menu, choose Error log.
-
- The dialog box shown in Figure 16.4 appears.
-
- (This figure may be found in the printed book).
-
- 2. To get more information about an error, in the list box, select the
- error, then choose <Zoom>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Choose <Done>.
-
- 4. Choose <Done>.
-
-
- Command Line To view the error log, type
-
- net error [/count:number] [/reverse]
-
- See Net Error, Microsoft LAN Manager Administrator's Reference.
-
-
- Saving and Clearing the Error Log
-
- The error log can be saved and cleared using the Status menu's Error log
- command. The error log can be cleared with the net error command. You can
- save the error log to the file ERROR.SAV at any time. This does not clear
- the log. ERROR.SAV is overwritten each time the log is saved. To keep a
- permanent record, copy ERROR.SAV to another file.
-
- When you clear the error log, the information is moved to the file
- ERROR.BAK. This file is overwritten each time the error log is cleared.
-
- To save and clear the error log:
-
-
- 1. From the Status menu, choose Error log.
-
- The "Network Error Log" dialog box (Figure 16.4) appears.
-
- 2. To save the contents of the error log in a file, choose >.
-
- When prompted for confirmation, choose <OK>.
-
- 3. To clear the error log, choose <Clear>.
-
- When prompted for confirmation, choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line To clear the error log, type
-
- net error /delete
-
- See Net Error, Microsoft LAN Manager Administrator's Reference.
-
-
- Using Session Information
-
- Each time that a workstation communicates with a server, a session is
- established with the server. A session starts when a user on a workstation
- successfully makes a connection to a server, such as with the net use
- command. For a server with user-level security, a session is established
- when the server's user accounts database validates the user's password and
- username. For a server with share-level security, a session is established
- when the user makes a connection to a resource on a server.
-
- An administrator can view and control these sessions and can close files
- opened through one of these sessions. Knowing information about sessions is
- useful for gauging the server's work load.
-
- The Status menu's Session status command is used to view information about
- all sessions with a server and to force a session or file closed.
-
- LAN Manager has an autodisconnect feature that lets you set a time limit for
- inactive sessions. If you find that connections to a resource are not being
- used for long periods, you can set the autodisconnect entry in the [server]
- section of LANMAN.INI to end these sessions after a specified interval to
- enable more server processing power. The session is automatically activated
- the next time that the user uses the server.
-
- The number of sessions that can be established at a server, and how long an
- inactive session stays connected, are determined by entries in the [server]
- section of LANMAN.INI. These entries are listed in Table 16.2. Some of these
- settings are dependent on the values set for other settings in the list. For
- more information about the LANMAN.INI file, see the Microsoft LAN Manager
- Administrator's Reference.
-
- Table 16.2 LANMAN.INI Session Entries
-
- ────────────────────────────────────────────────────────────────────────────
- autodisconnect
- Sets the number of minutes that the server waits before disconnecting an
- inactive session. The range is -1-65535; the default is -1 (never).
-
- maxchdevjob
- Sets the maximum number of simultaneous requests that the server accepts
- for all communication-device queues. The range is 0-65535; the default is
- 6 requests.
-
- maxconnections
- Sets the maximum number of simultaneous connections workstations can have
- with the server. The range is maxusers to 2000; the default is 128
- connections.
-
- maxopens
- Sets the maximum number of files, named pipes, and devices that can be
- open on the server at one time. The range is 1-8000; the default is 64
- opens.
-
- maxsessopens
- Sets the maximum number of files, named pipes, and devices one workstation
- can have open on the server. The range is 1 to maxopens; the default is 50
- opens.
-
- maxsessreqs
- Sets the number of resource requests that one workstation can have pending
- on the server. The range is 1-65535; the default is 50 requests.
-
- maxsessvcs
- Sets the maximum number of virtual circuits the server can accept from a
- workstation. This value must be set to 1.
-
- maxusers
- Sets the maximum number of users who can use the server simultaneously.
- This is actually the number of sessions with the server. The range is
- 1-1000; the default is 32 sessions. The total number of users should
- include the number allowed by Additional User Paks plus the number of
- users accessing the server through IPC connections (named pipes, which are
- used by network application programs such as the net run command or
- Microsoft SQL Server).
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Changing maxusers affects the maxconnections, numbigbuf, and numreqbuf
- entries. Use the Setup program to change the value of maxusers and
- automatically adjust these other entries. For information about using the
- Setup program, see the Microsoft LAN Manager Installation Guide.
-
-
- ────────────────────────────────────────────────────────────────────────────
- ────────────────────────────────────────────────────────────────────────────
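-
- The following Python check is an added example, not part of the original guide or of LAN Manager: it tests a [server] section against the ranges in Table 16.2, including the two ranges that depend on other entries (maxconnections on maxusers, maxsessopens on maxopens).
- It assumes the file uses name = value lines that Python's configparser can read and that an absent entry takes the default from the table; the function names and the sample file are hypothetical.

```python
"""Check the session entries of a LANMAN.INI [server] section against Table 16.2."""
import configparser

# entry: (low, high, default), as listed in Table 16.2. A string bound names
# another entry whose effective value supplies the limit.
SESSION_ENTRIES = {
    "autodisconnect": (-1, 65535, -1),
    "maxchdevjob": (0, 65535, 6),
    "maxconnections": ("maxusers", 2000, 128),
    "maxopens": (1, 8000, 64),
    "maxsessopens": (1, "maxopens", 50),
    "maxsessreqs": (1, 65535, 50),
    "maxsessvcs": (1, 1, 1),  # the table says this value must be set to 1
    "maxusers": (1, 1000, 32),
}

# Constructed sample input, not taken from a real server.
SAMPLE_INI = """\
[server]
autodisconnect = -1
maxusers = 64
maxconnections = 48
maxopens = 40
maxsessopens = 50
maxsessreqs = fifty
maxsessvcs = 2
"""


def read_server_section(ini_text):
    """Return the raw [server] entries; the section name is matched case-insensitively."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.read_string(ini_text)
    for name in parser.sections():
        if name.lower() == "server":
            return dict(parser[name])
    return {}


def _bound(limit, values):
    """Resolve a numeric bound, following a reference to another entry if needed."""
    if isinstance(limit, str):
        return values[limit], f"{limit} ({values[limit]})"
    return limit, str(limit)


def check_session_entries(ini_text):
    """Return a list of (level, entry, message) findings for the session entries."""
    raw = read_server_section(ini_text)
    findings, values, unparsed = [], {}, set()

    # Pass 1: work out the effective value of every entry (assumed: an absent
    # entry takes its table default).
    for entry, (_, _, default) in SESSION_ENTRIES.items():
        values[entry] = default
        if entry not in raw:
            continue
        try:
            values[entry] = int(raw[entry])
        except (TypeError, ValueError):
            unparsed.add(entry)
            findings.append(("error", entry, f"{raw[entry]!r} is not an integer"))

    # Pass 2: range checks, resolving bounds that refer to other entries.
    for entry, (low, high, _) in SESSION_ENTRIES.items():
        if entry in unparsed:
            continue
        lo, lo_text = _bound(low, values)
        hi, hi_text = _bound(high, values)
        value = values[entry]
        if not lo <= value <= hi:
            source = "configured" if entry in raw else "default"
            findings.append(
                ("error", entry,
                 f"{source} value {value} is outside {lo_text} to {hi_text}")
            )

    # -1 is valid, but it means inactive sessions are never disconnected.
    if "autodisconnect" not in unparsed and values["autodisconnect"] == -1:
        findings.append(
            ("note", "autodisconnect", "inactive sessions are never disconnected")
        )
    return findings


if __name__ == "__main__":
    for level, entry, message in check_session_entries(SAMPLE_INI):
        print(f"{level:5} {entry}: {message}")
```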
-
-
- Modifying Session Entries
-
- The values for the session entries in LANMAN.INI can be temporarily modified
- when you start the server either by using the Config menu's Control services
- command, or by using the net start server command. For information about
- changing the server's configuration options when you start the Server
- service, see the "Controlling LAN Manager Services" section in Chapter 2,
- "Getting Started."
-
- Command Line To change session values:
-
-
- 1. Stop the Server service by typing
-
- net stop server
-
- 2. Change session values by typing
-
- net start server [/autodisconnect:time] [/maxchdevjob:n]
- [/maxconnections:n] [/maxopens:n] [/maxsessopens:n] [/maxsessreqs:n]
- [/maxsessvcs:n] [/maxusers:n]
-
-
- See Net Start Server, Microsoft LAN Manager Administrator's Reference.
-
-
- Viewing Session Information
-
- You can view the following types of information about a session with a
- server:
-
-
- ■ The computername and username for each user with an established
- session
-
- ■ The type of networking software (such as LAN Manager) making the
- connection (the "Client Type")
-
- ■ Whether or not the user is logged on as guest
-
- ■ How many open files a user has
-
- ■ How long the session has been inactive
-
-
- To view session information:
-
-
- 1. From the Status menu, choose Session status.
-
- The dialog box shown in Figure 16.5 appears.
-
- (This figure may be found in the printed book).
-
- 2. To get more information about a session, in the list box, select the
- session, then choose <Zoom>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Choose <Done>.
-
- 4. Choose <Done>.
-
-
- Command Line To view session information, type
-
- net session [\\computername]
-
- See Net Session, Microsoft LAN Manager Administrator's Reference.
-
-
- Closing Sessions
-
- If you need to do something at a server that requires you to disconnect one
- or more sessions─for example, you need to restore data in a directory─you
- can close sessions from the server. If the Alerter service is running, the
- workstation with the session is automatically notified that the session is
- to be disconnected.
-
- Closing a user's session does not prevent the user from connecting to a
- resource. In fact, LAN Manager automatically starts a new session the next
- time the person uses a resource. If a session is inactive when it's forced
- closed, the user can start a new session without knowing the first session
- was closed. To prevent new sessions from being connected, pause the Server
- service.
-
- To end individual sessions, use the LAN Manager Screen. To end all sessions
- at once, use the command line.
-
- To close a session:
-
-
- 1. From the Status menu, choose Session status.
-
- The "Sessions to This Server" dialog box (Figure 16.5) appears.
-
- 2. In the list box, select the session that you want to end.
-
- 3. Choose <Disconnect>.
-
- 4. When prompted for confirmation, choose <OK>.
-
- 5. Choose <Done>.
-
-
- Command Line To close a session, type
-
- net session [\\computername] /delete
-
- See Net Session, Microsoft LAN Manager Administrator's Reference.
-
-
- Closing Files
-
- Turning off the server without using the Presentation Manager Shutdown
- procedure, as well as some types of program errors, sometimes leaves a file
- open─perhaps even locked. You can close these files to make them available
- again.
-
- To close a file:
-
-
- 1. From the Status menu, choose Opened files.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. In the list box, select the file that you want to close.
-
- 3. Choose <Close>.
-
- 4. When prompted for confirmation, choose <OK>.
-
- 5. Choose <Done>.
-
-
- Command Line To close a file:
-
-
- 1. Find the identification number by typing
-
- net file
-
- 2. Close the file by typing
-
- net file id /close
-
-
- See Net File, Microsoft LAN Manager Administrator's Reference.
-
-
- Synchronizing Network Clocks
-
- Using the Timesource service, you can designate a LAN Manager server as the
- network time server, with which other computers on the network synchronize.
- The Timesource service runs only on the time server.
-
- The Timesource service does not keep time; it only provides the means for
- other computers on the network to identify a reliable clock. The clock must
- be maintained by some other mechanism, typically special hardware and/or
- software.
-
- The Timesource service is useful for synchronizing network events on all
- computers. For example, if you have a batch program to be run at the same
- time every day on all computers on the network, use the Timesource service
- to designate a time server so that the computers are synchronized and run
- the command at the same time.
-
- If you will be routinely using the Timesource service, you can add it to the
- srvservices list in the [server] section of the LANMAN.INI file in order to
- start the Timesource service each time the Server service is started.
-
- To start the Timesource service on the time server:
-
-
- 1. From the Config menu, choose Control services.
-
- The "LAN Manager Services" dialog box (Figure 16.2) appears.
-
- 2. In the list box, select Timesource, then choose <Start>.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- There are no options or values to set for the Timesource service.
-
- 3. Choose <OK>.
-
- 4. Choose <Done>.
-
-
- Command Line To start the Timesource service on the time server, type
-
- net start timesource
-
- See Net Start Timesource, Microsoft LAN Manager Administrator's Reference.
-
-
- Synchronizing with the Time Server
-
- After starting the Timesource service, you can synchronize other computers
- with the time server.
-
- Command Line To synchronize a computer with the time server, type
-
- net time \\computername /set
-
- See Net Time, Microsoft LAN Manager User's Guide.
-
-
-
-
-
-
- Appendix A The LANMAN.INI File
- ────────────────────────────────────────────────────────────────────────────
-
-
- Summary Tables
-
- These tables provide the range and default values for entries in the
- LANMAN.INI file. A value of 65535 for an entry means "forever," or "no
- limit." For more information, see the Microsoft LAN Manager Administrator's
- Reference and the Microsoft LAN Manager Installation Guide.
-
-
- Workstation
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- charcount bytes 0-65535 16
-
- chartime milliseconds 0-65535000 250
-
- charwait seconds 0-65535 3600 {128}
-
- computername characters 1-15 ─
-
- domain characters 1-15 DOMAIN
-
- himem string yes/no/optional NO
-
- keepapis string yes/no YES
-
- keepconn seconds 1-65535 600
-
- keepsearch seconds 1-65535 600
-
- lanroot pathname ─ C:\LANMAN.DOS
-
- lim string yes/no YES
-
- mailslots ─ yes/no YES
-
- maxcmds integer 5-255, minimum = (5 * # of wrknets) 16 {11}
-
- maxerrorlog kilobytes 2 to total disk size 100
-
- maxthreads integer 10-254 10
-
- maxwrkcache kilobytes 0-640 64
-
- numalerts integer 3-200 12
-
- numbigbuf integer 0-255 0
-
- numcharbuf integer 0-15 10 {2}
-
- numdgrambuf integer 8-112 {3-112} 14 {3}
-
- nummailslots integer 0-255 2
-
- numresources integer 1-255 9
-
- numservers integer 1-255 9
-
- numservices integer 4-256 {1-255} 8 {5}
-
- numviewedservers integer 0-255 50
-
- numworkbuf integer 3-50 15 {5}
-
- othdomains domain names as many as 4 other domains ─
-
- printbuftime seconds 0-65535 90
-
- sesstimeout seconds 10-65535 45
-
- sizbigbuf bytes 0-65535 4096
-
- sizcharbuf bytes 64-4096 512 {128}
-
- sizerror bytes 256-4096 1024
-
- sizworkbuf bytes 1024-16384 {64-4096} 4096 {1024}
-
- wrkheuristics ─
-
- wrknets names from [networks] {LANA numbers} net1 to list from [networks] {0-254} NET1 {0}
-
- wrkservices service names no value to list from [services] MESSENGER, NETPOP
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- Braces ({ }) indicate defaults or ranges that are different for MS-DOS.
-
- The entry is only for an MS-DOS LANMAN.INI file.
-
- The entry is only for an MS OS/2 LANMAN.INI file.
-
- See the Microsoft LAN Manager Administrator's Reference.
-
-
- Messenger
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- logfile pathname ─ MESSAGES.LOG
-
- nummsgnames integer 1-10 2
-
- sizmessbuf bytes 512-62000 {128-62000} 4096 {256}
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- Braces ({ }) indicate defaults or ranges that are different for MS-DOS.
-
- The entry is only for an MS-DOS LANMAN.INI file.
-
-
- Netshell
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- refresh seconds 0-65535 15
-
- remote computername ─ ─
-
- username characters 1-20 USER
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- The entry is only for an MS OS/2 LANMAN.INI file.
-
-
- Server
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- accessalert integer 0-65535 5
-
- alertnames usernames no value to name list ─
-
- alertsched minutes 0-65535 5
-
- auditing string yes/no/event NO
-
- autodisconnect minutes -1-65535 -1
-
- autopath pathname ─ SRVAUTO.PRO
-
- autoprofile string LOAD
-
- diskalert kilobytes 0-65535 300
-
- erroralert integer 0-65535 5
-
- guestacct name as many as 20 characters GUEST
-
- logonalert integer 0-65535 5
-
- maxauditlog kilobytes 0-65535 100
-
- maxchdevjob integer 0-65535 6
-
- maxchdevq integer 0-65535 2
-
- maxchdevs integer 0-16 2
-
- maxconnections integer maxusers to 2000 128
-
- maxlocks integer 1-8000 64
-
- maxopens integer 1-8000 64
-
- maxsearches integer 0-1927 50
-
- maxsessopens integer 1 to maxopens 50
-
- maxsessreqs integer 1-65535 50
-
- maxsessvcs integer 1 1
-
- maxshares integer 2-500 16
-
- maxusers integer 1-1000 32
-
- netioalert integer 0-65535 5
-
- noauditing string ─
-
- numadmin integer 0-65535 2
-
- numbigbuf integer 0-80 3
-
- numfiletasks integer 1-8 1
-
- numreqbuf integer 5-300 15
-
- security string share/user USER
-
- sizreqbuf bytes 1024-32768 4096
-
- srvanndelta milliseconds 0-65535 3000
-
- srvannounce seconds 0-65535 60
-
- srvcomment characters no value to 48 ─
-
- srvheuristics ─
-
- srvhidden string yes/no NO
-
- srvnets names from [networks] net1 to list from [networks] NET1
-
- srvservices service names no value to list from [services] ALERTER
-
- userpath pathname ─ ACCOUNTS\USERDIRS
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- See the Microsoft LAN Manager Administrator's Reference.
-
-
- Alerter
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- sizalertbuf bytes 512-16384 3072
-
- ────────────────────────────────────────────────────────────────────────────
-
- Netrun
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- maxruns integer 1-10 3
-
- runpath pathname ─ ─
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
-
- Replicator
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- exportlist names 0-32 0
-
- exportpath pathname ─ REPL\EXPORT
-
- guardtime minutes 0 to (interval/2) 2
-
- importlist servernames 0-32 0
-
- importpath pathname ─ REPL\IMPORT
-
- interval minutes 1-60 5
-
- logon username ─ ─
-
- password password ─ ─
-
- pulse integer 1-10 3
-
- random seconds 1-120 60
-
- replicate ─ import/export/both IMPORT
-
- tryuser ─ yes/no YES
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
-
- UPS
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- batterytime seconds 0-28800 60
-
- cmdfile pathname ─ ─
-
- messdelay seconds 0-120 5
-
- messtime seconds 30-300 120
-
- recharge minutes 5-250 100
-
- signals ─ 100
-
- voltlevels ─ 100
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- See the Microsoft LAN Manager Administrator's Reference.
-
-
- Netlogon
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- pulse seconds 60-3600 300
-
- randomize seconds 5-120 30
-
- scripts pathname ─ REPL\IMPORT\SCRIPTS
-
- update ─ yes/no YES
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
-
- Remoteboot
-
- Entry Units Range/Value Default
- ────────────────────────────────────────────────────────────────────────────
- configfile filename or pathname ─ DOSBB.CNF
-
- maxthreads integer 10
-
- rpldir pathname ─ RPL
-
- rpln RPL1-RPL12 ─
-
- ────────────────────────────────────────────────────────────────────────────
-
-
-
- See the Microsoft LAN Manager Administrator's Reference.
-
-
-
-
-
-
- Appendix B Menu Commands
- ────────────────────────────────────────────────────────────────────────────
-
- This appendix gives a brief tour of the LAN Manager Screen. It describes
- information displayed on the screen and explains what you can do with each
- menu command.
-
-
- The LAN Manager Screen for Administrators
-
- After you log on to the network as an administrator, the LAN Manager Screen
- for administrators appears, as shown in Figure B.1.
-
- (This figure may be found in the printed book).
-
- The fields of the LAN Manager Screen provide the following information:
-
- Menu bar
- Displays the names of menus from which you can choose menu commands.
-
- Current focus
- Shows the computername of your workstation or of the server that is the
- focus of activity when using LAN Manager Screen commands.
-
- Workstation information
- Provides the following information about your workstation:
-
- Your username
- The username specified when you logged on to the network.
-
- Your computername
- The computername specified when the workstation was started.
-
- Your domain
- The name of your logon domain. This is the domain name specified when
- you logged on to the network. If you didn't specify a domain name, you
- automatically logged on in the workstation domain, which is specified
- in the LANMAN.INI file. Note that the workstation domain and the logon
- domain are the same if you logged on in the workstation domain.
-
- Servers visible at the workstation
- Lists the servers in the logon and workstation domains.
-
- Scroll bar
- Lets you use a mouse to scroll through servers in the list box.
-
- Message line
- Provides a brief statement about the current menu, command, or task.
-
-
- View Menu
-
- The View menu commands let you view and control resources for local and
- remote servers, view usernames logged on to the network, and exit the LAN
- Manager Screen.
-
- (This figure may be found in the printed book).
-
- The following list describes the View menu commands:
-
- Available resources
- Displays the different types of resources available on the server of
- current focus. These resources include shared directories, printers,
- communication devices, and reserved administrative resources.
-
- Printer queues
- Displays the printer queues on the server of current focus and the print
- jobs in each queue. You can control the printer queues and the print jobs
- in each printer queue, and modify the queue settings.
-
- Comm-device queues
- Displays the communication-device queues (comm queues) on the server of
- current focus and the number of jobs waiting in each queue. You can
- control the jobs and modify the queue settings.
-
- Shared resources
- Displays the shared resources on the server of current focus. You can stop
- and start sharing administrative resources, directories, printer queues,
- and comm queues.
-
- Used resources
- Displays the resources your workstation is using on the server of current
- focus. You can connect your workstation to resources shared on servers
- other than the server of current focus and on non-LAN Manager servers.
-
- Users on a server
- Displays the users who are logged on at the server of current focus.
-
- Users on a domain
- Displays the users who are logged on in a domain.
-
- Exit
- Removes the LAN Manager Screen.
-
-
- Message Menu
-
- The Message menu commands let you send messages, control the message log,
- enable or disable message popups, and manage message aliases.
-
- (This figure may be found in the printed book).
-
- The following list describes the Message menu commands:
-
- Send a typed message
- Lets you send a message to one or more users on the network.
-
- Send a file as a message
- Lets you send a file as a message to one or more users on the network.
-
- Log messages to file
- Lets you select the log file that stores your messages, pause and continue
- message logging, and enable or disable message popup.
-
- Read message log file
- Displays the messages in your log file.
-
- Aliases
- Displays the message aliases on the workstation. You can add message
- aliases to your workstation, delete message aliases from your workstation,
- and forward your messages to another user's alias.
-
-
- Config Menu
-
- The Config menu commands let you log on to and off from the network, load
- and save profiles, view the workstation configuration, set the server
- configuration, and check or change the status of LAN Manager services.
-
- (This figure may be found in the printed book).
-
- The following list describes the Config menu commands:
-
- Log on to LAN
- Lets you log on to the network.
-
- Log off from LAN
- Lets you log off from the network.
-
- Load profile
- Displays the profiles you can load to automatically share resources and
- connect to shared resources.
-
- Save profile
- Lets you save the server's shared resources, and connections to shared
- resources, as a profile.
-
- Workstation options
- Displays information about your workstation's configuration, and stops and
- starts the Messenger and Netpopup services.
-
- Server options
- Displays the configuration for the server.
-
- Control services
- Displays information about LAN Manager services. You can start, stop,
- pause, and continue services.
-
- Stop LAN Manager services
- Disconnects your workstation from shared resources, logs you off from the
- network, and stops all services.
-
-
- Status Menu
-
- The Status menu commands let you check the status of shared resources, view
- workstation and server statistics, and read the audit trail and error log.
-
- (This figure may be found in the printed book).
-
- The following list describes the Status menu commands:
-
- Device status
- Displays information about shared devices on the server of current focus.
- You can cancel a print job, and pause and continue a printer or
- communication device.
-
- Session status
- Displays information about current sessions with the server of current
- focus. You can view the connections in a session and close a session.
-
- Opened files
- Displays the open files on the server of current focus. You can close a
- file.
-
- Workstation statistics
- Displays information about workstation activities on the network.
-
- Server statistics
- Displays the server statistics.
-
- Audit trail
- Displays the audit trail for the server.
-
- Error log
- Displays error messages received at the server.
-
-
- Accounts Menu
-
- The Accounts menu commands let you modify user and group accounts, view and
- set permissions for shared resources, and view or change security settings.
-
-
- (This figure may be found in the printed book).
-
- The following list describes the Accounts menu commands:
-
- Your account
- Displays information about your account.
-
- Change your password
- Lets you change your password at a server.
-
- Users
- Displays the user accounts on the server. You can create, modify, disable,
- and delete a user's account.
-
- Groups
- Displays the groups of users on a server. You can create, change the
- membership of, and remove a group.
-
- File permissions
- Displays the files and directories on the server of current focus. You can
- set permissions and auditing guidelines for these files and directories.
-
- Other permissions
- Displays the non-disk resources on the server of current focus. You can
- set permissions and auditing guidelines for these queues and named pipes.
-
- Security settings
- Displays the security settings on the server of current focus. You can
- change the settings for the server.
-
-
- Help Menu
-
- The Help menu commands let you access different types of online help.
-
- (This figure may be found in the printed book).
-
- The following list describes the Help menu commands:
-
- General help
- Describes the LAN Manager Screen and how to use it.
-
- Keyboard
- Explains how to use the LAN Manager Screen with the keyboard.
-
- Mouse
- Explains how to use the LAN Manager Screen with the mouse.
-
- Table of contents
- Displays a list of tasks you can perform with the LAN Manager Screen.
-
- Glossary of terms
- Displays an alphabetical list of terms and definitions used with LAN
- Manager.
-
- Using Help
- Explains how to use help.
-
- About LAN Manager
- Provides a brief description of LAN Manager.
-
-
- Console Version of the LAN Manager Screen
-
- The console version of the LAN Manager Screen gives users control over their
- own print jobs, while limiting access to the server (if the server has
- user-level security). It shows the status of printer and communication
- devices the server is sharing. Administrators can use this screen to monitor
- and control the status of the server's queues and to control print jobs in
- local printer queues.
-
- After you log on to the console version of the LAN Manager Screen, the
- screen in Figure B.2 appears.
-
- (This figure may be found in the printed book).
-
-
- View Menu
-
- The View menu commands let you view and control shared printer and comm
- queues on the server of current focus, and exit the LAN Manager Screen.
-
- (This figure may be found in the printed book).
-
- The following list describes the View menu commands in the console version
- of the LAN Manager Screen:
-
- Printer queues
- Displays the printer queues on the server of current focus and the print
- jobs in each queue. With user-level security, users can control their own
- print jobs. Administrators can reconfigure and control the queue, and can
- control jobs in a queue.
-
- Comm-device queues
- Displays the comm queues on the server of current focus and the number of
- jobs waiting in each queue.
-
- Exit
- Removes the console screen.
-
-
- Message Menu
-
- The Message menu command lets you send messages.
-
- (This figure may be found in the printed book).
-
- The following describes the Message menu command in the console version of
- the LAN Manager Screen:
-
- Send a typed message
- Lets you send a message to one or more users on the network.
-
-
- Status Menu
-
- The Status menu command lets you view and change the status of a printer or
- communication device.
-
- (This figure may be found in the printed book).
-
- The following describes the Status menu command in the console version of
- the LAN Manager Screen:
-
- Device status
- Displays information about shared devices on the server of current focus.
- Administrators can change the status of a device.
-
-
- Accounts Menu
-
- The Accounts menu command lets users change their passwords.
-
- (This figure may be found in the printed book).
-
- The following describes the Accounts menu command in the console version of
- the LAN Manager Screen:
-
- Change your password
- If the server has user-level security, lets users change their passwords.
-
-
- Help Menu
-
- The Help menu commands let you access different types of online help.
-
- (This figure may be found in the printed book).
-
- The following list describes the Help menu commands in the console version
- of the LAN Manager Screen:
-
- General help
- Describes the LAN Manager Screen and how to use it.
-
- Keyboard
- Explains how to use the LAN Manager Screen with the keyboard.
-
- Mouse
- Explains how to use the LAN Manager Screen with the mouse.
-
- Table of contents
- Displays a list of tasks you can perform with the LAN Manager Screen.
-
- Glossary of terms
- Displays an alphabetical list of the terms and definitions used with LAN
- Manager.
-
- Using Help
- Explains how to use help.
-
- About LAN Manager
- Provides a brief description of LAN Manager.
-
-
-
-
-
-
-
-
- Appendix C Country Codes
- ────────────────────────────────────────────────────────────────────────────
-
- A country code in a user account defines the language in which messages are
- sent from a server to a user. Messages such as print notifications and
- alerts are sent from a server to a user's workstation. The country code does
- not affect the language of error messages and explanation messages generated
- by the workstation itself.
-
- The following table lists available country codes. The default value for the
- country code is 0. If the default value is specified, messages are sent in
- the language used in the LANMAN\NETPROG\NET.MSG file.
-
- Country          Code    Country          Code
- ────────────────────────────────────────────────────────────────────────────
- Asia             099     Latin America    003
- Australia        061     Netherlands      031
- Belgium          032     Norway           047
- Canada           002     Portugal         351
- Denmark          045     Spain            034
- Finland          358     Sweden           046
- France           033     Switzerland      041
- Germany          049     United Kingdom   044
- Italy            039     United States    001
- Japan            081
- ────────────────────────────────────────────────────────────────────────────
-
-
-
-
-
-
-
- Appendix D Using the MS OS/2 Print Manager with LAN Manager
- ────────────────────────────────────────────────────────────────────────────
-
- With LAN Manager installed on your computer, several features designed for
- use with the local-area network are added to the MS OS/2 Print Manager.
- These features do not appear if LAN Manager is not installed. If LAN Manager
- is installed on IBM OS/2 1.2, LAN Manager may replace the OS/2 Print Manager
- with the MS OS/2 1.2 Print Manager described in this appendix.
-
- When the Workstation service is running and you are logged on to the
- network, Print Manager lets you view and work with printers and queues on
- the network as well as on your computer. Print Manager is used the same in
- both cases, but with LAN Manager, you can also
-
-
- ■ Remotely set up and change printers and queues.
-
- ■ View and control print jobs in shared printer queues connected to your
- workstation.
-
- ■ Browse shared printers and queues in your workstation domain and other
- domains.
-
- ■ Specify whether information for network queues is refreshed in the
- Print Manager window and specify a time interval for refreshing.
-
-
- If you have admin privilege or print operator privilege at a server, you can
- remotely control shared queues and printers, and jobs in shared queues, with
- Print Manager.
-
- This appendix explains the Print Manager features that are available when
- LAN Manager is installed on your computer. For information about using Print
- Manager, see your MS OS/2 manual(s).
-
-
- The MS OS/2 Print Manager Window
-
- With LAN Manager installed, the Print Manager window looks almost the same
- as it does on a computer without LAN Manager.
-
- (This figure may be found in the printed book).
-
- The Print Manager window shows information about all shared printer queues
- to which your workstation is connected, as well as any local queues and
- printers. A shared queue is represented by its network path rather than a
- printer name. Note that if you connect to a shared queue without assigning a
- devicename to the connection, the queue is still displayed in the Print
- Manager window.
-
- When you print a file, you can select a shared queue for printing just as
- you select a local queue or printer. You can also control a shared queue in
- the same way you control a local queue, provided you have the necessary
- privilege at the server sharing the queue.
-
- With LAN Manager installed, some of the Print Manager menus are slightly
- different from those on a computer without LAN Manager. The following list
- shows the menus and commands for the Print Manager with LAN Manager
- installed.
-
- Queue menu
-
- Hold queue
- Suspends printing of all jobs from the queue(s) selected in the Print
- Manager window.
-
- Release queue
- Reactivates printing for the selected held queue(s).
-
- Cancel all jobs
- Removes all jobs currently in the selected queue(s).
-
- Job menu
-
- Job details
- Shows information, such as job name and priority, for the selected
- job(s).
-
- Cancel job
- Removes the selected job(s) from the queue.
-
- Print job next
- Puts the selected job(s) first in the queue.
-
- Start job again
- Stops the selected job(s) and repeats printing from the beginning.
-
- Hold job
- Changes the status of the selected job(s) so that printing is delayed
- until the job is released.
-
- Release job
- Releases the selected held job(s).
-
- Setup menu
-
- Spooler Path
- Changes the directory in which spooled print jobs are stored.
-
- Printers
- Adds, changes, or deletes a printer. You can also select a port, or
- one or more printer drivers, and you can set the options for the
- printer. You must be logged on at the workstation to use this command.
-
- Queues
- Adds, changes, or deletes a queue. You can also enter other settings
- that the printer driver will use, choose a queue driver, choose one or
- more printers, and choose a printer driver for the queue. You must be
- logged on at the workstation to use this command.
-
- Application defaults
- Identifies a default queue and a default printer for your
- applications.
-
- Refresh menu
-
- Refresh now F5
- Immediately updates the list of queues and jobs.
-
- Refresh interval
- Determines how often information for network queues in the Print
- Manager window is refreshed.
-
- Help menu
-
- Help for help
- Tells how to display help information and how to use the help window.
-
- Extended help
- Displays general help information.
-
- Keys help
- Tells how to use the keyboard with Print Manager.
-
- Help index
- Displays an index of topics for which online help is available.
-
- About
- Displays the version number of Print Manager.
-
-
- Using MS OS/2 Print Manager with Network Printers
-
- The following sections describe how to view, set up, and change settings for
- printers and queues using Print Manager.
-
-
- Viewing Printers
-
- Print Manager lets you see which printers are currently set up on your
- computer or on a remote server. It also lets you add a printer to the list,
- or change settings for a printer.
-
- To view printers:
-
-
- 1. From the Setup menu, choose Printers.
-
- The dialog box shown in Figure D.1 appears.
-
- (This figure may be found in the printed book).
-
- This dialog box shows the names and descriptions of printers set up on
- your computer. The computername of your workstation is displayed in
- the "On Server" field.
-
- 2. To view printers on remote servers, choose Browse.
-
- NOTE The Browse command button is active only when a user is logged
- on at the workstation.
-
- The dialog box shown in Figure D.2 appears.
-
- (This figure may be found in the printed book).
-
- The computername displayed in the "On Server" text box is from the
- "Printers" dialog box. The servers in the workstation domain and the
- workstation's other domains are displayed in the list box.
-
- 3. In the "On Server" text box, type the server's computername or, in the
- list box, select the server.
-
- 4. Choose OK.
-
- You may need to supply a password to gain access to the server if your
- logon password is different from the password in your account at the
- server, or if the server is running share-level security. If a new
- password is needed, the dialog box shown in Figure D.3 appears.
-
- (This figure may be found in the printed book).
-
- If a new password is needed, in the "Enter Password" text box, type
- the password for the server you selected, then choose OK.
-
- The "Printers" dialog box (Figure D.1) appears, displaying printer
- information about the server you selected. From here, you can add,
- change, or delete printers at the server (provided you have the
- appropriate privilege), or browse other servers.
-
- 5. Choose OK.
-
-
-
- Setting Up a Printer
-
- Print Manager lets you set up printers to which you can send print jobs.
- Once you set up a printer, you create a printer queue for it. The queue can
- then be shared using LAN Manager.
-
- The next two sections show how to set up a new printer and change existing
- printer settings.
-
- To set up a new printer:
-
-
- 1. From the Setup menu, choose Printers.
-
- The "Printers" dialog box (Figure D.1) appears. It lists the printers
- that are currently set up on the server.
-
- 2. Choose Add.
-
- NOTE The Add and Delete command buttons are shaded (unavailable) if
- you have neither print operator privilege nor admin privilege.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. In the "Name" text box, type a name for the printer.
-
- The name can have as many as 255 characters.
-
- When users send jobs to the queue, the server sends a message telling
- when the job has printed. LAN Manager includes the printer's name in
- the message.
-
- 4. In the "Description" text box, type a descriptive comment.
-
- The comment can have as many as 48 characters.
-
- 5. In the "Device" text box, type the name of the port, or select it from
- the drop-down list.
-
- To display the drop-down list, click on the arrow to the right of this
- text box, or press ALT+DOWN (the down direction key).
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- If you want to use a COM port, be sure you first set up the port via the
- Options menu of the MS OS/2 Control Panel. (From the Options menu, choose
- Communications port to display the "Communications Port" dialog box. From
- there, select the COM port and its options, then choose
- Set.)
- ────────────────────────────────────────────────────────────────────────────
-
-
- 6. From the printer drivers list box, select one or more printer drivers
- that can be used with the printer, then choose Add.
-
- The last driver you select becomes the default driver (shown in the
- display field below the list box).
-
- 7. Choose OK.
-
-
- For more information about adding printers, see your MS OS/2 manual(s).
-
-
- Changing the Settings for a Printer
-
- The procedure for changing a printer's settings is similar to adding a new
- printer to your computer. If you want to change a printer's settings, such
- as its description or printer driver, use the following procedure.
-
- To change settings for a printer:
-
-
- 1. From the Setup menu, choose Printers.
-
- The "Printers" dialog box (Figure D.1) appears.
-
- 2. From the list box, select the printer, then choose Change.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Follow steps 3-6 from the preceding procedure.
-
- 4. Choose Change.
-
- 5. Choose OK.
-
-
-
- Viewing Queues
-
- Print Manager lets you see which printer queues are currently set up on your
- computer or on a remote server. It also lets you add a queue and update
- queue settings. However, you cannot share a printer queue from Print
- Manager; use the LAN Manager Screen or the net share command to share a
- queue.
-
- To view printer queues:
-
-
- 1. From the Setup menu, choose Queues.
-
- The dialog box shown in Figure D.4 appears.
-
- (This figure may be found in the printed book).
-
- This dialog box shows the names and descriptions of queues set up on
- your computer. The computername of your workstation is displayed in
- the "On Server" field.
-
- 2. To view queues on remote servers, choose Browse.
-
- NOTE The Browse command button is active only when a user is logged
- on at the workstation.
-
- The "Browsing Servers" dialog box (Figure D.2) appears.
-
- The computername displayed in the "On Server" text box is from the
- "Queues" dialog box. The servers in the workstation domain and the
- workstation's other domains are displayed in the list box.
-
- 3. In the "On Server" text box, type the server's computername or, in the
- list box, select the server.
-
- 4. Choose OK.
-
- You may need to supply a password to gain access to the server if your
- logon password is different from the password in your account at the
- server, or if the server is running share-level security. If a new
- password is needed, the "Administrating Server" dialog box (Figure
- D.3) appears.
-
- If a new password is needed, in the "Enter Password" text box, type
- the password for the server you selected, then choose OK.
-
- The "Queues" dialog box (Figure D.4) appears, displaying information
- about queues on the server you selected. From here, you can add,
- change, or delete queues on the server (provided you have the
- appropriate privilege), or browse other servers.
-
- 5. Choose OK.
-
-
-
- Adding a Queue
-
- To create a printer queue, you can use either the LAN Manager Screen (or
- command-line equivalent) or Print Manager. Using Print Manager gives you
- more control over the queue: you can use the Job Properties command button to
- define more details about how the queue prints, specifying options such as
- font and paper size.
-
- After you create a printer queue with Print Manager, you can share the queue
- with the network using the LAN Manager Screen or the net share command. The
- shared queue retains all the options and properties you defined for it with
- Print Manager.
-
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- Be sure to set up printers for your computer before creating the
- corresponding queues.
- ────────────────────────────────────────────────────────────────────────────
-
- To create a new printer queue:
-
-
- 1. From the Setup menu, choose Queues.
-
- The "Queues" dialog box (Figure D.4) appears.
-
- 2. Choose Add.
-
- NOTE The Add and Delete command buttons are shaded (unavailable) if
- you have neither print operator privilege nor admin privilege.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
- ────────────────────────────────────────────────────────────────────────────
- NOTE
-
- The Setup command button is shaded (unavailable) if the queue is on a remote
- server (accessed via the Browse command
- button).
- ────────────────────────────────────────────────────────────────────────────
-
-
- 3. In the "Name" text box, type a name for the queue.
-
- The name for the queue can have as many as 8 characters with an
- optional 3-character extension. If the computer is using the
- high-performance file system (HPFS), the name can have as many as 255
- characters. However, if you want to share the queue, you should limit
- this name to 8 characters with an optional 3-character extension.
-
- 4. In the "Description" text box, type a descriptive comment.
-
- The comment can have as many as 48 characters.
-
- 5. In the "Queue driver" text box, type the name of the driver, or select
- it from the drop-down list. ("Queue driver" is another name for print
- processor.)
-
- To display the drop-down list, click on the arrow to the right of this
- text box, or press ALT+DOWN (the down direction key).
-
- For more information about installing new queue drivers through the MS
- OS/2 Control Panel, see your MS OS/2 manual(s).
-
- 6. In the "Separator" text box, type the name of the separator page file,
- if any.
-
- You can type DEFAULT.SEP to use LAN Manager's default separator page.
- Unless you specify a different path, LAN Manager assumes the separator
- file is in the C:\SPOOL directory.
-
- 7. In the "Priority" text box, type the priority for the queue.
-
- The range is 1-9; the default is 5. To set the highest priority for
- the queue, use 1.
-
- 8. In the "Scheduling" text boxes, if appropriate, type the hours during
- which jobs in the queue will be printed.
-
- By default, the text boxes are empty and jobs are printed on a 24-hour
- basis. If you want to limit the hours that print jobs are printed,
- type the times in the "from" and "to" boxes. The time format depends
- on the country setting for your computer.
-
- 9. In the list box, select one or more printers that can be used with the
- new queue.
-
- 10. In the "Printer Driver" text box, specify the default printer driver.
-
- Print Manager offers a default name. This is the first printer driver
- supporting the first printer for the queue.
-
- Select from the drop-down list if you want another default driver. To
- display the drop-down list, click on the arrow to the right of this
- text box, or press ALT+DOWN (the down direction key). If the selected
- printers have no drivers in common, the drop-down list is empty.
-
- 11. Choose Job Properties if you want to customize settings for the
- default print driver.
-
- A dialog box specific to your default print driver appears.
-
- 12. Choose Setup if you want to customize settings for the default queue
- driver.
-
- Another dialog box appears, allowing you to choose from among options,
- if any, for that specific driver.
-
- 13. Choose Add.
-
- 14. Choose OK.
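
The limits stated in steps 3, 4, 6 and 7 above can be checked against a planned queue definition before it is entered in Print Manager or shared. The following Python check is an added example, not part of the LAN Manager guide or of any Microsoft tool; QueueSpec, is_8_3, separator_path and check_queue are hypothetical names, the sample queues are constructed, and only the lengths, ranges and default directory given in the procedure are checked (character-set rules are not covered).

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

MAX_DESCRIPTION = 48      # step 4: comment can have as many as 48 characters
MAX_HPFS_NAME = 255       # step 3: name limit when the computer uses HPFS
DEFAULT_PRIORITY = 5      # step 7: range is 1-9, default 5, 1 is highest
SPOOL_DIR = "C:\\SPOOL"   # step 6: directory assumed for separator files


@dataclass
class QueueSpec:
    """Hypothetical record of a planned queue (not a LAN Manager structure)."""
    name: str
    description: str = ""
    separator: str = ""
    priority: int = DEFAULT_PRIORITY
    hpfs: bool = False     # True if the computer uses HPFS
    shared: bool = False   # True if the queue will be shared on the network


def is_8_3(name: str) -> bool:
    """True for 1-8 characters plus an optional extension of 1-3 characters."""
    base, dot, ext = name.partition(".")
    if not 1 <= len(base) <= 8:
        return False
    if dot and not (1 <= len(ext) <= 3 and "." not in ext):
        return False
    return True


def separator_path(separator: str) -> Optional[str]:
    """Resolve the separator page file the way step 6 describes."""
    if not separator:
        return None                      # no separator page
    if ntpath.dirname(separator):
        return separator                 # a different path was specified
    return ntpath.join(SPOOL_DIR, separator)


def check_queue(spec: QueueSpec) -> List[str]:
    """Return findings for a planned queue; an empty list means no issue."""
    findings = []
    if not spec.name:
        findings.append("error: queue name is empty")
    elif not is_8_3(spec.name):
        if not spec.hpfs:
            findings.append("error: name exceeds 8.3 and the computer is not using HPFS")
        elif len(spec.name) > MAX_HPFS_NAME:
            findings.append("error: name exceeds 255 characters")
        elif spec.shared:
            # The guide advises 8.3 names for queues that will be shared.
            findings.append("warning: shared queue name should be limited to 8.3")
    if len(spec.description) > MAX_DESCRIPTION:
        findings.append("error: description exceeds 48 characters")
    if not 1 <= spec.priority <= 9:
        findings.append("error: priority must be in the range 1-9")
    return findings


if __name__ == "__main__":
    # Constructed sample queues for illustration only.
    samples = [
        QueueSpec("LASER1", "Third-floor laser printer", "DEFAULT.SEP", shared=True),
        QueueSpec("THIRD_FLOOR_LASER", hpfs=True, shared=True),
        QueueSpec("PLOTTER", priority=0),
    ]
    for spec in samples:
        print(spec.name, check_queue(spec) or "ok", separator_path(spec.separator))
```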
-
-
-
- Changing Options for a Queue
-
- You can use Print Manager to change an existing queue's options, such as the
- name of a driver or separator page used with the queue.
-
- To change options for a printer queue:
-
-
- 1. From the Setup menu, choose Queues.
-
- The "Queues" dialog box (Figure D.4) appears.
-
- 2. From the list box, select a queue, then choose Change.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 3. Follow steps 3-12 from the preceding procedure.
-
- 4. Choose Change.
-
- 5. Choose OK.
-
-
-
- Updating Information in the MS OS/2 Print Manager Window
-
- The Print Manager window shows activity on local and network printers and
- queues. You can choose whether to refresh information about network queues
- and, if so, how often. Information on local queues is refreshed regardless
- of network queues.
-
- To set how often information is updated:
-
-
- 1. From the Refresh menu, choose Refresh interval.
-
- The following dialog box appears:
-
- (This figure may be found in the printed book).
-
- 2. In the "Refresh interval" text box, type the number of seconds.
-
- 3. Choose Set.
-
-
- To update network information:
-
-
- 1. From the Refresh menu, choose Refresh interval.
-
- 2. Mark the "Refresh for network queues" check box.
-
- 3. Choose Set.
-
-
- Entries for network queues and jobs are updated each time the list is
- refreshed.
-
-
-
-
-
-
-
- Glossary
- ────────────────────────────────────────────────────────────────────────────
-
- 10 User Pak
- See Additional User Pak.
-
- Absolute path
- A pathname whose reference to a file or directory does not depend on the
- current drive or directory. An absolute path must start with a drive letter,
- a colon, and a backslash ( \ ). Use the format
- n:\directory[[\subdirectory][\filename]...]. See also Network path, Path,
- Pathname, and Relative path.
-
- Access permissions
- See Permissions.
-
- Account
- See User account.
-
- Accounts database
- See User accounts database.
-
- Accounts operator
- An operator privilege that allows a user (with user privilege) to create,
- remove, and modify user accounts (except those with admin privilege) and
- groups. See also Admin privilege, Comm operator, Operator privilege, Print
- operator, and Server operator.
-
- Additional User Pak
- An optional server modification that expands the number of users that can
- connect to a server. A server without Additional User Paks has a limit of
- five users. A 10 User Pak adds 10 users to the server's capacity. An
- Unlimited User Pak allows an unlimited number of users to access the server.
- Six 10 User Paks are equivalent to an Unlimited User Pak.
-
- ADMIN$
- An administrative resource that enables remote administration on servers. A
- server's ADMIN$ must be shared for the server to be remotely administered.
- See also IPC$.
-
- Admin alert
- A message from LAN Manager about server and resource use. See also Alerts.
-
- Admin privilege
- The privilege level that allows a user at a server to issue all types of
- administrative commands and use all the resources shared by that server,
- regardless of the access permissions for the user. User accounts with admin
- privilege are part of the special user group admins. See also Administrator,
- Permissions, and Privilege level.
-
- Administrative privilege
- See Admin privilege.
-
- Administrative resources
- The resources used when network users and administrators perform certain
- tasks on the server, including viewing the resources the server is sharing,
- administering the server remotely, using the Netrun service, and running
- distributed applications. Administrative resources include ADMIN$, IPC$, and
- the disk administrative resources. How these resources are shared determines
- how users can perform tasks. See also ADMIN$, Disk administrative resources,
- and IPC$.
-
- Administrator
- The individual responsible for managing the local-area network. This person
- typically configures the network, maintains the network's shared resources
- and security, assigns passwords and privileges, and helps users. See also
- Operator privilege.
-
- Alerter service
- A LAN Manager service that enables a server to send error messages and
- special alert messages to a designated list of users.
-
- Alerts
- Messages that LAN Manager sends under certain conditions. The three classes
- of alerts are admin alerts, error alerts, and printer alerts. A computer
- must be running the Messenger service to receive alerts. See also Admin
- alert, Error alert, and Printer alert.
-
- Alias
- A username, computername, or other name that can receive messages. Each
- workstation's computername is automatically added to its list of aliases.
- Other aliases can be added with the net name command. An alias is not the
- same as a username, although a username can be added as an alias.
-
- Audit
- The process in which LAN Manager records an entry in the audit trail
- whenever a user accesses a resource in a certain way or logs on to the
- network. See also Audit trail.
-
- Audit trail
- A file that contains audit entries. See also Audit and Log.
-
- Backup domain controller
- A server in a domain that keeps and uses a copy of the domain's user
- accounts database to validate logon requests. See also Member server,
- Netlogon service, and Primary domain controller.
-
- Batch file
- See Batch program.
-
- Batch program
- A file containing commands that are carried out when the file runs. MS OS/2
- batch programs have the filename extension .CMD. MS-DOS batch programs have
- the filename extension .BAT.
-
- Broadcast message
- A message you can send to all users on the local-area network. You can also
- send a message to all users within a domain. See also Messenger service.
-
- Check box
- A field in a LAN Manager Screen dialog box that lets you enable or disable
- one or more options.
-
- Click
- To position the mouse pointer on a character, and then press and release the
- left mouse button. See also Double-click and Drag.
-
- Clone
- To use an existing user account or group as a template for a new user
- account or group.
-
- Comm device
- See Communication device.
-
- Comm operator
- An operator privilege that allows a user (with user privilege) to create,
- share, and modify communication-device queues and requests. See also
- Accounts operator, Operator privilege, Print operator, and Server operator.
-
- Comm queue
- See Communication-device queue.
-
- Command button
- A command name, enclosed in angle brackets, at the bottom of a LAN Manager
- Screen dialog box (for example, <Zoom>>). Choosing a command button carries
- out a task or leads to another dialog box.
-
- Comm-device queue
- See Communication-device queue.
-
- Communication device
- A piece of hardware attached to one of the serial ports of a computer.
- Communication devices include modems, image scanners, and serial printers.
-
- Communication-device queue
- A queue that stores communication-device requests, and then sends them one
- by one to one or more communication devices. See also Pool and Unspooled.
-
- Communication-device request
- A request to use a shared communication device. To use a shared
- communication device, a user sends a communication-device request to the
- appropriate communication-device queue.
-
- Computername
- The name by which the local-area network identifies a server or a
- workstation. Each computername must be unique on the network.
-
- Connection
- The software link between a workstation and a shared resource on a server. A
- connection can be made by assigning a local devicename on the workstation to
- a resource shared on a server. A connection also can be made when the
- resource is accessed by using a network pathname with a command-line command
- or from an application. See also Devicename, Network path, and Session.
-
- Console version of the LAN Manager Screen
- A version of the LAN Manager Screen that allows users to monitor and
- control printers and other devices at a server, and prevents other uses of
- the server.
-
- Continue
- To restart a LAN Manager service that was paused. See also Pause.
-
- Country code
- A code in the user's account that specifies the language in which the server
- sends messages.
-
- Cracked mirror
- A mirrored or duplexed drive for which the primary and secondary partitions
- contain dissimilar information. See also Drive duplexing, Drive mirroring,
- Primary partition, and Secondary partition.
-
- CTRL key
- The key used in combination with other keys to control the running of LAN
- Manager and MS OS/2 commands. For example, CTRL+C tells MS OS/2 to stop the
- current command.
-
- Current focus
- The server or workstation that is the focus of activity when using the LAN
- Manager Screen or the ftadmin screen.
-
- Default
- A value coded into the LAN Manager software. For LANMAN.INI entries, the
- default value of an entry is assumed when the entry is missing from
- LANMAN.INI.
-
- Default permissions
- The permissions assigned to the parent directory or drive if no permissions
- are assigned for a directory or file. If no permissions are assigned for a
- communication-device queue, named pipe, or printer queue, the default
- permissions are the permissions assigned to the \COMM, \PIPE, or \PRINT
- resource.
-
- Device
- A piece of hardware that is attached to a computer, for example, a disk
- drive, printer, or communication device.
-
- Devicename
- The name by which a computer identifies a printer, disk, or other device.
- Disk devices are identified by a drive letter followed by a colon (for
- example, C:). Printers, modems, and other devices are identified by the port
- to which they are attached (for example, LPT1 or COM2).
-
- Dialog box
- A box that appears on the LAN Manager Screen when you choose a menu command
- (except Exit). Dialog boxes typically present a number of options from which
- to choose. Sometimes selecting an option or choosing a command button in
- one dialog box causes another dialog box to appear.
-
- Disk administrative resources
- Administrative resources that represent each of a server's disk drives.
- Administrative resources have names such as A$ and C$. An administrator
- performing remote administration can use each of these resources to access
- all the files on the corresponding disk drive of the server. Only
- administrators can connect to disk administrative resources. See also
- ADMIN$, Administrative resources, and IPC$.
-
- Disk resource
- A shared disk device. With LAN Manager, a drive, a partition, a directory
- tree, or a single directory can be shared as a disk resource. See also
- Devicename.
-
- Distributed application
- A program that is designed to run on a local-area network. Different
- computers run different parts of the program, which fit together to make the
- entire program. LAN Manager does not control a distributed application.
-
- Domain
- A combination of servers and workstations that are grouped to create an
- administrative unit. See also Logon security.
-
- Domain controller
- See Backup domain controller and Primary domain controller.
-
- Double-click
- To position the mouse pointer on a field or character, and then press and
- release the left mouse button twice with a quick motion. See also Click and
- Drag.
-
- Drag
- To select text with a mouse. Position the mouse pointer on the character
- that will begin or end the selection; press and hold down the left mouse
- button while moving the pointer to the other end of the desired selection;
- release the left mouse button. See also Click and Double-click.
-
- Drive duplexing
- A fault-tolerance feature that sets up a primary partition and a secondary
- partition with identical data using separate disk controllers. Drive
- duplexing provides protection against errors caused by a faulty controller.
- Drive duplexing is available only for computers with the high-performance
- file system (HPFS). See also Drive mirroring, Drive verification, Primary
- partition, and Secondary partition.
-
- Drive mirroring
- A fault-tolerance feature that sets up a primary partition and a secondary
- partition on two disks using the same disk controller. The operating system
- treats these partitions as a single logical drive. Data lost from one
- partition is recovered from the other. Drive mirroring is available only for
- computers with the high-performance file system (HPFS). See also Drive
- duplexing, Drive verification, Primary partition, and Secondary partition.
-
- Drive verification
- In drive mirroring and duplexing, the process of ensuring that data on a
- primary partition and a secondary partition is identical. See also Drive
- duplexing, Drive mirroring, Primary partition, and Secondary partition.
-
- Entry
- An item in the LANMAN.INI file. See also Option.
-
- Error alert
- A message from LAN Manager about local-area network or system errors. These
- messages are stored in the error log. See also Alerts and Log.
-
- Error log
- A file that stores error messages. See also Log.
-
- Error message
- A message that appears on the computer screen after LAN Manager or the
- operating system detects a problem while trying to process an operation or
- command.
-
- Escape code
- An instruction sent from a computer to a printer. In LAN Manager, escape
- codes are used to define separator page formats. Each escape code begins
- with an escape character.
-
- FAT file system
- See File allocation table (FAT).
-
- Fault monitoring
- A fault-tolerance feature that detects disk errors, logs them, and alerts
- administrators when errors occur.
-
- Fault-tolerance system
- A LAN Manager system that uses drive duplication and monitoring to prevent
- the corruption or loss of a computer's data. See also Drive duplexing, Drive
- mirroring, and Fault monitoring.
-
- Field
- One of five types of areas within a LAN Manager Screen dialog box. See also
- Check box, Command button, Dialog box, List box, Option button, and Text
- box.
-
- File allocation table (FAT)
- An MS OS/2 and MS-DOS file system that tracks the location of files in
- directories. The file allocation table also allocates free space on disks to
- ensure space is available for new files. MS OS/2 1.2 can replace the FAT
- file system with an installable file system (IFS), such as the
- high-performance file system (HPFS).
-
- Filename
- A unique name for a file. Under the FAT file system, a filename can have as
- many as eight characters, followed by a filename extension. The filename
- extension consists of a period (.) and as many as three characters. Under MS
- OS/2 1.2 high-performance file system (HPFS), a filename can have as many as
- 254 characters. See also Filename extension.
-
- Filename extension
- A unit of as many as three characters, preceded by a period, that sometimes
- is appended to a filename by an application or other program, and is at
- other times required. For example, MS OS/2 batch programs must always have
- the filename extension .CMD. In LAN Manager, profiles are assumed to have
- the .PRO extension. See also Filename.
-
- Ftadmin
- A LAN Manager utility that starts the fault-tolerance system. See also
- Fault-tolerance system.
-
- Ftmonit
- A LAN Manager utility that controls the fault-tolerance system's
- error-monitoring feature. See also Fault monitoring and Fault-tolerance
- system.
-
- Ftsetup
- A LAN Manager utility that installs the fault-tolerance system and
- configures drive mirroring and drive duplexing. See also Drive duplexing,
- Drive mirroring, Fault monitoring, and Fault-tolerance system.
-
- Group
- With user-level security, a set of users (with user accounts) who share
- common permissions for one or more resources. A group is used like a
- username when assigning permissions for resources. Individually assigned
- user permissions take precedence over those assigned through groups.
-
- Guest account
- An account on a server with user-level security that allows users with no
- account of their own to access the server's resources.
-
- Guest privilege
- A privilege level that allows a user to use local-area network resources,
- view information about a server's shared resources and the status of printer
- and communication-device queues, and send and receive messages. See also
- Permissions and Privilege level.
-
- Hidden server
- A server that is part of a domain, but does not appear in the list of
- servers.
-
- High-performance file system (HPFS)
- An MS OS/2 file system that has faster input/output (I/O) than the FAT file
- system, does not restrict file naming to eight characters with a
- three-character extension, and is compatible with the file allocation table
- (FAT) file system. When you install LAN Manager server software on an HPFS
- partition, it becomes an HPFS386 partition. See also File allocation table
- (FAT).
-
- High-performance file system 386 (HPFS386)
- An enhanced version of the high-performance file system designed to work
- with a 386 computer. HPFS386 includes an enhanced disk cache for servers and
- provides local security. See also High-performance file system (HPFS).
-
- Home directory
- A directory assigned to a user on a server with user-level security.
-
- Hotfixing
- An MS OS/2 high-performance file system (HPFS) feature that detects bad
- sectors on a hard disk and reroutes data to a good sector in a reserved
- area. Hotfixing is available only for computers using HPFS.
-
- HPFS
- See High-performance file system (HPFS).
-
- HPFS386
- See High-performance file system 386 (HPFS386).
-
- Inherited permissions
- Permissions that can be assigned to an entire directory tree within a shared
- disk resource. To use inherited permissions, you set permissions for a
- directory, and then specify those permissions to be copied down through the
- directory tree to all subdirectories and files that exist at that time. See
- also Permissions.
-
- Interprocess communication (IPC)
- The communication between different processes of a program, between
- different computers running parts of a single program, or between two
- programs working together.
-
- IPC$
- An administrative resource that controls how interprocess communication
- works on servers. A server's IPC$ must be shared before the resources shared
- by the server can be viewed on the network, before the server can be
- administered remotely, and before users can use the Netrun service or
- distributed applications on the server. See also ADMIN$ and Named pipe.
-
- LAN
- See Local-area network (LAN).
-
- LAN Manager
- A software program from Microsoft that expands the features of MS OS/2 and
- MS-DOS to enable computers to become part of a local-area network.
-
- LAN Manager Screen
- LAN Manager's menu-oriented interface. Three screens are provided: the LAN
- Manager Screen for users, the LAN Manager Screen for administrators, and the
- console version of the LAN Manager Screen.
-
- LAN Manager service
- See Services.
-
- LANMAN.INI
- The LAN Manager initialization file. The values in this file determine the
- option settings for computers on the local-area network, although the net
- start and net config command options can temporarily override LANMAN.INI
- values. These values can be modified to suit the network requirements. See
- also Default.
-
- List box
- A box within a LAN Manager Screen dialog box that contains a list of items
- from which you can select.
-
- Local
- A workstation or server at which the user or administrator is currently
- working, or a device or resource located at that workstation or server. See
- also Remote.
-
- Local computer
- The workstation or server at which the user or administrator is currently
- working. See also Remote computer.
-
- Local file security
- See Local security.
-
- Local security
- A security method available for 386 servers running the high-performance
- file system (HPFS386). This method extends LAN Manager security measures to
- protect the files on a server by restricting access for the users working at
- the server. With local security, a user must be assigned permissions to
- access any file or directory in an HPFS386 volume, whether or not the
- resource is shared as part of a LAN Manager resource.
-
- Local user
- The user or administrator working at that computer's keyboard.
-
- Local-area network (LAN)
- A group of computers, linked by cable or other physical media, that lets
- users share information and equipment.
-
- Log
- A history file. LAN Manager, by default, maintains an error log, a message
- log, and an audit trail. See also Audit trail, Error log, and Message log.
-
- Log off
- To remove the username and password from a workstation, breaking connections
- to local-area network resources, but not stopping LAN Manager services.
-
- Log on
- To provide a username and password to gain access to the local-area network.
- When connecting to resources, LAN Manager validates the username and
- password before granting access. If a domain has logon security, the
- username and password must match a valid user account on the primary domain
- controller. See also Primary domain controller.
-
- Logical drive
- Anything given a drive designation (for example, D:). This can be a disk
- partition; a workstation's redirected drive, which makes a connection to a
- remote disk resource; or a primary and secondary partition pair for a
- mirrored or duplexed drive.
-
- Logon domain
- The domain specified when logging on to the local-area network.
-
- Logon hours
- The days and times during which a user can access and use a server's
- resources.
-
- Logon restrictions
- The logon hours during which a user can access a server's resources, and the
- workstations from which the user can access a server's resources. See also
- Logon hours.
-
- Logon script
- A batch program containing LAN Manager and operating system commands used to
- configure workstations. Logon scripts can be written for one or more users.
- When the user logs on, the logon script runs at the user's workstation.
-
- Logon security
- A means of verifying the identities of users when they log on to the
- local-area network, and of unifying the user accounts database for a domain
- into one user accounts database, copies of which are kept on servers
- throughout the domain. See also Netlogon service.
-
- Logon server
- For a domain, the primary domain controller and the backup domain
- controllers. For a user, the server that processes the user's logon request.
- See also Netlogon service.
-
- Member server
- A server in a domain that keeps and uses a copy of the domain's user
- accounts database but does not validate logon requests. See also Backup
- domain controller and Primary domain controller.
-
- Menu
- A set of related LAN Manager commands accessible from the LAN Manager
- Screen.
-
- Menu bar
- The horizontal bar across the top of the LAN Manager Screen that contains
- menus. See also Menu.
-
- Menu command
- A command you can choose from a menu on the LAN Manager Screen. See also LAN
- Manager Screen, Menu, and Menu bar.
-
- Message alias
- See Alias.
-
- Message box
- A box that LAN Manager displays, in certain cases, providing information to
- the user and sometimes requesting the user to make a choice.
-
- Message forwarding
- To use aliases to reroute messages from one workstation or server to
- another.
-
- Message line
- A line that appears at the bottom of the LAN Manager Screen, providing
- information about the current menu, command, dialog box, or task. See also
- LAN Manager Screen.
-
- Message log
- A file that stores messages. See also Log.
-
- Message logging
- To save messages received by a workstation in a file or to print them on a
- local device.
-
- Message popup
- A box that displays messages received from other network users, when the
- Messenger and Netpopup services are running. See also Messenger service and
- Netpopup service.
-
- Messenger service
- A LAN Manager service that enables a workstation or server to receive
- messages from other local-area network users. This service can also store
- messages in a log file.
-
- Mirrored drive
- A hard disk drive partition whose data has been copied to another hard disk
- through the fault-tolerance system. A mirrored drive consists of a pair of
- partitions (a primary and secondary partition) that appear as a single
- logical drive to the operating system. See also Drive duplexing and Drive
- mirroring.
-
- MS OS/2
- Microsoft Operating System/2. The operating system that supports LAN Manager
- servers and some LAN Manager workstations. See also Operating system.
-
- MS-DOS
- Microsoft Disk Operating System. The operating system that supports some LAN
- Manager workstations. See also Operating system.
-
- Named pipe
- A connection used to transfer data between separate processes, usually on
- separate computers. Named pipes are the foundation of interprocess
- communication (IPC). An administrator can set permissions on named pipes,
- but only LAN Manager and network applications can create them. See also
- Interprocess communication (IPC) and IPC$.
-
- Netlogon service
- A LAN Manager service that implements logon security. When a server in a
- domain runs the Netlogon service, the username and password supplied by each
- user who attempts to log on in the domain are checked. All servers
- participating in logon security run the Netlogon service; the Netlogon
- service replicates the user accounts database to these servers. See also
- Backup domain controller, Logon security, Member server, Primary domain
- controller, and Standalone server.
-
- Netpopup service
- A LAN Manager service that displays messages on the computer screen when
- they arrive from other local-area network users or from LAN Manager.
-
- Netrun service
- A LAN Manager service that lets users, from their own workstations, run
- programs on a server.
-
- Network path
- The computername of a server followed by the sharename of a shared resource.
- A server's computername is preceded by two backslashes (\\) and a sharename
- is preceded by one backslash (for example, \\SALES\REPORT). See also
- Computername, Resource, and Sharename.
-
- Network resource
- See Resource and Shared resource.
-
- Network security
- See Security.
-
- Operating system
- A program that coordinates all parts of a computer system. Network software
- extends the operating system, coordinating the interactions of workstations
- and servers. LAN Manager server software works with MS OS/2. LAN Manager
- workstations work with either MS OS/2 or MS-DOS.
-
- Operator privilege
- A privilege granted to a user that allows the user to perform certain
- administrative tasks. See also Accounts operator, Comm operator, Print
- operator, and Server operator.
-
- Operator rights
- See Operator privilege.
-
- Option
- Part of a command that determines how the command or service works; it is
- not required. See also Entry.
-
- Option button
- One of a set of options in a LAN Manager Screen dialog box. You can select
- only one option from the set.
-
- Orphaned drive
- In a mirrored or duplexed pair, a secondary partition for which the primary
- partition is missing. See also Drive duplexing, Drive mirroring, Primary
- partition, and Secondary partition.
-
- Password
- A word used to access the network or one or more shared resources. See also
- Logon security, Share-level security, User password, and User-level
- security.
-
- Path
- A set of directory names that defines a directory's location. A backslash
- (\) precedes each directory name except the top-level one. (For example, the
- path REPORTS\ACCT\NORTH indicates that the NORTH directory is in the ACCT
- subdirectory of the REPORTS directory.) An initial backslash indicates that
- the path begins at the drive's root directory. When the path begins with a
- drive letter, it is an absolute path. See also Absolute path, Network path,
- Pathname, and Relative path.
-
- Pathname
- A path that ends in a filename. A path specifies a directory; a pathname
- specifies a file. A pathname, like a path, can be absolute (containing a
- drive letter), or relative to the current drive and directory. See also
- Absolute path, Network path, Path, and Relative path.
-
- Pause
- To suspend a LAN Manager service. When a service is paused, current requests
- are not stopped, but new requests are not allowed. See also Continue.
-
- Peer service
- A LAN Manager service that enables an MS OS/2 workstation to share
- directories, one printer queue, and one communication-device queue with one
- other user at a time. The Peer service performs most of the same services as
- the Server service, but on a smaller scale. See also Server service.
-
- Permissions
- Settings that define the type(s) of action a user can take with a shared
- resource. With user-level security, each user is assigned permissions for
- each resource. With share-level security, each resource is assigned
- permissions, and all users who access the resource have these permissions.
-
- Pool
- A group of printers or communication devices that receive requests from the
- same queue.
-
- Primary domain controller
- The server at which the master copy of a domain's user accounts database is
- maintained. The primary domain controller also validates logon requests. See
- also Backup domain controller and Member server.
-
- Primary partition
- In drive mirroring or drive duplexing, the main partition in a mirrored or
- duplexed pair. Only the primary partition is visible to the operating
- system. See also Drive duplexing, Drive mirroring, and Secondary partition.
-
- Print job
- A document waiting in a printer queue.
-
- Print operator
- An operator privilege that allows a user to create, share, and modify
- printer queues and control print jobs. See also Accounts operator, Comm
- operator, Operator privilege, and Server operator.
-
- Print processor
- A program that readies a document for printing.
-
- Print request
- See Print job.
-
- Printer alert
- A message sent from LAN Manager about printer events. See also Alerts.
-
- Printer driver
- A program that controls printing and sets options such as print quality and
- paper size for a particular printer. In LAN Manager, each printer queue has
- a single printer driver associated with it.
-
- Printer queue
- A queue that stores print jobs, and then sends them one by one to a printer
- or pool. See also Pool and Spooled.
-
- Priority level
- A level assigned to each communication-device queue and printer queue that
- determines which job is processed first when several queues are trying to
- access the same communication device or printer at the same time.
-
- Privilege
- See Privilege level.
-
- Privilege level
- With user-level security, one of three settings (user, admin, or
- guest) assigned for each user account. The privilege level defines the range
- of actions a user can perform on the network. See also Admin privilege,
- Guest account, Guest privilege, Operator privilege, Permissions, and User
- privilege.
-
- Profile
- A file containing LAN Manager commands that share resources, establish
- connections to shared resources, and set printer queue and
- communication-device queue options.
-
- Queue
- See Communication-device queue and Printer queue.
-
- Redirect
- To change the default path of data traffic.
-
- Relative path
- A path relative to the current drive and directory. For example, from the
- C:\LANMAN directory, a relative path to the directory C:\LANMAN\ACCOUNTS is
- simply ACCOUNTS. See also Absolute path, Network path, Path, and Pathname.
-
- Remote
- Any server, workstation, or shared resource that is not located where the
- user or administrator is currently working. See also Local.
-
- Remote administration
- To perform administrative tasks on a server that is not located where the
- administrator is currently working.
-
- Remote computer
- A server or workstation that is not located where the user or administrator
- is currently working. See also Local computer.
-
- Remoteboot service
- A LAN Manager service that provides software support for starting MS OS/2
- and MS-DOS workstations over the local-area network.
-
- Replicator service
- A LAN Manager service that maintains identical sets of files and directories
- on different servers and on MS OS/2 workstations running the Peer service.
-
- Resource
- Any disk drive or directory, printer, modem, image scanner, or other
- equipment that a server can share over a local-area network. LAN Manager
- also has administrative resources, which govern how certain processes work
- on each server. See also Administrative resources, Communication-device
- queue, Disk resource, Printer queue, Shared resource, and Sharing.
-
- Run path
- The list of directories containing programs available for use with the
- Netrun service on a particular server. For a program to be used with the
- Netrun service, it must be in a directory in the server's run path. See also
- Netrun service.
-
- Script
- See Logon script.
-
- Scroll bar
- The shaded bar that appears at the right of some LAN Manager list boxes. Use
- the scroll bar and the mouse to scroll through a list box that contains more
- information than can be shown in one screen. See also Scroll box.
-
- Scroll box
- The small box superimposed on a scroll bar in a LAN Manager list box. The
- scroll box reflects the position of the information within the list box in
- relation to the total contents of the list. See also Scroll bar.
-
- Secondary partition
- In drive mirroring or drive duplexing, the drive that duplicates data on the
- primary partition. The secondary partition is invisible to the operating
- system, which sees the primary and secondary partitions as a single logical
- drive. See also Drive duplexing, Drive mirroring, Drive verification,
- Fault-tolerance system, and Primary partition.
-
- Security
- A variety of methods that enables an administrator to control access to
- network resources. See also Local security, Logon security, Share-level
- security, and User-level security.
-
- Security settings
- Settings that determine how user account passwords can be changed and what
- action occurs when users violate their logon hours. There are five security
- settings: minimum password length, minimum password age, maximum password
- age, password uniqueness, and force logoff. See also Logon hours and Logon
- restrictions.
-
- Separator page
- One or more cover sheets that are printed before a print job. LAN Manager
- provides a default separator page, DEFAULT.SEP, for use with shared printer
- queues. Custom separator pages can also be used.
-
- Serial printer
- A printer attached to a computer's COM port. See also Communication device,
- Communication-device queue, Devicename, and Unspooled.
-
- Server
- A computer that manages and shares the data and equipment on a local-area
- network.
-
- Server operator
- An operator privilege that allows a user (with user privilege) to start and
- stop services, share resources, use the server's error log, and close users'
- sessions. See also Accounts operator, Comm operator, Operator privilege, and
- Print operator.
-
- Server service
- A LAN Manager service that enables a computer to share resources on the
- network and provides administrators with tools for controlling and
- monitoring resource use. See also Peer service.
-
- Services
- The main components of the LAN Manager software. The basic service is the
- Workstation service, which lets a computer use local-area network resources.
- The Server service enables a computer to share resources over the network.
- Other services include the Alerter, Messenger, Netlogon, Netpopup, Netrun,
- Peer, Remoteboot, Replicator, Timesource, and UPS services.
-
- Session
- A link between a workstation and a server. A session consists of one or more
- connections to shared resources. See also Connection.
-
- Setup program
- The program that installs LAN Manager software on a workstation or server.
- During installation, the Setup program is copied to the computer's hard disk
- for later use in managing the computer's configuration.
-
- Shared resource
- A resource on a server that has been made available to network users. See
- also Resource.
-
- Share-level security
- A type of security that limits access to each shared resource by requiring a
- password. Permissions are assigned to the resource (rather than to the
- user). All users who know the password can use the resource within the
- bounds of the permissions assigned for the resource. See also Password,
- Permissions, and User-level security.
-
- Sharename
- The name given to a resource when it is shared on the local-area network.
- Each shared resource is identified by its sharename. No two resources on a
- server can have the same sharename. See also Computername and Network path.
-
- Sharing
- The act of making a server's resources available to local-area network
- users. The procedure for sharing a resource differs depending on the type of
- resource and whether user-level or share-level security is used. See also
- Resource.
-
- Spooled
- The type of queue used with printers configured with a parallel interface.
- See also Devicename and Printer queue.
-
- Spooled queue
- See Spooled.
-
- Standalone logon
- A logon request that is not validated by a logon server. In domains without
- logon security, each logon request is granted as standalone logon. In
- domains with logon security, a logon request with a username not found in
- the domain's user accounts database is granted standalone logon. See also
- Logon security and Logon server.
-
- Standalone server
- A server with user-level security that has its own user accounts database
- and does not participate in logon security.
-
- Statistics
- A record of server and workstation performance, kept by LAN Manager.
- Statistics are cleared each time the server or workstation is turned off;
- they cannot be saved. Server statistics provide information about how the
- server is being accessed. Workstation statistics provide information about
- how the workstation is being used.
-
- Statistics report
- A detailed list of server access and workstation use provided by the net
- statistics command. See also Statistics.
-
- Text box
- An area in which information can be typed in a LAN Manager Screen dialog
- box. The text box may or may not contain text.
-
- Time server
- With the Timesource service, the server designated as the local-area network
- time source. The time server is the computer with which other computers on
- the network synchronize. See also Timesource service.
-
- Timesource service
- A LAN Manager service that identifies a server as the time source for a
- domain. Other computers can synchronize their clocks with the time source.
-
- Uninterruptible power supply (UPS)
- A battery, attached to a server's serial port, that provides backup power
- for conducting an orderly shutdown if the server's normal power supply
- fails. See also UPS service.
-
- Unlimited User Pak
- See Additional User Pak.
-
- Unspooled
- A queue used with communication devices and printers configured with a
- serial interface. See also Communication-device queue and Devicename.
-
- UPS service
- A LAN Manager service that enables a server to use an uninterruptible power
- supply (UPS). The UPS service protects the server from data loss during a
- power failure. See also Uninterruptible power supply (UPS).
-
- User
- Someone who uses the local-area network.
-
- User account
- A record on a server or in a domain that contains information about the user
- and identifies the user to LAN Manager.
-
- User accounts database
- The NET.ACC file stored in the LANMAN\ACCOUNTS directory. This file contains
- the user accounts and groups that have been established. See also Group and
- User account.
-
- User group
- See Group.
-
- User Pak
- See Additional User Pak.
-
- User password
- A special word used with user-level security to gain access to the
- local-area network. See also Password and User-level security.
-
- User privilege
- A privilege that allows a person to use local-area network resources, view
- information about a server's shared resources and the status of printer and
- communication-device queues, and send and receive messages. See also
- Permissions and Privilege level.
-
- User-level security
- A type of security in which a user account is set up for each user.
- Permissions are granted to each user for specific resources, defining
- exactly what actions each user can take with each resource. See also Logon
- security, Password, and Share-level security.
-
- Username
- With user-level security, the name by which the local-area network
- identifies a user. The name is part of a user account; the user supplies a
- password for the user account. The username and password are required to
- access resources shared on a server. With logon security, the username and
- password are required for the user to gain access to the network.
-
- Workstation
- A computer from which a person uses word processing, spreadsheet, database,
- and other types of applications to accomplish work, taking advantage of
- resources shared on the local-area network.
-
- Workstation domain
- The domain in which a workstation is a member, specified when the
- Workstation service is started. See also Logon domain.
-
- Workstation service
- A LAN Manager service that enables a computer to use local-area network
- resources and services. The Workstation service must be running for any
- other service to run.
-
-
-
-
-
- INDEX
- ──────────────────────────────────────────────────────────────────────────
-
-
-
- ? icon
- see also Ftadmin utility
- 286 computers
- adding a device driver
- 386 servers
- and local security
-
- A
- A (Change Attributes) permission
- Accessalert entry (LANMAN.INI)
- Accounts menu (console screen)
- Change your password command
- Accounts menu
- Change your password command
- File permissions command
- setting auditing
- setting permissions
- Groups command
- changing group membership
- cloning a group
- creating a group
- deleting a group
- Other permissions command
- setting auditing
- setting permissions for a named pipe
- setting permissions
- Security settings command
- changing security settings
- changing server role
- Users command
- adding an account
- changing account information
- cloning an account
- deleting an account
- disabling an account
- viewing account information
- Your account command
- Accounts operator privilege
- Accounts, user
- account expiration
- assigning a user a logon server
- assigning a user's home directory
- assigning groups through
- changing settings
- changing your password
- cloning
- contents
- creating
- defined
- deleting
- disabling
- for Replicator service
- guest
- home directories
- logon restrictions
- assigning a logon server
- limiting logon hours
- restricting workstation access
- Admin account
- see Administrative account
- Admin alerts
- Admin privilege
- and console screen
- and Netrun service
- defined
- ADMIN$ resource
- see Administrative resources
- Administration, remote
- see Remote administration
- Administrative account
- Administrative resources
- ADMIN$
- fault tolerance, use with
- remote administration, use with
- share-level security, use with
- sharing
- disk administrative resources
- ADMIN$ requirement
- sharing
- displaying
- effect of profiles
- IPC$
- distributed applications, use with
- fault tolerance, use with
- Netrun service, use with
- printer queues, use with
- share-level security, use with
- sharing
- sharing
- stop sharing of
- use in remote administration
- Administrative resourcesNetrun service
- see also Remote administration
- Admins group
- Alerter service
- see also Alerts
- adjusting buffer size
- at startup
- through LANMAN.INI
- configuring
- LANMAN.INI values
- modifying alert conditions
- modifying who gets alerts
- starting
- Alertnames entry (LANMAN.INI)
- Alerts
- see also Alerter service
- classes of alerts
- defined
- disk
- home directories
- modifying
- UPS requirements
- Alertsched entry (LANMAN.INI)
- Application Program Interfaces (API)
- Audit trail
- see also Auditing the server
- contents
- defined
- disk resource entries
- files involved
- in user-level security
- viewing, saving, and clearing
- AUDIT.BAK file
- AUDIT.SAV file
- Auditing entry (LANMAN.INI)
- Auditing the server
- network activity
- network events
- effects of security choice
- events that can be audited
- modifying audited events
- resource use
- auditing a disk resource
- auditing a file or directory
- auditing a named pipe
- auditing a queue or named pipe
- auditing communication-device queues
- communication-device queue defaults
- explained
- in share-level security
- Auditing
- see Auditing the server
- Autodisconnect entry (LANMAN.INI)
- Autodisconnect feature
- AUTOEXEC.BAT file
- for remoteboot
- Automatic profiles
- see Profiles
- Autopath entry (LANMAN.INI)
- Autoprofile entry (LANMAN.INI)
-
- B
- Background processes
- Backup domain controller
- see also Logon security, server roles
- Basic for MS-DOS
- see Workstations
- Batterytime entry (LANMAN.INI)
- Boot image files
- creating
- customizing
- adding device drivers
-
- C
- C (Create) permission
- Clocks, computer
- synchronizing
- .CMD files
- use with UPS service
- Cmdfile entry (LANMAN.INI)
- .COM files
- use in batch files with remoteboot
- Comm operator privilege
- Comm queues
- see Communication-device queues
- \COMM resource
- see also Communication-device queues
- Communication devices
- changing their status
- limiting open devices on the server
- setting up
- using shared devices
- viewing their status (console screen)
- Communication requests
- Communication-device queues
- advantages
- changing queue options
- limiting communication requests on the server
- options
- changing the priority level and route
- described
- priority levels
- routing communication requests
- setting
- pooling devices
- priority levels
- purging queue requests
- setting audited events
- setting permissions
- setting up
- sharing
- stop sharing of
- viewing (console screen)
- viewing
- Communication-device requests
- limiting
- purging
- viewing
- Config menu
- Control services command
- adjusting service performance
- continuing a service
- pausing a service
- starting a service
- stopping a service
- description
- Load profile command
- loading a profile
- Log off from LAN command
- logging off
- Log on to LAN command
- Save profile command
- saving a profile
- Server options command
- changing audited events
- changing the alertnames list
- controlling administrative services
- starting the Netrun service
- stopping the Netrun service
- Stop LAN Manager services command
- stopping services
- Workstation options command
- controlling Messenger service
- controlling Netpopup service
- CONFIG.SYS file
- for Remoteboot
- adding device drivers
- swappath entry
- ftmonit changes
- Connections
- connecting to a resource
- limiting connections to the server
- logon script
- Console screen
- Accounts menu
- Change your password command
- administrative password
- and user passwords
- description
- exit password
- exiting the screen
- Help menu
- instructions for users
- Message menu
- Send a typed message command
- print jobs
- changing position
- changing status
- viewing
- printer queues
- changing status
- viewing their options
- removing
- sending messages
- starting
- Status menu
- Device status command
- View menu
- Comm-device queues command
- Printer queues command
- viewing and changing device status
- viewing communication-device queues
- viewing printer queues
- Contents of manual
- Control Panel
- see MS OS/2
- Country codes
- Cracked mirror
- see also Fault-tolerance system
- correcting
- defined
- Critical Error alert (ftadmin)
- Current focus
- and profiles
- of ftadmin screen
- CUSTOM directory (for remoteboot)
- CUSTOM.DEF file (for remoteboot)
- CUSTOM.IMG file (for remoteboot)
- CUSTOM.SYS file (for remoteboot)
-
- D
- D (Delete) permission
- Data loss
- guarding against
- .DEF file
- remoteboot adjustments
- for alternate MS-DOS versions
- DEFAULT.FIT file
- DEFAULT.SEP
- Default
- administrative account
- logon scripts
- permissions
- for a communication-device queue
- for a directory or file
- for a named pipe
- for a printer queue
- for Netrun pipe
- print processor
- printer driver
- profile
- for a server
- for a workstation
- REPL.INI file
- replication group
- security type
- separator page (printer queues)
- Deleting
- partitions
- Device drivers
- adding drivers to a remoteboot workstation
- under MS OS/2
- under MS-DOS
- Dialog boxes
- see LAN Manager Screen
- Directories, shared
- see Disk resources
- Disk administrative resources
- see Administrative resources
- Disk controllers
- role in drive mirroring and duplexing
- Disk errors (ftadmin)
- classes of alerts
- correcting
- cracked mirrors
- self-correcting
- four types
- repeated failures
- viewing
- adjusting the display
- Disk resources
- in share-level security
- sharing
- stopping sharing of
- in user-level security
- auditing a file or directory
- permissions
- setting permissions
- sharing
- Diskalert entry (LANMAN.INI)
- Distributed applications
- and IPC$
- communication mode
- defined
- use of named pipes
- Domains
- and Replicator service
- exporting to a domain
- assigning users logon servers
- broadcasting messages to (console screen)
- defined
- logon domain
- planning
- user accounts
- users' roles
- setting up
- single-server domains
- workstation domain
- DOS directory
- for Remoteboot
- for remoteboot
- DOSxxx directory
- for remoteboot
- DOS401.DEF file (for remoteboot)
- Drive duplexing
- see Fault-tolerance system
- Drive mirroring
- see Fault-tolerance system
- Drive statistics (ftadmin)
- viewing and clearing
- Drive verification
- see also Fault-tolerance system
- and ftadmin Verify menu
- defined
- verifying one or all drives
- Duplexing a drive
- see Fault-tolerance system
-
- E
- Enhanced for MS-DOS
- see Workstations
- Error alerts (ftadmin)
- Error alerts
- Error correction (ftadmin)
- see also Fault-tolerance system
- and drive verification
- defined
- Error log
- defined
- error alerts
- server
- viewing, saving, and clearing
- Error messages
- see Error log
- ERROR.BAK file
- ERROR.SAV file
- Erroralert entry (LANMAN.INI)
- Errors
- see Disk errors
- Escape characters and codes for separator pages
- Events, network
- defined
- .EXE file
- use in batch files under remoteboot
- .EXE files, Netrun compatibility
- .EXE files
- and Netrun service
- Exit passwords
- see also Console screen
- Exiting the LAN Manager Screen
- Export directories
- see Replicator service
- Export server
- see Replicator service
- Exportlist entry (LANMAN.INI)
- Exportpath entry (LANMAN.INI)
- Extent entry (REPL.INI)
-
- F
- F1 key
- FAT file system
- default permissions
- Fault monitoring
- see Fault-tolerance system
- Fault-tolerance system
- drive fault monitoring
- drive mirroring and duplexing
- canceling drive mirroring or duplexing
- defined
- exposing an orphaned drive
- freeing disk space
- error correction
- complete disk failure
- correcting cracked mirrors
- correcting disk-errors
- repeated disk failures
- verifying drives
- hotfixing
- defined
- utilities
- Faults
- viewing statistics
- Fdisk utility (MS OS/2)
- File extent
- see REPL.INI files
- File flags
- and A permission
- File handling
- in replication
- File integrity
- REPL.INI file
- File locks
- Files
- forcing a file closed
- limiting open files on the server
- .FIT files
- for Remoteboot
- for remoteboot
- FITS directory, for Remoteboot
- FITS directory
- for remoteboot
- Ftadmin utility
- see also Fault-tolerance system
- using the screen
- getting help
- menus and menu commands
- screen elements
- setting the focus
- Ftmonit utility
- see also Fault-tolerance system
- turning alerts on and off
- Ftsetup utility
- see also Fault-tolerance system
- defined
- deleting a drive
- exposing an orphaned drive
- mirroring or duplexing a drive
- unmirroring a drive
-
- G
- Groupnames
- requirements
- restrictions
- Groups
- Groups, standard
- rpl
- Groups
- adding and removing members
- admins group
- assigning permissions for
- assigning through a user's account
- cloning
- creating
- deleting
- effect of permissions
- guests group
- local group
- servers group
- special groups
- admins
- guests
- local
- rep (Replicator service)
- servers
- users
- users group
- Guardtime entry (LANMAN.INI)
- Guest account
- monitoring its use
- Guest privilege
- Guestacct entry (LANMAN.INI)
- Guests group
-
- H
- Hard disks
- enabling a workstation's for Remoteboot
- Help menu (console screen)
- Help menu
- About LAN Manager command
- description
- General help command
- Glossary of terms command
- Keyboard command
- Mouse command
- Table of contents command
- Using Help command
- Help system
- command line, using
- error messages
- F1 key
- for the ftadmin screen
- for the LAN Manager Screen
- console version
- message boxes
- removing
- Hidden servers
- security advantages
- Hidden shares
- see Administrative resources
- Hiding servers
- see Servers
- Home directory
- assigning a user's
- automation of
- limiting their size
- Hotfixing
- see Fault-tolerance system
- HPFS386
- and local security
- HPFS
- and A permission
- and fault tolerance
-
- I
- IBM4201 printer driver
- Icons
- and mouse use (ftadmin)
- drive icons for ftadmin screen
- Image scanners
- see Communication-device queues, sharing
- Import directories
- see Replicator service
- Import server
- see Replicator service
- Importlist entry (LANMAN.INI)
- Importpath entry (LANMAN.INI)
- Integrity entry (REPL.INI)
- Interprocess communication (IPC)
- Interval entry (LANMAN.INI)
- IPC$
- see Administrative resources
- IPC
- see Interprocess communication
-
- K
- Keyboard movements with the LAN Manager Screen
- see LAN Manager Screen
-
- L
- <Groups> button
- <Logon> button
- LAN Manager Screen
- see also Ftadmin utility
- console version. See Console screen
- current focus
- in share-level security
- dialog boxes
- check boxes
- command buttons
- list boxes
- option buttons
- removing
- text boxes
- elements
- exiting
- getting help
- keyboard movements
- menus
- Accounts menu
- Config menu
- Help menu
- Message menu
- Status menu
- using
- View menu
- mouse movements
- Print Manager changes
- using drop-down lists
- using the mouse
- help
- using the screen
- screen elements
- LAN Manager
- quitting
- starting
- Langroup entry (LANMAN.INI)
- LANMAN directory
- ACCOUNTS subdirectory
- FITS subdirectory
- LOGS subdirectory
- PROFILES subdirectory
- PROFILES subdirectory. See also Profiles
- LANMAN.INI file
- profile settings
- LANMAN.INI file
- {alerter} section
- {messenger} section
- {netlogon} section
- {netrun} section
- {netshell} section
- {remoteboot} section
- {replicator} section
- {server} section
- {ups} section
- {workstation} section
- <Paths> button
- Licensing
- and Netrun service
- Local group
- see also Local security
- Local security
- and background processes
- and CONFIG.SYS
- and privileged processes
- and SECURESH.EXE
- definition and requirements
- local group
- on 386 servers
- permissions
- setting up the server
- Locks, file
- Logging off from the network
- Logging on
- at the first server on the network
- to an existing network
- using the default administrative account
- without accessing the network
- Logical drives
- and fault tolerance
- viewing information about
- viewing statistics
- Logoff
- forced logoff and account expiration
- Logon command
- Logon domain
- see Domains
- Logon entry (LANMAN.INI)
- Logon scripts
- and Replicator service
- assigning
- defined
- filename extensions
- for 1.x workstations
- for 2.0 workstations
- NETLOGON resource
- permissions
- planning
- SCRIPTS directory
- USERDIRS directory
- Logon security
- advantages
- and share-level servers
- server roles
- changing a role
- promoting a member or backup
- setting up the primary
- Logon servers
- assigning one for a user
- Logon
- restrictions
- standalone
- validation
- expediting processing
- under logon security
- Logonalert entry (LANMAN.INI)
- LOGS directory
-
- M
- MACHINES directory
- for Remoteboot
- Makeimg utility
- Manuals
- contents of this manual
- notational conventions
- other manuals in this set
- Maxauditlog entry (LANMAN.INI)
- Maxchdevjob entry (LANMAN.INI)
- Maxconnections entry (LANMAN.INI)
- Maxopens entry (LANMAN.INI)
- Maxruns entry (LANMAN.INI)
- Maxsessopens entry (LANMAN.INI)
- Maxsessreqs entry (LANMAN.INI)
- Maxsessvcs entry (LANMAN.INI)
- Maxusers entry (LANMAN.INI)
- Member server
- see also Logon security, server roles
- Memory swapping
- on remoteboot workstations
- using the local hard disk
- using the server
- Menus
- see also Console screen
- LAN Manager Screen
- using
- Message log file
- designating
- Message menu (console screen)
- Send a typed message command
- Message menu
- Aliases command
- description
- Log messages to file command
- Read message log file command
- Send a file as a message command
- Send a typed message command
- Messages
- adding and deleting aliases
- broadcasting (console screen)
- logging
- network
- assigning a language for a user
- reading
- sending (console screen)
- sending
- the Message menu
- Messdelay entry (LANMAN.INI)
- Messenger service
- and UPS
- effect on alerts
- effect on error logging
- LANMAN.INI entries
- pausing
- starting and stopping
- Messtime entry (LANMAN.INI)
- Mirroring a drive
- see Fault-tolerance system
- Modems
- see Communication-device queues
- Monitoring performance
- see Auditing the server
- Mouse movements with the LAN Manager Screen
- see LAN Manager Screen
- MS OS/2
- and Presentation Manager
- Control Panel
- Print Manager
- changes
- setting up printers
-
- N
- N (No) permission
- Named pipes
- limiting open named pipes on the server
- setting permissions for
- sharing
- use by Netrun and distributed applications
- Names
- groupname
- printer names
- requirements
- sharename
- requirements (disk)
- username
- Net comm
- and profiles
- Net print
- and profiles
- Net share
- and profiles
- Net stop server
- and UPS service
- Net stop workstation
- and UPS service
- Net use
- and profiles
- NET.ACC file
- see User accounts database
- NET.AUD file
- see also Audit trail
- NET.ERR file
- see also Error log
- Netioalert entry (LANMAN.INI)
- NETLOGON resource
- Netlogon service
- and domains
- compatibility with earlier versions
- in single-server domains
- LANMAN.INI values
- NETLOGON resource
- NETLOGON.BAT
- see also Logon scripts
- NETLOGON.CMD
- see also Logon scripts
- NETLOGON.PRO file
- Netpopup service
- and UPS
- effect on alerts
- effect on error logging
- pausing
- starting and stopping
- Netrun service
- advantages
- and IPC$
- checking whether it's in use
- controlling access to programs
- defined
- LANMAN.INI values
- making programs available
- program requirements
- setting up
- starting automatically
- starting
- stopping
- the runpath
- Noaudit entry (LANMAN.INI)
- Non-disk resource
- auditing
- setting permissions
- Notational conventions
- NO_MASTR.RP$
- NO_SYNC.RP$
-
- O
- OK.RP$
- Operator privileges
- accounts operator privilege
- assigning
- comm operator privilege
- print operator privilege
- server operator privilege
- Orphaned drive
- see also Fault-tolerance system
- defined
- OS2 directory
- entry (LANMAN.INI) for Remoteboot
-
- P
- P permission
- Admin only
- Change Permissions
- in share-level security
- Parent directory
- Partitions
- see also Fault-tolerance system
- deleting with ftsetup
- fault-tolerance limit
- Password entry (LANMAN.INI)
- Passwords
- changing
- from the console screen
- console screen
- exit password
- default administrative password
- for remote administration (share-level security)
- guest accounts
- in share-level security
- ADMIN$
- for communication-device queues
- for disk resources
- for printer queues
- IPC$
- requirements
- in user-level security
- assigning a user's
- placing requirements on
- requirements
- Peer service
- and profiles
- user limit
- Permissions
- for home directories
- for logon scripts
- for Replicator service
- in local security
- in share-level security
- defined
- for communication-device queues
- for disk resources
- for queues
- recommended uses
- in user-level security
- assigning queue permissions with net access
- default communication-device queue permissions
- default file and directory permissions
- defined
- for communication-device queues
- for files or directories
- for named pipes
- for Netrun pipe
- for printer queues
- for queues or named pipes
- inherited disk resource permissions
- securing programs run with the Netrun service
- user and group interactions
- preventing a user's access to a resource
- protecting Netrun programs
- Pipes, named
- see Named pipes
- PIPE\LANMAN\NETRUN
- setting permissions
- PMPRINT print processor
- Pools
- of communication devices. See Communication-device queues
- of printers. See Printer queues
- Postscript printers
- Presentation Manager
- and the Netrun service
- assigning printer names
- shutdown procedure
- cracked mirrors, preventing
- using the ftadmin screen
- Primary domain controller
- see also Logon security, server roles
- setting up
- Primary partition
- see also Fault-tolerance system
- defined
- drive verification
- viewing information about
- Print alerts
- Print jobs
- canceling
- deleting a queued job
- killing the current job
- controlling
- from the console screen
- holding and releasing
- managing
- priority
- through LAN Manager queues
- purging a queue
- repositioning
- from the console screen
- restarting
- viewing
- a queue's
- from the console screen
- the server's
- Print Manager
- cloning a printer queue
- creating a printer queue
- menus and commands with LAN Manager
- Refresh menu
- Refresh interval command
- Setup menu
- Printers command
- Queues command
- Print operator privilege
- Print processor
- see also Printer queues
- use with printer queues
- Printer driver
- see also Printer queues
- Printer queues
- advantages
- and non-ASCII files
- audited events
- setting
- cloning
- with Print Manager
- controlling
- from the console screen
- purging
- releasing
- creating
- with Print Manager
- including local and remote printers
- limiting printing hours
- options
- changing
- customizing separator pages
- holding
- print processors
- printer drivers
- priority levels
- scheduling printing times
- setting
- permissions
- setting
- pooling printers
- Print Manager
- print processors
- printer driver
- defined
- priority levels
- queue setups
- resharing a queue
- routing jobs
- scheduling printing times
- security
- separator pages
- setting up printers
- sharing
- remote printers
- serial printers
- stop sharing of
- viewing
- a queue
- the server's
- Printer
- setting up
- Printers
- see also Printer queues
- changing their status (console screen)
- continuing
- limiting open devices on the server
- managing
- name requirement
- pausing
- pooling
- print alerts
- serial
- sharing
- setting up
- viewing
- status (console screen)
- Priority levels
- for communication-device queues
- for printer queues
- Priority levels
- see also Communication-device queues
- see also Printer queues
- Privilege
- see also Operator privileges
- admin
- administering the console screen
- fault tolerance, use with
- resource access
- assigning a user's privilege
- guest
- guest account
- levels defined
- planning users' roles in domains
- user
- Privileged processes
- PRIVINIT.CMD
- .PRO files
- see also Profiles
- Process
- background
- privileged
- Processing power, shared
- see Netrun service
- PROFILES directory
- Profiles
- and administrative resources
- and LANMAN.INI
- automatic
- loading
- PUBLIC resource
- saving
- commands in
- defined
- in share-level security
- loading
- appending or replacing configurations
- procedure
- saving
- a local profile
- a profile remotely
- permissions, in share-level security
- server
- commands in
- passwords, use with
- use as logon scripts
- Workstation
- commands in
- under Peer service
- Programs
- local security permissions requirements
- Protshell entry (CONFIG.SYS)
- PUBLIC directory
- Pulse entry (LANMAN.INI)
-
- Q
- Queues
- see Communication-device queues
- see Printer queues
- Quitting LAN Manager
- see LAN Manager
-
- R
- R (Read) permission
- Random entry (LANMAN.INI)
- Recharge entry (LANMAN.INI)
- Remote administration
- ADMIN$'s role
- as a security feature
- MS-DOS workstation limitations
- of fault tolerance
- of share-level servers
- preventing
- profile
- loading one remotely
- saving one remotely
- running several remote sessions
- starting a session
- Remote servers
- see Remote administration
- Remoteboot service
- customizing
- adding device drivers
- booting more than one MS-DOS version
- work directories, not on remoteboot server
- LANMAN.INI values
- preparing a workstation
- accounts and permissions (user-level security)
- adding it to the network
- creating configuration files (MS OS/2)
- disabling Remoteboot
- disabling the local hard disk
- RPLUSER directory tree
- setting up memory swapping on a remoteboot workstation
- REPL.INI files
- see also Replicator service
- creating
- default file
- extent entry
- integrity entry
- Replicate entry (LANMAN.INI)
- Replicating directories
- see Replicator service
- Replicating logon scripts
- Replicator service
- and logon scripts
- defined
- export server
- creating the export directory
- export directory
- setting up
- import server
- creating the import directory
- import directory
- importlist
- required permissions
- setting up
- signal files
- use of export directory
- LANMAN.INI values
- starting automatically
- suspending replication of a file or directory
- Reserved administrative resources
- see Administrative resources
- Resource, non-disk
- auditing
- setting permissions
- Rpl group
- RPL ROM chip
- RPL.MAP file
- workstation record
- enabling a new record
- workstation records
- adapting for alternate MS-DOS versions
- Rpldsabl utility
- Rplenabl utility
- RPLUSER directory (Remoteboot service)
- creating work directories
- Run path
- adding programs
- removing programs
- Runpath entry (LANMAN.INI)
-
- S
- Scanners
- see Communication-device queues
- Screen sessions
- preventing users from switching (console screen)
- SCRIPTS directory
- Scripts entry (LANMAN.INI)
- Scripts
- see Logon scripts
- Secondary partition
- see also Fault-tolerance system
- defined
- drive verification
- exposing
- free disk space for them
- viewing information about
- SECURESH.EXE
- Security settings
- adjusting
- Security, local
- see Local security, on 386 servers
- Security
- changing the server's security
- default type
- other means of protection
- planning
- domain worksheet
- Security
- see also Share-level security
- see also User-level security
- Separator pages
- Serial printers
- see Printers
- Server operator privilege
- Server service
- LANMAN.INI values
- modifying use limits at startup
- pausing
- server profiles
- starting
- Server
- auditing
- network events
- configuration values
- error log
- saving and clearing
- viewing
- forcing files closed
- hiding a server
- replicating a server's directories
- roles in logon security
- sessions
- forcing sessions closed
- placing limits on
- viewing session information
- setting up alerts
- setting up for Netrun
- viewing and clearing statistics
- viewing its configuration
- viewing, saving, and clearing the audit trail
- Servers group
- Services
- see also the listing for the service
- adjusting
- controlling
- continuing
- pausing
- starting
- stopping
- defined
- descriptions
- Alerter
- Messenger
- Netlogon
- Netpopup
- Netrun
- Peer
- Remoteboot
- Replicator
- Server
- Timesource
- UPS
- Sessions
- automatically disconnecting inactive sessions
- closing
- defined
- forcing a session closed
- viewing
- one session
- the server's
- Share-level security
- and ADMIN$
- and IPC$
- and Netrun service
- available auditing
- defined
- effect on sessions
- gaining administrator status
- remote administration
- Sharename
- and permission in share-level security
- defined
- requirements (disk)
- Sharing server's memory
- see Netrun service
- Sharing
- in share-level security
- Sharing
- see also Administrative resources
- see also Communication-device queues
- see also Disk resources
- see also Printer queues
- Signal files (Replicator service)
- Signals entry (LANMAN.INI)
- Sizalertbuf entry (LANMAN.INI)
- Size limits
- home directory
- \SPOOL directory
- Spooled printer queues
- see Printer queues
- Spooler, LAN Manager
- Spooling
- SQL Server
- SRVAUTO.PRO file
- SRVAUTO.PRO
- see also Profiles
- Srvservices entry (LANMAN.INI)
- Standalone logon
- Standalone server
- see also Logon security, server roles
- Statistics
- drive
- server
- contents of the display
- monitoring sessions
- using
- viewing and clearing
- workstation
- viewing and clearing
- Status menu (console screen)
- Device status command
- changing a device's status
- viewing device status
- Status menu
- Audit trail command
- viewing the audit trail
- description
- Device status command
- deleting a print job
- printers, continuing
- printers, pausing
- Error log command
- saving and clearing the error log
- viewing and clearing the error log
- Opened files command
- checking Netrun use
- forcing a file closed
- Server statistics command
- clearing statistics
- viewing statistics
- Session status command
- forcing a session closed
- viewing sessions
- Workstation statistics command
- Swappath entry (CONFIG.SYS)
- see CONFIG.SYS
- Synchronizing
- computer clocks
- drives under fault tolerance
-
- T
- 286 computers
- adding a device driver
- 386 servers
- and local security
- Tasks
- getting help with
- Terms
- getting help with
- Time server
- Timesource service
- designating the time server
- starting
- synchronizing with the time server
- Tree extent
- see REPL.INI files
- Tree integrity
- see REPL.INI files
- Tryuser entry (LANMAN.INI)
- Typographic conventions
-
- U
- Unattended server
- see Console screen
- Uninterruptible power supply (UPS)
- defined
- UPS service
- and drive verification
- configuring
- LANMAN.INI values
- setting up
- starting
- User accounts database
- and logon security
- for member or backup servers
- for standalone servers
- in single-server domains
- planning
- User privilege
- and operator privileges
- defined
- User-level security
- advantages
- and ADMIN$
- and IPC$
- and local security
- and logon security
- and Netrun service
- available auditing
- defined
- effect on sessions
- password requirements
- advantages
- permissions
- for Netrun pipe
- security settings
- defined
- User-level security
- see also Local security
- see also Logon security
- USERDIRS directory
- USERLOCK files
- Replicator service
- Username
- defined
- requirements
- Users group
- Users
- limiting number of users using a server
- viewing users logged on
- Using resources
-
- V
- Validation of logon requests
- see Logon
- View menu (console screen)
- Comm-device queues command
- viewing queues
- Printer queues command
- changing a job's status
- changing queue status
- repositioning a queued job
- viewing a queue
- viewing job information
- View menu
- Available resources command
- Comm-device queues command
- changing a queue's priority
- purging requests
- viewing queues
- description
- Exit command
- Printer queues command
- changing queue options
- deleting a queue
- deleting a queued job
- holding and releasing a job
- holding and releasing a queue
- purging a queue
- repositioning a queued job
- restarting a printing
- viewing queues
- Shared resources command
- changing administrative resource options
- changing queue options
- sharing a directory
- sharing a queue
- sharing an administrative resource
- stop sharing a communication-device queue
- stop sharing a directory
- stop sharing a printer queue
- stop sharing an administrative resource
- viewing queues
- Used resources command
- Users on a domain command
- Users on a server command
- Viewing
- communication-device queues
- drive information
- drive statistics
- error information
- error log
- partition information
- printer queues
- on a server
- viewing one queue
- server configuration
- server statistics
- session information
- workstation configuration
- Virtual circuits
- Voltlevels entry (LANMAN.INI)
-
- W
- W (Write) permission
- Warning alert (ftadmin)
- Work directories (for Remoteboot)
- creating
- Work directories (for remoteboot)
- locating, not on remoteboot server
- Workstation domain
- see Domains
- Workstation service
- LANMAN.INI entries
- pausing
- starting
- Workstation
- remoteboot workstation
- adjusting memory swapping
- creating configuration files for MS OS/2
- disabling the local hard disk
- returning to local boot
- Workstations
- adjusting configuration options
- and Netrun service
- limiting connections to the server
- MS OS/2
- default logon script
- MS-DOS
- Basic
- default logon script
- Enhanced
- Enhanced, and remote administration
- remote administration limits
- remoteboot workstations
- adding device drivers
- alternate MS-DOS versions
- viewing and clearing statistics
- WRKFILES resource (Remoteboot service)
-
- X
- X (Execute) permission
-
- Y
- Y (Yes) permission
- Y+P (Yes+Change Permissions) permission
-
-