Microsoft Programmer's Library 1.3

home *** CD-ROM | disk | FTP | other *** search

/ Microsoft Programmer's Library 1.3 / Microsoft_Programmers_Library.7z / MPL / net / lanadmg.txt < prev next >

Wrap

Text File | 2013-11-08 | 628.8 KB | 17,666 lines

Microsoft LAN Manager - Administrator's Guide ──────────────────────────────────────────────────────────────────────────── Microsoft(R) LAN Manager - Administrator's Guide VERSION 2.0 ──────────────────────────────────────────────────────────────────────────── for the MS(R) OS/2 Operating System Microsoft Corporation Information in this document is subject to change without notice and does not represent a commitment on the part of Microsoft Corporation. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of the agreement. It is against the law to copy the software on any medium except as specifically allowed in the license or nondisclosure agreement. No part of this manual may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the written permission of Microsoft Corporation. The LAN Manager Remoteboot service does not in any way amend nor supersede the provisions of the end user license agreements for MS-DOS or MS OS/2 ("Microsoft Software"). Those end user license agreements limit the use of a given copy of Microsoft Software to a single terminal connected to a single computer. They also prohibit the use of such Microsoft Software on a network or otherwise on more than one computer or computer terminal at the same time. Accordingly, Microsoft Software may not be remotely loaded to terminals or workstations unless you have a valid Microsoft end user license for each such remoteboot workstation. U.S. Government Restricted Rights The SOFTWARE and Documentation are provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of The Rights in Technical Data and Computer Software clause at 252.227-7013 or paragraphs (c) (1) and (2) of Commercial Computer Documentation─Restricted Rights at 48 CFR 52.227-19, as applicable. Contractor/Manufacturer is Microsoft Corporation/One Microsoft Way/Redmond, Washington 98052-6399. (C)1990 Microsoft Corporation. All rights reserved. Printed in the USA. Microsoft, MS, MS-DOS, XENIX, and the Microsoft logo are registered trademarks of Microsoft Corporation. PostScript is a registered trademark of Adobe Systems, Inc. IBM is a registered trademark of International Business Machines Corporation. 386 is a trademark of Intel Corporation. Document Number: SY10058-0590 OEM-P787-2Z Table of Contents ──────────────────────────────────────────────────────────────────────────── Before You Begin How To Use This Manual Notational Conventions Finding Further Information PART I Learning the Basics ──────────────────────────────────────────────────────────────────────────── Chapter 1 Overview How LAN Manager Works Administrator's Responsibilities Planning a LAN Manager Network Setting Up the Network LAN Manager Features Managing the Network Maintaining the Network Working with Other Network Software Chapter 2 Getting Started Starting LAN Manager Starting the Workstation and Server Services Logging On Using the LAN Manager Screen Using Menus and Menu Commands Using Dialog Boxes Getting Help with the LAN Manager Screen Getting Help from the Command Line Getting Help with Error Messages Administering Remote Servers Setting the Current Focus Controlling LAN Manager Services Pausing a Service Continuing a Service Stopping a Service Starting a Service Quitting LAN Manager Logging Off from the Network Stopping the Workstation and Server Services Exiting the LAN Manager Screen for Administrators PART II Managing Security ──────────────────────────────────────────────────────────────────────────── Chapter 3 Understanding and Planning Security Domains Basics of User-Level Security Logon Security Local Security Security in Single-Server Domains Protecting 286 Servers The Console Version of the LAN Manager Screen Physically Secure Servers Hidden Servers Planning Security Using the Domain Worksheet Using the Server Worksheet Setting Up a Server Setting Up a Domain Chapter 4 User-Level Security Administering a Server with User-Level Security The Default Administrative Account Setting Up Logon Security Setting Up the Primary Domain Controller Setting Up a Backup Domain Controller or Member Server Setting Up the Domain's Workstations Promoting a Backup or Member Changing a Server's Role Logon Scripts User Accounts Contents of User Accounts The Guest Account Creating a User Account Cloning a User Account Viewing and Changing Account Settings Disabling or Enabling a User Account Deleting a User Account Groups of Users Creating a Group Cloning a Group Changing a Group's Membership Deleting a Group Security Settings Adjusting Security Settings Resource Permissions and Auditing Types of Permissions How Resource Permissions are Applied Setting Permissions and Auditing for a Directory or File Setting Permissions and Auditing for a Non-Disk Resource Local Security on 386 Servers Starting a Server with Local Security File Access with Local Security Local Security Guidelines Background Processes SECURESH.EXE and the CONFIG.SYS File Upgrading MS OS/2 or LAN Manager Chapter 5 Share-Level Security Administering a Server with Share-Level Security Setting Resource Permissions PART III Sharing Resources ──────────────────────────────────────────────────────────────────────────── Chapter 6 Administrative Resources Using the Administrative Resources ADMIN$ IPC$ Disk Administrative Resources Sharing an Administrative Resource Sharing ADMIN$ and IPC$ Sharing a Disk Administrative Resource Changing Administrative Resource Options Stop Sharing an Administrative Resource Chapter 7 Disk Resources Directory Access with User-Level Security Assigning Inherited Permissions Assigning Default Permissions Auditing Disk Use Directory Access with Share-Level Security Auditing Disk Use Sharing a Directory with User-Level Security Sharing a Directory with Share-Level Security Stop Sharing a Directory Chapter 8 Printers How Printer Queues Work Printer Queue Setups Printer Queue Options Printer Queue Security Sharing a Printer Queue Adding a Printer Queue to a Server's Shared Resources Setting Options for a Printer Queue Setting Permissions and Audited Events Including a Remote Printer in a Printer Queue Changing Options for a Printer Queue Stop Sharing a Printer Queue Deleting a Printer Queue Managing Printers, Queues, and Print Jobs Viewing Queues and Job Information Holding and Releasing a Printer Queue Purging Print Jobs from a Printer Queue Holding and Releasing a Print Job Restarting a Print Job Moving a Print Job in a Printer Queue Deleting a Print Job Canceling a Print Job that Is Printing Pausing and Continuing a Printer Chapter 9 Communication Devices How Comm Queues Work Comm Queue Setups Priority Levels Setting Up Comm Queues Sharing a Comm Queue Setting Permissions and Audited Events Changing Options for a Comm Queue Stop Sharing a Comm Queue Managing Comm Queues and Requests Viewing Comm Queues Purging Requests from a Comm Queue Chapter 10 Profiles How Profiles Work Saving a Server Profile Loading a Server Profile Loading and Saving Profiles Automatically PART IV Advanced Features ──────────────────────────────────────────────────────────────────────────── Chapter 11 Running an Unattended Server Administering an Unattended Server Using the Console Screen Starting the Console Screen Removing the Console Screen Screen Menus and Commands Printer Queues Viewing Printer Queue Information Changing the Status of a Printer Queue Viewing Print Job Information Changing the Position of a Print Job Changing the Status of a Print Job Comm-device Queues Exit Send a Typed Message Device Status Viewing Device Status Information Changing the Status of a Device Changing Your Password Chapter 12 Sharing Processing Power Using the Netrun Service Creating a Run Path Controlling Access to Netrun and Distributed Applications User-Level Security Share-Level Security Controlling the Number of Netrun Users Managing the Netrun Service Setting Up the Server for the Netrun Service Starting the Netrun Service Starting Netrun Automatically Stopping the Netrun Service Adding a Program Removing a Program Chapter 13 Replicating Files and Directories How Replication Works The REPL.INI File Preparing an Export Server Assigning Permissions for Replication Preparing an Import Server Maintaining Replication Stopping Replication Chapter 14 Using the Remoteboot Service Adding a Remoteboot Workstation to the Network Creating Remoteboot Directories Adjusting User-Level Security Adding a Workstation Record Adding a .FIT File for the Workstation Adjusting Configuration Files for an MS OS/2 Workstation Enabling the Remoteboot Process on a Workstation's Hard Disk Disabling the Remoteboot Process on a Workstation's Hard Disk Booting More than One Version of MS-DOS Adding Device Drivers Adding Device Drivers to MS-DOS Workstations Adding Device Drivers to MS OS/2 Workstations Booting from One Server and Sharing Work Directories from Another Server Chapter 15 Guarding Against Data Loss Understanding the Fault-Tolerance System The Fault-Tolerance Utilities Configuring Drive Mirroring or Duplexing Using the ftadmin Screen Focusing ftadmin on a Remote Server Viewing Drive Statistics Viewing Information about Logical Drives Changing the Error Information Display Turning Disk Alerts On and Off Verifying Drives Correcting Disk Errors Disk Error Correction Codes Using an Uninterruptible Power Supply Using the UPS Service Configuring the UPS Service Starting the UPS Service Chapter 16 Monitoring the Network Auditing a Server on the Network Establishing Audited Events in LANMAN.INI Modifying Audited Events Viewing, Saving, and Clearing the Audit Trail The Alert System Starting the Alerter Service Configuring Alerts The Statistics Display Viewing and Clearing Statistics The Error Log Viewing the Error Log Saving and Clearing the Error Log Using Session Information Modifying Session Entries Viewing Session Information Closing Sessions Closing Files Synchronizing Network Clocks Synchronizing with the Time Server Appendix A The LANMAN.INI File Summary Tables Workstation Messenger Netshell Server Alerter Netrun Replicator UPS Netlogon Remoteboot Appendix B Menu Commands The LAN Manager Screen for Administrators View Menu Message Menu Config Menu Status Menu Accounts Menu Help Menu Console Version of the LAN Manager Screen View Menu Message Menu Status Menu Accounts Menu Help Menu Appendix C Country Codes Appendix D Using the MS OS/2 Print Manager with LAN Manager The MS OS/2 Print Manager Window Using MS OS/2 Print Manager with Network Printers Viewing Printers Setting Up a Printer Changing the Settings for a Printer Viewing Queues Adding a Queue Changing Options for a Queue Updating Information in the MS OS/2 Print Manager Window Glossary Index Before You Begin ──────────────────────────────────────────────────────────────────────────── The Microsoft(R) LAN Manager Administrator's Guide is for new and experienced administrators of Microsoft LAN Manager. It explains the terminology and concepts behind administering a LAN Manager network, and describes how to perform administrative tasks. Tasks can be performed using either the LAN Manager Screen or commands and utilities typed at the operating system prompt. This manual emphasizes use of the LAN Manager Screen, noting command-line equivalents. For full explanations of how to use typed commands and utilities, see the Microsoft LAN Manager Administrator's Reference. This manual assumes that you understand Microsoft Operating System/2 (MS(R) OS/2). If you are not familiar with MS OS/2, see your MS OS/2 manual(s). For an explanation of terms and concepts specific to a local-area network and to LAN Manager, read Getting To Know Microsoft LAN Manager and the Microsoft LAN Manager User's Guide. How To Use This Manual This manual contains the following parts: Part 1, "Learning the Basics" Part 1 provides general information about administering a LAN Manager network. Additionally, it explains how to start and stop the server, how to log on to the local-area network, and how to use the LAN Manager Screen for administrators. Read this part if you are not familiar with LAN Manager and for an overview of the responsibilities of an administrator. Part 2, "Managing Security" Part 2 tells how to plan and implement security on LAN Manager servers. It introduces the basic concepts and terms of LAN Manager security. There are two types of security─user-level and share-level. Read this part to learn how to plan and implement security on the LAN Manager network. Part 3, "Sharing Resources" Part 3 tells how to share the server's special administrative resources, disk resources, printers, and communication devices with network users. Additionally, it explains how to use profiles to automate sharing of the server's resources. Read this part to find out how to share resources on the LAN Manager network. Part 4, "Advanced Features" Part 4 goes beyond the basics to advanced features that enhance the LAN Manager network. This part describes how to use the console version of the LAN Manager Screen and the Netrun, Replicator, and Remoteboot services. Additionally, it explains how to use the LAN Manager fault-tolerance features and the UPS service. Information about auditing network activity and auditing shared resources on a server with share-level security is also included. Read this part to learn how to use the advanced services and features available with the LAN Manager network. Notational Conventions This manual uses different type styles and special characters for different purposes: ╓┌─────────────────────────────────┌───────────────────────────────────────── Convention Use ──────────────────────────────────────────────────────────────────────────── Bold Represents commands, command options, and file entries. Type the words exactly as they appear, for example, net use. Italic Introduces new terms and represents variables. For example, the variable computername indicates that you supply the name of a workstation or server. Monospace Represents examples, screen displays, program code, and error messages. FULL CAPS Represent filenames and pathnames in text. You can, however, type entries in Convention Use ──────────────────────────────────────────────────────────────────────────── You can, however, type entries in uppercase or lowercase letters. SMALL CAPS Represent key names (such as CTRL or F2). KEY+KEY Indicates that you must press two keys at the same time. For example, "Press CTRL+Z" means to hold down CTRL and press Z. {braces} Enclose required items in syntax statements. For example, {yes | no} indicates that you must specify yes or no when using the command. Type only the information within the braces, not the braces themselves. [brackets] Enclose optional items in syntax statements. For example, [password] indicates a password may be needed with Convention Use ──────────────────────────────────────────────────────────────────────────── indicates a password may be needed with the command. Type only the information within the brackets, not the brackets themselves. | (vertical bar) Separates items within braces or brackets. For example, {/hold | /release | /delete} indicates that only one of the three options can be used. ... (ellipsis) In syntax statements, indicates that you can repeat the previous item(s). For example, /route:devicename[,...] indicates that you can specify more than one device, putting a comma between the devicenames. <Command> Indicates a command button to be chosen within a dialog box. Convention Use ──────────────────────────────────────────────────────────────────────────── Indicates the procedure for performing a task using the LAN Manager Screen. Command Line Indicates the procedure for performing a LAN Manager task using commands at the operating system prompt. Finding Further Information In addition to this manual, the LAN Manager manual set includes the following: Getting To Know Microsoft LAN Manager Gives first-time network users an introduction to local-area networks and to LAN Manager. Microsoft LAN Manager User's Guide for MS OS/2 Provides guide and reference information about using LAN Manager on MS OS/2 workstations. Microsoft LAN Manager User's Guide for MS-DOS(R) Provides guide and reference information about using LAN Manager Enhanced and Basic on MS-DOS workstations. Microsoft LAN Manager Installation Guide Provides information about installing LAN Manager software and using the Setup program to configure workstations and servers. Microsoft LAN Manager Administrator's Reference Provides reference information about LAN Manager commands and utilities for MS OS/2 computers, and about the LAN Manager program directory and initialization file. Microsoft LAN Manager Network Device Driver Guide Provides information about network device drivers that can be used with LAN Manager. Microsoft LAN Manager Programmer's Reference Provides information about LAN Manager application program interfaces (APIs). (This manual is optionally available.) Quick references are also available for users and administrators. PART I Learning the Basics ──────────────────────────────────────────────────────────────────────────── Microsoft LAN Manager offers a flexible system for administering a local-area network. This part introduces you to the basics of LAN Manager─how it works, how to plan a network, how to manage a network, and how to stop and start LAN Manager. Chapter 1 outlines the tasks involved in administering the server's resources and introduces some LAN Manager features that can simplify your job as an administrator. Chapter 2 introduces the LAN Manager Screen for administrators, and shows how to start and stop LAN Manager, how to log on to the network, and how to perform tasks using the screen's menus and dialog boxes. Chapter 1 Overview ──────────────────────────────────────────────────────────────────────────── This chapter describes Microsoft LAN Manager. It explains the features of LAN Manager and the tasks you'll perform as administrator to plan, set up, and maintain the local-area network. How LAN Manager Works LAN Manager expands the features of MS OS/2 to transform it into a powerful, easy-to-use network operating system. When you install the appropriate hardware and software on your company's computers, then connect those computers with cable, you create a local-area network that lets computer users share applications, files, and directories, plus printers, modems, and other devices, in an organized, efficient way. A LAN Manager network is made up of servers and workstations. Servers are computers that control equipment and information that people on the network can use. Workstations are computers that enable people to use the network resources provided by servers. A LAN Manager server runs MS OS/2. A workstation can run either MS OS/2 or MS-DOS. An MS OS/2 computer can be used as both a server and a workstation. The process of making equipment and information available to users is called sharing. The servers on a LAN Manager network share resources─applications, disk drives, directories, printers, modems, scanners, and so on─with users. One server might share all types of resources, or just one resource. A server can use a variety of security features to control access to the resources it shares. A user gains access to a shared resource by connecting his or her workstation to the server that is sharing the resource. The user then uses the resource as though it were physically attached to his or her workstation. Sharing resources is at the core of your work as an administrator. You'll define which resources to share, which users can connect to them, and the extent of each user's access. The rest of this chapter explains more about what your job as an administrator involves. Administrator's Responsibilities As an administrator, you'll set up workstations and servers, share resources on servers, and control access to those resources by managing security on the network. Once the network is operating, you'll maintain it, making changes to add new users and new resources as they become available. One network can have several administrators. An administrator can give another person the full privileges of an administrator or give users partial administrative privileges. These operator privileges let others control specific areas of LAN Manager administration (such as the sharing of printers). Your job requires you to be an experienced user of MS OS/2 and MS-DOS. You should be able to use a text-editing program, such as Microsoft Word or the MS OS/2 System Editor. And you should be a proficient user of Microsoft LAN Manager. For information about using a LAN Manager workstation, see the Microsoft LAN Manager User's Guide for MS OS/2 and the Microsoft LAN Manager User's Guide for MS-DOS. Planning a LAN Manager Network The first step in setting up LAN Manager is to decide how you want the network organized. Once the hardware and software are installed on the computers on the network, you'll share resources on servers and determine how security will be arranged to control access. After that, you'll maintain the network and help users. Organize the Network Think about the hardware the network will accommodate, the needs of the people who will use it, and the best approaches to securing network resources while enabling people to use them with maximum flexibility. Make the following decisions: ■ How many servers and workstations will the network have? There's no optimal ratio of servers to workstations; the best ratio depends on the demands the users make on the network. Be sure to allow for future growth of the network. ■ Which files, printers, modems, or other resources do you and your coworkers need on a regular basis? How should these resources be distributed? Estimate the demand for these resources, and then think about how to spread them around the network to distribute the work load among servers. ■ How secure do the network resources need to be? Can everyone be allowed to use everything? Should some resources, such as confidential files, be restricted, while other resources, such as printers, be available to all? As administrator, you control who has access to every resource on the network, specifying what each user can do with each resource. Draw Up a Plan When you have decided how to organize the network, draw up a plan. If the network is large, group servers into domains (separate groups of servers, workstations, and users). Domains are explained later in this chapter. You can set up one domain for everything, or set up many domains. In general, separate the network into domains if users or computers fall into separate groups (for example, if your company has different divisions or work groups). Be sure to decide which servers will share resources, and which type of security will be used at each server. Chapter 3, "Understanding and Planning Security," includes two worksheets to help you plan domains and set up servers. Figure 1.1 shows a sample layout of a network with three domains. (This figure may be found in the printed book). Setting Up the Network Part of your job as administrator is to ensure that the correct hardware and the LAN Manager software are installed on all servers and workstations on the network. For information about installing LAN Manager software, see the Microsoft LAN Manager Installation Guide. For hardware installation instructions, see the manual that accompanies your network hardware. You may also need to install MS OS/2 or MS-DOS on some computers before installing LAN Manager. For information about installing MS OS/2 or MS-DOS, see your operating system manual(s). LAN Manager Features As you plan and set up the network, LAN Manager provides many features that make your job easier and let you efficiently control access to shared resources. This section introduces some of these features. LAN Manager Screen for Administrators The LAN Manager Screen for administrators is a menu-oriented screen that allows you to perform administrative tasks without memorizing command syntax. It is similar to the LAN Manager Screen for users, but it includes features that let you share and control resources as well as use the workstation. For information about how to use the LAN Manager Screen for administrators, see Chapter 2, "Getting Started." Command-Line Commands In addition to using the LAN Manager Screen for administrators to perform administrative tasks, you can also type LAN Manager commands at the MS OS/2 or MS-DOS prompt. On an MS OS/2 computer, this can be done from another MS OS/2 session or by exiting the LAN Manager Screen. In this manual, procedures for performing administrative tasks are shown with the LAN Manager Screen for administrators, followed by the equivalent command-line command. When there is no LAN Manager Screen equivalent for a task, the command-line command is discussed in more detail. For detailed information about each LAN Manager command, see the Microsoft LAN Manager Administrator's Reference. Flexible Security LAN Manager provides security features that let you control access to shared resources. Servers can use either of two security modes: user-level security or share-level security. For information about each type of server security, see Chapter 3, "Understanding and Planning Security." User-Level Security - User-level security gives you precise control over each of a server's shared resources. Before sharing a resource on a server with user-level security, you set up a user account for each user who can have access to the server. Then you set permissions for each resource you plan to share. ■ A user account contains a username and password that identify a user. It can also include information about how the person can use the server. For example, you can limit the hours during which the user can access the server's resources and the workstations from which the user can connect to the server. A country code specifies the language in which the server sends error and alert messages to the user. ■ Permissions define the extent to which each user can use a resource. For shared directories, you can define separate permissions for individual subdirectories and files. With user-level security, you can also take advantage of the following security features: ■ Logon security, in which only specified users can log on to the network. The username and password that a user supplies when logging on at a workstation are checked on a server to verify that they match those in a user account, and that the user is allowed access to the network. You can also create a logon script that automatically runs a program or makes network connections at the user's workstation when the user logs on. Logon security is used to maintain domains within a network. ■ Local security, which extends the controls of user-level security to apply to local users (users working at the server itself), in addition to users working at separate, or remote, workstations. With local security, not even a user at the server's keyboard can access the server's files without proper permissions, regardless of whether LAN Manager is running. Local security runs on 386(tm) servers and uses the high-performance file system 386 (HPFS386). For more information about user-level security, see Chapter 4, "User-Level Security." Share-Level Security - Share-level security uses a single password to limit access to a shared resource, which has only one set of permissions. Any user who can supply the password can use the resource. For more information about share-level security, see Chapter 5, "Share-Level Security." Domains To easily manage a large or diverse network, LAN Manager lets you create separate groups of servers, workstations, and users, called domains. Domains provide a simple way to control user access to the network, and they allow each user to work primarily with a specific group of servers and other users. You can set up one or more domains, and include servers with user-level security as well as servers with share-level security within them. If the domain has a server with user-level security, then logon security can run in the domain. A user can have accounts in multiple domains but can log on in only one domain at a time. Being logged on in one domain, however, doesn't preclude using resources in other domains. For more information about domains, see Chapter 3, "Understanding and Planning Security." Remote Administration You don't need to be sitting at a server to perform administrative tasks. You can manage a server from any LAN Manager for MS OS/2 or LAN Manager Enhanced for MS-DOS workstation, provided you have administrative privileges at the server. Using the LAN Manager Screen for administrators at an MS OS/2 workstation, you can administer a remote server simply by setting the focus on the server's computername. For information about remote administration, see Chapter 2, "Getting Started." Services A service is a program that performs one of the major functions of LAN Manager. Services are started, paused, continued, and stopped using the LAN Manager Screen or command-line commands. The Workstation service lets a user log on to the network and use a workstation. The Server service lets an administrator share resources with other users. The Peer service gives an MS OS/2 workstation many of the features of a server, including the ability to share a queue and directories with another user. Services also control the following LAN Manager features: ■ File replication. The Replicator service lets you maintain an identical, up-to-date set of directories and files on selected servers and workstations. Replication saves you the time of updating files on many servers, spreads out the demand for heavily used files, and decreases the processing load on individual servers. For more information, see Chapter 13, "Replicating Files and Directories." ■ Remote booting. Your network can include workstations without hard disk drives. These workstations can operate on software provided by servers. Using the Remoteboot service, a server can send boot software to enable a workstation without a hard disk to run MS OS/2 or MS-DOS. For more information, see Chapter 14, "Using the Remoteboot Service." For more information about services, see Chapter 2, "Getting Started." Fault Tolerance If a disk drive fails or the power goes out, the LAN Manager fault-tolerance system can protect against data loss. The fault-tolerance system includes utilities to ensure that there are always two copies of data available for hard-disk read and write operations. For more information about fault tolerance, see Chapter 15, "Guarding Against Data Loss." Uninterruptible Power Supply (UPS) Service The UPS service lets you attach a battery to the server to protect data should a power failure occur. The UPS service provides for orderly shutdowns when the power fails. For more information about the UPS service, see Chapter 15, "Guarding Against Data Loss." Queues To manage printers, modems, and other devices, servers can share queues to handle tasks for many users. ■ A printer queue stores print jobs, which are spooled from users' workstations. Printer queues send print jobs (usually in the order received) to printers as they become available. For information about how to share and control printer queues, see Chapter 8, "Printers." ■ A communication-device queue stores requests for the use of modems, scanners, or printers that use serial processing. Users wanting to connect to the device send a request to the queue. When the device becomes available, the queue connects the user's workstation to the device. For information about how to share and control communication-device queues, see Chapter 9, "Communication Devices." Console Screen To maintain security at an unattended server while allowing users to view the contents of queues, LAN Manager features a console screen. The console version of the LAN Manager Screen displays the contents of a server's printer queues or communication-device queues. Users cannot use the server in any way except to monitor and modify their own requests. A password must be supplied to exit the screen. For more information about the console screen, see Chapter 11, "Running an Unattended Server." Profiles LAN Manager allows you to share resources and set permissions for them at a server, and then save a record of those shares in a profile. Also, the workstation's connections to shared resources can be recorded in the profile. The profile can be loaded at any time to restore shares and connections. Shares and connections specified in a profile can replace existing ones or be added to them. For information about creating and using profiles, see Chapter 10, "Profiles." LANMAN.INI File Many aspects of a workstation's or a server's performance are predefined, and are set automatically at startup. For example, when the LAN Manager Screen is started, a username for logging on is suggested. Likewise, a workstation or server is started by default with a unique name, called the computername, which identifies it on the network. Such settings are determined by a file called LANMAN.INI, which resides in the LANMAN directory. (For LAN Manager for MS-DOS, the LAN Manager software is stored in the LANMAN.DOS directory.) LANMAN.INI is an initialization file that contains a separate entry with a default value for each setting (such as the computername). You can temporarily change settings by using the net start or net config command, or by using the LAN Manager Screen to start a service. You can permanently change settings by using the Setup program or by editing the LANMAN.INI file with a text editor. The default values and ranges of LANMAN.INI settings are shown in Appendix A, "The LANMAN.INI File." They are defined in the Microsoft LAN Manager Administrator's Reference. Online Help Help is available both from the LAN Manager Screen for administrators and from the MS OS/2 command line. The LAN Manager Screen for administrators provides context-sensitive help for most tasks, as well as a glossary of terms. For information about getting online help, see Chapter 2, "Getting Started." Other Features and Utilities To let you expand the power of your network, LAN Manager offers these features and utilities: ■ Monitoring features. LAN Manager maintains records of events that occur on the network and lets you audit a variety of activities. For more information, see Chapter 16, "Monitoring the Network." ■ Utilities. LAN Manager features utilities that let you schedule programs to run on a server at a specified time (the at utility), detect errors as they occur (the errpopup utility), and check the storage space on a server sharing users' home directories (the chkstor utility). For more information, see the Microsoft LAN Manager Administrator's Reference. ■ HPFS386. To take advantage of the 80386 microprocessor, LAN Manager features HPFS386, which provides extremely fast access to a very large shared disk or partition. The backacc, cache, logoff, logon, priv, restacc, and SECURESH.EXE utilities help you use HPFS386. For more information, see the Microsoft LAN Manager Administrator's Reference. Managing the Network An important part of your job as administrator is to manage user accounts and resource permissions, and to share resources. Managing User Accounts It's your job as administrator to create user accounts, which let users log on in a domain and gain access to resources on a server with user-level security. You can simplify the job of managing security on the network by creating groups of users, and then setting permissions for each group. With groups, you can assign one set of permissions for many users. You can also set up a guest account to allow access for users who do not have an account. For information about how to work with user accounts and groups, see Chapter 4, "User-Level Security." Managing Resource Permissions After you set up accounts, you assign permissions for individual resources. For a given resource, such as a directory, you define who can use it and what the user can do with it (read, write, delete, and other actions). For information about permissions and how to set them, see Part 3, "Sharing Resources." To properly protect the resources, you should set permissions before sharing. Think through the security needs of each resource, adjust the permission settings, and then share the resource. The permissions can be adjusted at the time that you share the resource, or even while the resource is being shared. On a server with user-level security, setting permissions is separate from actually sharing a resource; the permissions exist whether the resource is currently shared or not. On a 386 server with local security, permissions are set for all directories and files─including those that you don't intend to share. These permissions apply to users working at the server's keyboard as well as to users at remote workstations with connections to the server. Although MS-DOS workstations using LAN Manager Basic, MS-Net, or PC-LAN software have no allowance for usernames, you can include these workstations on your network by setting up accounts with the workstations' computernames. The MS-DOS user interacts with the LAN Manager server as if the server were an MS-Net or PC-LAN server, but the user is subject to LAN Manager security. Sharing Resources Having established security for resources on the servers, you share the resources so that people can use them. For more information about how to share and control each type of resource, see Part 3, "Sharing Resources." In addition to sharing devices, you can share a server's processor and memory, letting users run programs on the server while doing other work at their workstations. You decide which programs can be run, who can run them, and how many can run at one time. For information about how to share the server's processing and memory capabilities using the LAN Manager Netrun service, see Chapter 12, "Sharing Processing Power." Maintaining the Network Your job as administrator is not over once the network is set up and all of the user accounts and groups are in place. Maintaining the network and monitoring its activities is an ongoing role. For information about how to use LAN Manager server statistics to diagnose problems, see Chapter 16, "Monitoring the Network." Chapter 16 also describes how to synchronize the clocks in all of the computers on the network. Over time, network needs change. You'll need to add and remove computers, resources, and user accounts. As changes occur, you'll need to tune the LAN Manager server software. For information about improving the way a server functions, see the Microsoft LAN Manager Administrator's Reference; it explains how you can improve the way a server functions by modifying entries in the LANMAN.INI file (the configuration file for LAN Manager software). Working with Other Network Software LAN Manager works with other types of networking software to let you combine old and new software on one network. MS-DOS computers with MS-Net or PC-LAN network software can use resources shared by LAN Manager servers. Similarly, LAN Manager workstations can use the resources of MS-Net, PC-LAN, and XENIX(R) servers. Where it is needed, this manual describes special considerations for other network software that might be integrated with LAN Manager. Chapter 2 Getting Started ──────────────────────────────────────────────────────────────────────────── This chapter explains how to set up your local-area network. It describes how to start the first server on a new network and how to start a server on an existing network. It also provides procedures for starting the Workstation and Server services, and for logging on to the network. The LAN Manager Screen for administrators is described, with instructions for moving around in it using the keyboard and the mouse. Information is also provided about getting online help, administering remote servers, controlling services, and quitting LAN Manager. The procedures in this chapter use the LAN Manager Screen. For more information about each LAN Manager command, see the Microsoft LAN Manager Administrator's Reference. For information about the LAN Manager features discussed in this chapter, see Chapter 1, "Overview." Starting LAN Manager Starting LAN Manager to perform administrative tasks involves two separate procedures: ■ Starting the Workstation and Server services ■ Logging on to the network Starting the Workstation service loads software into your computer's memory that lets you use the workstation. Starting the Server service lets you share, control, and monitor your computer's resources. When you start LAN Manager for the first time at the first server on the network, the procedures you follow for logging on are unique. This section explains how to start the first server on the network and how to start servers on an existing network. Logging on establishes you as the user of the workstation and server. When you log on, you supply your username and password. If you are logging on at the first server on the network, you must supply a special username and password. If you are logging on at a server on an existing network running logon security─in which servers share a common database of user accounts to verify logons─your username and password identify you as a member of a domain. You don't need to include a domain name to log on in the workstation domain, which is specified in the workstation's LAN Manager software. ──────────────────────────────────────────────────────────────────────────── NOTE If you are using a 386 computer with HPFS386 and local security, you will see the following message when you turn on your computer: ──────────────────────────────────────────────────────────────────────────── LAN Manager local security has started. Press ESC to log on now, or press ENTER to start the computer with no one logged on. If you plan to log on when you start the computer, press ESC. For information about local security and situations in which you would want to press ENTER instead of ESC, see Chapter 4, "User-Level Security." Starting the Workstation and Server Services Command Line To start both the Workstation and Server services, type net start server This command starts both the Workstation service and the Server service. Separate messages appear, telling you that each service is starting. The Workstation and Server services can be started individually using command-line commands or the LAN Manager Screen for administrators. Once the Workstation and Server services are started, you must log on. You can log on using the LAN Manager Screen for administrators or by typing LAN Manager commands from the command line. Logging On You use different procedures for logging on for the first time at the first server on the network and for logging on at a server on an existing network. Logging On at the First Server on the Network Use the following procedure for logging on for the first time at the first server on the network. To log on using the LAN Manager Screen for administrators: 1. From the command line, start the LAN Manager Screen for administrators by typing net admin ──────────────────────────────────────────────────────────────────────────── NOTE Typing net admin /mono improves the LAN Manager Screen display for some computer screens. Try the command with and without /mono to determine which display you The following message box appears: (This figure may be found in the printed book). A username appears in the "Username" text box. (This is from the username entry in the [netshell] section of the LANMAN.INI file, or, if that entry is blank, it is the workstation's computername.) 2. In the "Username" text box, type admin 3. Press TAB to move to the "Password" text box. 4. In the "Password" text box, type password 5. Press TAB to move to <OK>. 6. Press ENTER. The following message box appears: (This figure may be found in the printed book). 7. Press ESC or ENTER. The following message box appears: (This figure may be found in the printed book). This message box should tell you that you have administrative privileges at your server. If not, log off and try this procedure again (see "Quitting LAN Manager," later in this chapter). 8. Press ESC or ENTER. If you are not using the LAN Manager Screen for administrators, you can type commands from the command line to perform administrative tasks. Command Line To log on using command-line commands, type net logon admin password See Net Logon, Microsoft LAN Manager Administrator's Reference. First Server Account - If you logged on at the first server on the network with the username admin and the password password, you are using the default administrative account. This account is created by the Setup program when LAN Manager is installed, and it is the only user account on the server when you start. This account gives you administrative privileges. It cannot be deleted unless you create another account with administrative privileges. You can change the password. To keep this account secure, you might want to change the password before setting up other servers and workstations. You also might want to add a new account with administrative privileges for yourself. For more information about accounts and changing passwords, see Chapter 4, "User-Level Security." For information about setting up the network, read the rest of this chapter, and then Chapter 3, "Understanding and Planning Security." Logging On to an Existing Network Use the following procedure for logging on at a server on an existing network. To log on using the LAN Manager Screen for administrators: 1. From the command line, start the LAN Manager Screen for administrators by typing net admin ──────────────────────────────────────────────────────────────────────────── NOTE Typing net admin /mono improves the LAN Manager Screen display for some computer screens. Try the command with and without /mono to determine which display you The following message box appears: (This figure may be found in the printed book). A username appears in the "Username" text box. (This is from the username entry in the [netshell] section of the LANMAN.INI file, or, if that entry is blank, it is the workstation's computername.) 2. In the "Username" text box, supply a username. You can type a different username, or log on with the username displayed by leaving the text box alone. Pressing any key removes the name displayed in the text box. 3. Press TAB to move to the "Password" text box. 4. Type a password. The password is not displayed as you type it. 5. Press TAB to move to the "Domain" text box. Leave this text box blank to log on in the workstation domain, or type a domain name to specify a different logon domain. 6. Press TAB to move to <OK>. 7. Press ENTER. The following message box appears: (This figure may be found in the printed book). This message box displays the computername of the server that verified your logon, the date and time you last logged on in the domain, and the time by which you must log off. 8. Press ESC or ENTER. The following message box appears: (This figure may be found in the printed book). This message box should tell you that you have administrative privileges at your server. If not, log off and try this procedure again (see "Quitting LAN Manager," later in this chapter). Be sure to type the correct password. 9. Press ESC or ENTER. If you are not using the LAN Manager Screen for administrators, you can type commands from the command line to perform administrative tasks. Command Line To log on using command-line commands, type net logon username password [/domain:name] See Net Logon, Microsoft LAN Manager Administrator's Reference. Existing Network Accounts - When you log on to an existing network, you may receive messages that you are logged on standalone. If the domain into which you log on is not running logon security, you are logged on standalone. If the domain is running logon security, being logged on standalone probably means that you specified an incorrect username and password. It could also indicate that the server that verifies logons is not running. Try logging on again. If you are still unsuccessful, check to ensure that the server verifying logons is running properly, and that it has an account for you. For information about logon security, see Chapter 4, "User-Level Security." Using the LAN Manager Screen The LAN Manager Screen for administrators lets you perform administrative and other network tasks without having to memorize commands or syntax. Figure 2.1 shows the LAN Manager Screen. (This figure may be found in the printed book). The LAN Manager Screen for administrators contains these elements: Menu bar Displays the names of menus from which you can choose commands. Current focus Shows the computername of your workstation or the server that is the focus of activity when using LAN Manager Screen commands. Workstation information Provides the following information about your workstation: Your username The username specified when you logged on to the network. Your computername The computername specified when the workstation was started. Your domain The name of your logon domain. This is the domain name specified when you logged on to the network. If you didn't specify a domain name, you automatically logged on in the workstation domain, which is specified in the LANMAN.INI file. Note that the workstation domain and the logon domain are the same if you logged on in the workstation domain. Servers visible at the workstation Lists the servers in the logon and workstation domains, and in the other domains listed in the othdomains entry of the LANMAN.INI file. Scroll bar Lets you scroll through the servers using the mouse. Message line Provides a brief statement about the current menu, command, or task. To use the LAN Manager Screen for administrators, you select a menu, which displays a list of commands, and then you choose a command. A dialog box then appears, in which you enter information to perform a task. The following sections explain menus and dialog boxes and tell you how to use the keyboard and the mouse to move through them and perform tasks. Using Menus and Menu Commands Menus are the starting point for any LAN Manager Screen operation. The names of all six menus appear in the menu bar across the top of the LAN Manager Screen. When you select a menu, a list of commands appears. You can then choose a command to tell LAN Manager the type of task you want to perform. Except for Exit on the View menu, each command leads to a dialog box. If a menu command does not contain a highlighted letter, that command is not available (for example, commands requiring administrative privileges are not available to users with user privileges). From menus on the LAN Manager Screen, you can perform the following tasks: View menu View, control, and connect to resources shared by servers, view the connections of the workstation or server of current focus, view information about users on the network, and exit the LAN Manager Screen. Message menu Send, log, and read messages, and manage aliases (names used to receive messages). Config menu Log on, log off, use profiles, view the workstation configuration, set the server configuration, and control services. Status menu View the status of shared resources, view workstation and server statistics and errors, and read the audit trail and error log. Accounts menu Change user accounts and groups, view and set permissions and security settings for shared resources, and change the options and password for your account at a server. Help menu Access different types of online help. When viewing or selecting menus, and choosing menu commands, use these keys: ╓┌───────────────────┌───────────────────────────────────────────────────────╖ Key Action ──────────────────────────────────────────────────────────────────────────── ALT Activates menu names on the menu bar. Highlighted letter When menu names are activated or menu commands are displayed,selects the menu or chooses the menu command that contains the highlighted letter. When a menu is displayed,moves from one menu to another. When a menu is displayed,moves from one command to another. ENTER Selects a menu or chooses a menu command. ESC Removes a menu from the screen. Key Action ──────────────────────────────────────────────────────────────────────────── ──────────────────────────────────────────────────────────────────────────── To select a menu with the mouse, click the menu name (position the mouse pointer on the menu name, and then press and release the left mouse button). The menu appears; you can then choose a menu command by clicking it. Using Dialog Boxes Dialog boxes request information needed to perform a task. Dialog boxes contain as many as five areas, or fields. Each dialog box has a name displayed at the top. Dialog Box Fields Dialog boxes contain one or more of the following fields: ■ Text boxes, which receive typed information ■ List boxes, which present a list of items to select from ■ Check boxes, which let you mark or unmark an option ■ Option buttons, which let you select one of multiple options ■ Command buttons, which perform an action Figure 2.2 shows four dialog box fields and the dialog box title. (This figure may be found in the printed book). Use the following keys to move around in dialog boxes: ╓┌─────────────────────────────────┌───────────────────────────────────────── Key Action ──────────────────────────────────────────────────────────────────────────── Highlighted letter Moves the cursor to the highlighted letter's field. If the cursor is in a list box or a text box,you must hold down the ALT key while you press the highlighted letter. Pressing the highlighted letter in a command button chooses that command button. TAB Moves the cursor to the next field. SHIFT+TAB Moves the cursor to the previous field. ENTER Carries out the actions you specified. ESC Cancels any actions and removes the dialog box from the screen. ──────────────────────────────────────────────────────────────────────────── Key Action ──────────────────────────────────────────────────────────────────────────── The five dialog box fields are described in the following sections. Text Boxes - You type information in a text box. A text box is surrounded by brackets and contains a series of dots that are replaced with characters as you type. It can sometimes hold more characters than appear between the brackets by scrolling characters to the left. A text box may appear with information provided, such as your username. If so, pressing any character removes the information. Use the following keys to move around in a text box: ╓┌─────────────────────────────────┌───────────────────────────────────────── Key Action ──────────────────────────────────────────────────────────────────────────── Moves the cursor one space to the left. Key Action ──────────────────────────────────────────────────────────────────────────── Moves the cursor one space to the right. HOME Moves the cursor to the first character in the text box. END Moves the cursor to the last character in the text box. DEL Deletes the character that the cursor is on. BACKSPACE Deletes the character to the left of the cursor. ──────────────────────────────────────────────────────────────────────────── If you are using the mouse, you can scroll the characters in the text box by clicking a bracket (position the mouse pointer on the bracket, and then press and release the left mouse button). List Boxes - In a list box, you view items by scrolling through a list. For example, there can be lists of resources available on a server or lists of print jobs waiting to be printed. Use the following keys to move around in a list box: ╓┌─────────────────────────────────┌───────────────────────────────────────── Key Action ──────────────────────────────────────────────────────────────────────────── Moves the cursor up one line. Moves the cursor down one line. PG UP Moves the cursor up one page. (A page is the portion of the list that appears on the screen.) Key Action ──────────────────────────────────────────────────────────────────────────── PG DN Moves the cursor down one page. HOME Moves the cursor to the top of the list. END Moves the cursor to the bottom of the list. F5 Refreshes a list of items. ──────────────────────────────────────────────────────────────────────────── Pressing a letter while the cursor is in a list box moves the cursor to the next item that begins with that letter. This includes the list box of server computernames on the LAN Manager Screen. A scroll bar and a scroll box appear at the right of the list box. The scroll bar lets you use the mouse to move through a list with more than one screen of information. Click the up or down arrow (position the mouse pointer on the arrow, and then press and release the left mouse button) to move the view up or down one line. The position of the scroll box on the scroll bar reflects the position of the information in the window relative to the total contents of the list. You can move through the list by positioning the mouse pointer on the scroll box, holding the left mouse button down, then dragging the scroll box. To select an item in a list box with the mouse, click the item. If the dialog box has a <Zoom> command button, double-clicking an item zooms in on it. Otherwise, double-clicking performs the action that corresponds to the first command button listed. To double-click, position the mouse pointer, and then press and release the left mouse button twice with a quick motion. Check Boxes - With a check box, you turn an option on or off. When a check box is marked with an X, the option is turned on. Use the SPACEBAR as a toggle switch to mark or unmark a check box. To mark or unmark a check box with the mouse, click the check box (position the mouse pointer within the brackets, and then press and release the left mouse button). Option Buttons - An option button lets you select one option from a group of options. One option button is always preselected, and only one option button can be selected at a time. To select an option button, use the following keys: ╓┌─────────────────────────────────┌───────────────────────────────────────── Key Action ──────────────────────────────────────────────────────────────────────────── Changes the selected option to the previous option. Changes the selected option to the next option. ──────────────────────────────────────────────────────────────────────────── Key Action ──────────────────────────────────────────────────────────────────────────── To select an option button with the mouse, click it (position the mouse pointer within the parentheses, and then press and release the left mouse button). Command Buttons - A command button lets you perform a specific action. A command button that does not contain a highlighted letter is not active. To choose a command button, press the TAB key to move to the button, and then press ENTER. You can also press the letter highlighted in the command button to choose a command button. (If the cursor is in a list box or text field, you must hold down the ALT key while pressing the highlighted letter.) To choose a command button with the mouse, click it (position the mouse pointer on any character within the command button, and then press and release the left mouse button). Getting Help with the LAN Manager Screen There are two ways to get help while using the LAN Manager Screen for administrators: by selecting the Help menu or by pressing F1. The Help menu provides access to help topics. To get more information about a particular menu, command, or dialog box: 1. Press F1 while that item is displayed. For example, if you press F1 while the LAN Manager Screen for administrators is displayed, the following message box appears: (This figure may be found in the printed book). 2. Choose <Done> or press ESC. This removes help boxes from the screen. Getting Help from the Command Line You can also get several types of help from the command line. Command Line To get help from the command line: ■ Display a list of commands and topics for which help is available by typing net help ■ Display help for a particular command by typing net help command ■ Display only the options of a command by typing net help command /options ■ Display a command's syntax by typing net command /? For more information about getting help from the command line, see the Microsoft LAN Manager Administrator's Reference. Getting Help with Error Messages You can get help with errors that occur while you are using the LAN Manager Screen for administrators. To get help with an error message: Press F1 when the message box is displayed. Command Line To get help with an error message, type net helpmsg message# See Net Helpmsg, Microsoft LAN Manager Administrator's Reference. Administering Remote Servers If you have administrative privilege on a server, you can perform administrative tasks at that server from any LAN Manager workstation or server on the network. To administer a remote server, log on at a server or workstation with your username and password. Use the net admin command to start a command processor that lets you type command-line commands at the server or to start the LAN Manager Screen for administrators (MS OS/2 workstations only). If you are administering a remote server with the LAN Manager Screen for administrators, you must set the current focus on the remote server. For information about remote administration, see the net admin command in the Microsoft LAN Manager Administrator's Reference. The server you are administering must be sharing the ADMIN$ and IPC$ resources. These resources let you establish a session with the server. Servers with user-level security share these resources automatically; servers with share-level security must explicitly share these resources. For more information about sharing ADMIN$ and IPC$, see Chapter 6, "Administrative Resources." To administer a remote server with the LAN Manager Screen for administrators, you must set the current focus on the server (see the following section, "Setting the Current Focus"). Remote administration cannot be done at a LAN Manager Basic for MS-DOS workstation. Setting the Current Focus When you start the LAN Manager Screen for administrators, the "Current focus" line and the "Set current focus on" text box display the server's computername. This means the server is the focus of activity when you use menus and dialog boxes. Using the LAN Manager Screen for administrators, you can administer servers remotely, manage their shared resources, and connect them to other resources. The first step in performing such tasks is to set the current focus on the server you want to administer remotely or whose resources you want to view or use. This makes the server the focus of activity. To set the current focus on a server: 1. Select the computername of a server. Scroll through the list box or press the first letter of the server's computername until the name appears in the "Set current focus on" text box. Or you can type the server's computername in the "Set current focus on" text box. The server does not need to be listed to set the focus on it. 2. Press ENTER. 3. If a dialog box appears prompting you for a password, in the "Password" text box, type the password needed to gain access to the server. The server's computername is then displayed on the "Current focus" line, and a message box that shows your privileges at that server appears. ──────────────────────────────────────────────────────────────────────────── NOTE You can monitor several servers simultaneously by establishing different MS OS/2 Controlling LAN Manager Services Along with the Workstation and Server services, LAN Manager, by default, starts these other services at a server: ■ The Messenger service, which lets you send, receive, and log messages. ■ The Netpopup service, which displays a message box on your computer's screen when a message is received from another user or a server on the network. Unlike the message boxes that are displayed during logon, the Netpopup service message boxes are not part of the LAN Manager Screen; they appear regardless of what application you are using. ■ The Alerter service, which sends messages to specified users about activity at the server. The following services can also be run at a server: Netlogon Verifies the username and password supplied by each person who attempts to log on to the network or gain access to the server. See Chapter 4, "User-Level Security." Netrun Enables users at workstations to run programs on the server. See Chapter 12, "Sharing Processing Power." Remoteboot Enables a server to boot workstations with MS OS/2 or MS-DOS software. See Chapter 14, "Using the Remoteboot Service." Replicator Duplicates a master set of directories and files, or designated directories and files, on other servers and workstations. See Chapter 13, "Replicating Files and Directories." Timesource Enables an administrator to designate a server as a central time server for synchronizing computer clocks on the network. See Chapter 16, "Monitoring the Network." UPS Provides an uninterruptible power supply to keep the server operating in the event of a power failure. See Chapter 15, "Guarding Against Data Loss." An MS OS/2 workstation can run the Peer service instead of the Server service. The Peer service lets the workstation share its resources with one user at a time at a remote workstation. The Peer service is installed by the Setup program. When starting and using the Peer service, the terms "Peer" and "Server" are synonymous. Note, however, that a workstation cannot run the Peer service and the Server service at the same time. Once a LAN Manager service is running, you can pause, continue, stop, and restart it. Pausing a Service You can pause, or suspend, the Server, Workstation, and other services. Unlike stopping, pausing does not cancel resource sharing or connections, or change settings associated with the service. Pausing the Server service prevents users from making new connections to the server's shared resources. However, users who have connections to shared resources before the service is paused can continue using the resources after the service is paused. Pausing the Workstation service lets you use the computer's devicenames for local resources instead of network resources. Pausing the Workstation service also pauses the Messenger and Netpopup services. To pause a service: 1. From the Config menu, choose Control services. The dialog box shown in Figure 2.3 appears. (This figure may be found in the printed book). This dialog box displays a list of LAN Manager Services. The "Services in LANMAN.INI" column lists service names. Each service name corresponds to a section of the LANMAN.INI file that contains entries that control the service. The "Status" column displays the status of the service. If no status is displayed, the service is not running. 2. Select the service you want to pause. 3. Choose <Pause>. 4. Choose <Done>. Command Line To pause a service, type net pause service See Net Pause, Microsoft LAN Manager Administrator's Reference. Continuing a Service Continuing a service restores resource sharing, connections, and other associated services that were previously paused. To continue a service: 1. From the Config menu, choose Control services. The "LAN Manager Services" dialog box (Figure 2.3) appears. 2. Select the service you want to continue. 3. Choose <Continue>. 4. Choose <Done>. Command Line To continue a service, type net continue service See Net Continue, Microsoft LAN Manager Administrator's Reference. Stopping a Service Stopping disables a service and removes software from your computer's memory. Depending on the service, stopping may cancel resource sharing and connections, and delete message aliases. ──────────────────────────────────────────────────────────────────────────── CAUTION Do not stop a LAN Manager server by pressing CTRL+ALT+DEL. With MS OS/2, many processes, along with LAN Manager, may be running. Stop LAN Manager services, then use the Presentation Manager Shutdown procedure before restarting or turning off your computer. ──────────────────────────────────────────────────────────────────────────── To stop services with the LAN Manager Screen, you must set the current focus on your (*Local*) workstation. Before stopping a service, LAN Manager displays a message box that lists connections to resources associated with the service and prompts you for confirmation to stop the service. ──────────────────────────────────────────────────────────────────────────── NOTE Before stopping the Server service, it's a good idea to first pause the service and send a message to users connected to the server's shared resources, warning them that the Server service will be stopped. For information about sending messages, see the Microsoft LAN Manager User's Guide. ──────────────────────────────────────────────────────────────────────────── Stopping All Services To stop all LAN Manager services: 1. From the Config menu, choose Stop LAN Manager services. The following dialog box appears: (This figure may be found in the printed book). 2. Choose <OK>. LAN Manager displays a series of message boxes telling you that your username is logged off from the network and that the workstation is stopped. Stopping an Individual Service You can stop any service to remove LAN Manager software from your computer's memory. Stopping has different effects, depending on the service: ■ Stopping the Server service cancels any shared resources and cancels other users' connections to shared resources. Only a user with admin privilege can stop the Server service. ■ Stopping the Workstation service removes all LAN Manager software and logs you off from the network. It stops all other services, cancels network connections, and deletes message aliases. ■ Stopping the Messenger service prevents your workstation from receiving messages and stops the Netpopup service. ■ Stopping the Netpopup service prevents your workstation from displaying a message box when a message is received. To stop a service: 1. From the Config menu, choose Control services. The "LAN Manager Services" dialog box (Figure 2.3) appears. 2. Select the service you want to stop. 3. Choose <Stop>. A dialog box similar to the following one appears: (This figure may be found in the printed book). 4. Choose <OK>. Command Line To stop a service, type net stop service See Net Stop, Microsoft LAN Manager Administrator's Reference. Starting a Service To start a service: 1. From the Config menu, choose Control services. The "LAN Manager Services" dialog box (Figure 2.3) appears. 2. Select the service you want to start. 3. Choose <Start>. If you are starting the Server service, the dialog box shown in Figure 2.4 appears. (This figure may be found in the printed book). 4. Choose <OK>. This starts the service with LAN Manager default settings. If you want to start the service with a setting other than the default value, see the following section, "Adjusting Service Performance." 5. Choose <Done>. Adjusting Service Performance The performance of a service is determined by a group of entries (or options) in the LANMAN.INI initialization file. Each entry has an assigned value that determines how a specific aspect of the service performs. For example, the computername entry in the [workstation] section specifies the server's computername, and the maxusers entry in the [server] section specifies the maximum number of users who can use a server's shared resources simultaneously. Entries are arranged in the LANMAN.INI file according to the service they control. Each entry has a default value. When you start a service, you can override the default value for an entry. The revised value remains in effect for as long as the service is running. When you stop and restart the service, the default value is restored. To permanently change a setting for a service, use the Setup program or use a text editor to edit the LANMAN.INI file. The new settings take effect after the file is edited and the service is restarted. For a summary of LANMAN.INI entries, see Appendix A, "The LANMAN.INI File." For a full description of LANMAN.INI entries, see the Microsoft LAN Manager Administrator's Reference. To override LANMAN.INI option values when starting a service: 1. From the Config menu, choose Control services. The "LAN Manager Services" dialog box (Figure 2.3) appears. 2. Select the service you want to start. 3. Choose <Start>. The "Start a LAN Manager Service" dialog box (Figure 2.4) appears. The "Option" column displays the entries in the LANMAN.INI file that control the service. The default values are displayed in the "Value" column. 4. Scroll through the list of options to select an option or, in the "Option" text box, type the name of the option you want to change. 5. In the "Value" text box, type the value you want to assign to the option. 6. Choose <Set>. If you want to change another option, repeat steps 4, 5, and 6. To restore default settings, choose <Reset> for a selected option or <Reset all> for all options. 7. Choose <OK>. If you specify an illegal value, LAN Manager displays an error message, and the "Start a LAN Manager Service" dialog box (Figure 2.4) reappears. Command Line To override LANMAN.INI option values when starting a service, type net start service [options] See Net Start, Microsoft LAN Manager Administrator's Reference. Stopping and Starting Administrative Services Here is another way to stop and start the Server service and other administrative services. To stop and start administrative services: 1. From the Config menu, choose Server options. The following dialog box appears: (This figure may be found in the printed book). The "Start server services" check boxes control the following services: ╓┌─────────────────────────────────┌─────────────────────────────────────────╖ Check Box Service Controlled ──────────────────────────────────────────────────────────────────────────── Check Box Service Controlled ──────────────────────────────────────────────────────────────────────────── Server Server Admin alerter Alerter Netrun service Netrun Central logon Netlogon Remote boot Remoteboot File replicator Replicator SQL database SQL Database Server (optional) ──────────────────────────────────────────────────────────────────────────── If the check box is marked with an X, the service is running. If the check box is empty, the service is not running. 2. Select the appropriate check box; use the SPACEBAR to toggle between on and off. 3. Choose <OK>. NOTE If you use this procedure to start a service, LAN Manager uses default LANMAN.INI values to configure the service. Stopping and Starting the Messenger and Netpopup Services Here is another way to stop and start the Messenger and Netpopup services. To stop and start the Messenger and Netpopup services: 1. From the Config menu, choose Workstation options. The following dialog box appears: (This figure may be found in the printed book). 2. Select the Messenger or Netpopup check box; use the SPACEBAR to toggle between on and off. If the check box is marked with an X, the service is running. If the check box is empty, the service is not running. 3. Choose <OK>. Quitting LAN Manager Quitting LAN Manager involves two steps: ■ Logging off from the network ■ Stopping the Workstation and Server services Logging Off from the Network Logging off removes your username and password from the server and cancels any resource sharing or connections, but it does not stop LAN Manager services. You should log off when you won't be using the server and workstation for a while. That way, no one can use your network identity to share or use resources to which you have access. To log off from the network: 1. From the Config menu, choose Log off from LAN. If you have any connections, the following message box appears: (This figure may be found in the printed book). 2. Choose <OK>. The following message box appears: (This figure may be found in the printed book). 3. Choose <OK>. After you log off, you can't use any shared resources. However, the Workstation and Server services are still running. Command Line To log off from the network, type net logoff See Net Logoff, Microsoft LAN Manager Administrator's Reference. Stopping the Workstation and Server Services When you stop the Workstation and Server services, all network services are stopped and all connections to the network end. If you are logged on, stopping the Workstation service logs you off. You must restart the services and log on if you want to use the network and share resources again. For information about stopping services, see the "Stopping a Service" section, earlier in this chapter. ──────────────────────────────────────────────────────────────────────────── CAUTION Do not stop a LAN Manager server by pressing CTRL+ALT+DEL. With MS OS/2, many processes, along with LAN Manager, may be running. Stop LAN Manager services, then use the Presentation Manager Shutdown procedure before restarting or turning off your computer. ──────────────────────────────────────────────────────────────────────────── Exiting the LAN Manager Screen for Administrators Exiting the LAN Manager Screen returns you to the MS OS/2 prompt. If the Workstation and Server services are still running and you are logged on, exiting the LAN Manager Screen does not log you off, stop LAN Manager services, or cancel any resource sharing or connections you've established. To exit the LAN Manager Screen for administrators: 1. Press ESC to close all dialog boxes until only the LAN Manager Screen is displayed. 2. Press F3 or, from the View menu, choose Exit. The LAN Manager Screen for administrators disappears and the MS OS/2 prompt appears on your computer's screen. PART II Managing Security ──────────────────────────────────────────────────────────────────────────── Part 2 explains LAN Manager security. One of two types of security─user-level or share-level─protects each server's resources. A local-area network can include a mixed set of servers running either type of security. The default security is user-level security, discussed in Chapter 4. User-level security controls each person's access to each shared resource and provides local security on 386 servers with high-performance file system 386 (HPFS386). Using share-level security, discussed in Chapter 5, permissions are assigned for the resource, which is protected by a password. All users who know the password get the same level of permissions for the resource. Chapter 3 Understanding and Planning Security ──────────────────────────────────────────────────────────────────────────── When setting up the network, you must decide how to enforce network security to protect resources from unauthorized use. You decide which of LAN Manager's two forms of security to use on each server: ■ User-level security. With user-level security, you set permissions for each directory, file, printer queue, communication-device queue, and named pipe shared on the server, specifying exactly which users can use them and how. You can assign each user a password, which the user must type to be able to access the server. ■ Share-level security. With share-level security, you assign a password to each resource you share, instead of specifying by name who can use the resource. All users who know a resource's password can use the resource. A server runs either user-level or share-level security; it can't run both. The default is user-level security. Servers with user-level security and servers with share-level security can be on the same network. User-level security is LAN Manager's recommended security mode. User-level security lets you take advantage of other LAN Manager security features, including logon security, which checks users' names and passwords when they log on to the network, and local security, which extends access restrictions on a 386 server's files to users working at the server itself. This chapter introduces LAN Manager security. It also introduces domains, which are servers and workstations grouped together for administrative purposes. Chapter 4, "User-Level Security," and Chapter 5, "Share-Level Security," describe user-level and share-level security in detail. At the end of this chapter are instructions for filling out two worksheets that guide you through the decisions you must make when setting up security. Domains The basic administrative unit in LAN Manager is the domain. Divide your network into domains according to how people work together─for example, the servers and workstations in each department or on each floor can be grouped into one domain. Dividing large networks into domains keeps them manageable. For example, when users type the net view command to display a list of available servers, they see only servers in their domain, not those on the whole network. However, they can still access resources on servers in any domain. Domains are also involved in how logon security simplifies network administration. With logon security, each domain becomes an administrative unit; administrators can use a single command to change a user account on all of the domain's servers that participate in logon security, and users have a single password that gives them access to resources on servers throughout the domain. Logon security is implemented in domains with the Netlogon service and is explained in the "Logon Security" section, later in this chapter. Basics of User-Level Security On a server with user-level security, you create a user account for each person who will be using the server's resources. The account contains information about the user, including a username and password. The username identifies the user to LAN Manager; each user of the network must have a unique username. The password is used by LAN Manager to confirm that a user actually is who he or she claims to be. The user must type it to access any of the server's resources. Before sharing a resource, you specify which users are allowed to use the resource and what permissions they have. Permissions define the types of actions the user can perform on the resource. You can define a different set of permissions for each user. You can even define permissions differently for each file in the directories the server shares. For example, suppose you share the directory REPORTS, containing files called STATUS and PAYROLL. You could give the user shirleyj permission to read from and write to both files and to create and delete files in the directory; give johnv permission to read both files but not to write to, create, or delete files; give roberty permission to read only the STATUS file; and give lizp no permissions at all. To make assigning permissions simpler, you can create groups of users and assign permissions to these groups. Granting permissions to groups rather than to individual users saves administration time. The user accounts and groups you create make up the user accounts database, which is kept in the NET.ACC file in the LANMAN\ACCOUNTS directory. When a user tries to access a resource shared by a server with user-level security, the server checks the username and password. If the username matches an account in the server's user accounts database, and the supplied password matches the password of that account, and the user (or a group the user is a member of) has been given adequate permissions for the resource, then the user is granted access. By providing a way to specify exactly who is allowed to use each resource and in what way, user-level security gives you a precise form of security. Its flexibility in setting permissions differently for each user and each file makes it a good choice for servers that share files. Another benefit of user-level security is that it lets you run logon security and local security on the server. The following sections describe logon security and local security. Logon Security Logon security, implemented by LAN Manager's Netlogon service, provides two benefits: distribution of a domainwide user accounts database, and validation of logon requests. Distribution of a Domainwide User Accounts Database In a domain with logon security, the servers that participate in logon security keep and use identical copies of a domainwide user accounts database. This makes administration easier─especially if the domain has many servers. You create a master user accounts database for the domain on one server, and this database is copied automatically to the other servers in the domain that participate in logon security. You don't have to create user accounts separately on each server. When you need to make changes or additions to the domainwide database, you make them only on the server that holds the master copy of the database, and they are copied automatically to the other servers. Using LAN Manager's remote administration feature, you can make these changes to the master database from any workstation with LAN Manager for MS OS/2 or LAN Manager Enhanced for MS-DOS, further simplifying administration. ──────────────────────────────────────────────────────────────────────────── NOTE When adding user accounts or changing users' passwords during remote administration, it is better to use a workstation with MS OS/2. When you use an MS OS/2 workstation to add a user account or change a user's password, the password is encrypted before it is sent over the network; when you do so from an MS-DOS workstation, the password is not encrypted. However, when a user at an MS-DOS workstation changes his or her own password, the password is encrypted before being sent over the network. ──────────────────────────────────────────────────────────────────────────── In a domain with logon security, using the network is easier for users as well. Each user has a single password that gives him or her access to all the servers participating in logon security in the domain. Each server participating in logon security and running the Netlogon service has one of three roles: ■ Primary domain controller─Each domain with logon security must have one primary domain controller. This server has the master copy of the domain's user accounts database. Changes to the domain's user accounts database are made to the database of this server. The primary domain controller can also validate logon requests in the domain. ■ Backup domain controller─Each domain can have one or more backup domain controllers. Backup domain controllers have and use copies of the domain's user accounts database, and like the primary domain controller can validate logon requests. Having backup domain controllers improves performance and reliability: the load of logon processing can be spread among several servers instead of resting solely on the primary domain controller, and logon validation in the domain continues even if the primary domain controller is unavailable. ■ Member server─Each domain can have one or more member servers. Member servers have and use copies of the domainwide user accounts database but don't validate logon requests. Because a member server doesn't spend time processing logon requests, this role may be a good choice for servers that have heavy work loads. At each backup domain controller and member server, the Netlogon service ensures that its local copy of the domainwide user accounts database stays identical to the master copy kept at the primary domain controller. At regular intervals, the primary domain controller sends each backup and member the update information required to keep the databases of those servers up to date. If the primary goes down or is stopped, no changes to the domain's user accounts database can be made, but logon request processing continues as long as one or more backup domain controllers are running in the domain. Because the primary, backups, and members keep their own copies of the database, and because the primary and all backups can validate logon requests, there isn't a single point of failure in the domain. Not all servers in a domain with logon security have to participate in logon security and use the domainwide user accounts database. Servers that have user-level security but don't run the Netlogon service are standalone servers. Each standalone server has its own user accounts database instead of keeping a copy of the domainwide database. LAN Manager servers are installed as standalone servers. Chapter 4, "User-Level Security," explains how to change the roles of servers and set up a domain. Servers with share-level security can also be in a domain with logon security. To use a resource on one of these servers, a user must have logged on to the network and must know the password of the desired resource. Servers with share-level security don't have user accounts databases, don't check the identity of users, and don't participate in logon validation─knowledge of the resource's password is all that is necessary for a user to access a resource shared on a server with share-level security. Servers running earlier versions of LAN Manager (1.x) can be in domains with LAN Manager 2.0 servers. However, LAN Manager 2.0 logon security is not interoperable with LAN Manager 1.x logon security; if the Netlogon service is running on any LAN Manager 2.0 server in the domain, no LAN Manager 1.x server can run its version of the Netlogon service. When LAN Manager 2.0 logon security is running, each 1.x server with user-level security in the domain has its own user accounts database and is treated as a standalone server. However, if a domain is using LAN Manager 2.0 logon security, logon security can be enforced for users using the domain's 1.x workstations as well as those with 2.0 workstations. For information about how to set up LAN Manager 1.x workstations to be controlled by LAN Manager 2.0 logon security, see Chapter 4, "User-Level Security." Validation of Logon Requests Running the Netlogon service on at least one server in the domain forces users' logon requests to be validated. Each time a user logs on at a workstation in the domain, a logon request is sent to the domain's logon servers─the primary and backup domain controllers. One of these servers will process the logon request: ■ If the user's account specifies a certain logon server, then that logon server is given the first chance to process the logon request. However, if that server is unavailable, another logon server (if one exists) will process the request. ■ If the user's account does not specify a particular logon server, then the logon server with the lightest work load at the time will process the request. The logon server that processes the request checks its copy of the domainwide user accounts database for the username and password given in the logon request, and does one of the following: ■ If the username and password match an account in the database, and the account's logon restrictions allow the user to log on at this hour and at this workstation, the user is logged on. ■ If the username matches an account in the database but the password provided doesn't match the password of that account, or the account is disabled or not allowed to log on at this time or from this workstation, the user is not logged on. ■ If the username doesn't match an account in the database, the user is logged on as a standalone logon. The user is not logged on in the domain─when an administrator views the list of users logged on in the domain, the user's username will not appear. The logon is not validated by any logon server and is separate from any domain on the network. The user won't be able to access the domain's servers that participate in logon security (except by using a guest account; see Chapter 4, "User-Level Security," for details about guest accounts). However, the user is logged on to the network so that he or she can access resources at standalone servers, servers with share-level security, or servers in other domains. ──────────────────────────────────────────────────────────────────────────── NOTE In domains where logon security is not implemented, or where all of the domain controllers are unavailable, all logon requests are processed as standalone A user who has logged on to the network can then try to access shared resources. Whenever the user tries to access a resource shared by a server with user-level security, the server checks for the user's username and password in its user accounts database. Thus, the domainwide user accounts database (a copy of which is kept on the primary and each backup and member) serves a dual role: the primary and backups use their copies to check logon requests of users logging on in the domain, and each server of each type (primary, backup, and member) uses its copy of the database to check each user who tries to access a resource on that server. You can also set up the Netlogon service to run a logon script whenever a logon server allows a user to log on in the domain. A logon script can be a batch file containing LAN Manager and operating system commands, or an executable file. The script is run on the workstation at which the user is logging on and configures the workstation for the user. Different scripts can be made for each user. Typical logon scripts contain commands to make network connections and start applications. For more information about logon scripts, see Chapter 4, "User-Level Security." Local Security Normally, permissions you set for a resource apply only to remote users─users accessing the resource while working at a different computer. With LAN Manager, local security can be run on 386 servers with HPFS386 and user-level security. Local security extends user-level security to local users (users working at the server itself). When LAN Manager is installed on a 386 server, the server's high-performance file system (HPFS) is replaced with LAN Manager's HPFS386, which features better performance than HPFS and is necessary for local security. Local security protects all files on the server's HPFS386 partitions from unauthorized local access. You set permissions for all files on the server, not just those in shared directories. A user working at a server with local security can access a file on that server only if he or she has been given adequate permissions for the file. When a program running on the server tries to access a file, it is subject to the file permissions of the local user currently logged on at the server (unless an administrator started the program and gave it special privileges). Security in Single-Server Domains In a domain or network with only one server, there is no need to set up a domainwide user accounts database for use by different servers. In this case, you have three options for setting up security: ■ Set up the server to run user-level security and the Netlogon service. The server will be the primary domain controller. The Netlogon service will check usernames and passwords of users when they log on to the network in this domain (and as always, the username and password will also be checked when users try to access shared resources). The Netlogon service also lets you use a logon script for users who log on in the domain. To take advantage of the full range of features of LAN Manager, including logon validation and logon scripts, it is recommended that you choose this option. ■ Set up the server to run user-level security without the Netlogon service. The server will be a standalone server, and all logon requests in the domain will be approved as standalone logons. The usernames and passwords will be checked only when a user tries to access resources. ■ Set up the server to run share-level security. Also, if the domain's server is a 386 server with user-level security, you can run local security on it. Protecting 286 Servers Since local security is available only for 386 servers, LAN Manager provides other ways of protecting 286 servers, in addition to the security mode (user-level or share-level) and logon security: ■ Run the console version of the LAN Manager Screen on the server. ■ Physically isolate the server. ■ Configure the server as "hidden." ──────────────────────────────────────────────────────────────────────────── NOTE LAN Manager also allows you to use each of these features on a 386 server. ──────────────────────────────────────────────────────────────────────────── The Console Version of the LAN Manager Screen Some servers, such as those that share printer queues, may need to be in a public place. To protect these servers from unauthorized local access, use the console version of the LAN Manager Screen. The console version, which is especially suited for servers that share printer queues or communication-device queues, displays queue information but doesn't allow access to the server's files. When starting the console version, you create a password that must be typed to exit the screen. Users who don't know the console screen password won't be able to exit the screen and access the server's files. For more information about the console version, see Chapter 11, "Running an Unattended Server." Physically Secure Servers Another way to protect servers from unauthorized local access is to physically isolate them in a locked room. You can then use LAN Manager's remote administration feature to administer these servers from any workstation with LAN Manager for MS OS/2 or LAN Manager Enhanced for MS-DOS. Remote administration is explained in Chapter 2, "Getting Started," and in the Microsoft LAN Manager Administrator's Reference. Hidden Servers To further protect a server from unauthorized remote access, you can "hide" it. Hidden servers are not listed when users display the list of servers in the domain. Users can still access the server and its resources if they know the server's name, but they have no way of using LAN Manager to find out that the server exists. To hide a server, use the srvhidden entry in the [server] section of the LANMAN.INI file. For more information about the LANMAN.INI file, see the Microsoft LAN Manager Administrator's Reference. Planning Security At the end of this chapter you'll find two worksheets on network security. The worksheets guide you through the decisions you'll make as you plan each domain on your network. It is a good idea to take time to carefully plan how the network will be set up─the type of security that will be used on each server, the resources each server will share, and what users and groups need access to those resources. It is important that you have a full understanding of LAN Manager security before you make your decisions. It is recommended that you take the following steps: 1. Read this chapter for an introduction to LAN Manager security. 2. Look at the worksheets at the end of the chapter and read the instructions in this section for filling them out. This will let you know what kinds of decisions you will be making when you set up security on the network. 3. For a detailed explanation of how user-level security and share-level security work, read Chapter 4, "User-Level Security," and Chapter 5, "Share-Level Security." 4. Fill out the worksheets. If you have any questions about the worksheets, reread the necessary sections of Chapters 3, 4, and 5. Make as many photocopies of each worksheet as you need. The following section contains procedures to help you fill out the worksheets. The worksheets help you decide what network configuration to set up initially. Once the network is set up and running, it is easy to modify the network for performance or reliability, add new servers, change the roles of servers, or account for any other changes in the way the network is used. Once you have completed the worksheets, you may want to keep them on file for future reference. Using the Domain Worksheet The first worksheet, "Setting Up a Domain," helps you plan a domain with logon security. The numbers next to the questions on the worksheet correspond to the step numbers in the following procedure. Although the steps are numbered, they are not necessarily sequential. You can skip steps if you like. 1. Note the name of the domain. 2. Note the number of servers in the domain. 3. Note the number of workstations in the domain. 4. Decide how many servers of each type, or role, will be in the domain. There will be one primary domain controller. It is recommended that you have at least one backup domain controller. The backup helps the primary validate logon requests, so having a backup lessens the average time it takes for validation of a logon request. Also, if the primary goes down or is stopped, backup domain controllers continue the validation of logon requests. If there are no backups in the domain and the primary goes down, all logon requests in the domain will be processed as standalone logons. To ensure good performance, have at least one domain controller per 50 users in the domain (if you have enough servers available). For example, a domain with 200 users should have at least four domain controllers─one primary and three backups. Servers that have heavy work loads should be set up as member servers so that they won't have to validate logon requests. If you want a server to have user-level security and a user accounts database that is different from the domainwide database, set it up as a standalone server. Servers that won't run logon security will be either a standalone server with user-level security or a server with share-level security. 5. On another sheet of paper, list users who will need accounts in the domainwide user accounts database, and consider what groups you should create. Putting users into groups and assigning resource permissions to the groups saves administration time. Each group should be made up of users with similar resource needs. The domainwide database can have as many as 253 groups, in addition to the special groups users, admins, and guests. For more information about the special groups, see Chapter 4, "User-Level Security." You will create these user accounts and groups on the domain's primary domain controller, and they will be copied to the domain's backup domain controllers and member servers. 6. On the list of users you just made, note who will be made administrators. Administrators can perform all network actions, including creating and modifying user accounts, starting and stopping services, sharing resources, and monitoring network activity. You will give these people user accounts with admin privilege. Also, consider which users should be given operator privileges for the domain's servers. Operator privileges let a user perform certain administrative tasks. There are four types of operator privileges, and any user (with user privilege) can be given one or more of these four types: ■ server─lets the operator start and stop services, share resources, read the error log, and close users' sessions ■ accounts─lets the operator create, remove, and modify user accounts (except those with admin privilege) and groups ■ print─lets the operator create, share, and modify printer queues and control print jobs ■ comm─lets the operator create, share, and modify communication-device queues and requests 7. Decide whether to use logon scripts in the domain. If logon scripts will be used and more than one server in the domain will be validating logon requests, you will need to set up the Replicator service to maintain an identical set of scripts on each server. For information about how to set up the replication of logon scripts, see Chapter 4, "User-Level Security." For a full explanation of the Replicator service, see Chapter 13, "Replicating Files and Directories." 8. Note the computernames of the domain's primary domain controller, backup domain controllers, and member servers. Chapter 4, "User-Level Security," contains instructions on how to set up user accounts, groups, logon security, and local security. Using the Server Worksheet The second worksheet, "Setting Up a Server," helps you plan the security and resources of a server. The numbers next to the questions on the worksheet correspond to the step numbers in the following procedure. Although the steps are numbered, they are not necessarily sequential. You can skip steps if you like. Complete steps 9 and 10 only for 386 servers that will be using local security. 1. Note the server's computername. 2. Note the name of the domain the server is in. 3. If logon security will be running in the domain, note the name of the primary domain controller. 4. Note whether the server will have user-level or share-level security. 5. If the server has user-level security, specify its role in the domain: primary, backup, member, or standalone. 6. Decide whether the console version of the LAN Manager Screen will be used on the server. The console version is recommended for servers that share printer queues or communication-device queues and are physically accessible by users. 7. On another sheet of paper, list the resources the server will share and note which users and groups will need access to those resources. 8. If this is a 386 server with HPFS386, decide whether it will have local security. Local security must be installed with the Setup program. If it wasn't, you will need to use the Setup program to install local security. For information about the Setup program, see the Microsoft LAN Manager Installation Guide. 9. Decide which access permissions to set for the server's directories and files. Access permissions will apply to users working at the server itself. Permissions are set for users and groups, as well as for the special group local. Permissions for local apply to any user who is working at the server, whether or not the user has logged on. If permissions for a particular file are not granted to any users, then no users can even see that the file exists. Only administrators can see or access these files. 10. Decide which processes (programs and commands) will start automatically and be given "privileged" status when the computer starts. Privileged processes ignore file access permissions and can use any file on the server. Put the commands to start these processes in the PRIVINIT.CMD batch file. Be careful when putting commands in PRIVINIT.CMD─the only processes you should start with PRIVINIT.CMD are those that need unrestricted access to the server's files and which you can be sure won't damage any files. Chapter 4, "User-Level Security," contains instructions for setting up user accounts, groups, logon security, and local security. Setting Up a Server 1. Server name: 2. Server's domain: 3. If logon security will be running in the server's domain, which server is the primary domain controller? 4. What is the server's security mode? User-level security Share-level security 5. If the server has user-level security, what is its role? Primary domain controller Backup domain controller Member server Standalone server 6. Will the console version of the LAN Manager Screen normally be used on this server? Yes No 7. On another sheet of paper, list the resources the server will share. Also, note which users and groups will need to be given access to each resource. 8. If this is a 386 server with HPFS386 and user-level security, will it run local security? Yes No The rest of this worksheet applies only to 386 servers running local security. 1. List important files on the server and decide which access permissions need to be set on them. Note the permissions to be given to users and groups, and to the special group local. Use additional paper, if needed. 2. Which programs and commands need to be started automatically and be given privilege when the computer is started? These will be put in the PRIVINIT.CMD batch file. Setting Up a Domain 1. Domain name: 2. Number of servers in the domain: 3. Number of workstations in the domain: 4. Number of each type of server in the domain: Primary domain controller 1 Backup domain controllers Member servers Standalone servers Servers with share-level security 5. On another sheet of paper, list users and groups who will need accounts in the domain's master user accounts database, and list groups of users that will need to be created. 6. Note on the above list who will be given administrative privilege or operator privileges. 7. Will logon scripts be used in the domain? Yes No 8. List the servers that will be running logon security: Primary Backups Members Chapter 4 User-Level Security ──────────────────────────────────────────────────────────────────────────── With user-level security on a server, you can specify exactly which users can use the server's resources and in what ways. It also lets you run logon security and local security on the server. Read Chapter 3, "Understanding and Planning Security," before reading this chapter. Chapter 3 outlines LAN Manager security, gives an introduction to user-level security, logon security, and local security, and explains how these types of security interact. This chapter builds on the security concepts introduced in Chapter 3, going into more detail about each topic. It also contains procedures for setting up and administering user-level security, logon security, and local security. The chapter begins with an explanation of how to implement logon security in a domain, followed by a section on user accounts and how to create them. This is followed by a section on setting up groups of users and a discussion of resource permissions and auditing. The final section of the chapter explains local security. Administering a Server with User-Level Security For a user to run an administrative command at a server with user-level security, the user must be logged on to the network with an account in the server's user accounts database. Also, the user's account must have an adequate privilege level (either admin privilege or an appropriate operator privilege). This is true whether the command is issued locally at the server's keyboard or from another workstation during remote administration. The description of privilege levels and operator privileges in the "User Accounts" section, later in this chapter, describes the abilities given to users with each of these privilege levels. The Default Administrative Account When a LAN Manager server is installed, one user account with admin privilege is created. The username for this account is admin, and the account's password is password. To administer a new server for the first time, log on as admin by typing net logon admin password Until you change this default account, anyone will be able to log on using the account and administer the server. To prevent security breaches, once you log on as admin, do one of two things: ■ Create a new user account for yourself. Give the account admin privilege. Log off from the admin account and log on using your own account. Then delete the account named admin. ■ Use the net password command to change the password of the account named admin by typing net password admin password newpassword User accounts and how to create them are explained in the "User Accounts" section, later in this chapter. Setting Up Logon Security This section describes how to implement logon security. It describes how to set up the domain's primary domain controller, backup domain controllers and member servers, and workstations. Running logon security in a domain makes it easier to administer user accounts in the domain. The domain's servers that participate in logon security keep and use identical copies of a single, domainwide user accounts database. When you make a change to the database of the primary domain controller, the change is automatically copied to the other servers participating in logon security. Logon security also adds another level of security to the system; users who log on in the domain have their usernames and passwords checked when they log on. Chapter 3, "Understanding and Planning Security," explains the different roles each server can play in logon security (primary domain controller, backup domain controller, and member server). It explains how the domainwide user accounts database is replicated between the domain's servers, and how logon requests in the domain are processed by the domain controllers. If you don't plan to install logon security in the domain, you can skip to the "User Accounts" section, later in this chapter, and begin setting up user accounts on each server in the domain. ──────────────────────────────────────────────────────────────────────────── NOTE When the Netlogon service starts, two directories on the server are shared automatically. The LANMAN\ACCOUNTS\USERDIRS directory, containing logon scripts for LAN Manager 1.x workstations and users' home directories, is shared with the sharename USERS. The directory specified by the scripts entry in the [netlogon] section of the LANMAN.INI file (the directory containing logon scripts for LAN Manager 2.0 workstations) is shared with the sharename NETLOGON. To ensure that logon scripts work and home directories can be accessed, do not use these sharenames for any other resources on servers that run the Netlogon service. ──────────────────────────────────────────────────────────────────────────── Setting Up the Primary Domain Controller The first server to set up in the domain is the primary domain controller. The primary stores the master copy of the domain's user accounts database and, along with the backup domain controllers, validates users' logon requests. Setting up the primary domain controller includes creating user accounts for the domain's backup domain controllers and member servers, as well as for the primary itself. LAN Manager uses these accounts while sending updates on the domain's user accounts database from the primary to the backups and members. Once you have set up these accounts, do not change or delete them. (If a server is removed from logon security in the domain and no longer needs database updates, you can remove the account of that server.) To set up the domain's primary domain controller: 1. Specify the domain this server will be in by typing the domain name as the value of the domain entry in the [workstation] section of the LANMAN.INI file. For the Netlogon service to start, you must check two additional entries in the LANMAN.INI file. The scripts entry in the [netlogon] section must specify a directory path that exists on the server. The directory specified by the userpath entry in the [server] section must have a subdirectory named SCRIPTS. To change LANMAN.INI, use a text editor. For more information about the LANMAN.INI file, see the Microsoft LAN Manager Administrator's Reference. 2. Stop and restart the Workstation service by typing net stop workstation /y net start workstation 3. Log on to the network, using the default administrative account, by typing net logon admin password (If you have created a new account with admin privilege for yourself, or changed the password of the admin account, then use the new username and/or password you created instead of admin and password.) 4. Start the LAN Manager Screen for administrators by typing net admin 5. Create a group called servers. This group will contain the accounts of each server participating in logon security in this domain. To create the group: ■ From the Accounts menu, choose Groups. The "Select a User Group" dialog box (Figure 4.7) appears. ■ Choose <Add group>. The "Add a New User Group" dialog box (Figure 4.8) appears. ■ In the "Groupname" text box, type servers. ■ In the "Comment" text box, optionally type a comment for the group. Do not put any users in the group. ■ Choose <OK>. ■ Choose <Done>. 6. Create a user account for the primary domain controller: ■ From the Accounts menu, choose Users. The "Select a User Account" dialog box (Figure 4.3) appears. ■ Choose <Add user>. The "Create a New User Account" dialog box (Figure 4.4) appears. ■ In the "Account name" text box, type the computername of the primary domain controller. ■ In the "Password" text box, type a password with as many as 14 characters. Do not let other network users know the password for this account, so they can't log on using the account. Once logon security is running in the domain, LAN Manager will change this password periodically to ensure that the account remains secure. ■ From the "Privilege level" option buttons, select "User." ■ Choose <Groups>. The "Group Memberships for User (New user)" dialog box (Figure 4.5) appears. ■ In the "Not a member of" list box, select "Servers," then choose <Join>. "Servers" moves to the "Member of" list box. ■ Choose <OK>. ■ Choose <OK>. ■ Choose <Done>. 7. Each of the domain's backup domain controllers and member servers also needs accounts on the primary. If you know what the computernames of these computers will be, you can create user accounts now for each of them (the username of each server's account will be the computername of that server). Be sure to note the passwords you assign to each of these accounts, as you will need to know them when setting up the backups and members. To create each of the accounts for the domain's backup domain controllers and member servers, follow the procedures shown in step 6. Be sure to add each account to the servers group. 8. Change the server's role to primary. To do this: ■ From the Accounts menu, choose Security settings. The dialog box shown in Figure 4.1 appears. (This figure may be found in the printed book). ■ From the "Role in domain" option buttons, select "Primary." ■ Choose <OK>. 9. Exit the LAN Manager Screen. From the View menu, choose Exit, or press F3. 10. Start the Server service by typing net start server 11. Start the Netlogon service by typing net start netlogon If Netlogon starts, the primary is configured correctly. If not, check to be sure you have completed the preceding steps. Also be sure that no other server in this domain has been configured as the primary; the Netlogon service won't start if it finds that another primary domain controller is running in the domain. 12. To have the Netlogon service start automatically each time the Server service starts, edit the LANMAN.INI file to add netlogon to the list of services in the srvservices entry in the [server] section. If the srvservices entry lists the names of more than one service, use a comma to separate service names. Command Line To set up the domain's primary domain controller: 1. Edit LANMAN.INI, specifying the name of the domain as the value of the domain entry in the [workstation] section, making sure that the scripts entry in the [netlogon] section specifies a directory path that exists on the server and the userpath entry in the [server] section specifies a directory that has a subdirectory named SCRIPTS. 2. Start the Workstation service by typing net start workstation 3. Log on to the network, using the default administrative account, by typing net logon admin password 4. Create a group called servers by typing net group servers /add 5. Create a user account for the primary domain controller by typing net user computername password /add ──────────────────────────────────────────────────────────────────────────── NOTE Use the computername of the primary domain 6. Add the user account to the servers group by typing net group servers computername /add 7. If you know the computernames for the domain's backup and member servers, create user accounts for each one and add them to the servers group. 8. Change the server's role to primary by typing net accounts /role:primary 9. Start the Server service by typing net start server 10. Start the Netlogon service by typing net start netlogon 11. Edit the [server] section of the LANMAN.INI file, adding netlogon to the list of services in the srvservices entry. See Net Accounts, Net Group, Net Logon, Net Start, and Net User, Microsoft LAN Manager Administrator's Reference. Setting Up a Backup Domain Controller or Member Server Once the primary is set up and running, you can set up each backup domain controller and member server in the domain. Use the following procedure for each backup and member. To set up a backup domain controller or member server: 1. Specify the domain this server will be in by typing the domain name as the value of the domain entry in the [workstation] section of the LANMAN.INI file. For the Netlogon service to start, you must check two additional entries in the LANMAN.INI file. The scripts entry in the [netlogon] section must specify a directory path that exists on the server. The directory specified by the userpath entry in the [server] section must have a subdirectory named SCRIPTS. To change LANMAN.INI, use a text editor. For more information about the LANMAN.INI file, see the Microsoft LAN Manager Administrator's Reference. 2. Stop and restart the Workstation service by typing net stop workstation /y net start workstation 3. Log on to the network, using the default administrative account, by typing net logon admin password (If you have created a new administrative account, or changed the password of the admin account, then use the new username and/or password you created instead of admin and password.) 4. Synchronize the internal clock of the new backup or member with that of the domain's primary domain controller. The internal clocks of the primary and all backups and members in a domain must be set to within 10 minutes of each other. To synchronize the local server's clock, type net time /domain /set When prompted for confirmation, type Y. 5. Start the LAN Manager Screen by typing net admin 6. If you haven't done so already, create a user account for the new backup or member on the primary domain controller. To create the account: ■ Set the current focus on the primary domain controller. From the list box, select the servername and press ENTER. ■ From the Accounts menu, choose Users. The "Select a User Account" dialog box (Figure 4.3) appears. ■ Choose <Add user>. The "Create a New User Account" dialog box (Figure 4.4) appears. ■ In the "Account name" text box, type the computername of the new backup or member. ■ In the "Password" text box, type a password with as many as 14 characters. Do not let other network users know the password for this account so that they can't log on using the account. Once logon security is running in the domain, LAN Manager will automatically change this password periodically to ensure that the account remains secure. ■ From the "Privilege level" option buttons, select "User." ■ Choose <Groups>. The "Group Memberships for User (New user)" dialog box (Figure 4.5) appears. ■ In the "Not a member of" list box, select "Servers," then choose <Join>. "Servers" moves to the "Member of" list box. ■ Choose <OK>. ■ Choose <OK>. ■ Choose <Done>. ■ Set the current focus on the new backup or member. From the list box, select "*Local*" and press ENTER. 7. On the new backup or member, create a group called servers: ■ From the Accounts menu, choose Groups. The "Select a User Group" dialog box (Figure 4.7) appears. ■ Choose <Add group>. The "Add a New User Group" dialog box (Figure 4.8) appears. ■ In the "Groupname" text box, type servers. ■ In the "Comment" text box, optionally type a comment for the group. Do not put any users in the group. ■ Choose <OK>. ■ Choose <Done>. 8. On the new backup or member, create a user account for the backup or member. The account must be identical to the account you created on the primary domain controller in step 6 of this procedure─the username will be the computername of the backup or member, and the password will be the same as the password of this computer's account on the primary. To create the account: ■ From the Accounts menu, choose Users. The "Select a User Account" dialog box (Figure 4.3) appears. ■ Choose <Add user>. The "Create a New User Account" dialog box (Figure 4.4) appears. ■ In the "Account name" text box, type the computername of the new backup or member. ■ In the "Password" text box, type the password for the account. This password must be the same as the password in this computer's account on the primary domain controller (which you created in step 6 of this procedure). Once logon security is running in the domain, LAN Manager will change this password periodically to ensure that the account remains secure. ■ From the "Privilege level" option buttons, select "User." ■ Choose <Groups>. The "Group Memberships for User (New user)" dialog box (Figure 4.5) appears. ■ In the "Not a member of" list box, select "Servers," then choose <Join>. "Servers" moves to the "Member of" list box. ■ Choose <OK>. ■ Choose <OK>. ■ Choose <Done>. 9. Change the new server's role to backup or member: ■ From the Accounts menu, choose Security settings. The "Security Settings on \\server" dialog box (Figure 4.1) appears. ■ From the "Role in domain" option buttons, select either "Backup" or "Member." ■ Choose <OK>. 10. Exit the LAN Manager Screen. From the View menu, choose Exit, or press F3. 11. Start the Server service by typing net start server 12. Start the Netlogon service by typing net start netlogon If Netlogon starts, the server is configured correctly. If not, check to be sure you have completed the preceding steps. Also be sure that there is a primary domain controller running in the domain; the Netlogon service won't start on a backup domain controller or member server if the domain's primary domain controller isn't running. 13. To have the Netlogon service start automatically each time the Server service starts, edit the LANMAN.INI file to add netlogon to the list of services in the srvservices entry in the [server] section. If the srvservices entry lists the names of more than one service, use a comma to separate the service names. Command Line To set up a backup domain controller or member server: 1. Edit LANMAN.INI, specifying the name of the domain as the value of the domain entry in the [workstation] section, making sure that the scripts entry in the [netlogon] section specifies a directory path that exists on the server and the userpath entry in the [server] section specifies a directory that has a subdirectory named SCRIPTS. 2. Start the Workstation service by typing net start workstation 3. Log on to the network, using the default administrative account, by typing net logon admin password 4. Synchronize the internal clock of the new backup or member with that of the domain's primary domain controller by typing net time /domain /set 5. Start a remote command processor (to perform remote administration) at the primary by typing net admin \\computername /command ──────────────────────────────────────────────────────────────────────────── NOTE Use the computername of the primary domain controller. ──────────────────────────────────────────────────────────────────────────── 6. Create a user account for the new backup or member on the primary by typing net user computername password /add ──────────────────────────────────────────────────────────────────────────── NOTE Use the computername of the new backup or 7. Add the user account for the new backup or member to the servers group by typing net group servers computername /add 8. Exit the remote command processor by typing exit 9. Create a group called servers on the new backup or member by typing net group servers /add 10. Create a user account on the new backup or member for the backup or member by typing net user computername password /add 11. Add the user account to the servers group by typing net group servers computername /add 12. Change the role for the new backup or member by typing net accounts /role:{backup | member} 13. Start the Server service by typing net start server 14. Start the Netlogon service by typing net start netlogon 15. Edit the [server] section of the LANMAN.INI file, adding netlogon to the list of services in the srvservices entry. See Net Accounts, Net Admin, Net Group, Net Logon, Net Start, Net Time, Net User, Microsoft LAN Manager Administrator's Reference. Setting Up the Domain's Workstations To set up workstations running LAN Manager 2.0 to be part of a domain, just specify the domain name as the value of the domain entry in the [workstation] section of the workstation's LANMAN.INI file. On workstations with LAN Manager 1.x, specify the domain name as the value of the langroup entry in the LANMAN.INI file. Also, to have the Netlogon service validate logon requests from this workstation, specify the computername of a logon server (the primary domain controller or one of the backup domain controllers) as the value of the logonserver entry in the [workstation] section of the workstation's LANMAN.INI file. If the domain has many 1.x workstations, don't specify the same server as the logon server for each workstation─instead, spread the processing of these logon requests among the domain's logon servers. If the logon server specified in the 1.x workstation's LANMAN. INI file is unavailable when a user logs on at that workstation, no other logon server can process the logon request, and the user won't be able to log on at that workstation (unless he or she restarts the workstation, specifying another logon server). To have workstations fully participate in logon security, it is recommended that you upgrade them to LAN Manager 2.0. Promoting a Backup or Member Changes to the domain's master user accounts database can be made only to the database of the primary domain controller. All changes made to this database are then copied to the databases of the backup domain controllers and member servers. No changes can be made directly to the databases of the backups or members. If the primary is stopped for some reason (such as hardware problems), and you want to make changes to the domain's user accounts database, you can promote a backup or member to primary by using the procedure described in the following section. However, note the following before doing so: ■ Changes to the domain's user accounts database made at the primary are not instantly sent to each backup and member. Instead, at regular intervals (specified by the pulse entry in the [netlogon] section of the primary's LANMAN.INI file), each backup and member receives the updates it needs. If changes are made just before the primary is stopped, the backups and members may not receive the changes. If you promote a backup or member to primary, these changes are lost. ■ If you promote a backup or member to primary, you must then change the role of the old primary to backup or member before you restart it. This way its user accounts database will be updated by the new primary. Once you have started the old primary as a backup or member, and you are sure that its database is updated and is identical to that of the new primary, you can switch the roles of these two servers: change the new primary back to backup or member, then change the old primary back to primary again. Or, you can keep the domain as it is, leaving the old primary as a backup or member. To be sure that the old primary's database is identical to the new primary's database before switching their roles, check the pulse entry in the [netlogon] section of the new primary's LANMAN.INI file. This entry specifies (in seconds) how often the primary sends database updates to the domain's backups and members. If you know that this amount of time has passed since changes were last made to the database of the new primary, then you can be sure the domain's other servers are up to date. ■ If logon scripts are used in the domain, the primary domain controller must have a copy of them. Therefore, promoting a backup domain controller to primary requires less work than does promoting a member server. If you promote a member server, the scripts must be copied from one of the backup domain controllers to the member server that is being promoted. Backup domain controllers should already have copies of the logon scripts. For more information about how to set up the domain's logon scripts, see the "Logon Scripts" section, later in this chapter. Changing a Server's Role This section describes how to change the role (primary, backup, member, or standalone) of a server with user-level security once logon security has been running in the domain. Use this procedure to promote a backup or member to primary when the original primary becomes unavailable, or any other time you want to change a server's role. However, when changing roles keep the following in mind: ■ A domain can have only one primary domain controller. If the domain's primary domain controller is currently running, you can't change another server's role to primary without first stopping the existing primary. ■ For the Netlogon service to start for the first time on a server after the server's role has been changed to backup or member, the domain's primary domain controller must be running. ■ If you are switching the roles of the primary domain controller and another server, you must do so in three steps. First, stop the Server service on the current primary. Then switch the backup or member to be the new primary, and start the Netlogon service on it. Finally, change the old primary to its new role. To change the role of a server: 1. If the server is currently a primary, backup, or member, you must stop the Netlogon service. To do this, from the Config menu, choose Control services. The dialog box shown in Figure 4.2 appears. (This figure may be found in the printed book). This dialog box shows the status of each LAN Manager service. 2. In the list box, select "NETLOGON," then choose <Stop>. 3. When prompted for confirmation, choose <OK>. 4. Choose <Done>. 5. From the Accounts menu, choose Security settings. The "Security Settings on \\server" dialog box (Figure 4.1) appears. 6. In the "Role in domain" option buttons, select the new role of the server. 7. Choose <OK>. If the new role of the server is standalone, you are done. If the new role is primary, backup, or member, continue with the rest of this procedure. 8. From the Config menu, choose Control services. The "LAN Manager Services" dialog box (Figure 4.2) appears. 9. In the list box, select "NETLOGON," then choose <Start>. The following dialog box appears: (This figure may be found in the printed book). This dialog box shows the options of the service you are starting. For more information about the options, see the Microsoft LAN Manager Administrator's Reference. 10. Choose <OK>. To start the Netlogon service after switching a server's role to backup or member, the domain's primary must be running. 11. Choose <Done>. Command Line To change the role of a server: 1. If the server is a primary, backup, or member, stop the Netlogon service by typing net stop netlogon 2. Change the role of the server by typing net accounts /role:{primary | backup | member | standalone} 3. If the server's new role is primary, or if the domain's primary is running and the server is a backup or member, start the Netlogon service by typing net start netlogon See Net Accounts, Microsoft LAN Manager Administrator's Reference. Logon Scripts In domains with logon security, you can specify that logon scripts be run for users who log on in the domain. When a user logs on, his or her logon script is run on the workstation. Scripts typically contain commands to make network connections and/or start applications. A logon script can be a batch file, executable file, or profile. For information about workstation profiles, see the Microsoft LAN Manager User's Guide. The following batch file, which makes two network connections and starts Microsoft Excel, is an example of a logon script: net use d: \\production\accountfiles net use lpt1: \\production2\laser excel You can create a single script for all users in a domain or different scripts for each user. Each user's account specifies the name of the logon script for that user, which will be run any time that user logs on in the domain. Scripts are kept on primary and backup domain controllers. When a user logs on, LAN Manager checks the user's account on the user's logon server─the server that validated the user's logon request─for the name of a script. The [netlogon] section of each server's LANMAN.INI file contains a scripts entry, which specifies the directory that contains the server's logon scripts. The value of scripts can be either a pathname relative to the LANMAN directory or an absolute pathname. The default value of scripts is repl\import\scripts. Users must have access to their logon scripts, or the scripts can't run. For a user to have access to his or her script, the directory containing the script must be shared and the user must have R (Read) permission for the script. LAN Manager does this automatically. When the Netlogon service starts, LAN Manager shares the directory specified by scripts with the sharename NETLOGON. Also, LAN Manager gives the special group users RX (Read and Execute) permissions for the directory specified by scripts. For logon scripts to run, you must not stop sharing the NETLOGON resource. ──────────────────────────────────────────────────────────────────────────── NOTE Permissions automatically assigned for the directory specified by scripts affect only scripts stored in that directory. If you keep scripts in a subdirectory of the directory specified by scripts, be sure to give the appropriate users R permission for these scripts. ──────────────────────────────────────────────────────────────────────────── For more information about permissions, see the "Resource Permissions and Auditing" section, later in this chapter. For more information about the special group users, see the "User Accounts" section, later in this chapter. ──────────────────────────────────────────────────────────────────────────── NOTE MS OS/2 and MS-DOS use different filename extensions for batch files. If you use batch files as logon scripts on a network with both MS OS/2 and MS-DOS workstations, keep each script under two filenames. Give the first filename a .CMD extension, and the second filename a .BAT extension. When specifying a batch file to be used as a user's logon script while creating or modifying that user's account, type just the first part of the filename (the part before the extension). When the user logs on, LAN Manager will add the appropriate extension (depending on whether the user logs on at an MS OS/2 or MS-DOS workstation) and run the script. For example, specifying "CLERK" as the script for a user causes CLERK.CMD to run when the user logs on at an MS OS/2 workstation, and CLERK.BAT to run when the user logs on at an MS-DOS workstation. ──────────────────────────────────────────────────────────────────────────── LAN Manager provides a simple logon script under the filename NETLOGON.CMD for workstations with MS OS/2 and NETLOGON.BAT for workstations with MS-DOS. This script simply displays the following message: Welcome to LAN Manager 2.0. You have successfully logged on to a domain. The following sections describe how to use LAN Manager's Replicator service to maintain identical sets of logon scripts on each logon server in the domain and how to set up logon scripts for users of workstations running earlier versions of LAN Manager. Replicating Logon Scripts In domains that have backup domain controllers, you need to keep identical sets of logon scripts on the primary domain controller and each backup domain controller. When a user logs on, either the primary or one of the backups validates the logon request; this will not necessarily be the same server each time the user logs on. The logon script that is run when the user logs on comes from the server validating the logon request. The Replicator service makes it easy to maintain an identical set of scripts on the logon servers. Adding or updating scripts is simplified: you make updates on just one server, and they are copied automatically to the other servers. For replication, you designate one server as the "export" server (usually the primary domain controller) for the scripts; this server is where you make changes to the scripts, and it copies the scripts to the "import" servers (usually the backup domain controllers) whenever changes have been made. Do not make changes directly to the scripts on the import servers. The following procedure is for domains where only LAN Manager 2.0 is running. In domains with computers running LAN Manager 2.0 and computers running earlier versions of LAN Manager (1.x), see the following section. To set up the replication of logon scripts (with the primary domain controller being the export server): 1. On the primary domain controller, create a directory called SCRIPTS as a subdirectory of the LANMAN\REPL\EXPORT directory. 2. Change the following entries in the primary domain controller's LANMAN.INI file: ■ In the [netlogon] section: ─Change scripts to be repl\export\scripts. If you change the value of scripts while the Netlogon service is running, stop and restart both the Server and Netlogon services for the change to take effect. ■ In the [replicator] section: ─Check that the value of exportpath is repl\export. This is the default value. ─Change the value of replicate to export or both. ─Change the value of exportlist to the name of the domain. 3. Change the values of the following entries in the LANMAN.INI files of each backup domain controller in the domain: ■ In the [netlogon] section: ─Check that the value of scripts is repl\import\scripts. ■ In the [replicator] section: ─Check that the value of importpath is repl\import. ─Change the value of replicate to import or both. ─Change the value of importlist to the computername of the primary domain controller. 4. Start the Replicator service on the primary and each backup by typing the following command at each of these servers: net start replicator To have the Replicator service start automatically when the Server service starts, add replicator to the list of services in the srvservices entry of the primary and each backup. The srvservices entry is in the [server] section of the LANMAN.INI file. 5. Create logon scripts in the LANMAN\REPL\EXPORT\SCRIPTS directory of the primary. These scripts will be replicated to the LANMAN\REPL\IMPORT\SCRIPTS directory of each backup. Whenever you update or make additions to scripts on the primary, they are also copied to the backups, as long as the Replicator service is running. The preceding procedure uses default values for exportpath, importpath, and scripts whenever possible, to simplify the process of setting up the replication of scripts. Whether or not you use the default values for these options, you must follow these rules for logon script replication to work: ■ On each primary and backup, the scripts must be kept in the directory specified by that server's scripts entry or in a subdirectory of that directory. ■ On the export server (usually the primary domain controller), the directory that holds the scripts must be a subdirectory of the directory specified by exportpath. ■ On the import servers (usually the backup domain controllers), the directory that holds the scripts must be a subdirectory of the directory specified by importpath. For more information about the Replicator service, see Chapter 13, "Replicating Files and Directories." Scripts for 1.x Workstations Workstations running LAN Manager 1.x versions ignore the value of the scripts entry (in the [netlogon] section of LANMAN.INI) on LAN Manager 2.0 servers. Workstations running 1.x always assume that the logon script specified in a user's account is relative to the LANMAN\ACCOUNTS\USERDIRS directory. Scripts for 1.x workstations must be stored in LANMAN\ACCOUNTS\USERDIRS or in a subdirectory of this directory. (LAN Manager automatically creates a SCRIPTS directory in the LANMAN\ACCOUNTS\USERDIRS directory when a server is installed.) If your domain has computers running LAN Manager 2.0 and computers running LAN Manager 1.x, you have the following options for setting up scripts for users of 1.x versions: ■ Use the procedure in the preceding section to set up logon scripts. Users with workstations running LAN Manager 2.0 will use scripts in the primary domain controller's REPL\EXPORT\SCRIPTS directory and in the backup domain controllers' REPL\IMPORT\SCRIPTS directories. In addition, put scripts for users with LAN Manager 1.x workstations in the LANMAN\ACCOUNTS\USERDIRS directory, or in a subdirectory of this directory, on each logon server. These scripts won't be replicated. ■ Specify accounts\userdirs\scripts as the value for the scripts entry in the [netlogon] section of the LANMAN.INI file on the primary and on the backups. All users who log on in the domain will use scripts in this directory. To replicate scripts between the primary and backup domain controllers, edit the [replicator] section of the LANMAN.INI file. Specify accounts\userdirs as the value of exportpath on the primary and of importpath on each backup. However, doing this means that any other directories you want to replicate from the primary must also be subdirectories of ACCOUNTS\USERDIRS, as the Replicator service replicates only subdirectories of the single directory specified by exportpath. User Accounts Each user who needs access to resources shared on a server with user-level security must have a user account on that server. The user account identifies the user to LAN Manager. If the domain has logon security, you need to create user accounts on the primary domain controller for all users in the domain. These accounts will be checked when users log on to the network in the domain. In addition, these accounts will be replicated to the domain's backup domain controllers and member servers, and each of these servers (as well as the primary) will check these accounts when users try to access resources shared on these servers. You don't create user accounts directly on any backup or member. If the domain doesn't have logon security, you'll need to create user accounts separately on each server with user-level security. On each server, you need to create accounts for users who will use resources shared on that server. The following section describes each element of user accounts. Following that section are procedures explaining how to create user accounts, change information in accounts, disable accounts, and delete accounts. ──────────────────────────────────────────────────────────────────────────── NOTE User accounts are kept in the server's NET.ACC file (in the LANMAN\ACCOUNTS directory). Because LAN Manager keeps this file open, most backup procedures can't save user account information while LAN Manager is running. Two LAN Manager utilities, backacc and restacc, allow this file to be backed up while LAN Manager is running. For more information about these utilities, see the Microsoft LAN Manager Administrator's Reference. ──────────────────────────────────────────────────────────────────────────── Contents of User Accounts Each user account must have a username and privilege level. You can also define more information for each account, including a password, operator privileges, group memberships, logon restrictions, a logon script, and a home directory. The following sections describe the elements of user accounts. Username The username identifies the user to LAN Manager and to other network users. Each user account on the server must have a unique username. Privilege Level Each user has one of three privilege levels, which determines what actions the user can take: ■ The admin privilege makes the user an administrator. Administrators can perform all types of actions on the server─starting and stopping services, creating and modifying user accounts, sharing resources, assigning resource permissions, and managing printer queues and communication-device queues (comm queues). (Administrators can also perform all actions granted by the user privilege, described next.) Users with admin privilege can use all resources shared on the server, regardless of access permissions, and can access all files on the server, regardless of access permissions enforced by local security. (For more information about local security, see the "Local Security on 386 Servers" section, later in this chapter.) The default administrative account admin has admin privilege, and you can create more accounts with admin privilege. Once you have created more accounts that have admin privilege, you can delete the account named admin. Whenever you delete an account with admin privilege, LAN Manager makes sure there is at least one other active account with admin privilege on the server. LAN Manager will prevent you from deleting the last account with admin privilege from the server, so you will never be locked out from administering the server. Do not assign a null password to an account with admin privilege. LAN Manager automatically puts all accounts with admin privilege into the special group admins. ■ The user privilege is the default privilege level and is the one you assign to most network users. User privilege allows a user to use network resources (subject to the access permissions for the resources), view information about the resources that servers share and the status of printer and comm queues, and send and receive messages. LAN Manager automatically puts all accounts with user privilege into the special group users. This group is useful when you assign access permissions; to give all users with accounts on the server (except those with guest privilege) permissions for a resource, give those permissions to the group users. You can also give a person with user privilege limited rights to perform certain types of administrative actions by giving operator privileges to the user. Operator privileges are described in the following section. ■ The guest privilege gives a user the same abilities as user privilege─the abilities to use network resources (subject to the access permissions for the resources), view information about the resources that servers share and the status of printer and comm queues, and send and receive messages. Accounts with guest privilege are automatically put into the special group guests. The main reason to give an account guest privilege instead of user privilege is to exclude temporary or occasional users from the group users, which is often used to grant resource permissions to all regular users. Accounts with guest privilege can't be given operator privileges. Operator Privileges A person with user privilege can also be given operator privileges, which allow the user to perform certain types of administrative actions. Each user can be given one or more of the four types of operator privileges. Table 4.1 explains each type of operator privilege. Table 4.1 Operator Privileges ╓┌──────────────────┌────────────────────────────────────────────────────────╖ Operator privilege Allows a user to ──────────────────────────────────────────────────────────────────────────── server Start and stop services. Share and stop sharing resources. Read and clear the error log. Close users' sessions and files that users have opened. View a list of all resources shared on the server (including "admin-only" resources). accounts Create, remove, and modify user accounts with user or guest privilege. Create, remove, and modify groups. Modify logon restrictions. Operator privilege Allows a user to Modify logon restrictions. An accounts operator can't modify an account with admin privilege except to change group memberships. Nor can an accounts operator change an account's privilege to admin. print Share and stop sharing printer queues. Create, remove, and modify printer queues. Control print jobs. View a list of all resources shared on the server (including "admin-only" resources). comm Share and stop sharing comm queues. Control comm queue requests. Operator privilege Allows a user to Control comm queue requests. View a list of all resources shared on the server (including "admin-only" resources). ──────────────────────────────────────────────────────────────────────────── Logon Hours You can define a set of logon hours for the user. The person can use the server's resources only during the days and times you specify. And if you define logon hours for an account in a domain's master user accounts database, the user will be able to log on to the network only during those hours. If the person is using a resource at the server when his or her logon hours expire, the user's connection to the server may be automatically canceled. Whether the connection is canceled is determined by the security settings on the server. Security settings are explained in the "Security Settings" section, later in this chapter. The default value for logon hours allows the user to log on at any time. Valid Workstations You can specify as many as eight workstations from which the user can access the server, or you can allow the user to access the server from any workstation. The default value allows the user to access the server from any workstation. If the account is in a domain's user accounts database, the user must log on to the network from one of the workstations you specify. Logon Server If the Netlogon service is running in the user's domain, you can specify which domain controller (the primary or one of the backups) will be the user's logon server. If you specify a logon server, that server will process the user's logon requests. However, if the user's designated logon server is down when the user logs on, another domain controller (the primary or a backup) will log the user on. You can also specify that a user's logon server be "any server." In this case, the user's logon requests will be processed by whichever server is available at the time. This is the default value for the logon server option. The Netlogon service can keep track of the last time the user logged on to the network (in the user's domain) and the number of times the user has tried but failed to log on in the domain. This information can be seen by an administrator viewing the user's account. However, the information is kept only if you designate a specific logon server (either the primary domain controller or one of the backup domain controllers) for the user. When specifying logon servers for users, be sure not to overload any of the logon servers by assigning too many users to that server. Spread the logon processing load among all the domain's logon servers. Logon Script You can specify a file to be used as the user's logon script. The logon script is run on the user's workstation and is normally used to configure the workstation for that user, performing such tasks as making connections and starting applications. Logon scripts can be batch files, profiles, or executable programs. How to set up logon scripts on servers is explained in the "Logon Scripts" section, earlier in this chapter. The default value for logon script is to have no logon script. Home Directory You can create a home directory on a server for the user. A user can use the home directory as his or her storage space on the server. If you assign a home directory to a user, you can limit the amount of disk space the home directory can use. LAN Manager's chkstor utility lets you check how much disk space is used by users' home directories. For more information about the chkstor utility, see the Microsoft LAN Manager Administrator's Reference. The default value for home directory is to have no home directory. Expiration Date You can assign an expiration date to an account. At the beginning of the assigned date, the account will be disabled, but won't be removed from the database (you can enable an expired account by removing the expiration date or defining a new expiration date). The default value for expiration date is to have no expiration date. Adding a User Account from the Command Line When you use the net user command to add or modify a user account, you can specify three types of information that you can't specify when adding an account with the LAN Manager Screen: ■ You can specify that the account not be required to have a password. ■ You can specify that the user can never change his or her own password. ■ You can specify whether the account is required to have a home directory. For more information, see Net User, Microsoft LAN Manager Administrator's Reference. The Guest Account The guestacct entry in the [server] section of the LANMAN.INI file specifies the name of the server's guest account. You can use the guest account to allow users who don't have accounts on the server to access resources on the server. The default value for guestacct is guest. LAN Manager installs a corresponding user account with the username guest and no password in the user accounts database of each server. When a user who has no account on a server tries to access a resource on that server, LAN Manager looks at the account name specified by guestacct. If guestacct specifies the name of a valid account on the server, and the password the user provided matches the password of this account, the user is given access to the server's resources according to the resource permissions you have granted to the guest account. ──────────────────────────────────────────────────────────────────────────── NOTE If the account specified by guestacct has no password, a user can gain access to the server through the guest account by supplying any password, or no password at all. ──────────────────────────────────────────────────────────────────────────── For example, suppose the guestacct entry specifies guest and the account named guest exists on the server. The user tomwr tries to make a connection to the printer queue LASER shared on the server. But tomwr doesn't have an account on the server, so LAN Manager checks the permissions assigned to the account named guest. If guest has been given permission to use LASER, then tomwr is allowed to make the connection. If you change the value for guestacct to another name, be sure that you have added an account with that name to the server. The initial guest account, guest, has no password; you can assign a password to the guest account. If you do, then a user must type that password to be able to access the server using the guest account. It is a good idea to give the guest account guest privilege. If you give the guest account user privilege, then the guest account will be a member of the special group users and will have all the resource permissions you have granted to users. Giving the guest account admin privilege allows any user who doesn't have an account on the server to administer the server. If you want no guest account on the server, delete the user account specified by the guestacct entry in LANMAN.INI. Creating a User Account The following procedure explains how to create a new user account. You can also create a user account by cloning another account. Cloning is explained in the "Cloning a User Account" section, later in this chapter. To create a user account: 1. From the Accounts menu, choose Users. The dialog box shown in Figure 4.3 appears. (This figure may be found in the printed book). The list box shows existing user accounts. 2. Choose <Add user>. The dialog box shown in Figure 4.4 appears. (This figure may be found in the printed book). 3. In the "Account name" text box, type the username of the account. The username can have as many as 20 characters, including letters, numbers, and the following characters: ! # $ % & ( ) - . @ ^ _ ` { } ~ 4. In the "Password" text box, type a password for the user. The password can have as many as 14 characters, and the minimum length is determined by the security settings on the server. Security settings are explained in the "Security Settings" section, later in this chapter. Do not assign a null password to an account with admin privilege. Advise each user to change his or her password when he or she logs on for the first time. 5. In the "Full name" text box, optionally type the user's full name. 6. In the "Comment" text box, optionally type a comment. This comment can't be changed by the user and will be displayed when an administrator lists users on the server. 7. In the "User comment" text box, optionally type a user comment. The user can change this comment, which will be displayed when users view a list of users on the server or in the domain. 8. In the "Country code" list box, type the code corresponding to the language in which the user's messages are to be displayed. The default value for the country code is 0. If this value is specified, messages are sent in the language used in the LANMAN\NETPROG\NET.MSG file. See Appendix C, "Country Codes," for a list of the country codes. 9. From the "Privilege level" option buttons, select either "Guest," "User," or "Admin." 10. If you selected "User," you can optionally mark one or more of the "Operator privileges" check boxes (server, accounts, print, and comm) to give a person with user privilege the ability to perform certain types of administrative tasks. 11. To put the user into one or more currently existing groups, choose <Groups>. The dialog box that appears when the <Groups> command button is chosen is described in the following section. 12. To limit the hours when the user can access the server, specify which workstations the user can use, and/or give the account an expiration date, choose <Logon>. The dialog box that appears when the <Logon> command button is chosen is described in the "<Logon> Command Button" section, later in this chapter. 13. To assign the user a logon server, logon script, and/or home directory, choose <Paths>. The dialog box that appears when the <Paths> command button is chosen is described in the "<Paths> Command Button" section, later in this chapter. 14. Choose <OK>. 15. Choose <Done>. <Groups> Command Button When creating a user account, choosing <Groups> displays the dialog box shown in Figure 4.5. (This figure may be found in the printed book). The "Member of" list box displays the groups to which the user belongs. The "Not a member of" list box displays groups to which the user does not belong. To assign group memberships for a user account: 1. In the "Not a member of" list box, select a groupname, then choose <Join>. 2. Repeat step 1 until the user is assigned to as many groups as needed. 3. To remove the user from a group, in the "Member of" list box, select the groupname, then choose >. To remove the user from all groups (except the user's automatic group─admins, users, or guests), choose >. 4. Choose <OK>. <Logon> Command Button When creating a user account, choosing <Logon> displays the following dialog box: (This figure may be found in the printed book). This dialog box is used to set limits on the user's logon privileges. The administrator can set an expiration date for the account, limit logon hours, and limit the workstations from which the user can log on. To specify logon restrictions for a user account: 1. To set an expiration date, in the "Account expires" text box, type a date and/or time. LAN Manager accepts all of the following formats for the expiration date: 7-23-90 7-23-90 8am 7/23/90 5 pm 7-23-90 8:00 7-23-90 17:30:32 To set no expiration date, leave the "Account expires" text box blank. 2. To allow the user to access the server while working at any workstation, from the "Valid workstations" option buttons, select "Any workstation." To limit the workstations from which a user can work, from the "Valid workstations" option buttons, select "Listed" and, in the text box, type the computernames of as many as eight workstations. 3. To limit the times the user can access the server, adjust the graph under "Hours logon allowed:" ■ To allow the user to use resources at the server at all times, choose <Permit all hours>. This is the default value. ■ To allow or prevent use at a specific hour, move to that spot and press the SPACEBAR, or click that spot with the mouse. ■ To clear all logon hours, choose <Clear>. 4. Choose <OK>. <Paths> Command Button When creating a user account, choosing <Paths> displays the following dialog box: (This figure may be found in the printed book). This dialog box is used to define the logon server, logon script, and home directory for the user. Use this dialog box only if you are adding the account to a domain's master user accounts database. To specify a logon server, logon script, and home directory for a user account: 1. From the "Logon server" option buttons, select the option button for the server that will process the user's logon requests: ■ Select "Domain controller" to have the domain's primary domain controller process the user's logon requests. However, if the user logs on and the primary is unavailable, a backup domain controller (if any exist in the domain) will process the logon request. ■ Select "Any server" to have the user's logon requests be processed by any logon server available at the time. This is the default. ■ Select "Servername" and, in the text box, type the computername of a backup domain controller to have that backup process the user's logon requests. However, if the user logs on and the specified backup is unavailable, the primary or another backup will process the logon request. 2. If the user has a logon script, in the "Logon script" text box, type the filename or pathname of the script. For users with LAN Manager 2.0 workstations, the pathname of the logon script is relative to the value for the scripts entry in the [netlogon] section of the logon server's LANMAN.INI file. For users with LAN Manager 1.x workstations, the pathname of the logon script is relative to the LANMAN\ACCOUNTS\USERDIRS directory of the logon server. 3. In the "Home directory" text box, type the name of the user's home directory, if any. The name can be an absolute pathname (in which case the home directory will be on the primary domain controller) or a network pathname. If the directory you specify doesn't exist, LAN Manager will offer to create it. Once you create the home directory for the user, you should give the user permissions for it. Give each user RWCDAP permissions for his or her own home directory. Permissions are explained in the "Resource Permissions and Auditing" section, later in this chapter. 4. To set a limit on the size of the user's home directory, from the "User storage limit" option buttons, select "Maximum" and, in the text box, type the limit (in kilobytes). Exceeding this limit will cause an alert to be sent to both the user and the administrator. The default for this option is "None" (no limit). 5. Choose <OK>. Command Line To create a user account, type net user username password /add [options] See Net User, Microsoft LAN Manager Administrator's Reference. Cloning a User Account An existing user account can be used as a template for a new user account. This is called cloning. When an account is cloned, the new account duplicates all information from the cloned account (except the account name, full name, and password); you need to change only the settings that you want to be different. Cloning can be done only with the LAN Manager Screen; there is no equivalent command-line command. To clone a user account: 1. From the Accounts menu, choose Users. The "Select a User Account" dialog box (Figure 4.3) appears. 2. In the list box, select an account, then choose <Clone>. The "Create a New User Account" dialog box (Figure 4.4) appears. Settings for the template account (except the account name, password, and full name) appear as values for the new account. 3. In the "Account name" text box, type a username. 4. In the "Password" text box, type a password. 5. In the "Full name" text box, optionally type the user's full name. 6. Follow steps 6-13 of the procedure in the "Creating a User Account" section (earlier in this chapter) to customize the account for this user. If the old account being cloned has a home directory, be sure to change that option for the new account. 7. Choose <OK>. 8. Choose <Done>. Viewing and Changing Account Settings When you view an account, LAN Manager can report information about the person's use of passwords and attempts to log on, in addition to the account information you initially set. To view or change information about a user account: 1. From the Accounts menu, choose Users. The "Select a User Account" dialog box (Figure 4.3) appears. 2. In the list box, select an account, then choose <Zoom>. The dialog box shown in Figure 4.6 appears. (This figure may be found in the printed book). This dialog box shows the account information you have set for the user. It also shows when the user last changed his or her password, when the user will be able to change his or her password, and the date the user's password expires. If this account is in a domain's master user accounts database, then the date and time the user last logged on in the domain and how many times the user has unsuccessfully tried to log on in the domain are also shown. However, this information is accurate only if a specific logon server is designated for this user. The dialog box displayed when <Paths> is chosen shows whether a logon server has been specified for this user. Also, the date of last logon and number of unsuccessful logons do not reflect any attempts by the user to log on from workstations running LAN Manager 1.x. You can make changes to the account settings shown in the text boxes of this dialog box. You can't change the information in the "Last logon," "Failed logon count," "Password last changed," "Next change available," and "Password expires" display fields. You can also choose <Groups>, <Logon>, and <Paths> to make changes to those types of information for the account. 3. Choose <OK>. 4. Choose <Done>. Command Line To view or change information about a user account: ■ View information about a user account by typing net user username ■ Change one or more options of a user's account by typing net user username [options] See Net User, Microsoft LAN Manager Administrator's Reference. Disabling or Enabling a User Account Disabling a user account prevents the user from logging on, but doesn't delete the account's information. The account-disabling feature lets you keep generic accounts and allow their use only when needed. You can also temporarily disable accounts of employees who are on vacation. Also, if you use a generic account as a template for cloning accounts, you should keep the template account disabled. To disable or enable a user account: 1. From the Accounts menu, choose Users. The "Select a User Account" dialog box (Figure 4.3) appears. 2. In the list box, select a username, then choose <Zoom>. The "View the User Account username" dialog box (Figure 4.6) appears. 3. Mark the "Disable account" check box. 4. Choose <OK>. 5. Choose <Done>. To enable the account again, unmark the "Disable account" check box. Command Line To disable or enable a user account: ■ Disable a user account by typing net user username /active:no ■ Enable a disabled user account by typing net user username /active:yes See Net User, Microsoft LAN Manager Administrator's Reference. Deleting a User Account Deleting a user account removes all information about the account from the user accounts database. To delete a user account: 1. From the Accounts menu, choose Users. The "Select a User Account" dialog box (Figure 4.3) appears. 2. In the list box, select a username, then choose <Delete>. 3. When prompted for confirmation, choose <OK>. 4. Choose <Done>. Command Line To delete a user account, type net user username /delete See Net User, Microsoft LAN Manager Administrator's Reference. Groups of Users Creating groups of users who have similar resource needs makes it easier to grant access permissions; when you define access permissions for a resource, you can grant permissions to many users at once by granting permissions to a group. For example, all employees that work with the payroll can be put into a group called payroll. You can then grant permissions for the necessary directories and printers to payroll, rather than granting permissions to each of those users individually. Also, when you add a new user account to the server, and put that account in payroll, the user is instantly granted the permissions already given to payroll. Any number of users can be put in a group, and each user can be a member of as many as 256 groups. However, a group can't be made a member of another group. Groups you create on a domain's primary domain controller are copied to the backup domain controllers and member servers, just as user accounts and security settings are. Creating a Group The following procedure explains how to create a group. You can also create a group by cloning another group. Cloning a group is explained in the following section. To create a group: 1. From the Accounts menu, choose Groups. The dialog box shown in Figure 4.7 appears. (This figure may be found in the printed book). 2. Choose <Add group>. The dialog box shown in Figure 4.8 appears. (This figure may be found in the printed book). The "Non-members" list box displays all users with accounts in the database. 3. In the "Groupname" text box, type a name for the group. The groupname can have as many as 20 characters, including letters, numbers, and the following characters: ! # $ % & ( ) - . @ ^ _ ` { } ~ 4. In the "Comment" text box, optionally type a comment. The comment will be shown when lists of groups on the server are displayed. 5. In the "Non-Members" list box, select a username, then choose <Add member>. 6. Repeat step 5 until you're finished adding members to the group. 7. Choose <OK>. 8. Choose <Done>. Command Line To create a group and add users to a group: ■ Create a group by typing net group groupname /add [/comment:"text"] ■ Add users to a group by typing net group groupname [username[ ...]] /add See Net Group, Microsoft LAN Manager Administrator's Reference. Cloning a Group An existing group can be used as a template for a new group. When you clone a group, the new group has the same members as the original group. Any group, including the special groups users, admins, and guests, can be cloned. Cloning can be done only with the LAN Manager Screen; there is no equivalent command-line command. To clone a group: 1. From the Accounts menu, choose Groups. The "Select a User Group" dialog box (Figure 4.7) appears. 2. In the list box, select a groupname, then choose <Clone>. The "Add a New User Group" dialog box (Figure 4.8) appears. The members of the template group appear in the "Members" list box. 3. In the "Groupname" text box, type a name for the new group. 4. In the "Comment" text box, optionally type a comment for the group. The comment will be shown when lists of groups on the server are displayed. 5. Add more members to the group and remove current members from the group: ■ To add another member to the group, from the "Non-members" list box, select the username, then choose <Add member>. ■ To remove a member from the group, from the "Members" list box, select the username, then choose >. 6. Choose <OK>. 7. Choose <Done>. Changing a Group's Membership The membership of a group can be changed at any time. To change the membership of a group: 1. From the Accounts menu, choose Groups. The "Select a User Group" dialog box (Figure 4.7) appears. 2. In the list box, select a groupname, then choose <Zoom>. The following dialog box appears: (This figure may be found in the printed book). 3. Add more members to the group and remove users from the group: ■ To add a user to the group, from the "Non-members" list box, select the username, then choose <Add member>. ■ To remove a user from the group, from the "Members" list box, select the username, then choose >. ■ To remove all members from the group, choose >. 4. Choose <OK>. 5. Choose <Done>. Command Line To change the membership of a group: ■ Add users to the group by typing net group groupname [username[ ...]] /add ■ Remove users from the group by typing net group groupname [username[ ...]] /delete See Net Group, Microsoft LAN Manager Administrator's Reference. Deleting a Group Deleting a group removes the groupname from the user accounts database and deletes all resource permissions assigned to that group. The user accounts of the group's members are not affected, however. You can't delete the special groups users, admins, and guests. To delete a group: 1. From the Accounts menu, choose Groups. The "Select a User Group" dialog box (Figure 4.7) appears. 2. In the list box, select a groupname, then choose <Delete>. 3. When prompted for confirmation, choose <OK>. 4. Choose <Done>. Command Line To delete a group, type net group groupname /delete See Net Group, Microsoft LAN Manager Administrator's Reference. Security Settings The server's security settings determine how the passwords of user accounts on the server can be changed, and what happens when a user tries to exceed his or her logon hours. There are five security settings: ■ Minimum password length is the minimum number of characters that passwords must have. The value can range from 0 (where user accounts aren't required to have passwords) to 14 (the maximum length for user passwords). The initial value (set when LAN Manager is installed) is 6. ■ Minimum password age is the minimum number of days that must pass before a user can change his or her password. This setting does not apply to administrators, who can change the password of a user at any time. The initial value is 0. ■ Maximum password age is the maximum number of days that can pass before a user is forced to change his or her password. The initial value is 90. ■ Password uniqueness prevents a user from reusing his or her old passwords. The value you set for password uniqueness is the number of the user's previous passwords that can't be reused. For example, if password uniqueness is 3, when users change their passwords they can't reuse any of their last 3 passwords as the new password. The initial value is 5. ■ Force logoff determines what happens when a user has a session to a server when his or her logon hours expire. You can specify that the user's session be ended immediately, that it be ended after a certain number of seconds, or that it not be ended at all. This value also applies when a user has a session to a server when his or her account expires. This value affects only what happens when a user is already logged on. Regardless of the force logoff value, users are prevented from making a new connection to the server outside of their logon hours or after their accounts expire. Security is more effective when users are forced to change passwords regularly. The maximum password age, minimum password age, and password uniqueness settings work together to ensure this. The maximum password age forces users to change passwords periodically. Setting a value for minimum password age ensures that users won't be able to change to a new password and then immediately change back to the old one. Password uniqueness forces users to use a new password each time they change their password, instead of just alternating between a few passwords. Security settings made on a domain's primary domain controller are replicated to the domain's backup and member servers, just as user accounts and groups are. ──────────────────────────────────────────────────────────────────────────── NOTE You can specify that a particular account not be required to have a password at all, using the /passwordreq option of the net user command. This option partially overrides the minimum password length security setting. For example, if a server's minimum password length is 8, you can use the /passwordreq option to allow the danbe account to not have a password, but if the account does have a password it must have at least 8 characters. ──────────────────────────────────────────────────────────────────────────── Adjusting Security Settings To change security settings: 1. From the Accounts menu, choose Security settings. The "Security Settings on \\server" dialog box (Figure 4.1) appears. The dialog box shows the security settings, as well as the server's role. For more information about server roles, see the "Setting Up Logon Security" section, earlier in this chapter. 2. In the "Minimum password length" text box, type a value. The range is 0-14 characters. 3. In the "Password uniqueness" text box, type a value. The range is 0-8 password changes. 4. In the "Minimum password age" text box, type a value. The range is 0-49710 days. 5. From the "Maximum password age" option buttons: ■ To specify the number of days that can pass before a user is forced to change his or her password, select "Valid for" and, in the text box, type a value. The range is 1-49710 days. ■ To specify no maximum, select "No limit." LAN Manager prevents you from setting a server's minimum password age to be longer than the maximum password age. 6. From the "Force logoff" option buttons: ■ To have users logged off as soon as their logon hours or account expire, select "Immediately." ■ To allow users to remain logged on despite their logon limits, select "Never." ■ To force users to log off within a certain amount of time of expiration, select "After" and, in the text box, type a value. 7. Choose <OK>. Command Line To change security settings, type net accounts [/minpwlen:length] [/uniquepw:number] [/minpwage:days] [/maxpwage:days] [/forcelogoff:{minutes | no}] See Net Accounts, Microsoft LAN Manager Administrator's Reference. Resource Permissions and Auditing The permissions you assign for each resource determine which users can use the resource, and in what ways. Permissions can be assigned to both users and groups. If you don't assign permissions for a resource to a particular user (either by assigning permissions to that user or to a group to which the user belongs), that user can't access that resource. When you assign permissions for a resource, you can also audit use of the resource. When you audit a resource, LAN Manager writes an entry to the audit trail whenever a user accesses the resource in a certain way. The audit entry shows the resource, action performed, user who performed it, and the date and time of the action. Events that can be audited for directories and files include successful and failed attempts to open the directory or file, write to it, change access permissions for it, or delete a file or subdirectory. Audited events for non-disk resources─printer queues, comm queues, and named pipes─are successful and failed attempts to access the resource. ──────────────────────────────────────────────────────────────────────────── NOTE These audit entries are written only if the value of the Server service's auditing option is yes or lists resource. The auditing option is set with the net start server command, or in the [server] section of the LANMAN.INI file. ──────────────────────────────────────────────────────────────────────────── On 386 servers, permissions and auditing information for directories and files on partitions with HPFS386 are kept with the files themselves. Permissions and auditing information for non-disk resources and for directories and files on partitions with the file allocation table (FAT) file system are kept in the NET.ACC file (along with user accounts and groups). On 286 servers, permissions and auditing information for all resources are kept in NET.ACC. ──────────────────────────────────────────────────────────────────────────── NOTE Because LAN Manager keeps the NET.ACC file open and because HPFS386 file permissions can't be copied to disks or tapes that don't have HPFS386, most backup procedures can't save permissions and auditing information. Two LAN Manager utilities, backacc and restacc, are provided to allow permissions and auditing information to be backed up. For more information about these utilities, see the Microsoft LAN Manager Administrator's Reference. ──────────────────────────────────────────────────────────────────────────── On 386 servers with local security, you must consider what permissions to set for all the directories and files in the server's HPFS386 partitions. These permissions control how local users of the server can access those directories and files. Local security has no effect on printer queue, comm queue, or named pipe access, however. For more information about local security, see the "Local Security on 386 Servers" section, later in this chapter. On servers without local security, the only directories and files you need to set permissions for are those that will be shared─but be sure to check the permissions for all subdirectories and files in the directory tree of any directory you share. The following section describes the types of permissions that can be assigned for each type of resource and how permissions affect users' attempts to access resources. This section is followed by procedures explaining how to set resource permissions and audit resource use. Types of Permissions There are different types of permissions for each type of resource (directories, files, printer queues, comm queues, and named pipes), each of which allows users to perform different actions. Directory and File Permissions The following list describes the types of permissions that can be assigned for directories and files and what each permission allows a user to do. R (Read) User can read and copy files, run programs, and change from one subdirectory to another within the shared directory. User can also read the extended attributes of files. W (Write) User can write the contents and extended attributes of a file. Note that when a user with an MS-DOS workstation opens a shared file to write to it, and then truncates the file, the file is recreated. Therefore, to give users with MS-DOS workstations full write access to a file, assign them C permission as well as W permission. C (Create) User can create files and subdirectories within a shared directory. After creating a file, a user with C permission can read from or write to the file and its extended attributes only until closing it. D (Delete) User can delete files and subdirectories within the shared directory but can't delete the shared directory itself. X (Execute) User can run a file (but not read or copy it). Only MS OS/2 computers recognize X permission. To allow a user with an MS-DOS workstation to run a program, grant that user R permission. ──────────────────────────────────────────────────────────────────────────── NOTE X permission isn't needed if R permission is assigned to the user for that directory or file. R permission includes all rights that X permission grants. ──────────────────────────────────────────────────────────────────────────── A (Change Attributes) User can set the physical file flags of the file. P (Change Permissions) User can change the permissions for the directory or file. Giving a user P permission for a directory allows the user to change the permissions for only that directory, not to change the permissions for any subdirectories of the directory. Y (Yes) Gives the user RWCDA permissions. Y serves as an abbreviation for this set of permissions. N (No) Prevents the user from accessing the directory or file. Use this permission to exclude individual users from access to a directory or file, despite the permissions that are assigned to the groups to which that user belongs. You can assign N permission only to individual users. You can give a user or group any combination of R, W, C, D, X, A, and P permissions; for example, you can give a user RWD permissions for a shared directory, allowing that user to read files in the directory, write to them, and delete them. Each user can be assigned Y permission, N permission, one or more of the R, W, C, D, X, A, and P permissions, or no permissions at all. A group can be assigned Y permission, one or more of the R, W, C, D, X, A, and P permissions, or no permissions. ──────────────────────────────────────────────────────────────────────────── NOTE For a user at an MS-DOS workstation to run a program file (with a .COM, .EXE, or .BAT extension), the user must have R permission for both the file and the directory. ──────────────────────────────────────────────────────────────────────────── Printer Queue Permissions The following list describes the three types of permissions you can assign to printer queues. Y (Yes) User can send jobs to the printer queue. N (No) User cannot access the printer queue. Y+P (Yes+Change Permissions) User can send jobs to and set access permissions for the printer queue. "Yes," "No," and "Yes+P" are used to refer to these permissions on the LAN Manager Screen. When assigning permissions with the net access command, use Y or C to represent the Yes permission, N or a space to represent the No permission, and CP permissions to represent the Yes+P permission (for printer queues, Y permission is equivalent to C permission). Comm Queue Permissions The following list describes the three types of permissions you can assign to comm queues. Y (Yes) User can send requests to the comm queue. N (No) User cannot access the comm queue. Y+P (Yes+Change Permissions) User can send requests to and set access permissions for the comm queue. "Yes," "No," and "Yes+P" are used to refer to these permissions on the LAN Manager Screen. When assigning permissions with the net access command, use Y or RWC to represent the Yes permission, N or a space to represent the No permission, and RWCP permissions to represent the Yes+P permission (for comm queues, Y permission is equivalent to RWC permissions). Named Pipe Permissions Named pipes are used in interprocess communication (IPC), which is communication by different processes running parts of a program. The separate processes may be on the same computer or on different computers. Named pipes are created by some network applications and are used to send information back and forth between computers running the application. See the documentation for your network applications to find the names of named pipes they create. For example, two pipes created by Microsoft SQL Server are \PIPE\SQL\QUERY, which is used for SQL-related communications, and \PIPE\SQL\CONSOLE, which is used for backing up the database to a disk. You can assign permissions to named pipes to restrict the use of the applications that use those named pipes. For example, to allow all users except bobju to use SQL Server to make database queries, you could give the group users Y permission to \PIPE\SQL\QUERY, but give bobju N permission to that resource. The following list describes the three types of permissions you can assign to named pipes. Y (Yes) User can access the named pipe. N (No) User cannot access the named pipe. Y+P (Yes+Change Permissions) User can access and set access permissions for the named pipe. "Yes," "No," and "Yes+P" are used to refer to these permissions on the LAN Manager Screen. When assigning permissions with the net access command, use Y or RW to represent the Yes permission, N or a space to represent the No permission, and RWP permissions to represent the Yes+P permission (for named pipes, Y permission is equivalent to RW permissions). How Resource Permissions are Applied Permissions can be granted to both users and groups, with one exception: N permission can't be granted to a group. Use the N permission only to exclude a user from accessing a resource for which you have given access to a group to which the user belongs. For example, to allow all users except kathykn to access the printer queue LASER, grant Y permission to the group users but give kathykn N permission. If a user belongs to two groups, both of which are granted permissions for a resource, then that user has all permissions granted to either group. For example, suppose donj is a member of users and of marketers. If users is granted RW permissions for the resource REPORTS, and marketers is granted WC permissions, then donj has RWC permissions. If permissions are explicitly granted to a specific user, then that user has only those permissions, no matter what permissions may be assigned to any groups that the user is a member of. For example, if you give beckys, also a member of users and marketers, only R permission for REPORTS in the preceding example, then the permissions given to users and marketers are ignored for beckys, and she would have only R permission. Administrators at a server (people with accounts at the server with admin privilege) can access all resources shared on that server, despite the access permissions that the resources have. Even if you assign an administrator N permission for a resource, the administrator can still use the resource. Setting Permissions and Auditing for a Directory or File The procedure in this section explains how to set permissions and auditing for a directory or file. Use this procedure to set permissions and auditing for the following types of directories and files: ■ Directories that will be shared, and the files and subdirectories of those directories. (You can also do this when you share the directory.) ■ All directories and files on HPFS386 partitions of a server with local security. Local security is explained in the "Local Security on 386 Servers" section, later in this chapter. This procedure is also used to set default permissions for a drive or partition with the FAT file system. Default permissions are set for the drivename of the drive or partition (such as C:). On a FAT partition, a file or directory that doesn't have permissions set for itself or for its parent directory takes the default permissions you set for the drive. Default permissions are explained in Chapter 7, "Disk Resources." To set or change permissions and auditing for a directory or file: 1. From the Accounts menu, choose File permissions. The dialog box shown in Figure 4.9 appears. (This figure may be found in the printed book). 2. In the "Filename" text box, type the absolute path (including the drive) of the file or directory (to set default permissions for a drive or partition, type just the drivename, such as C:). Or use the list box with the <Dir> command button: ■ Select the drive that contains the directory or file you want, then choose <Dir>. ■ If the directory or file you want now appears in the list box, select it. Otherwise, you will need to continue moving down through the directory tree. To do so, in the list box, select a directory, then choose <Dir>. The subdirectories and files of that directory now appear in the list box. Repeat this process until you find the directory or file you want, and then select that file or directory. ■ To choose the directory that the list box is displaying the contents of, select "<current directory>." ■ To move up the directory tree to a parent directory or drive, select "<parent directory>." 3. Choose <Zoom>. The following dialog box appears: (This figure may be found in the printed book). This dialog box displays permissions for the selected directory or file. The "Permitted" list box lists groups and users on the server who are assigned permissions for this file or directory (groupnames are preceded by an asterisk), along with the permissions they have. The "Not permitted" list box lists groups and users who don't have permissions. 4. Set the permissions for the directory or file: ■ To grant permissions to a group or user, in the "Not permitted" list box, select the groupname or username. From the "Permissions" option buttons, select the permissions that you want the group or user to have, then choose <Permit>. The groupname or username moves to the "Permitted" list box, along with its permissions. ■ To change the permissions for a group or user, in the "Permitted" list box, select the groupname or username. From the "Permissions" option buttons, select the permissions that you want the group or user to have. The permissions displayed in the "Permitted" list box change as you change the permissions. ■ To set the permissions for the directory or file to the default, mark the "Use default permissions" check box. For more information about default permissions for directories and files, see Chapter 7, "Disk Resources." ■ To revoke the permissions for a group or user, in the "Permitted" list box, select the groupname or username, then choose >. ■ To revoke permissions for all users, choose >. 5. To specify which types of events to audit for the directory or file, choose <Auditing>. The following dialog box appears: (This figure may be found in the printed book). 6. To turn on auditing, mark the "Auditing enabled" check box. 7. From the "Audited events" check boxes, mark one or more events to be audited. Or to audit all the listed events, choose <Set all>. 8. Choose <OK>. 9. Choose <OK>. 10. If the permissions and audited events you just set were for a directory, and you want them to apply to every subdirectory and file in the directory tree of this directory, choose <Permit tree>. (If the "Filename" text box displays the name of a directory, and you want to remove all permissions for that directory and all subdirectories and files in the directory tree of that directory, choose >.) 11. Choose <Done>. For more information about auditing resources and the audit trail, see Chapter 16, "Monitoring the Network." Command Line To set permissions and auditing for a directory or file: ■ Assign permissions for a directory or file by typing net access drive:path /add [name:permission[ ...]] ■ Assign audited events for a directory or file by typing net access resource /trail:{yes | no} or net access resource /failure[:{all | none | event[,...]}] or net access resource /success[:{all | none | event[,...]}] See Net Access, Microsoft LAN Manager Administrator's Reference. Setting Permissions and Auditing for a Non-Disk Resource Non-disk resources are printer queues, comm queues, and named pipes. Use the following procedure to set or change permissions for a queue or pipe, or to set default permissions for the server's printer queues, comm queues, or named pipes. (For printer queues and comm queues, you can also set permissions when you share the queue.) To set or change permissions and auditing for a non-disk resource: 1. From the Accounts menu, choose Other permissions. The following dialog box appears: (This figure may be found in the printed book). The "Access type" list box shows the types of non-disk resources. The "Resource name" list box shows the queues or pipes for which permissions and auditing have been set. 2. In the "Access type" list box, select the type of resource for which you want to set permissions and auditing. The entries in the "Resource name" list box change to reflect the selection in the "Access type" list box. 3. Select the resource for which you want to set permissions and auditing: ■ To set default permissions and auditing for the resource type, in the "Resource name" list box, select "Default," then choose <Zoom>. Default permissions will be used for resources for which you don't set permissions and auditing individually. For example, default printer queue permissions will be used for any shared printer queues for which you don't set permissions. ■ To set permissions and auditing for a queue or pipe that does not appear in the "Resource name" list box, choose <Add entry>. ■ To change the permissions and auditing for a queue or pipe, in the "Resource name" list box, select the queuename or pipename, then choose <Zoom>. A dialog box similar to the following appears: (This figure may be found in the printed book). The title of the dialog box depends on the type of resource you have selected. Otherwise, the dialog boxes used for printer queues, comm queues, and named pipes are identical. The "Permitted" list box shows groups and users with permissions to use the queue or pipe (groupnames are preceded by an asterisk). The "Not permitted" list box shows all other groups and users. 4. Set permissions for the queue or pipe: ■ To grant permissions to a group or user, in the "Not permitted" list box, select the groupname or username. From the "Assigned permission" option buttons, select the permission you want to assign to the group or user, then choose <Permit>. The groupname or username moves to the "Permitted" list box. ■ To change the permissions for a group or user, in the "Permitted" list box, select the groupname or username. From the "Assigned permission" option buttons, select the permission you want the group or user to have. ■ To revoke the permissions for a group or user, in the "Permitted" list box, select the groupname or username, then choose >. ■ To revoke permissions for all users, choose >. ■ If you are setting permissions for an actual queue or pipe (not setting default permissions), you can set the permissions to the default by marking the "Use default permissions" check box. 5. To audit successful or failed attempts to use this resource (or both), from the "Enable auditing for" check boxes, mark one or both check boxes. 6. Choose <OK>. 7. Choose <Done>. Command Line To set permissions and auditing for a non-disk resource: ■ Assign permissions for a non-disk resource by typing net access resource /add [name:permission[ ...]] ■ Assign audited events for a non-disk resource by typing net access resource /trail:{yes | no} or net access resource [/failure:{all | none | event}] [/success:{all | none | event}] See Net Access, Microsoft LAN Manager Administrator's Reference. Local Security on 386 Servers A 386 server with the high-performance file system (HPFS) and user-level security can have local security. Local security extends user-level security so that file access permissions apply to local users─users working at the server itself─as well as to remote users. Local security makes a server completely secure from unauthorized access. It protects the server's files at all times, regardless of whether the Workstation service or any other part of LAN Manager is running. When a local user tries to access a file on an HPFS partition on the server, LAN Manager checks the permissions for the file. Access is allowed only if the user has been granted sufficient permissions. LAN Manager also checks file permissions when a user runs a program that accesses files. On a server with local security, file-access auditing is also improved. Auditing of the files and directories on the server's HPFS partitions begins when the computer is started, even if the Server service isn't started. When LAN Manager is installed on a 386 server, the server's HPFS file system is replaced with HPFS386. Local security protects all files on drives and partitions with HPFS386. Files on drives and partitions with the FAT file system are not protected by local security (but they are still protected from unauthorized remote access by user-level security). To install local security on the server, use the Setup program. If you want to run local security on a server but it isn't installed, install it now using the Setup program. For more information about the Setup program, see the Microsoft LAN Manager Installation Guide. Starting a Server with Local Security When the computer starts, many system processes must run. On a server with local security, these won't run correctly if the special group local lacks RX permissions for some system files. For more information about the group local, see the following section. If the system processes can't run, the computer can't start correctly. To help you solve problems caused by incorrect permissions for system files, LAN Manager displays the following prompt when a server with local security is started: LAN Manager local security has started. Press ESC to log on now, or press ENTER to start the computer with no one logged on. Pressing ESC causes a logon prompt to appear on the screen, and you can then log on at the server. System initialization will then continue. If you press ENTER, the computer will start with no one logged on. If the computer isn't starting properly with no one logged on, restart it and press ESC when this prompt appears, then log on using an account that has admin privilege on the server. The computer should start correctly, and you can then adjust the local group's permissions for the system files so that the computer will be able to start with no one logged on. For more information about what system files are involved in computer startup, see the "Local Security Guidelines" section, later in this chapter. Only administrators can start services on servers with local security. Whenever you stop administering the server, be sure to log off, so that other users can't start working at the server using your account with admin privilege. File Access with Local Security LAN Manager creates a special group called local on servers with local security. This group represents local users of the server. When a user begins working at the server, he or she temporarily becomes a member of local and gains the permissions granted to local. Any user has these permissions as long as he or she works at the server's keyboard. A local user gains the permissions granted to local whether or not he or she is logged on. If the user is logged on to the network, he or she also has the permissions granted to his or her own user account, and to any groups he or she is a member of. If a user with admin privilege is logged on, the user can access all files on the server, regardless of permissions. LAN Manager provides the logon utility as a way to log on locally at a server with local security. This utility lets a user gain the permissions granted to his or her account on the local server, but not to use the network in any other way. Users can use the logon utility when they want to gain the local file permissions granted to their own accounts, but for some reason can't or don't want to access the network. The logon utility is used with the following syntax: logon username password If a person uses the logon utility when the Workstation service isn't running on the server (logging on to the local server only), the logon request is processed at the local server only─LAN Manager checks for the username and password in the local server's user accounts database. If the username and password don't match an account in the local database, the logon request is denied. When a local logon request is validated, LAN Manager displays the following message: Username logged on successfully in the LOCAL domain. If the Workstation service is running, the logon utility has the same effect as the net logon command, and a user typing logon will log on to the network. If the domain has logon security, the logon request will be processed at a logon server; if the domain doesn't have logon security, the logon request will be processed as a standalone logon. LAN Manager also has a logoff utility, which lets a user log off from a server locally. All users (especially administrators) should be sure to log off when finished working at a server with local security, to prevent other users from working at the server and gaining the original user's permissions and privilege. ──────────────────────────────────────────────────────────────────────────── NOTE If you log on locally to a server with local security, then log on to the network and log off from the network, you are also logged off from the local server. ──────────────────────────────────────────────────────────────────────────── For more information about the logon and logoff utilities, see the Microsoft LAN Manager Administrator's Reference. The following list summarizes the permissions and abilities of a user working at the console of a server with local security. Local user not logged on User has only the permissions granted to local, and can't access the network. Local user logged on only to local server User has permissions granted to local and the permissions granted to his or her account, and can't access the network. Local user logged on to the network User has permissions granted to local and the permissions granted to his or her account, and can access the network. ──────────────────────────────────────────────────────────────────────────── NOTE If the local user has logged on to the network with a username that is not found in the local server's user accounts database, or logs on to the network with a username found in the local user accounts database but without the password matching that username in the local database, the user has only the permissions granted to local. ──────────────────────────────────────────────────────────────────────────── Local Security Guidelines On a server with local security, the local security restrictions begin when the computer starts, before many of the system initialization files run. Therefore, the group local must have permission to execute these files, so that the computer starts and works correctly, even when no one is logged on. To facilitate this, the Setup program automatically grants local permissions for certain files when local security is installed. These permissions are shown in Table 4.2. Table 4.2 Permissions Granted to local on Servers with Local Security ╓┌────────────────────────────────────────────────────────────────┌────────── File or directory Permissions ──────────────────────────────────────────────────────────────────────────── Root directories of all HPFS386 drives and partitions RX Each directory specified in PATH RX File or directory Permissions ──────────────────────────────────────────────────────────────────────────── Each directory specified in PATH RX C:\OS2 RX C:\OS2\SYSTEM RX C:\OS2\DLL RX C:\OS2\BOOK RX C:\OS2\INTRO RX C:\OS2\OS2.INI RWX C:\OS2\OS2SYS.INI RWX ──────────────────────────────────────────────────────────────────────────── LANMAN RX File or directory Permissions ──────────────────────────────────────────────────────────────────────────── LANMAN RX LANMAN\SETUP.* None LANMAN\NETPROG RX LANMAN\NETPROG\HPFS.386 None LANMAN\NETPROG\HPFS386.IFS None LANMAN\SERVICES RX LANMAN\NETLIB RX LANMAN\ACCOUNTS\NET.ACC RX LANMAN\ACCOUNTS\NETACC.BKP None ──────────────────────────────────────────────────────────────────────────── File or directory Permissions ──────────────────────────────────────────────────────────────────────────── ──────────────────────────────────────────────────────────────────────────── C:\PUBLIC RWX C:\SPOOL RWXCD The directories specified by the environment variables TMP and RWXCD TEMP, if either or both exists ──────────────────────────────────────────────────────────────────────────── Once LAN Manager has been installed, you can modify these permissions. However, when doing so, and when setting permissions for any files on a server with local security, keep in mind the following security guidelines for each type of file: ■ System files─System files include CONFIG.SYS, PRIVINIT.CMD, STARTUP.CMD, OS2INIT.CMD, LANMAN.INI, SECURESH.EXE, and base device drivers such as BASEDD.SYS and the DISK01.SYS disk device driver. These files are used when the computer starts, so for the computer to be able to start with no one logged on, local must have RX permissions for them. However, only an administrator should modify these files, so do not grant local W, C, or D permission for them. You have two options for setting permissions for OS2.INI and OS2SYS.INI. Giving local RXW permissions for these files allows all local users to modify the configuration of the computer's Presentation Manager, performing tasks such as determining what programs are listed in the "Start Programs" dialog box. If local is given only RX permissions for these files, then how the computer is started determines whether users will be able to configure Presentation Manager: if an administrator or a user with W permission for the OS2.INI and OS2SYS.INI files logs on at the special logon prompt displayed during system startup, then all users will be able to configure Presentation Manager until the computer is restarted. Otherwise, nobody (even administrators) will be able to configure Presentation Manager until the computer is restarted. The C:\ directory contains many system files. To ensure the security of these files, do not give local W, D, or C permissions to the C:\ directory. ■ Data files─For public data files that can be read by any user, grant local R permission. For data files that are written to by programs that all users are allowed to use, grant local RW permissions. For private user data files, do not give any permissions to local. Give permissions only to the appropriate users. ■ Executable programs and dynamic link libraries─These are programs and files with .EXE and .DLL filename extensions (dynamic link libraries are files of commands used internally by executable programs). For those used by general users, grant local RX permissions. In general, it is safe to grant RX permissions for executable files, as long as the permissions for the data files that these programs may modify are set correctly. For programs and dynamic link libraries used only by administrators, grant no permissions to local or any other user or group. Don't grant W permission for any program or dynamic link library, to prevent users from substituting these files with others. Also, don't grant C permission for any directory specified in the MS OS/2 path command. These steps help ensure that no viruses or trojan horses get onto the server. ■ NET.ACC file─The NET.ACC file contains the server's user accounts database. The Setup program gives local RWX permissions for NET.ACC. Giving local these permissions should not cause security problems, as the account information in NET.ACC is stored in binary format (instead of ASCII text) and thus isn't easily readable with a text editor. Also, as long as the Workstation service is running, it keeps the NET.ACC file open, so commands and programs that need exclusive access to a file (such as the MS OS/2 copy and del commands) will not work on NET.ACC while LAN Manager is running. You can choose to revoke the permissions for NET.ACC given to local. If you do so, users who have accounts on the server won't be able to view or change their passwords or user comments while working locally at the server (but will still be able to do so from remote workstations). All other LAN Manager commands will still work if you revoke the local group's NET.ACC permissions. NETACC.BKP is the NET.ACC backup file created by the backacc utility. All users and groups should always be prevented from accessing it in any way. Background Processes On servers with local security, all background processes are subject to file access permissions. Every process always has the permissions granted to the local group. Also, while a user is logged on locally at the server, the process has the permissions granted to that user. While an administrator is logged on, the process can access all files on the server, just as administrators can. While a background process is running, several different users may log on and log off. If the process is not privileged, then each time a user logs on, the process gains the permissions granted to that user, in addition to the permissions of local. When the user logs off, the process loses the permissions of that user and again has only the permissions of local. Privileged Processes Many processes must have access to all the server's files, regardless of who logs on to or off from the server locally. To let these processes work, the administrator can run them as privileged processes. These processes can access all files on the server, whether or not anyone is logged on locally. Only an administrator can make a process privileged, and only when starting the process. An administrator has two ways to start a privileged process when the computer starts: ■ Put the command starting the process in PRIVINIT.CMD, which is located in the C:\ directory. This is a special batch program run when a computer with local security starts. Each command in PRIVINIT.CMD is started as a privileged process. Commands in PRIVINIT.CMD are not automatically run as background processes. To start a background process from PRIVINIT.CMD, use the MS OS/2 detach command. For more information about the detach command, see your operating system manual(s). ■ Put the command to start the program in CONFIG.SYS using the run command. Programs started with the run command are always started as background processes. For more information about the run command, see your operating system manual(s). Commands in STARTUP.CMD and OS2INIT.CMD are not run as privileged processes. ──────────────────────────────────────────────────────────────────────────── NOTE LAN Manager services must be started as privileged processes. To have a service start automatically when the computer starts (before anyone logs on at the server), put the net start command in PRIVINIT.CMD. On servers with local security, do not start LAN Manager services from STARTUP.CMD. ──────────────────────────────────────────────────────────────────────────── To start a privileged process at the MS OS/2 prompt once the computer is running, type priv followed by the command to start the process. For example, suppose sort is normally started in the background by typing detach sort < source > destination To start sort as a privileged background process, type detach priv sort < source > destination ──────────────────────────────────────────────────────────────────────────── NOTE LAN Manager services are an exception to this requirement. When started by an administrator, LAN Manager services are automatically treated as privileged processes─using the priv command is unnecessary. ──────────────────────────────────────────────────────────────────────────── When you start a program as a privileged process, the privilege applies only to that instance of the program. If you or another user runs the program again later, the program is not automatically privileged. This applies to privileged processes started both from the command line and by the PRIVINIT.CMD file. Descendant processes started by a privileged process─no matter how the privileged process was started─are also privileged. ──────────────────────────────────────────────────────────────────────────── NOTE Be careful when using the Netrun service on a server with local security. The Netrun service must be started as a privileged process, so processes run on the server by a remote user (using the Netrun service) are also privileged processes. ──────────────────────────────────────────────────────────────────────────── SECURESH.EXE and the CONFIG.SYS File When local security is installed, LAN Manager adds the pathname of the file SECURESH.EXE to the protshell entry of the CONFIG.SYS file. SECURESH.EXE implements local security on the server's files. By default, LAN Manager adds SECURESH.EXE to CONFIG.SYS without any options, but SECURESH.EXE can take two options: protshell=securesh.exe [/n] [/f:pathname] files (files represents the original value of protshell, to which LAN Manager added SECURESH.EXE.) The /n option nullifies local security, causing all users and processes to have access to all files on the server. However, if this option is specified, PRIVINIT.CMD (or the file specified by the /f option) is still executed, and auditing the file use for the server's HPFS386 partitions still begins when the computer is started. Use the /n option if you need to temporarily disable local security (to fix problems with the computer's configuration, for example), and if you want the PRIVINIT.CMD file to run automatically as usual. The /f option specifies a filename other than PRIVINIT.CMD to be executed as privileged when the computer starts. This file should be in a drive or partition with HPFS386, ensuring that it will be protected by local security. If you specify a file with this option, PRIVINIT.CMD will not be run when the computer starts. Upgrading MS OS/2 or LAN Manager To prepare LAN Manager for upgrade or removal, see the Microsoft LAN Manager Installation Guide. Chapter 5 Share-Level Security ──────────────────────────────────────────────────────────────────────────── With share-level security, each shared resource is protected with a single password. The administrator assigns this password when sharing the resource and controls who has access to the resource by controlling who knows the password. To gain access to a shared resource, a user has to know the password for that resource. User accounts are not created on servers with share-level security. ──────────────────────────────────────────────────────────────────────────── NOTE The default security mode is user-level security. If you're not sure what type of security the server has, type net config server. To change from user-level security to share-level security, use the Setup program's configuration management feature. For information about using the Setup program, see the Microsoft LAN Manager Installation Guide. ──────────────────────────────────────────────────────────────────────────── Administering a Server with Share-Level Security To locally administer a server with share-level security, just start the server and log on. You can then share resources and use other administrative commands. When you start a server with share-level security, you must decide whether to share the administrative resources ADMIN$ and IPC$. ADMIN$ controls remote administration of the server. You must share it to be able to administer the server remotely. If you share ADMIN$, assign a password to it and give that password only to people who you want to remotely administer the server. If you share ADMIN$ with no password, any network user can administer the server from a workstation running LAN Manager for MS OS/2 or LAN Manager Enhanced for MS-DOS. Note that changing the ADMIN$ password when users have active sessions will not change the status of those sessions. The sessions remain active until the users disconnect their workstations from the server. When a user begins to administer the server remotely (by typing net admin \\computername or setting the focus on the server), LAN Manager prompts the user for the ADMIN$ password. When you begin administering a server with share-level security, you will probably want to share IPC$. It enables interprocess communication (IPC), which is necessary for users to view the list of resources shared at the server, for the Netrun service and some network applications to work, and for remote administration. It is easiest to share IPC$ with no password. If IPC$ is password protected, users must first make a connection to IPC$, supplying the password, before performing any task requiring IPC$ (including viewing the list of resources shared on the server). For details about the use and sharing of ADMIN$, IPC$, and the other special administrative resources, see Chapter 6, "Administrative Resources." Setting Resource Permissions When you share a resource, you can assign a password to the resource. Only users who know the password will be able to access the resource. When you share a directory as a resource, you also set permissions for the resource. Permissions define what types of action can be taken by users who make a connection to that resource. These permissions apply to each user who accesses the directory, and are the same for the shared directory and each of its subdirectories and files. For directories on servers with share-level security, there are seven types of permissions. The following list describes each permission and what each allows users to do. R (Read) Users can read and copy files, run programs, and change from one subdirectory to another within the shared directory. Users can also read the extended attributes of files. W (Write) Users can write the contents and extended attributes of a file. C (Create) Users can create files and subdirectories within the shared directory. After creating a file, a user with C permission can read from or write to the file and its extended attributes only until closing it. D (Delete) Users can delete files and subdirectories within the shared directory, but not the shared directory itself. X (Execute) Users can execute a file. Only computers with MS OS/2 recognize X permission. To let a user with an MS-DOS workstation run a file, you must assign R permission for the directory. ──────────────────────────────────────────────────────────────────────────── NOTE X permission isn't needed if R permission is assigned for the directory. R permission includes all rights that X permission grants. ──────────────────────────────────────────────────────────────────────────── A (Change Attributes) Users can set the physical file flags of the file. P (Admin only) Users can access the directory only if the user has administrator status. Users gain administrator status by making a connection to the ADMIN$ resource. When sharing a directory as a resource, you can grant any combination of these permissions, depending on how you want users to be able to access the directory. When you share a directory as a resource and grant permissions for it, those permissions apply only to that resource─they are not assigned to the directory itself, so if you share the directory again you can grant different permissions for it. ──────────────────────────────────────────────────────────────────────────── NOTE To share a directory and give different permissions to different people, share the directory twice, with different sharenames, passwords, and permissions. For example, you could share the directory C:\SALES with the sharename SALES1 with only R permission, and also share it with the sharename SALES2 with RWCDA permissions. You might share SALES1 with no password, allowing all users to read the information in the directory, but share SALES2 with a password and let only certain users know the password. ──────────────────────────────────────────────────────────────────────────── When you share a printer queue, grant C permission for the queue. When sharing a comm queue, grant RWC permissions. For either type of queue, you can also grant P (admin-only) permission; doing so restricts access to the queue, allowing only users with administrator status to use the queue. With share-level security, permissions are effective only until you stop sharing the resource. No record of the permissions is saved. To save the permissions associated with a shared resource, save a profile, and load the profile later to recreate the resource configuration. For more information, see Chapter 10, "Profiles." For a full explanation of how resources are shared and assigned permissions on servers with share-level security, see Part 3, "Sharing Resources." PART III Sharing Resources ──────────────────────────────────────────────────────────────────────────── Servers make disk resources and devices available over the local-area network through a process known as sharing. The first four chapters in Part 3 tell how to share the four types of resources. Chapter 6 discusses the sharing of the special administrative resources that support remote use and administration of the server. Chapter 7 tells how to share the server's directories. Chapters 8 and 9 tell how to share printer queues and communication-device queues (comm queues), which store and route users' requests to devices on servers. The final chapter, Chapter 10, explains how to use profiles. Profiles allow you to save and load a server's configuration of shared and used resources. Chapter 6 Administrative Resources ──────────────────────────────────────────────────────────────────────────── A server's administrative resources are used when network users and administrators perform certain tasks on the server. These tasks include viewing the resources that the server is sharing, administering the server remotely, using the Netrun service, and running distributed applications. How a server's administrative resources are shared determines which of these tasks can be performed on the server. Whether a server has user-level or share-level security determines what kind of access a user has to these resources, and whether the resources are shared automatically when the server starts. This chapter explains the functions of each of the administrative resources, and tells how to share and stop sharing them on servers with user-level or share-level security. Using the Administrative Resources The administrative resources are ADMIN$, IPC$, and the disk administrative resources. They are hidden from most network users─only administrators can see them when using the LAN Manager Screen to view the resources that the server is sharing. ADMIN$ ADMIN$ controls remote administration. A server's ADMIN$ resource must be shared for an administrator to administer the server remotely. To administer a server remotely, an administrator does not need to make a connection to ADMIN$. When a remote administration session begins, LAN Manager makes the connection automatically. An administrator working at a remote computer can make an explicit connection to a server's ADMIN$ resource, however. Making such a connection gives the administrator access to all files and programs in the LAN Manager directory. When a server with user-level security starts, LAN Manager automatically shares ADMIN$. Sharing ADMIN$ is not automatic on servers with share-level security. An administrator must share the resource. To prevent security breaches, it is important to assign the ADMIN$ resource a password and to give the password only to people who will administer the server remotely. Anyone who connects to the ADMIN$ resource on a server with share-level security becomes an administrator for the server. You can limit the number of users who can perform remote administration on the server by changing the "Max. users" value for ADMIN$. See the "Changing Administrative Resource Options" section, later in this chapter. When you set or change the limit for "Max. users," it overrides the numadmin value set in the [server] section of the LANMAN.INI file. IPC$ IPC$ controls interprocess communication (IPC). IPC is the communication between different processes of a program, different computers running parts of a single program, or two programs working together. In LAN Manager, IPC takes place when a user or administrator performs one of the following actions: ■ Views a list of a server's available resources. ■ Administers the server remotely. ■ Uses the Netrun service. ■ Runs a distributed application. Distributed applications are software products, such as Microsoft SQL Server, that are designed to run on a network. In these applications, individual computers run programs that cooperate to get a single job done. IPC$ must be shared for any of these tasks to be performed. On a server with user-level security, LAN Manager automatically shares IPC$. On a server with share-level security, an administrator must share IPC$; it is not shared automatically. Users and administrators usually don't need to make an explicit connection to IPC$. When IPC$ is needed, LAN Manager automatically makes a connection. You can assign IPC$ a password on a server that has share-level security, but this is not recommended. If you assign IPC$ a password, users must supply the password to view lists of resources available on the server, to use the Netrun service, and to run distributed applications. Also, to perform remote administration when IPC$ has a password, administrators must first connect to ADMIN$, then supply both the ADMIN$ and the IPC$ passwords. ──────────────────────────────────────────────────────────────────────────── NOTE To enable remote administration of a server, a server must share ADMIN$ and IPC$. To prevent remote administration, you can choose not to share ADMIN$ or IPC$, or both. However, if IPC$ is not shared, users cannot view the server's resources and use the Netrun service. To prevent remote administration but allow these other features, share IPC$ but not ADMIN$. ──────────────────────────────────────────────────────────────────────────── Disk Administrative Resources The disk administrative resources represent the server's disk drives. One of these is automatically shared for each of the server's drives whenever you start a server with either user-level or share-level security. The sharename for each disk administrative resource is the drive letter followed by $. For example, when you start a server with A, B, and C drives, LAN Manager shares the A$, B$, and C$ resources. Only administrators can connect to the disk administrative resources. Doing so gives an administrator access to all directories and files on the server's drives. Administrators working at remote computers cannot access a server's administrative resources unless ADMIN$ and IPC$ are shared. Sharing an Administrative Resource ADMIN$ and IPC$ must be explicitly shared on a server with share-level security. To control remote administration or access to named pipes, you can stop or start sharing ADMIN$ and IPC$. Disk administrative resources are shared automatically. For more information, see the "Sharing a Disk Administrative Resource" section, later in this chapter. Sharing ADMIN$ and IPC$ To share ADMIN$ or IPC$: 1. From the View menu, choose Shared resources. The dialog box shown in Figure 6.1 appears. (This figure may be found in the printed book). The list box shows the resources the server is sharing. Administrative resources are not displayed unless the "Show hidden shares" check box is marked. 2. To display shared administrative resources, mark the "Show hidden shares" check box. 3. Choose <Add share>. The following dialog box appears: (This figure may be found in the printed book). 4. Select the "Admin share" option button, then choose <OK>. The following dialog box appears: (This figure may be found in the printed book). If the server has share-level security, a "Password" text box appears in the dialog box. 5. From the "Sharename" option buttons, select either "ADMIN$" or "IPC$." 6. In the "Remark" text box, optionally type a descriptive comment to be displayed when administrators view lists of the server's shared resources. ──────────────────────────────────────────────────────────────────────────── NOTE If you do not type a comment for this resource, LAN Manager displays the default comment─"Remote IPC$" for IPC$, or "Remote ADMIN$" for 7. To protect the ADMIN$ resource (if the server has share-level security), in the "Password" text box, type a password for the resource. To let users more easily perform tasks requiring interprocess communication, do not type a password for the IPC$ resource. 8. If you don't want to limit the number of people who can use the resource simultaneously, from the "User limit" option buttons, select "Unlimited." To set a limit, select "Max. users," and type the number in the text box. 9. If you are sharing the IPC$ resource and want to make it available only to administrators, mark the "Admin only" check box. 10. Choose <OK>. 11. Choose <Done>. Command Line To share ADMIN$ or IPC$: ■ Share ADMIN$ by typing net share ADMIN$ [password] ■ Share IPC$ by typing net share IPC$ [password] See Net Share, Microsoft LAN Manager Administrator's Reference. Sharing a Disk Administrative Resource Disk administrative resources are shared automatically. If you have stopped sharing a disk administrative resource, however, you must start sharing the resource again. This can be done from the command line only. Command Line To share a disk administrative resource, type net share sharename=devicename [password] See Net Share, Microsoft LAN Manager Administrator's Reference. Changing Administrative Resource Options You can change the configuration of an administrative resource that has been shared on a server with user-level or share-level security. The options you can change are ■ The remark for the administrative resource ■ The user limit ■ Who is permitted to use the resource, such as administrators only or all users To change administrative resource options: 1. From the View menu, choose Shared resources. The "Shared Resources at \\server" dialog box (Figure 6.1) appears. 2. If the list box does not display administrative resources, mark the "Show hidden shares" check box. 3. In the list box, select the administrative resource, then choose <Zoom>. The following dialog box appears: (This figure may be found in the printed book). 4. Change any options that you want to change, then choose <OK>. 5. Choose <Done>. Command Line To change administrative resource options, type net share sharename [/permissions:permissions] [/users:number | /unlimited] [password] [/remark:"text"] See Net Share, Microsoft LAN Manager Administrator's Reference. Stop Sharing an Administrative Resource To stop sharing an administrative resource: 1. From the View menu, choose Shared resources. The "Shared Resources at \\server" dialog box (Figure 6.1) appears. 2. If the list box does not display administrative resources, mark the "Show hidden shares" check box. 3. In the list box, select the administrative resource, then choose <Stop sharing>. 4. When prompted for confirmation, choose <OK>. 5. Choose <Done>. Command Line To stop sharing an administrative resource, type net share sharename /delete See Net Share, Microsoft LAN Manager Administrator's Reference. Chapter 7 Disk Resources ──────────────────────────────────────────────────────────────────────────── With LAN Manager you can share directories and specify which users have access to the directories. Any directory on the server can be shared, including the root directory. When sharing a directory, you assign it a sharename, which identifies the shared directory to users. No two resources on a server can have the same sharename. By assigning permissions for shared directories, you determine what types of actions users can take with the directories. LAN Manager also lets you audit how users access shared directories. You specify what types of access attempts are audited. Entries are written to the audit trail when the specified events occur. Permissions and auditing work differently for servers with user-level and share-level security. With user-level security, permissions and auditing can be set for individual files, directories, or drives. With share-level security, permissions and auditing can be set for all accesses to a shared resource. Directory Access with User-Level Security When sharing a directory on a server with user-level security, you specify the names of groups and users who can access the shared directory and its subdirectories and files. You also define the permissions each group or user has for the shared directory. You can set different permissions for each subdirectory and file in the shared directory. The following list explains the access that each type of permission allows for directories shared on a server with user-level security. R (Read) User can read and copy files, run programs, and change from one subdirectory to another within the shared directory. User can also read the extended attributes of files. W (Write) User can write the contents and extended attributes of a file. Note that when a user with an MS-DOS workstation opens a shared file to write to it, and then truncates the file, the file is recreated. Therefore, to give users with MS-DOS workstations full write access to a file, assign them C (Create) permission as well as W permission. C (Create) User can create files and subdirectories within a shared directory. After creating a file, a user with C permission can read from or write to the file and its extended attributes only until closing it. D (Delete) User can delete files and subdirectories within the shared directory, but can't delete the shared directory itself. X (Execute) User can run a file (but not read or copy it). Only MS OS/2 computers recognize X permission. To allow a user with an MS-DOS workstation to run a program, grant that user R permission. ──────────────────────────────────────────────────────────────────────────── NOTE X permission isn't needed if R permission is assigned to the user for that directory or file. R permission includes all rights that X grants. ──────────────────────────────────────────────────────────────────────────── A (Change Attributes) User can set the physical file flags of the file. P (Change Permissions) User can change the permissions for the directory or file. Giving a user P permission for a directory allows the user to change the permissions for only that directory, not to change the permissions for any subdirectories of the directory. Y (Yes) Gives the user RWCDA permissions. Y serves as an abbreviation for this set of permissions. N (No) Prevents the user from accessing the directory or file. Use this permission to exclude individual users from access to a directory or file, despite the permissions that are assigned to the groups to which that user belongs. You can assign N permission only to individual users. Assigning Inherited Permissions Inherited permissions can be assigned to files and directories within a shared disk resource. Inherited permissions apply to an entire directory tree, and can only be assigned using the LAN Manager Screen. To use inherited permissions, you set permissions for a directory, then specify those permissions to be copied down through the directory tree to all files and subdirectories under that directory. Assigning Default Permissions If you don't set permissions for a directory or file, LAN Manager uses default permissions, determined by other permissions you have set: ■ If you have set explicit permissions for a parent directory of a file or subdirectory, then those permissions are used as the default by all files and subdirectories contained in the parent directory. ■ If permissions have not been set for a parent directory, and the drive containing the file or directory uses the file allocation table (FAT) file system or the high-performance file system (HPFS) provided with MS OS/2, then the default permissions are the permissions set for the drive. NOTE HPFS386 doesn't recognize default permissions set for drives. You set drive permissions by setting permissions for the drive letter (such as C:). Initially, a drive has no permissions. Figure 7.1 shows the effects of explicit and default permissions for a shared directory. (This figure may be found in the printed book). Auditing Disk Use When you share a directory on a server with user-level security, you can have LAN Manager audit the resource's use and record these events in an audit trail. You can audit different types of activity for each file and subdirectory within a shared resource. The audit trail is useful for determining how often a file or directory is used and whether access permissions for the file or directory are appropriate. You define what types of access to audit. The audit can include successful and failed attempts to open, write to, delete, and change permissions for each file and directory. To learn how to set audited events, see the "Setting Permissions and Audited Events" section, later in this chapter. Directory Access with Share-Level Security On a server with share-level security, each shared directory can be protected by a password. Any user can access the directory by supplying the password. This lets you control who has access to the directory by limiting who knows the password. You can set the password when you share the directory or anytime. One set of permissions is assigned for the shared directory; these permissions apply to every person who uses the directory. The permissions also apply to every file and subdirectory in the shared directory. The following list explains the access that each type of permission allows for directories shared on a server with share-level security. R (Read) Users can read and copy files, run programs, and change from one subdirectory to another within the shared directory. Users can also read the extended attributes of files. W (Write) Users can write the contents and extended attributes of a file. Note that when a user with an MS-DOS workstation opens a shared file to write to it, and then truncates the file, the file is recreated. Therefore, to give users with MS-DOS workstations full write access to a file, assign them C (Create) permission as well as W permission. C (Create) Users can create files and subdirectories within a shared directory. After creating a file, a user with C permission can read from or write to the file and its extended attributes only until closing it. D (Delete) Users can delete files and subdirectories within the shared directory, but can't delete the shared directory itself. X (Execute) Users can run a file (but not read or copy it). Only MS OS/2 computers recognize X permission. To allow a user with an MS-DOS workstation to run a program, you must assign R permission to the directory. ──────────────────────────────────────────────────────────────────────────── NOTE X permission isn't needed if R permission is assigned. R permission includes all rights that X grants. ──────────────────────────────────────────────────────────────────────────── A (Change Attributes) Users can set the physical file flags of the file. P (Admin only) Users can access the directory only if the user has administrator status. Users gain administrator status by connecting to the ADMIN$ resource. When you share a directory and define permissions, these permissions are associated with the sharename─not with the physical directory. You can share the same directory twice─each time with a different sharename, password, and permissions─to give different types of access to different users. You could, for instance, share the LEVEL1 resource (shown in Figure 7.1), telling the password to only a few key people, and then share the LEVEL2 and LEVEL3 directories separately, with more general audiences. You could also share LEVEL1 as two different resources with two different sharenames─giving one set of people RWCDX access to the first resource, and a larger group read-only access to the second resource. Figure 7.2 illustrates this sharing scheme. (This figure may be found in the printed book). Auditing Disk Use When you share a directory on a server with share-level security, LAN Manager audits all accesses to that resource. Auditing is either enabled for all resource uses, or disabled. When auditing=yes in the [server] section of the LANMAN.INI file, accesses to all shared resources will be recorded in the audit trail. When auditing=no, accesses to shared resources aren't recorded. Sharing a Directory with User-Level Security To share a directory with network users on a server with user-level security, you must share the directory, and then set permissions to give groups and users access. As you share a disk resource, you can also set up the auditing of certain types of access. And you can set up auditing for specific files and subdirectories of the shared disk resource. The following sections tell how to do all of these things. ──────────────────────────────────────────────────────────────────────────── NOTE For a user at an MS-DOS workstation to run a program file (with a .COM, .EXE, or .BAT extension), the user must have R (Read) permission for both the file and the directory. Sharing a Directory ──────────────────────────────────────────────────────────────────────────── To share a directory on a server with user-level security: 1. From the View menu, choose Shared resources. The dialog box shown in Figure 7.3 appears. (This figure may be found in the printed book). 2. Choose <Add share>. The dialog box shown in Figure 7.4 appears. (This figure may be found in the printed book). 3. Select the "Disk directory" option button, then choose <OK>. The following dialog box appears: (This figure may be found in the printed book). 4. In the "Sharename" text box, type a sharename for the directory. Sharenames can have as many as 12 characters, including letters, numbers, and the following characters: ! # $ % & ( ) - . @ ^ _ ` { } ~ The sharename does not have to be the same as the directory name. 5. In the "Path" text box, type the absolute path (include the drive letter) of the directory that you want to share. Or use the "Contents of resource" list box with the <Dir> command button to select the directory. To use the "Contents of resource" list box: ■ Select the drive containing the directory, then choose <Dir> to see a listing of the drive's directories. ■ Select the directory of interest. If you want to share one of its subdirectories, choose <Dir> to see a listing. Repeat this step until the list box displays the directory that you want to share. The pathname for the selection is displayed in the "Contents of resource" field. 6. In the "Remark" text box, optionally type a descriptive comment to be displayed with the resource when users view a list of available resources. 7. With the "User limit" option buttons, specify how many people will be able to use the resource at once: ■ To set no limit on the number of users, select the "Unlimited" option button. ■ To set a limit, select the "Max. users" option button, and type the number of users to be allowed. If a number appears in the accompanying text box when you select the "Max. users" option button, this value is from the maxusers entry in the [server] section of the LANMAN.INI file. The number of users cannot exceed this value. 8. If you want to make the directory available only to users with administrator privileges, mark the "Admin only" check box. 9. Choose <OK>. The dialog box shown in Figure 7.5 appears. (This figure may be found in the printed book). From this dialog box, you can set permissions and audited events for the directory, and for any of its files and subdirectories. For information about setting permissions and audited events, see the following section. ──────────────────────────────────────────────────────────────────────────── NOTE If you do not want to set permissions and audited events as you share the resource, choose <Done> twice. Command Line ──────────────────────────────────────────────────────────────────────────── To share a directory on a server with user-level security, type net share sharename=drive:path [/users:number | /unlimited] [/remark:"text"] See Net Share, Microsoft LAN Manager Administrator's Reference. Setting Permissions and Audited Events Permissions and audited events can be set when you share the directory, or changed afterwards. The procedure to set or change permissions and audited events is the same. For servers with local security, you can also set permissions and audited events for unshared resources using the following procedures. To set permissions and audited events on a server with user-level security: 1. If you are setting permissions or audited events as you share the resource, follow the steps in the preceding section. The "Select a File for Access Permissions" dialog box (Figure 7.5) appears. 2. If you are changing permissions or audited events on a previously shared resource, from the Accounts menu, choose File permissions. The "Select a File for Access Permissions" dialog box (Figure 7.5) appears. 3. To set permissions for the resource, in the "Contents of resource" list box, be sure that "<current directory>" is selected, then choose <Zoom>. The dialog box shown in Figure 7.6 appears. (This figure may be found in the printed book). This dialog box displays permissions for the shared directory. The "Not permitted" list box lists all groupnames and usernames for which permissions have not been assigned. The "Permitted" list box lists all groupnames and usernames for which permissions have been assigned, along with the permissions they have. 4. To set the permissions for the directory: ■ To grant permissions to a group or user, in the "Not permitted" list box, select the groupname or username. From the "Permissions" check boxes, mark the permissions, then choose <Permit>. The groupname or username moves to the "Permitted" list box, with the selected permissions displayed. ■ To change permissions for a group or user, in the "Permitted" list box, select the groupname or username. From the "Permissions" check boxes, mark the permissions. The permissions displayed in the "Permitted" list box change as new permissions are assigned. ■ To assign default permissions for all of the groups and users for this directory, mark the "Use default permissions" check box. When prompted for confirmation, choose <OK>. NOTE On servers with user-level security, you can create a set of default permissions for directories. Then, when you share a new directory, you can use the default permissions. To learn how to set default permissions for a directory, see Chapter 4, "User-Level Security." ■ To revoke the permissions for a group or user, in the "Permitted" list box, select the groupname or username, then choose >. ■ To revoke permissions for all of the groups and users for this directory, choose >. 5. To specify which types of events to audit for the directory or file, choose <Auditing>. The dialog box shown in Figure 7.7 appears. (This figure may be found in the printed book). 6. To turn on auditing, mark the "Auditing Enabled" check box. 7. From the "Audited events" check boxes, mark one or more events to audit. Or choose <Set all> to audit all of the listed events. 8. Choose <OK>. The "Access Permissions for resource" dialog box (Figure 7.6) appears. 9. Choose <OK>. The "Select a File for Access Permissions" dialog box (Figure 7.5) appears. 10. If you want to apply the permissions and audited events to each existing subdirectory and file in the directory tree of the resource, choose <Permit tree>. 11. If you want to assign permissions and audited events for a file or subdirectory within the resource, in the "Filename" list box, type the absolute pathname of the file or directory. Or use the "Contents of resource" list box with the <Dir> command button to select and display the filename or subdirectory. 12. Repeat steps 3-11 to set permissions and audited events for additional files and subdirectories. 13. Choose <Done>. Command Line To set permissions and audited events on a server with user-level security: 1. For a group or user, provide access to and set permissions for a resource by typing net access resource /add [name:permission[ ...]] 2. Assign audited events for a directory or file on a server with user-level security by typing net access /trail:{yes | no} or net access resource /failure[:{all | none | event[,...]}] or net access resource /success[:{all | none | event[,...]}] See Net Access, Microsoft LAN Manager Administrator's Reference. For more information about auditing resources and the audit trail, see Chapter 16, "Monitoring the Network." Sharing a Directory with Share-Level Security Sharing a directory on a server with share-level security is done from one dialog box. All subdirectories and files are given the permissions you assign for the shared directory. Also, since auditing is either enabled or disabled with share-level security, auditing isn't set for each resource. To share a directory on a server with share-level security: 1. From the View menu, choose Shared resources. The "Shared Resources at \\server" dialog box (Figure 7.3) appears. 2. Choose <Add share>. The "What would you like to share?" dialog box (Figure 7.4) appears. 3. Select the "Disk directory" option button, then choose <OK>. The following dialog box appears: (This figure may be found in the printed book). 4. In the "Sharename" text box, type a name for the resource. Sharenames can have as many as 12 characters, including letters, numbers, and the following characters: ! # $ % & ( ) - . @ ^ _ ` { } ~ The sharename doesn't have to be the same as the directory name. 5. In the "Path" text box, type the absolute path (include the drive letter) of the directory that you want to share. Or use the "Contents of resource" list box with the <Dir> command button to select the directory. To use the "Contents of resource" list box: ■ Select the drive containing the directory, then choose <Dir>. ■ Select the directory of interest. If you want to share one of its subdirectories, choose <Dir> to see a listing. Repeat this step until the selection shows the directory that you want to share. The pathname for the selection is displayed in the "Contents of resource" field. 6. In the "Remark" text box, optionally type a descriptive comment to be displayed with the resource when users view a list of available resources. 7. In the "Password" text box, optionally type a password (which can have as many as eight characters) for the directory. If you leave the "Password" text box blank, no password is required for users to access the directory. 8. With the "User limit" option buttons, specify how many people will be able to use the resource at once: ■ To set no limit on the number of users, select the "Unlimited" option button. ■ To set a limit, select the "Max. users" option button, and type the number of users to be allowed. If a number appears in the accompanying text box when you select the "Max. users" option button, this value is from the maxusers entry in the [server] section of the LANMAN.INI file. The number of users cannot exceed this value. 9. Set permissions for the directory using the "Permissions" check boxes by marking the check box for each permission that you want to give to users. Marking the "Admin only" check box restricts use of the directory to administrators. Users gain administrator status by connecting to the ADMIN$ resource. 10. Choose <OK>. 11. Choose <Done>. Command Line To share a directory on a server with share-level security, type net share sharename=drive:path [password] [/permissions:permissions] [/users:number | unlimited] [/remark:"text"] See Net Share, Microsoft LAN Manager Administrator's Reference. Stop Sharing a Directory To stop sharing a directory: 1. From the View menu, choose Shared resources. The "Shared Resources at \\server" dialog box (Figure 7.3) appears. 2. In the list box, select the directory that you want to stop sharing, then choose <Stop sharing>. 3. When prompted for confirmation, choose <OK>. 4. Choose <Done>. Command Line To stop sharing a directory, type net share sharename /delete See Net Share, Microsoft LAN Manager Administrator's Reference. Chapter 8 Printers ──────────────────────────────────────────────────────────────────────────── LAN Manager shares printers through printer queues. A printer queue stores print jobs as users submit them, then routes each print job to a printer when the printer becomes available. Printer queues can route print jobs to one or more printers. Likewise, one printer can receive jobs from one or more printer queues. From a workstation, users can connect to a printer queue, then send documents to that queue as though they were using a local printer. In this chapter, you'll learn how to create, customize, and share printer queues. This chapter also describes how to control printer queues once they are shared. Note that you can set up printers and control printing using Print Manager, a Presentation Manager application. For information about using Print Manager, see Appendix D, "Using the MS OS/2 Print Manager with LAN Manager," and your MS OS/2 manual(s). How Printer Queues Work LAN Manager printer queues are spooled. That is, each print job is stored in the queue until a printer is available. Meanwhile, the workstation that sends the job is free for other tasks─it doesn't have to wait for the job to be printed. Unspooled queues tie up the workstation until the job is completed. Some applications must communicate directly with certain serial printers (such as some PostScript(R) printers), so they cannot be used with a spooler. These printers can be shared through a communication-device queue (comm queue). To find out if a certain serial printer can be spooled, see your application and printer manuals. For information about sharing communication devices, see Chapter 9, "Communication Devices." Printer Queue Setups LAN Manager provides several ways to set up printer queues to work with your printers─one queue per printer, several queues per printer, or several printers per queue. One Queue Using One Printer The simplest queue configuration is one queue for one printer. If the network has only one printer, or if each printer is used for a different type of printing, this is the recommended method. Figure 8.1 illustrates how a printer queue works with a printer. In this illustration, three workstations send print jobs to the queue. The queue sends the first job on to the printer, and stores the other jobs until the printer has finished printing the first job. (This figure may be found in the printed book). One Queue Using Several Printers When a printer queue uses several printers, the first job in the queue always goes to the next available printer. This is an efficient way to share a group of similar printers. Figure 8.2 shows how a printer queue works with several printers. (This figure may be found in the printed book). ──────────────────────────────────────────────────────────────────────────── NOTE All printers accessed by a single queue must use the same printer driver. ──────────────────────────────────────────────────────────────────────────── Several Queues Using One or More Printers Two or more queues can send jobs to the same printer(s). This is especially useful if you configure the queues differently─giving them different priority levels, for example. As shown in Figure 8.3, jobs in a high-priority queue are printed before those in a low-priority queue. (This figure may be found in the printed book). This method also can be used if you have an application that requires a special print processor. A printer queue using that processor would be used for print jobs from that application, while another printer queue would be used for all other print jobs. Figure 8.4 shows a more complex printer setup. Queue A sends jobs to Printers A, B, and C. Queue B sends jobs only to Printer B, and Queue C sends jobs to Printers B and C. (This figure may be found in the printed book). A configuration like this one is both flexible and convenient. It offers flexibility to the administrator who wants to set up different queues for different purposes. Plus, it offers convenience to users who want to use a queue that sends jobs to the next available printer. One Queue Using Local and Remote Printers A printer queue can route jobs to printers on more than one server. The remote printers are shared as comm queues, and connections are made from the local server to the comm queue. You then create the printer queue on the local server, specifying the devicenames assigned to the comm queues and the devicenames of the local printers. You can use this method to make a printer attached to a workstation running the Peer service available to several users. Share the printer attached to that workstation as part of a comm queue; then, from a server, connect to that comm queue and specify its devicename as part of a printer queue. For instructions about how to use remote printers, see the "Including a Remote Printer in a Printer Queue" section, later in this chapter. Printer Queue Options The option settings for a printer queue control the configuration of the queue─how the queue accesses printers and uses a printer driver, print processor, and separator page. This section describes each option. For information about how to set options for a printer queue, see the "Sharing a Printer Queue" section, later in this chapter. Priority Levels If two jobs are waiting for a printer at the same time, priority levels determine which job prints first. Each printer queue has a priority level that determines what priority its jobs get when several queues are trying to access the same printer. When a printer finishes printing a document, it prints the next waiting job with the highest priority. The highest priority is 1, the lowest is 9, and the default is 5. If the queue receives two jobs with the same priority, the jobs are printed in the order received. The arrival of a high-priority job does not interrupt a job currently being printed. Printing Times You can set the times during which a printer queue can send jobs to a printer. This lets you queue large print jobs together, and save them for times when demand for the printers is low. The printer queue accepts jobs submitted at any time, but doesn't start printing until a designated time. At the queue's stop-printing time, it stops sending jobs to printers, and any jobs remaining in the queue are saved until the start-printing time. The Printer Driver Each printer queue uses a printer driver for the printers to which it routes jobs. A printer driver is a program that controls printing on a particular type of printer (for example, the printing of graphics), defining options such as printing quality and paper size. The default printer driver is IBM4201. Use the printer driver that supports the type of printer you have. If no compatible printer driver is available, you can use IBMNULL. (Note that with IBMNULL, graphics from some Presentation Manager applications may not print correctly.) The Print Processor Queued print jobs go through a print processor─a program that prepares files for printing. By default, the LMPRINT processor is used for LAN Manager documents. Certain applications, such as page-design programs, use document files containing special characters that require a different print processor. To print these files, set up a queue that sends jobs to the appropriate print processor. When setting up a queue that uses a different print processor, you can supply options for the print processor, if needed. If you don't want separator pages to print, you can specify PMPRINT instead of LMPRINT. The Separator Page A printer queue can cause one or more separator pages to print before each job. Separator pages typically tell who submitted the job and the date and time of printing. To use print separator pages, supply the name of a separator page file as a queue option. You can use LAN Manager's built-in separator page or define one of your own. The default separator, DEFAULT.SEP, prints the username of the person printing the document, the print job number, and the date and time of printing. (The default separator page is built into the program; DEFAULT.SEP is not a separate file on your disk.) Figure 8.5 shows an example of a default separator page. (This figure may be found in the printed book). You can create and use your own separator page files instead of the default separator page. Separator page files include escape codes that give instructions to the printer. Escape codes always start with an escape character, which can be any character you choose, and end with a letter or number. The first line of the separator page file must contain only the escape character. Table 8.1 shows the escape codes you can include in a separator page file. Table 8.1 Escape Codes for Separator Page Files ╓┌─────────────────────────────────┌───────────────────────────────────────── Code Function ──────────────────────────────────────────────────────────────────────────── @N Prints the username of the person that submitted the job. @I Prints the job number. @D Prints the date and time the job was printed. @T Prints the time the job was printed. @Ltext Prints the text specified by text. Code Function ──────────────────────────────────────────────────────────────────────────── @Fpathname Prints the contents of the file specified by pathname. @Hnn Sets a printer-specific control sequence, where nn is a hexadecimal number sent directly to the printer. To find the numbers to use, see your printer manual. @Wnn Sets the width of the separator page. The default is 80. @n Skips n number of lines. The range is 0-9. Skipping 0 lines moves to the next line. @B@S Begins printing in single-width block characters. Text is printed this way until @U is encountered. Code Function ──────────────────────────────────────────────────────────────────────────── @B@M Begins printing in double-width block characters. Text is printed this way until @U is encountered. @U Turns off block-character printing. @E Ejects a page from the printer. Use this to start a new separator page or to end the separator page file. ──────────────────────────────────────────────────────────────────────────── By default, separator page files are kept in the C:\SPOOL directory. The following example shows the contents of DEFAULT.SEP, which creates the default separator page (see Figure 8.5 for sample output of this separator page). @ @B@S@N@4 @I@4 @U@D @E Printer Queue Security To give the appropriate users access to a printer queue, administrators assign permissions and/or a password to the queue. For a server with share-level security, you can assign passwords to printer queues. Users who know the queue's password can access the queue. You can also share a queue as Admin only, which makes it available only to administrators who have made a connection to the ADMIN$ resource. Those who want to print graphics from Presentation Manager applications must also connect to the server's IPC$ resource. For a server with user-level security, you can assign individual permissions to users and groups. There are three types of permission for printer queues on servers with user-level security: ■ Y (Yes) permission gives access. ■ N (No) denies access. ■ Y+P (Yes+P) gives access to the queue and the right to set permissions for other users accessing that queue. If several printer queues will be serving the same or similar groups of users, it may be helpful to create a default set of printer queue permissions. These can be applied quickly to a new queue simply by marking the "Use default permissions" check box as you share the queue. This is useful mainly with user-level servers, on which each person must have permission to gain access to the queue. For instructions on how to do this, see Chapter 4, "User-Level Security." Sharing a Printer Queue This section explains how to share a printer queue, change printer queue options, and stop sharing a printer queue. When you share the queue for the first time, LAN Manager automatically displays the dialog boxes that allow you to set the queue's options. If you stop sharing the queue, LAN Manager keeps a record of the printer queue's options so you can share it again later. Adding a Printer Queue to a Server's Shared Resources To give network users access to a printer queue, you need to share that queue with the network. This is true whether you are creating a printer queue for the first time, or resharing a queue that is already created. When you create a new queue, you must assign a sharename by which users can refer to the queue. You must also set options for the queue. ──────────────────────────────────────────────────────────────────────────── NOTE Before you can share a printer queue, you must set up each printer using the MS OS/2 Print Manager. For information about adding printers, see your MS OS/2 manual(s). ──────────────────────────────────────────────────────────────────────────── To share a printer queue: 1. From the View menu, choose Shared resources. The dialog box shown in Figure 8.6 appears. (This figure may be found in the printed book). 2. Choose <Add share>. The following dialog box appears: (This figure may be found in the printed book). 3. Select the "Printer" option button, then choose <OK>. A dialog box similar to the following appears: (This figure may be found in the printed book). The list box shows printer queues that are created but are not currently shared, if any. If the server has share-level security, the "Password" text box appears in the dialog box. 4. Specify a new or existing sharename for the printer queue: ■ In the "Sharename" text box, type a new sharename. ■ From the "Queue" list box, select an existing sharename. 5. In the "Remark" text box, type a descriptive comment for the printer queue. This comment is visible to users viewing the resources available on the server. 6. If the server has share-level security, a "Password" text box is displayed. In the "Password" text box, type a password to allow only users who know the password to access the queue. Without a password, anyone can use the queue. The password can have as many as 15 characters. 7. From the "User limit" option buttons, select one option: ■ Select the "Max. users" option button to set a limit. Type the number of users in the accompanying text box. If a number appears in the accompanying text box when you select the "Max. users" option button, this value is from the maxusers entry in the [server] section of the LANMAN.INI file. The number of users cannot exceed this value. ■ Select the "Unlimited" option button to specify no limit. 8. Mark the "Admin only" check box to make the queue accessible only to administrators. 9. Choose <OK>. If a printer queue with the sharename you specified doesn't already exist, a message box asks if you want to create it. (Note that you cannot use the same sharename for more than one queue.) When prompted for confirmation, choose <OK>. 10. Choose <OK>. If the server has user-level security, another dialog box appears, allowing you to set options for the queue. For an explanation of how to set the options for the queue, see the following section. Command Line To share a printer queue: ■ Share a new printer queue by typing net share sharename=devicename[,...] ■ Share an existing printer queue by typing net share sharename /print See Net Share, Microsoft LAN Manager Administrator's Reference. Setting Options for a Printer Queue When you share a new queue, LAN Manager creates the queue and lets you set the configuration options for the queue. ──────────────────────────────────────────────────────────────────────────── NOTE Before you can use a device driver as a printer queue option, and before you can use a print processor with a printer queue, they must be installed using the MS OS/2 Control Panel. For information about adding a device driver and a print processor, see your MS OS/2 manual(s). ──────────────────────────────────────────────────────────────────────────── To set options for a new printer queue: 1. Follow the steps in the preceding section to share the new queue. The dialog box shown in Figure 8.7 appears. (This figure may be found in the printed book). 2. In the "Priority" text box, type the priority level for the queue. The range is 1-9; the default is 5. To set the highest priority for the queue, use 1. 3. In the "Printer device(s)" text box, type the devicename(s) of the printer(s) to which the queue will send jobs. If the queue will send jobs to more than one printer, use a space, comma, or semicolon to separate the devicenames. To include a device as part of a printer queue, you must add that printer using the MS OS/2 Print Manager. For more information about adding printers, see your MS OS/2 manual(s). 4. In the "Separator file" text box, type the name of the separator page file you want to use with the queue, if any. To specify a file in the C:\SPOOL directory (the default location for separator page files), type just the filename. To specify a file in any other directory, type its entire pathname. The separator page provided by LAN Manager is DEFAULT.SEP. 5. In the "Print after" text box, specify the time at which the queue can start sending jobs. Use 12-hour format. The default value is 12:00AM. 6. In the "Print until" text box, specify the time after which the printer queue can no longer send jobs. Use 12-hour format. The default value is 11:59PM. 7. In the "Print processor" text box, specify the print processor (LMPRINT is the default). 8. In the "Parameters" text box, type the values required for the print processor. 9. In the "Driver name" text box, type the name of the printer driver. 10. In the "Comment" text box, type a comment. 11. Choose <OK>. For a server with user-level security, the "Add Permissions for Printer Queue" dialog box appears. Use this dialog box to add permissions and enable auditing. For an explanation of how to add permissions and enable auditing, see the following section. Command Line To set options for a new printer queue, type net print sharename [/priority:number] [/route:devicename[,...]] [/separator:pathname] [/after:time] [/until:time] [/driver:filename] [/processor:pmname] [/remark:"text"] See Net Print, Microsoft LAN Manager Administrator's Reference. Setting Permissions and Audited Events On a server with user-level security, you can set permissions and audited events for a printer queue. For an explanation of the types of permissions, see the "Printer Queue Security" section, earlier in this chapter. To set permissions and audited events for a printer queue: 1. If you are setting permissions or audited events as you share the queue, follow the steps in the preceding sections. 2. If you are changing permissions or audited events on a previously shared queue, from the Accounts menu, choose Other permissions. The following dialog box appears: (This figure may be found in the printed book). 3. Set permissions for the printer queue: ■ To grant permissions to a group or user, in the "Not permitted" list box, select the groupname or username. From the "Assigned permission" option buttons, select a permission. Choose <Permit>. Note that the selected groupname or username moves to the "Permitted" list box. ■ To change permissions for a group or user, in the "Permitted" list box, select the groupname or username. From the "Assigned permission" option buttons, select a permission. ■ To revoke permissions for a group or user, in the "Permitted" list box, select the groupname or username, then choose >. ■ To revoke permissions for all groups and users, choose >. ■ To use the default permissions, mark the "Use default permissions" check box. 4. To enable auditing for accesses to the resource, from the "Enable auditing for" check boxes, mark one or both of the check boxes. 5. Choose <OK>. 6. Choose <Done>. Command Line To set permissions for a printer queue, type net access resource /add [name:permission[ ...]] See Net Access, Microsoft LAN Manager Administrator's Reference. ──────────────────────────────────────────────────────────────────────────── NOTE On servers with user-level security, you can create a set of default permissions for printer queues. Then, when you share a new printer queue, you can use the default permissions. To learn how to set default permissions for a printer queue, see Chapter 4, "User-Level Security". ──────────────────────────────────────────────────────────────────────────── Including a Remote Printer in a Printer Queue You can create a printer queue that routes jobs to both local and remote printers. This is called a "distributed printer queue." To set up and share a distributed printer queue: 1. On the remote server, share the printer(s) as part of a comm queue. Do this on each remote server that controls printers for this queue. For further instructions, see Chapter 9, "Communication Devices." 2. On the local server, make connections to the remote comm queue(s). For information about how to connect to a shared comm queue, see the Microsoft LAN Manager User's Guide for MS OS/2. 3. Use the MS OS/2 Print Manager to add a printer using the local devicename. For more information about adding printers, see your MS OS/2 manual(s). 4. Create the printer queue on the local server, following the procedures in the preceding sections. Set up the printer queue to route jobs to the devicename(s) of the local printer(s) and to the devicename(s) assigned to the remote comm queue(s). Command Line To set up and share a distributed printer queue: 1. On the remote server, share the printer as a comm queue by typing net share sharename=devicename /comm 2. On the local server, make a connection to the comm queue by typing net use devicename \\computername\sharename /comm 3. On the local server, create a printer queue by typing net share sharename /print 4. On the local server, redirect output for the new printer queue to the remote comm queue by typing net print sharename /route:devicename See Net Print, Net Share, and Net Use, Microsoft LAN Manager Administrator's Reference. Changing Options for a Printer Queue You can change the options for an existing printer queue, whether or not it is currently shared. Changes you make will take effect immediately. Two procedures follow, each of which allows you to change different options. To change the priority level, printer list, separator file, printing times, and print processor options for a printer queue: 1. From the View menu, choose Printer queues. The dialog box shown in Figure 8.8 appears. (This figure may be found in the printed book). 2. In the list box, select a printer queue, then choose <Zoom>. The "Printing Options for Queue" dialog box (Figure 8.7) appears. 3. Change the text boxes for the options you want to modify. For more information, see steps 2-11 of the "Setting Options for a Printer Queue" section, earlier in this chapter. 4. Choose <Done>. To change the devices, maximum number of users, and remark options: 1. From the View menu, choose Shared resources. The "Shared Resources at \\server" dialog box (Figure 8.6) appears. 2. In the list box, select a printer queue, then choose <Zoom>. The following dialog box appears: (This figure may be found in the printed book). 3. Change the text boxes or check boxes for the options you want to modify. 4. Choose <OK>. 5. Choose <Done>. Command Line To change options for a printer queue, type net print sharename [/priority:number] [/route:devicename[,...]] [/separator:pathname] [/after:time] [/until:time] [/driver:filename] [/processor:pmname] [/remark:"text"] See Net Print, Microsoft LAN Manager Administrator's Reference. Stop Sharing a Printer Queue When you stop sharing a printer queue, it is no longer available to the network. LAN Manager saves the name and option settings in a queue configuration file for use if you decide to share the same queue again. To stop sharing a printer queue: 1. From the View menu, choose Shared resources. The "Shared Resources at \\server" dialog box (Figure 8.6) appears. 2. In the list box, select the printer queue, then choose <Stop sharing>. 3. When prompted for confirmation, choose <OK>. 4. Choose <Done>. Command Line To stop sharing a printer queue, type net share sharename /delete See Net Share, Microsoft LAN Manager Administrator's Reference. Deleting a Printer Queue If you remove a printer from the network, you can delete the printer queue from the server. Deleting the queue removes that queue's record─including its settings and related permissions─from the server. To delete a printer queue: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. 2. In the list box, select the queue, then choose <Delete>. 3. When prompted for confirmation, choose <OK>. 4. Choose <Done>. NOTE If the printer queue contains print jobs, the queue's status will change to "Pending delete" until all jobs print. Then the queue will be deleted. Managing Printers, Queues, and Print Jobs You can control printer queues, printers, and print jobs with a variety of procedures. You can ■ View a list of printer queues and print jobs. ■ Hold or release a printer queue. Holding a printer queue prevents it from sending jobs to printers. ■ Purge a printer queue, removing all pending print jobs. ■ Hold or release a print job in a queue. Holding a job prevents it from printing. ■ Restart a print job from the beginning. ■ Move a print job to the first or last position in the queue. ■ Delete a print job. ■ Stop the job currently being printed. Viewing Queues and Job Information You can view a list of the server's printer queues, a single queue, and the print jobs in each queue. To view information about all the printer queues on a server: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. The list box shows all of the printer queues on the server, whether or not they are currently shared. Under the name of each queue is a list of the print jobs in that queue. 2. Choose <Done>. Command Line To view information about all the printer queues on a server, type net print [\\computername] See Net Print, Microsoft LAN Manager Administrator's Reference. To view information about a single printer queue on a server: 1. From the View menu, choose Shared resources. The "Shared Resources at \\server" dialog box (Figure 8.6) appears. 2. In the list box, select a printer queue, then choose <View queue contents>. The following dialog box appears: (This figure may be found in the printed book). This dialog box shows the sharename and status of the queue. Below this, an indented list displays the print jobs that are currently in the queue. 3. Choose <Done>. 4. Choose <Done>. Command Line To view information about a single printer queue on a server, type net print [\\computername\]sharename See Net Print, Microsoft LAN Manager Administrator's Reference. Holding and Releasing a Printer Queue You can hold a printer queue, preventing it from sending any jobs to printers. (You can't hold a job once it is printing, however.) When a queue is held, the printer(s) finishes printing the current job(s), but all further jobs remain in the queue until the queue is released. Releasing the queue returns it to normal status. To hold a printer queue: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. 2. In the list box, select the queue, then choose <Hold>. The status message for the queue changes to "Queue Held." 3. Choose <Done>. To release a held printer queue: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. 2. In the list box, select the held queue, then choose <Release>. The status message for the queue changes to "Queue Active." 3. Choose <Done>. Command Line To hold a printer queue or release a held printer queue, type net print [\\computername\]sharename [/hold | /release] See Net Print, Microsoft LAN Manager Administrator's Reference. Purging Print Jobs from a Printer Queue Purging a printer queue deletes all jobs in the queue except the one currently printing. To purge a printer queue: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. 2. In the list box, select the queue, then choose <Purge>. 3. When prompted for confirmation, choose <OK>. 4. Choose <Done>. Command Line To purge a printer queue, type net print [\\computername\]sharename /purge See Net Print, Microsoft LAN Manager Administrator's Reference. Holding and Releasing a Print Job You can hold any print job. The held job remains in the queue until released. Other jobs in the queue will be printed. To hold a print job: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. 2. In the list box, select the job, then choose <Hold>. The status message for the job changes to "Held." The user who sent the job receives an alert message saying that the job is being held. 3. Choose <Done>. To release a held job: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. 2. In the list box, select the held job, then choose <Release>. The status message for the job changes to "Waiting" or "Printing." The user who sent the job is notified that the job is again scheduled for printing. 3. Choose <Done>. Command Line To hold a print job or release a held print job: 1. Find the job number for the print job by typing net print [\\computername\]sharename 2. Hold or release the print job by typing net print [\\computername] job# [/hold | /release] See Net Print, Microsoft LAN Manager Administrator's Reference. Restarting a Print Job You can restart a print job, printing it again from the beginning. This is useful if a job is interrupted by an error or printer problem. To restart a print job: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. 2. In the list box, select the job, then choose <Restart>. 3. Choose <Done>. Command Line To restart a print job, type net device devicename /restart See Net Device, Microsoft LAN Manager Administrator's Reference. Moving a Print Job in a Printer Queue At times, you may want to change the position of a job already in the queue. With LAN Manager, you can move a job to the beginning of the queue. Likewise, LAN Manager lets you move jobs to the end of the queue to delay printing. To move a print job to the first or last position in a printer queue: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. 2. In the list box, select the job, then choose <Zoom>. The following dialog box appears: (This figure may be found in the printed book). 3. To move the job to the top of the queue, select the "First in queue" option button. To move the job to the bottom of the queue, select the "Last in queue" option button. 4. Choose <OK>. 5. Choose <Done>. Command Line To move a print job to the first or last position in a printer queue: 1. Find the job number for the job by typing net print [\\computername\]sharename 2. Move the job by typing net print [\\computername] job# [/first | /last] See Net Print, Microsoft LAN Manager Administrator's Reference. Deleting a Print Job While a job is waiting in a printer queue, you can delete the job. To delete a print job: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 8.8) appears. 2. In the list box, select the job, then choose <Delete>. 3. When prompted for confirmation, choose <OK>. The user who submitted the job is notified that the job has been deleted. 4. Choose <Done>. Command Line To delete a print job: 1. Find the job number for the print job by typing net print [\\computername\]sharename 2. Delete the job by typing net print [\\computername] job# /delete See Net Print, Microsoft LAN Manager Administrator's Reference. Canceling a Print Job that Is Printing While a job is printing, you can cancel the job. To cancel a print job that is printing: 1. From the Status menu, choose Device status. The dialog box shown in Figure 8.9 appears. (This figure may be found in the printed book). This dialog box shows the status of each shared device on the server, and the user currently using each device (if any). 2. In the list box, select the device printing the job, then choose <Kill>. 3. When prompted for confirmation, choose <OK>. Printing stops and the job is deleted from the queue. The user who submitted the job is notified that the job has been deleted. 4. Choose <Done>. Command Line To stop a print job that is printing, type net device devicename /delete See Net Device, Microsoft LAN Manager Administrator's Reference. Pausing and Continuing a Printer You can pause an individual printer on the network. When you pause a printer, it finishes printing the current job but will not accept new jobs from any printer queue until you continue it. To pause a printer: 1. From the Status menu, choose Device status. The "Shared Device Status" dialog box (Figure 8.9) appears. 2. In the list box, select the printer, then choose <Pause>. The status message for the printer changes to "Paused." 3. Choose <Done>. To continue a paused printer: 1. From the Status menu, choose Device status. The "Shared Device Status" dialog box (Figure 8.9) appears. 2. In the list box, select the printer, then choose <Continue>. Note that the status message for the printer changes. 3. Choose <Done>. Command Line To pause a printer and continue a paused printer: ■ Pause a printer by typing net pause print=devicename ■ Continue a paused printer by typing net continue print=devicename See Net Continue and Net Pause, Microsoft LAN Manager Administrator's Reference. Chapter 9 Communication Devices ──────────────────────────────────────────────────────────────────────────── You can give network users access to communication devices attached to any server on the network. Communication devices include modems, image scanners, and serial printers. As an administrator, you decide how to set up and share communication devices. You also monitor the use of shared communication devices, making any needed adjustments to their setup. In this chapter, you will learn how to create and share communication-device queues (comm queues) for both individual communication devices and for pools of communication devices. This chapter also explains how to change queue options, view the queue's status, clear requests from a queue, and stop sharing a comm queue. How Comm Queues Work For a communication device to be shared, the device must be attached to a network server. It can be connected to any of the server's serial (COM) or parallel (LPT) ports. To share a communication device, you create and share a comm queue. You assign a sharename to the queue─not to the communication device itself. To use a communication device, the workstation sends a request to the comm queue. If the communication device is available, the queue passes the request to it. If the communication device is not available─because it is already in use─the request waits in the queue. The queue stores requests as they arrive. Each time the communication device finishes with a request, the queue sends it the next one. Figure 9.1 shows how a queue controls communication devices. While a request waits in a comm queue, the workstation that sent the request also waits. (Users with MS OS/2 workstations can work in other MS OS/2 sessions while their requests wait in a queue.) When the request is sent from the queue to the communication device, the user can begin using the device. (This figure may be found in the printed book). Comm Queue Setups LAN Manager gives you several options for setting up comm queues. One Queue Using One Communication Device You can set up one queue for each communication device. This is a simple choice if you have only one communication device of a certain type─one modem or one image scanner, for example. One Queue Using Several Communication Devices You can set up a queue to send requests to more than one communication device. A group of communication devices receiving requests from a single queue is called a pool. When one of these queues receives a request, it searches its pool for the next available communication device and sends the request to that device. Figure 9.2 illustrates this concept. This is an efficient way to use a group of several similar devices, such as a group of modems. (This figure may be found in the printed book). Several Queues Using One Communication Device You can set up more than one queue to send requests to the same communication device, with the queues having different priority levels. The queue's priority levels determine which request is processed first when a communication device has requests pending in different queues─requests from a high-priority queue are processed before those from a low-priority queue. Figure 9.3 shows two queues serving one communication device. Priority levels are explained in detail in the "Priority Levels" section, later in this chapter. (This figure may be found in the printed book). Several Queues to Several Communication Devices You can set up several queues to send requests to a particular pool of devices as well. Again, this is useful if you vary the priority levels of the queues. Figure 9.4 shows a complex setup for sharing communication devices. Queue A sends requests to Modems A, B, and C. Queue B sends requests to Modem B. Queue C sends requests to Modems B and C. (This figure may be found in the printed book). Priority Levels You assign each comm queue a priority level from 1 through 9. The highest priority is 1, the lowest is 9, and the default is 5. Each comm queue assigns its priority level to all requests it receives. When a communication device becomes available and has requests waiting in several queues, it processes the next request in the queue with the highest priority. The arrival of a new high-priority request does not interrupt or end a request being processed. The device always finishes the current request before starting a new one. Setting Up Comm Queues This section contains procedures for ■ Sharing a comm queue ■ Changing the way an existing comm queue is set up ■ Stopping the sharing of a comm queue ──────────────────────────────────────────────────────────────────────────── NOTE Once you share a communication device, you should no longer use the device without using the queue, unless you first pause the queue. For example, suppose you share the communication device attached to a server's COM1 port with the comm queue MODEM, and then want to use the modem as you work at the server. You should not use COM1 directly. Doing this can disrupt the queue. Instead, either pause the MODEM queue, or connect to it and assign it another of the server's devicenames (such as COM4:), then use COM4:. ──────────────────────────────────────────────────────────────────────────── Sharing a Comm Queue When you share a comm queue on a server with user-level security, you assign permissions for each queue and set audited events. On a server with share-level security, you assign a password to the queue. The following procedure explains how to share a comm queue. For information about how to set permissions and audited events, see the following section, "Setting Permissions and Audited Events." To share a comm queue: 1. From the View menu, choose Shared resources. The dialog box shown in Figure 9.5 appears. (This figure may be found in the printed book). 2. Choose <Add share>. The following dialog box appears: (This figure may be found in the printed book). 3. Select the "Comm-device" option button, then choose <OK>. A dialog box similar to the following appears: (This figure may be found in the printed book). If the server has share-level security, the "Password" text box appears in the dialog box. 4. In the "Sharename" text box, type a sharename for the queue. 5. In the "Devices" text box, type the devicename(s). You can use devicenames COM1-COM9 and LPT1-LPT9. Use a space, comma, or semicolon to separate multiple devicenames. 6. In the "Remark" text box, type a descriptive comment for the comm queue. This comment is visible to users viewing the resources available on the server. 7. If the server has share-level security, a "Password" text box is displayed. In the "Password" text box, type a password to allow only users who know the password to access the queue. If the queue has no password, anyone can use the queue. The password can have as many as 15 characters. 8. From the "User limit" option buttons, specify how many people will be able to use the comm queue: ■ To set no limit on the number of users, select the "Unlimited" option button. ■ To set a limit, select the "Max. users" option button, and type the number of users to be allowed. If a number appears in the accompanying text box when you select the "Max. users" option button, this value is from the maxusers entry in the [server] section of the LANMAN.INI file. The number of users cannot exceed this value. 9. Mark the "Admin only" check box to make the queue accessible only to administrators. 10. In the "Priority" text box, type a priority level for the queue. 11. Choose <OK>. If the server has user-level security, the "Add Permissions for Comm-device Queue" dialog box appears. Use this dialog box to add permissions and enable auditing. For an explanation of how to add permissions and enable auditing, see the following section. 12. Choose <Done>. Command Line To share a comm queue: 1. Share the comm queue by typing net share sharename=devicename[,...] /comm [password] [/users:number | /unlimited] [/remark:"text"] 2. Set the options for the comm queue by typing net comm sharename [/route:devicename[,...]] [/priority:number] See Net Comm and Net Share, Microsoft LAN Manager Administrator's Reference. Setting Permissions and Audited Events On a server with user-level security, you can set permissions and audited events for a comm queue. There are three types of permission for comm queues on servers with user-level security: ■ Y (Yes) permission gives access. ■ N (No) permission denies access. ■ Y+P (Yes+P) permission gives access to the queue and the right to set permissions for other users accessing that queue. You can also set default permissions, which are the permissions assigned to the \COMM resource. For information about how to set default permissions, see Chapter 4, "User-Level Security." On a server with share-level security, you assign a password for each queue, but you don't set permissions. Also, audited events are set for the server, not for each comm queue. To set permissions and audited events for a comm queue: 1. If you are setting permissions or audited events as you share the queue, follow the steps in the preceding section. 2. If you are changing permissions or audited events on a previously shared queue, from the Accounts menu, choose Other permissions. The following dialog box appears: (This figure may be found in the printed book). The "Permitted" list box shows groups and users with permissions to use the queue. The "Not permitted" list box shows all other groups and users. 3. Set permissions for the comm queue: ■ To grant permissions to a group or user, in the "Not permitted" list box, select the groupname or username. From the "Assigned permission" option buttons, select a permission. Choose <Permit>. ■ To change the permissions for a group or user, in the "Permitted" list box, select the groupname or username. From the "Assigned permission" option buttons, select a permission. ■ To revoke the permissions for a group or user, in the "Permitted" list box, select the groupname or username, then choose >. ■ To revoke permissions for all groups and users, choose >. ■ To use the default permissions, mark the "Use default permissions" check box. 4. To enable auditing for accesses to the resource, from the "Enable auditing for" check boxes, mark one or both of the check boxes. 5. Choose <OK>. 6. Choose <OK>. Command Line To set permissions and audited events for a comm queue: 1. Set permissions for the comm queue: ■ Set permissions for a comm queue on a user-level server by typing net access resource [/add name:permission[ ...]] or net access resource [/grant name:permission[ ...]] | [/change name:permission[ ...]] | [/revoke name[ ...]] ■ Set permissions for a comm queue on a share-level server by typing net share sharename /comm /permissions:permissions 2. Set audited events for the comm queue by typing net access resource [/trail:{yes | no}] or net access resource /failure[:{all | none | event[,...]}] or net access resource /success[:{all | none | event[,...]}] See Net Access and Net Share, Microsoft LAN Manager Administrator's Reference. Changing Options for a Comm Queue You can change the options for an existing comm queue, whether or not it is currently shared. Changes you make will take effect immediately. To change the devices, maximum number of users, and remark options: 1. From the View menu, choose Shared resources. The "Shared Resources at \\server" dialog box (Figure 9.5) appears. 2. In the list box, select the queue, then choose <Zoom>. The following dialog box appears: (This figure may be found in the printed book). 3. Change the text boxes or check boxes for the options you want to modify. 4. Choose <OK>. 5. Choose <Done>. To change the priority level and device options: 1. From the View menu, choose Comm-device queues. The dialog box shown in Figure 9.6 appears. (This figure may be found in the printed book). 2. In the list box, select a queue, then choose <Zoom>. The following dialog box appears: (This figure may be found in the printed book). 3. To change the list of devices to which the queue routes requests, in the "Devices" text box, type the devicenames for the queue (COM1-COM9 and/or LPT1-LPT9). Use a space, comma, or semicolon to separate multiple devicenames. 4. To change the queue's priority, in the "Priority" text box, type the value (1-9). 5. Choose <OK>. 6. Choose <Done>. Command Line To change the options for a comm queue, type net comm sharename [/route:devicename[,...]] [/priority:number] See Net Comm, Microsoft LAN Manager Administrator's Reference. Stop Sharing a Comm Queue When you stop sharing a comm queue, that queue is removed. To stop sharing a comm queue: 1. From the View menu, choose Shared resources. The "Shared Resources at \\server" dialog box (Figure 9.5) appears. 2. In the list box, select the queue, then choose <Stop sharing>. 3. When prompted for confirmation, choose <OK>. 4. Choose <Done>. Command Line To stop sharing a comm queue, type net share sharename /delete See Net Share, Microsoft LAN Manager Administrator's Reference. Managing Comm Queues and Requests You can view a list of comm queues that the server is sharing, along with the number of requests in each queue. You can also purge a comm queue, deleting all of the requests that are pending. Viewing Comm Queues When you view a list of the server's comm queues, the list shows the number of requests currently in each queue. You can also choose to view more information about requests in a particular comm queue. To view a list of comm queues on a server: 1. From the View menu, choose Comm-device queues. The "Comm-device Queues on \\server" dialog box (Figure 9.6) appears. The list box shows each comm queue on the server and the number of requests in each queue. If you have a request waiting in the queue, the number of requests ahead of your own is also shown. 2. To get more information about requests in a particular queue, in the list box, select the queue, then choose <Zoom>. 3. Choose <Done>. Command Line To view a list of comm queues on a server, type net comm See Net Comm, Microsoft LAN Manager Administrator's Reference. Purging Requests from a Comm Queue You can purge a comm queue, deleting all of the requests that are pending, or purge all pending requests from all shared communication device queues. This does not affect requests currently being processed by a communication device. To purge requests from one or all comm queues on a server: 1. From the View menu, choose Comm-device queues. The "Comm-device Queues on \\server" dialog box (Figure 9.6) appears. 2. To purge all requests from a selected queue, in the list box, select the queue, then choose <Purge self>. 3. When prompted for confirmation, choose <OK>. 4. To purge all requests from all queues, choose <Purge all>. 5. When prompted for confirmation, choose <OK>. 6. Choose <Done>. Command Line To purge requests from a comm queue, type net comm sharename /purge See Net Comm, Microsoft LAN Manager Administrator's Reference. Chapter 10 Profiles ──────────────────────────────────────────────────────────────────────────── A server's current configuration of shared and used resources can be saved in a profile. A profile is a file containing the LAN Manager commands necessary to create that configuration. Loading the profile recreates the configuration. You can set up a server to load a profile automatically each time the server starts, and to save a profile each time the server stops. In this chapter, you will learn how to save and load server profiles. You will also find out how to set up a server to save and load profiles automatically. How Profiles Work For a workstation that is not running the Peer service, the only commands you can save in a profile are net use commands, which make connections to shared resources. The workstation profile is discussed in the Microsoft LAN Manager User's Guide. For a server, or a workstation running the Peer service, a profile can contain commands to share resources (net share) and commands to configure printer queues and comm queues (net print and net comm), as well as net use commands. When you use the LAN Manager Screen to save a server profile, you can choose which types of commands to save. There are four types of commands you can save in a profile: ■ net use commands, which make connections to shared resources. Profiles don't include any passwords required to access resources on servers with share-level security. For workstations not running the Peer service, only net use commands are saved. ■ net share commands, which share the server's resources. NOTE When net share commands are saved on a server with share-level security, resource passwords are also saved. Be sure that only authorized users have access to server profiles that contain resource passwords. ■ net print commands, which configure shared printer queues, determining such options as the devices the queue uses, the priority levels, printing hours, the print processor, the printer driver, and the separator page file. ■ net comm commands, which configure shared comm queues, determining such options as the devices the queue uses and the priority level. If no other pathname is specified, profiles are stored in the LANMAN\PROFILES directory. Profiles normally have a .PRO extension, and if you save or load a profile without specifying a filename extension, LAN Manager adds the .PRO extension. If no other filename is specified, a workstation uses the filename NETLOGON.PRO. If NETLOGON.PRO has been created to save workstation connections, it is automatically loaded when the Workstation service is started and you log on. For a server profile, if no other filename is specified, the filename is SRVAUTO.PRO. If SRVAUTO.PRO has been created, it is automatically loaded when you start the Server service. When you use the LAN Manager Screen to load a profile, you can specify whether the profile will replace or be appended to the server's current configuration. If you replace the current configuration, the server stops sharing all resources before loading the profile. If the profile contains net use commands, any connections the server has to other shared resources also are canceled before the profile is loaded. If you append a profile, the profile does not delete any shared resources or cancel any connections. If the profile shares a resource with a sharename that is already in use, LAN Manager displays an error message and the existing resource remains shared. LAN Manager can save and load the profile automatically each time the server starts and stops. However, when you save or load a profile automatically, LAN Manager doesn't save or load net use commands in the profile. For information about how to set up the automatic saving and loading of the server profile, see the "Loading and Saving Profiles Automatically" section, later in this chapter. ──────────────────────────────────────────────────────────────────────────── NOTE Profiles do not affect administrative resources that are automatically shared when the server starts. LAN Manager does not stop sharing these resources when you load a profile, and does not save commands to share these resources when you save a profile. These resources include the disk administrative resources (such as A$), and, for servers with user-level security, IPC$ and ADMIN$. For more information about these resources, see Chapter 6, "Administrative Resources." ──────────────────────────────────────────────────────────────────────────── Saving a Server Profile You can save a server profile locally or on a server where you are performing remote administration. When you create a profile, the profile contains settings for the server of current focus. For example, to save the local computer's configuration on a remote server, first save a profile with the current focus set on the local computer. Then change the current focus and load that profile on the remote server. You can then save the configuration as a profile on the remote server. You can update a profile at any time by the same method used to create it. When you update a profile, the current configuration replaces all settings in the profile. Profile files should never be edited. To save a server profile: 1. Adjust the server's configuration to include settings you want in the profile: ■ Use the View menu's Shared resources command to share the resources that you want the profile to include. For instructions, see Chapters 6 through 9. ■ Use the View menu's Used resources command to make any resource connections that you want the profile to include. For instructions, see the Microsoft LAN Manager User's Guide. 2. From the Config menu, choose Save profile. The following dialog box appears: (This figure may be found in the printed book). The "Contents of path" list box displays files in the LANMAN\PROFILES directory. 3. To view the server's directories, in the "Contents of path" list box, select a directory or select "<parent directory>," then choose <Dir>. This allows you to change to other levels of the directory tree. 4. From the "Save current" check boxes, mark the type(s) of settings to save in the profile. 5. If you have set the current focus on a remote server, adjust the "Contents of path" list box to display profiles for the computer on which you want to save the profile: ■ To display the files on the local computer, select the "Local computer" option button. ■ To display the files on the remote server, select the "Remote server \\server" option button. 6. If you are creating a new profile, in the "Filename" text box, type a filename, then choose <OK>. No filename extension is needed; LAN Manager will give the filename the extension .PRO, and save it in the directory shown in the "Contents of path" list box. 7. If you want to update an existing profile, in the "Contents of path" list box, select the filename, then choose <OK>. NOTE If the filename NETLOGON.PRO appears in the "Filename" text box, you should use SRVAUTO.PRO or another filename to save server configurations. In loading NETLOGON.PRO (the profile for workstations), LAN Manager ignores net share, net print, and net comm commands. 8. If a profile with the filename you specified already exists, a message box prompts for confirmation to replace the existing file. Choose <OK>. 9. Choose <OK>. Command Line To save a server profile: ■ Save the current configuration by typing net save filename ■ Save the current configuration of the local server in a profile on a remote server by typing net admin \\computername /command net save filename See Net Admin and Net Save, Microsoft LAN Manager Administrator's Reference. Loading a Server Profile You can load a server profile either locally or remotely (on the server of current focus). The profile you're loading can replace the current profile or can be appended to the profile. However, when you load a profile using the command line, the profile can only replace the current profile. To load a server profile: 1. If you want to load a profile on a remote server, set the current focus on that server. 2. From the Config menu, choose Load profile. The following dialog box appears: (This figure may be found in the printed book). The "Contents of path" list box displays files in the LANMAN\PROFILES directory of the server of current focus. 3. To view the server's directories, in the "Contents of path" list box, select a directory or select "<parent directory>," then choose <Dir>. This allows you to change to other levels of the directory tree. 4. If you are in a remote administration session and want to load a profile from the local server, from the "Display files on" option buttons, select "Local computer" to view a listing of files in the local server's profiles directory. NOTE The "Display files on" option buttons determine only the server from which the profile is loaded. With either option, the profile is loaded on the server of current focus. 5. In the "Contents of path" list box, select the profile that you want to load; the selection is displayed in the "Filename" text box. Or, in the "Filename" text box, type the filename. No filename extension is needed; LAN Manager will give the filename the extension .PRO, and save it in the directory shown in the "Contents of path" list box. 6. Select one of the two "Load options" option buttons: ■ To add the profile's commands to the server's current configuration, select the "Append to existing configuration" option button. ■ To have the profile replace the server's existing configuration, select the "Replace existing configuration" option button. 7. Choose <OK>. NOTE If a command in a profile causes an error, LAN Manager gives you the choice of continuing to load the profile or canceling the loading. Command Line To load a server profile that replaces the current configuration, type net load [drive:path] filename See Net Load, Microsoft LAN Manager Administrator's Reference. Loading and Saving Profiles Automatically You can have a server automatically load a profile each time the Server service starts and save a profile each time the Server service stops. If no other pathname is specified, the automatic profile is SRVAUTO.PRO, stored in the LANMAN\PROFILES directory. Two entries in the [server] section of the LANMAN.INI file─autoprofile and autopath─control how the server uses automatic profiles. The autoprofile entry determines whether the server loads the automatic profile, saves the automatic profile, or does both. The entry has four possible values: none Does not use the server's automatic profile. load Loads a profile when the Server service starts. save Saves a profile when the Server service stops. both Loads a profile when the Server service starts, and saves a profile when the server stops. The autopath entry specifies the pathname, relative to the LANMAN\PROFILES directory, for the automatic profile. If autopath is blank, LAN Manager uses LANMAN\PROFILES\SRVAUTO.PRO. You can specify any filename. To indicate a file in a directory not relative to LANMAN\PROFILES, supply an absolute pathname. When you installed LAN Manager, a SRVAUTO.PRO file, containing a command to share the PUBLIC directory, was created. The PUBLIC directory is the default share used for the Peer service. When a server saves a profile automatically, it saves the configuration of the server at the time the Server service is stopped. The server saves commands to share resources (net share), set printer queue options (net print), and set comm queue options (net comm). The server does not save commands to use shared resources (net use). When a server loads a profile automatically, the profile is appended─existing resource configurations and connections are not canceled. Any net use commands in the profile are not loaded. To have the server automatically load a standard profile each time it starts, just save that configuration in the profile SRVAUTO.PRO. To have the server also save a profile each time it stops or use a different automatic profile, edit the LANMAN.INI file. Changes to the autoprofile or autopath LANMAN.INI entries take effect when the Server service is restarted. PART IV Advanced Features ──────────────────────────────────────────────────────────────────────────── Part 4 introduces some useful LAN Manager features that go beyond the basics. Chapter 11 explains the console screen, useful for monitoring and controlling shared devices on a public-access server. Three optional services enhance LAN Manager's capabilities. The Netrun service allows users to run programs in the server's memory, and accommodates distributed applications (see Chapter 12). The Replicator service is used to broadcast periodic updates of files and directories to other computers (see Chapter 13). And the Remoteboot service enables workstations to boot from software stored on a central server (see Chapter 14). Features discussed in Chapters 15 and 16 help keep the server running smoothly. Chapter 15 deals with safeguarding data. LAN Manager's fault-tolerance system can be used to monitor and correct disk errors, and to mirror or duplex drives. The UPS service, also discussed, provides orderly shutdowns when power fails. Chapter 16 discusses auditing, server statistics, and other network monitoring tools. Chapter 11 Running an Unattended Server ──────────────────────────────────────────────────────────────────────────── To secure an unattended server that is physically available to users, LAN Manager includes a console version of the LAN Manager Screen. This screen is especially for servers with printer queues and communication-device queues (comm queues). Users can view resources and modify their own requests for shared devices (on servers with user-level security). The console screen also has menu commands for administrators to control devices and queues, and a command for changing a password. This chapter tells how the console version of the LAN Manager Screen secures an unattended server, and how a server using the console screen is used and administered. Administering an Unattended Server The console screen is displayed by typing net console and providing an exit password. The display cannot be removed without supplying the exit password. ──────────────────────────────────────────────────────────────────────────── NOTE Supply an exit password to prevent users from removing the display and performing administrative tasks. ──────────────────────────────────────────────────────────────────────────── The console screen prevents users from changing sessions in MS OS/2 (by pressing ALT+ESC or CTRL+ESC). Attempting to access other sessions results in the following message box: (This figure may be found in the printed book). To return to the console screen, choose OK. Before displaying the console screen, complete administrative tasks such as starting services and sharing printers and communication devices. The Workstation, Messenger, and Netpopup services start with the net console command. The console screen, however, provides no way to start any of the other LAN Manager services. You might want to start the Server service and log on to the network before displaying the console screen. To perform administrative tasks on a server with user-level security, a user with admin privilege, or print and comm operator privileges (verified by a password), must be logged on at the server. A server with the console screen displayed can be administered remotely. For information about the LAN Manager services, see Chapter 2, "Getting Started." To learn how to share queues, see Part 3. Using the Console Screen The console screen limits users' access to the server, while giving them control over their own print jobs (if the server has user-level security). It shows the status of printer and communication devices that the server is sharing. Administrators can use the screen to monitor and control the status of the server's queues and control print jobs in local printer queues. The following sections tell how to start the console screen and how to perform tasks using the menu commands. ──────────────────────────────────────────────────────────────────────────── NOTE No command-line equivalents are given for these procedures, because net commands can't be used when the console screen is displayed. ──────────────────────────────────────────────────────────────────────────── Starting the Console Screen To start the console version of the LAN Manager Screen: 1. At the MS OS/2 prompt, type net console If the Workstation service isn't running, LAN Manager displays a message box while it starts the service. The following dialog box appears: (This figure may be found in the printed book). 2. In the "Password" text box, type a password. The password can have as many as 14 characters. ──────────────────────────────────────────────────────────────────────────── NOTE LAN Manager does not prompt for confirmation, and you do not see the password as you type 3. Choose <OK>. Removing the Console Screen To remove the console screen, press F3. When prompted, supply the exit password. Screen Menus and Commands After you type a password, a screen similar to the one shown in Figure 11.1 appears. The screen displays menus and the status of the server's printer queues. (This figure may be found in the printed book). From menus on the console version of the LAN Manager Screen, you can perform the following tasks: View menu Printer queues Display the configuration, status, and queued jobs for the server's printer queues. With user-level security, users can control their own print jobs. Administrators can reconfigure and control the queue, and can control jobs in a queue. Comm-device queues Display a sharename and the number of requests pending for the server's comm queues. Exit F3 Remove the console screen. Message menu Send a typed message Send messages to network users. Status menu Device status Display the status of a printer or communication device shared in a queue. Administrators can change a device's status. Accounts menu Change your password Allow users to change their passwords if the server has user-level security. Help menu Provides context-sensitive help for most tasks, as well as a glossary of terms. The following sections tell how to use the commands in these menus. Printer Queues The View menu's Printer queues command can be used to view the contents, status, and configuration of the server's spooled printer queues. An administrator can use this command to change the status or configuration of a queue or control its print jobs. Viewing Printer Queue Information Anyone can view information about the jobs held in queues, the queues' configurations, and the status of the jobs and the queues. The Printer queues command initially displays status and content information, but can also display configuration options for a selected queue. The following procedure tells how to view both. To view the contents, status, or configuration of a local printer queue: 1. From the View menu, choose Printer queues. A dialog box similar to the following appears: (This figure may be found in the printed book). For each printer queue on the server, the status of the queue and the number of jobs in the queue is shown. The job number and size of each job are displayed in the indented list beneath the queue status. 2. To view configuration options for a particular queue, in the list box, select the queue, then choose <Zoom>. A dialog box similar to the following appears: (This figure may be found in the printed book). This dialog box shows the following options for the selected queue: Sharename The name for the queue. Status The current status for the queue, which is Active, Waiting, or Paused. Priority The priority level, from 1 to 9 (1 is highest priority), for jobs in the queue. Printer device(s) The device(s) to which this queue routes jobs. Separator file The file, if any is in use, that prints one or more separator pages before each print job. Print after The time at which the queue starts sending jobs to a printer(s). Jobs that are requested during hours other than the queue's printing hours are held in the queue. Print until The time after which the queue no longer sends jobs to a printer(s). Print processor The filename of the print processor, if any is in use. Parameters The values supplied for the print processor program. Drivername The Presentation Manager device driver for the queue. Comment A descriptive comment displayed in resource lists. 1. Choose <OK>. 2. Choose <Done>. Changing the Status of a Printer Queue Changing the status of a printer queue─holding, releasing, purging, or deleting it─requires that you have admin privilege or print operator privilege and know the exit password. To change the status of a printer queue: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 11.2) appears. 2. In the list box, select the printer queue. 3. Choose one of the following command buttons: ■ <Hold> to suspend all jobs except those that are printing. ■ <Release> to reactivate a held queue. ■ <Delete> to delete the printer queue. ■ <Purge> to remove all pending requests from a queue. (Jobs that are printing are not affected.) 4. If you choose <Delete>, a prompt for confirmation appears. Choose <OK>. 5. If you choose <Hold>, <Release>, or <Purge>, and after the confirmation prompt if you choose <Delete>, the following dialog box appears: (This figure may be found in the printed book). 6. In the "Password" text box, type the exit password. 7. Choose <OK>. 8. Choose <Done>. Viewing Print Job Information For any print job, a user can view information about its length, how long it has been queued or printing, the user who requested the job, and the queue and printer handling it. This is done using the View menu's Printer queues command. To view information about a print job: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 11.2) appears. 2. In the list box, select a print job. 3. Choose <Zoom>. A dialog box similar to the following appears: (This figure may be found in the printed book). This dialog box shows the following information about the selected print job: Job # The job number for the request. Username The user who submitted the request. Sharename The name for the printer queue. Size The size in bytes of the document to be printed. Time queued The amount of time (in minutes and seconds) a job has been queued. Time printing The amount of time (in minutes and seconds) a job has been printing. Printing on The device that is printing a current job. Status The status for the job, which is Spooled, Held, Printing on (device), Held on (device), Out of paper on (device), Error on (device), Offline on (device), or Waiting. The "Printing Options for Job" dialog box also contains a text box for supplying a comment about the job and a set of option buttons for moving the request to the top or bottom of the queue. 1. To close the dialog box without making changes, choose <Cancel>. 2. Choose <Done>. Changing the Position of a Print Job You can change the position of a job in a printer queue, and can supply a comment that is displayed in job lists. For a server with user-level security, users, from their workstations, can move their own print jobs down in a queue, but can't move them up. Moving a print job that you do not own requires that you have admin privilege or print operator privilege and know the exit password. To change the position of a print job in a printer queue: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 11.2) appears. 2. In the list box, select a print job. 3. Choose <Zoom>. The "Printing Options for Job" dialog box (Figure 11.4) appears. 4. Select one of the "Move job to" option buttons: ■ "Unchanged" cancels a "First in queue" or "Last in queue" selection. ■ "First in queue" moves the job to the top of the queue so that it will be the next job to print. ■ "Last in queue" moves the job to the bottom of the queue, so that all other jobs print first. The user who owns the job can select this option. The "Enter User Password" dialog box (Figure 11.3) appears. 5. In the "Password" text box, type the exit password. 6. Choose <OK>. 7. Choose <Done>. Changing the Status of a Print Job Users can hold, release, restart, or delete their own print jobs using the View menu's Printer queues command. This can't be done at servers with share-level security. An administrator can change the status of any print job in a printer queue shared by the server, regardless of the type of security. Changing the status of a print job that you do not own requires that you have admin privilege or print operator privilege and know the exit password. To change the status of a print job: 1. From the View menu, choose Printer queues. The "Print Queues on \\server" dialog box (Figure 11.2) appears. 2. In the list box, select a print job. 3. Choose one of the following command buttons: ■ <Hold> to keep the job in the queue and suspend it from printing. ■ <Release> to release a job that has been held. ■ <Restart> to reprint, from the beginning, a print job that has been interrupted. ■ <Delete> to delete the job, canceling the printing. 4. If you choose <Delete>, a prompt for confirmation appears. Choose <OK>. 5. If you choose <Hold>, <Release>, or <Restart>, and after the confirmation prompt if you choose <Delete>, the "Enter User Password" dialog box (Figure 11.3) appears. 6. In the "Password" text box, if the print job is your own, type your own password. Otherwise, type the exit password. 7. Choose <OK>. 8. Choose <Done>. Comm-device Queues You can check the availability of comm queues on the server using the View menu's Comm-device queues command. To check the status of a comm queue: 1. From the View menu, choose Comm-device queues. The following dialog box appears: (This figure may be found in the printed book). The list box shows all comm queues shared by this server. For each queue, it shows how many requests are pending, and how many of these are ahead of requests made from this server. 2. Choose <Done>. Exit To remove the console version of the LAN Manager Screen: 1. From the View menu, choose Exit. The following dialog box appears: (This figure may be found in the printed book). 2. In the "Password" text box, type the exit password that was used to start the console screen. 3. Choose <OK>. Send a Typed Message You can use the Message menu to send a typed message to one or more network users. The message can be sent to a list of names, or it can be broadcast to everyone in a domain. For more information about sending messages, see the Microsoft LAN Manager User's Guide. To send a message: 1. From the Message menu, choose Send a typed message. The following dialog box appears: (This figure may be found in the printed book). 2. If you want to send the message only to specified people, select the "Name" option button. Then, in the text box to the right of the "Name" option button, type the name(s) you want to receive the message. Use a space to separate multiple names. 3. If you want to broadcast the message to everyone in a domain, select the "Domain" option button. Then, in the text box to the right of the "Domain" option button, type the domain name. A message can only be broadcast throughout one domain at a time. 4. In the "Message" text box, type a message. The maximum length for a message depends on the setting of the message buffer at both sending and receiving computers (see the sizmessbuf entry in the [messenger] section of the LANMAN.INI file). 5. Choose <OK>. Device Status The Status menu contains the Device status command, used to check or change the status of devices shared through server queues. Any user can view the status of a device. By supplying a privileged password, a user can also change the status of a device, or the status of a request routed to the device. Viewing Device Status Information To view status information for shared devices on the server: 1. From the Status menu, choose Device status. A dialog box similar to the following appears: (This figure may be found in the printed book). For each device, the list box displays the status, how long that status has been in effect, and which user's job or request is being processed. 2. Choose <Done>. Changing the Status of a Device Changing the status of a device requires that you have admin privilege, or comm or print operator privilege, and know the exit password. Changing status is pausing or continuing a printer, restarting a print job, or canceling the request that a communication device or printer is processing. To change the status of a device: 1. From the Status menu, choose Device status. The dialog box shown in Figure 11.5 appears. 2. In the list box, select a device. 3. Choose one of the following command buttons: ■ <Pause> to pause a printer. Pausing a printer also pauses the document that is printing. (Communication devices cannot be paused.) ■ <Continue> to restart a paused printer, continuing the current print job. ■ <Restart> to reprint, from the beginning, a print job that has been interrupted. ■ <Kill> to cancel the request being processed by a printer or communication device. 4. If you choose <Kill>, a prompt for confirmation appears. Choose <OK>. 5. If you choose <Pause>, <Continue>, or <Restart>, and after the confirmation prompt if you choose <Kill>, the "Enter User Password" dialog box (Figure 11.3) appears. 6. In the "Password" text box, type the exit password. 7. Choose <OK>. 8. Choose <Done>. Changing Your Password Using the Accounts menu's Change your password command, you can change your password. The password change occurs just as it does when the change is made from a workstation. This command is valid only for servers with user-level security. To change your password: 1. From the Accounts menu, choose Change your password. The following dialog box appears: (This figure may be found in the printed book). 2. In the "Old password" text box, type your current password. The password is not displayed as you type it. 3. In the "New password" text box, type a different password. The password can have as many as 14 characters and is not displayed as you type it. 4. Choose <OK>. Chapter 12 Sharing Processing Power ──────────────────────────────────────────────────────────────────────────── There are two ways to share processing power with LAN Manager: using LAN Manager's Netrun service or using distributed applications. With the Netrun service, you can let users run programs on a server from MS OS/2 workstations. As an administrator, you decide how to set up the Netrun service, what programs to run under it, and which people can use them. Distributed applications are software products, such as Microsoft SQL Server, that are designed to run on a network. In these applications, individual computers run programs that cooperate to get a single job done. Distributed applications are similar to the Netrun service, but are not controlled by LAN Manager. In this chapter you will learn how to set up a server to use the Netrun service, how to start and stop the service, how to specify which programs can be used with the Netrun service, and how to control the number of people using the Netrun service. Using the Netrun Service When a user runs a program with the Netrun service, the program runs on the server, but the person uses an MS OS/2 workstation to start the program and specify what input the program uses and where the program's output goes. This service lets users take advantage of the greater memory, disk space, and processing speed that servers usually have. It gives them a way to run large, time-consuming programs on a server, leaving their own workstations free for other work. The Netrun service also provides an efficient way to run programs that use data files kept on the server. When these programs run on the server, the data does not have to be transported from server to workstation, as is the case when a workstation runs this type of program. Only programs with a .EXE extension can be run under Netrun. Interactive, screen-oriented programs such as Presentation Manager applications, word processors, and spreadsheets cannot be used. ──────────────────────────────────────────────────────────────────────────── NOTE Before making a commercial program available for use with Netrun, check the program's licensing agreement. The licensing terms may limit the number of users who can use a program simultaneously, or may prevent the program's use with the Netrun service. ──────────────────────────────────────────────────────────────────────────── Creating a Run Path To specify the programs that users can run on the server, you define a run path. The run path is a list of directories containing programs available for use with Netrun. To use a program with Netrun, the program must be in a directory in the server's run path. The run path is set in the [netrun] section of the LANMAN.INI file, or can be adjusted when you start the Netrun service. When defining the run path, be sure that directories in the run path contain only programs that you want to allow users to run. For example, if you put LANMAN\NETPROG in the run path, users have full administrative access to the server. The directories in the run path do not need to be shared for the Netrun service to work─in fact, there is a good reason not to share them. If a directory in the run path is shared, a user can add a new program to that directory and run the program on the server. If you share a directory that is in the run path, limit users' access to the directory when you assign permissions. For more information, see Part 2, "Managing Security." Controlling Access to Netrun and Distributed Applications The Netrun service and distributed applications create and use named pipes to send information back and forth between computers running the application. On servers with user-level security, you can assign permissions to these named pipes to control access to the programs. For the Netrun service, this named pipe is PIPE\LANMAN\NETRUN. For distributed applications, see the manuals for these applications to find the names of named pipes they create. Also, IPC$ must be shared for the Netrun service or distributed applications to work. IPC$ is an administrative resource that controls how interprocess communication (IPC) works on servers. IPC$ is automatically shared on servers with user-level security, but you must explicitly share IPC$ on servers with share-level security. For more information about sharing the IPC$ resource, see Chapter 6, "Administrative Resources." All programs running under the Netrun service run as if started at the server by a user with admin privilege. As a result, all network file security (including local security) is bypassed. It is advisable to make only carefully designed programs available to non-administrators via the Netrun service. In particular, do not make the MS OS/2 command interpreter, CMD.EXE, available for use with the Netrun service. ──────────────────────────────────────────────────────────────────────────── NOTE If security is important, run the server with user-level security, which allows more control over the Netrun service. ──────────────────────────────────────────────────────────────────────────── The following sections tell how to control access to programs in the run path on servers with user-level and share-level security. It also tells how to control the number of users running programs on the server simultaneously. User-Level Security On a server with user-level security, restrict access to programs available through the Netrun service or distributed applications by setting the permissions for the named pipe resource (PIPE\LANMAN\NETRUN for the Netrun service). Only those users with permissions to use the named pipe can use the Netrun service or the distributed application. You can assign the following permissions for a named pipe to a user or group: Permitted access (Yes) User or group can use the named pipe. (Y includes the Read and Write permissions.) Denied access (No) User or group cannot use the named pipe. Permitted access; can change permissions (Yes + P) User or group can use, and set access permissions for, the named pipe. You can also set default permissions, which are the permissions assigned for the \PIPE resource. To control access to individual programs, set the permissions for each program file in the run path. Only users who have R or X (Read or Execute) permission for a program can run the program with the Netrun service. For information about how to set permissions for directories and files, see Chapter 7, "Disk Resources." To set permissions for a named pipe resource: 1. From the Accounts menu, choose Other permissions. The following dialog box appears: (This figure may be found in the printed book). 2. From the "Access type" option buttons, select "Named pipes." 3. Choose <Add entry>. The following dialog box appears: (This figure may be found in the printed book). 4. In the "Sharename" text box, type the name of the pipe. For the Netrun service, type PIPE\LANMAN\NETRUN. 5. Set the permission for the named pipe: ■ To grant permissions for a group or user, in the "Not permitted" list box, select the groupname or username. From the "Assigned permission" option buttons, select the permission you want to assign for the group or user. Then choose <Permit>. The groupname or username moves to the "Permitted" list box. ■ To change the permissions for a group or user, in the "Permitted" list box, select the groupname or username. From the "Assigned permission" option buttons, select the permission you want to assign for the group or user. ■ To revoke the permissions for a group or user, in the "Permitted" list box, select the groupname or username. Then choose >. ■ To reset the permissions for this resource to the default permissions, mark the "Use default permissions" check box. ■ To revoke permissions for all users, choose >. 6. To audit successful or failed attempts to use this resource (or both), from the "Enable Auditing for" check boxes, mark the appropriate check box(es). 7. Choose <OK>. 8. Choose <Done>. Command Line To set permissions for a named pipe resource, type net access resource [/add name:permission[ ...]] or net access resource [/grant name:permission[ ...]] | [/change name:permission[ ...]] | [/revoke name[ ...]] See Net Access, Microsoft LAN Manager Administrator's Reference. Share-Level Security On a server with share-level security, you must explicitly share IPC$ to be able to use the Netrun service or to run distributed applications. You can assign a password to IPC$ when you share it. Users must supply this password as part of the command to run a program with the Netrun service or with a distributed application. Assigning a password to IPC$ has other effects. If you assign a password to IPC$, users must explicitly connect to IPC$ and supply the password before they can view the resources shared by the server, use the Netrun service on the server, or run a distributed application on the server. Administrators will also have to type the password before remotely administering the server. To do this, they will have to type a command with the following form: net use \\server\ipc$ password Note that on a server with share-level security you do not assign permissions to the named pipes. For more information about IPC$, see Chapter 6, "Administrative Resources." Controlling the Number of Netrun Users The maxruns entry in the LANMAN.INI file's [netrun] section defines the maximum number of users who can run programs simultaneously on the server using the Netrun service. The range for maxruns is 1-10; the default is 3 users. If you change the value of maxruns while the Netrun service is running, you must restart the Netrun service for the change to take effect. Managing the Netrun Service This section explains how to set up the server to run the Netrun service and how to start and stop the Netrun service. Setting Up the Server for the Netrun Service Before starting the Netrun service on a server, you must complete four tasks: 1. Change the runpath entry in the LANMAN.INI file's [netrun] section. Type the pathname of each directory containing programs that you want to make available. Use a semicolon to separate multiple pathnames. For example, the following LANMAN.INI entry makes the programs in the SORT and DB\PROGS directories available for use with the Netrun service: runpath=c:\sort;c:\db\progs 2. If the server has share-level security, share the IPC$ resource. (IPC$ is automatically shared on a server with user-level security.) For information about IPC$ and how to share it, see Chapter 6, "Administrative Resources." 3. Share a directory on the server. Before anyone can use the Netrun service to run a program on a server, they must connect to a shared directory on the server. Therefore, you must be sure that a directory is shared, and that those users who will use the Netrun service have access to the directory. The directory you share does not have to be in the run path, and directories you put in the run path do not have to be shared. You share the directory only so that people using the Netrun service can make a connection to the appropriate server. For information about how to share a directory, see Chapter 7, "Disk Resources." 4. On servers with user-level security, be sure that users who will run programs with the Netrun service have permission to use the named pipe PIPE\LANMAN\NETRUN. Also, be sure each user has either R or X (Read or Execute) permission for each program that they will be running with the Netrun service. Starting the Netrun Service When you start the Netrun service, you can specify the maximum number of users who can use it, and set the run path. There are two ways to start the Netrun service using the Config menu. You can choose the Control services command and set Netrun options, or you can choose the Server options command, and start Netrun as part of the server configuration. Both procedures are described in the sections that follow. ──────────────────────────────────────────────────────────────────────────── NOTE When you start the Netrun service for the first time and when you add programs to the server's run path, be sure to tell the appropriate users. For security reasons, users cannot use the LAN Manager Screen or any commands to find out what programs are available for use. ──────────────────────────────────────────────────────────────────────────── To start the Netrun service and set options: 1. From the Config menu, choose Control services. The following dialog box appears: (This figure may be found in the printed book). 2. In the list box, select "Netrun." 3. Choose <Start>. The following dialog box appears: (This figure may be found in the printed book). 4. In the list box, select the option you want to modify and, in the "Value" text box, enter the value. 5. Choose <Set>. 6. Choose <OK>. 7. Choose <Done>. To start the Netrun service as part of the server configuration: 1. From the Config menu, choose Server options. The following dialog box appears: (This figure may be found in the printed book). 2. From the "Start server services" check boxes, mark "Netrun service." 3. Choose <OK>. NOTE You cannot set the run path using this procedure. Command Line To start the Netrun service and set options, type net start netrun [/maxruns:number] [/runpath:pathname] See Net Start Netrun, Microsoft LAN Manager Administrator's Reference. Starting Netrun Automatically You can have the Netrun service start automatically each time the server starts by adding netrun to the list of services in the srvservices entry of the LANMAN.INI file's [server] section. For more information about the LANMAN.INI file, see the Microsoft LAN Manager Administrator's Reference. Stopping the Netrun Service Before stopping the Netrun service, be sure nobody is running a program using the Netrun service. If you stop the Netrun service while such a program is running, the program will fail. To stop the Netrun service: 1. To see if anyone is using the Netrun service, from the Status menu, select Opened files. The following dialog box appears: (This figure may be found in the printed book). This dialog box shows which server files are currently in use and who is using them. If PIPE\LANMAN\NETRUN is listed, then the person whose username appears by the resource is using the Netrun service. 2. Choose <Done>. 3. If nobody is using the Netrun service, from the Config menu, choose Server options. The "Set Configuration for Server \\server" dialog box (Figure 12.1) appears. 4. From the "Start server services" check boxes, unmark the "Netrun service" check box. 5. Choose <OK>. Command Line To stop the Netrun service: 1. See if anyone is using the Netrun service by typing net file If the resource PIPE\LANMAN\NETRUN is listed, then the person whose username appears by that resource is using the Netrun service. 2. If nobody is using the Netrun service, type net stop netrun See Net File and Net Stop, Microsoft LAN Manager Administrator's Reference. Adding a Program At any time after you begin using the Netrun service, you can modify the list of programs available under the Netrun service. To add a program for use with the Netrun service: 1. Move the new program to a directory in the run path, or add the directory containing the program to the run path. If you add a directory to the run path, be sure the directory includes only programs that you want to give users access to. To add a directory to the run path, add the pathname of the directory to the runpath entry in the LANMAN.INI file's [netrun] section. Use a semicolon to separate multiple pathnames. For details on how to do this, see the "Creating a Run Path" section, earlier in this chapter. 2. If the server has user-level security, be sure that the users who will run the new program have either R or X (Read or Execute) permission for the program file. 3. If you added a directory to the run path, you must restart the Netrun service before the new directories are recognized. For instructions on how to stop and start the Netrun service, see the "Starting the Netrun Service" and "Stopping the Netrun Service" sections, earlier in this chapter. Removing a Program You have three options for removing a program from use with the Netrun service: ■ Move the program to a directory not in the run path. ■ Remove the directory containing the program from the run path. This also prevents all other files in the directory from being used with the Netrun service. After you remove a directory from the run path, stop and restart the Netrun service. ■ If the server has user-level security, you can modify a user's permissions for the program. Removing the user's RX (Read and Execute) permissions prevents the person from running the program with Netrun. For information about using permissions with user-level security, see Chapter 4, "User-Level Security." Chapter 13 Replicating Files and Directories ──────────────────────────────────────────────────────────────────────────── The Replicator service lets you maintain identical sets of files and directories on different servers and MS OS/2 workstations. Replication simplifies the task of updating and coordinating files. If users need access to particular files, you can update the files on one server and let replication take care of updating the files on other workstations and servers. The Replicator service can replicate administrative and application program source files, including configuration profiles and application directories. This service, for example, is used to maintain a set of identical logon scripts on all servers with user-level security that process logon requests in a domain. Replication is controlled by options to the service that can be set using the LANMAN.INI file or from the command line using the net start replicator command. This chapter describes the replication process. It tells how to configure LAN Manager servers to export files during replication, and how to set up servers and MS OS/2 workstations to receive the updates. How Replication Works To replicate a set of files and directories on several computers, you designate an export server on which you maintain a master set of files and directories to be replicated. Only a LAN Manager server can be configured as an export server. LAN Manager servers and MS OS/2 workstations that receive the file replicas are configured as import servers. All files and directories to be replicated are kept in the export server's export directory. Import servers have a corresponding import directory. Export servers can replicate directory trees with as many as 32 levels. Each directory can contain as many as 200 files and subdirectories. The Replicator service monitors the export directory. When you change a file, or add or delete a directory or file in the export directory, the Replicator service makes the equivalent change in the complementary import directories on all import servers. Files cannot be replicated if they are open. From an export server, replication can be targeted─replicating to some files on one group of import servers and to other files on another group─by creating subdirectories under the export directory. Files in the export directory itself are not replicated. Export servers replicate only those subdirectories for which there is a matching directory directly under the import directory on the import server. A network can have any number of export and import servers. A server can be both an export and an import server; workstations can be configured only as import servers. The import directory path can be local or remote. To replicate files locally, specify both an export and import directory path on the export server. This creates "mirror" copies of the data; these are useful for updating shared directories on the export server. A remote import directory path has the effect of "pushing" data changes to the remote target. This can be used to replicate data to LAN Manager 1.x servers, which do not support the Replicator service. ──────────────────────────────────────────────────────────────────────────── NOTE Two export servers should not replicate the same directories and files to the same import servers. Import servers can only synchronize with one export server for a specific directory. ──────────────────────────────────────────────────────────────────────────── The REPL.INI File For each directory immediately below the export directory, you can create a REPL.INI file, which controls how much of the subdirectory tree is replicated, and under what conditions. The REPL.INI file contains two entries: extent and integrity. For each entry, the value is either tree or file. The extent entry specifies whether or not all subdirectories are replicated. If extent equals tree, all files and subdirectories are replicated. Setting extent equal to file replicates only files in the first-level directory. If integrity equals tree, all files and subdirectories must be stable (no changes) for a specified interval before any replication takes place. If integrity equals file, each file can be replicated as soon as it is changed. If you don't create a REPL.INI file for one of these directories, the Replicator service uses the following default values: extent=tree integrity=file Each entry (extent and integrity) must be on a different line in the file. Figure 13.1 shows a typical export directory that replicates two subdirectories, RECEIPTS and OFFICES. The REPL.INI file is shown for each subdirectory. (This figure may be found in the printed book). The entire RECEIPTS directory tree is replicated (extent=tree), but only after all files in the tree are stable for the specified interval (integrity=tree). In the OFFICES subdirectory, the STRATEGY.TXT and HISTORY.TXT files are replicated, but not the CURRENT and PLANNED subdirectories (extent=file). Because integrity=file for this subdirectory, HISTORY.TXT can be open while STRATEGY.TXT is being replicated. The following procedures tell how to prepare an export server to send replicas, and how to prepare an import server to receive replicated directories using the Replicator service. Preparing an Export Server For information about exporting logon scripts for user-level security, see Chapter 4, "User-Level Security." To prepare an export server for replication: 1. Edit the LANMAN.INI file's [replicator] section: ■ For the replicate entry, change the value to export. You can set up the server as both an export and import server (replicate=both). ■ For the exportpath entry, specify the path to the server's export directory tree. By default, the Replicator service expects REPL\EXPORT (relative to the LANMAN directory). ■ For the exportlist entry, specify the list of import servers and domains to receive update notices; 0-32 names can be included. When specifying a computername, do not include the two backslashes (\\) at the beginning of the name. Use a semicolon to separate multiple names. The default is the export server's domain. ■ For the interval entry, specify how often (in minutes) the Replicator service checks the export directory for changes. The range is 1-60; the default is 5 minutes. ■ For the guardtime entry, specify the number of minutes the export directory must be stable (no file changes) before it can be replicated to import servers. The range is 0 to (interval/2); the default is 2 minutes. ■ For the pulse entry, specify how often the export server sends update messages to an import server when no change occurs. This value is in multiples of interval minutes. The range is 1-10; the default is 3. ■ For the random entry, specify the maximum number of seconds import servers can stagger the replication of files. The range is 1-120; the default is 60 seconds. NOTE With the exception of replicate, each entry in the [replicator] section of the LANMAN.INI file pertains to either export or import servers, but not both. 2. To start the Replicator service automatically, add replicator to the list of services in the srvservices entry in the [server] section of LANMAN.INI. 3. Create the export directory tree specified by the exportpath entry. 4. Within the export directory tree: ■ Create a subdirectory for each set of files that you want to replicate. ■ Copy the files to be replicated into each subdirectory. ■ If you don't want to accept the default REPL.INI settings (extent=tree, integrity=file) for any of the subdirectories, create a REPL.INI file in the subdirectory with the desired extent and integrity values. 5. Start the Replicator service for the changes to take effect. Assigning Permissions for Replication To replicate files and directories to an import server, the Replicator service must be able to access the export directory tree on behalf of the import server. Regardless of the method used, the import server must have RA (Read and Change Attribute) permissions for the export directory tree. Method for User-Level Security On an import server with user-level security, there are two ways to grant access to the export directory tree: ■ Set the tryuser entry in the [replicator] section of the import server's LANMAN.INI file to yes. This causes the Replicator service to try to replicate using the permissions for the user logged on at the import server. For replication to take place, the user must have an account on the export server and have RA permissions on the REPL\EXPORT directory. If tryuser=no or the replication fails, the Replicator service tries the next method. ■ Set the logon entry in the [replicator] section of the import server's LANMAN.INI file to username, where username is the name of a user account that has RA permissions on the REPL\EXPORT directory on the export server. Also, set the password entry to that account's password on the export server. For replication to occur, no users can be logged on at the import server. Creating a Default Access Account - The simplest way to give access to multiple import servers is to create a group on the export server, giving the group RA (Read and Change Attribute) permissions for the export directory tree. This group contains an account for each import server. To create a default access account: 1. On the export server, create the group rep. 2. Create user accounts using the computernames of each import server, and add them to the rep group. Set the minimum password length to 0, and do not assign passwords to the accounts. 3. Assign the rep group RA (Read and Change Attribute) permissions for the export directory tree. For information about creating groups and user accounts, controlling password restrictions, and setting permissions for a directory or file, see Chapter 4, "User-Level Security." Method for Share-Level Security On a server with share-level security, the export directory tree (LANMAN\REPL\EXPORT) is automatically shared as REPL$ with RA (Read and Change Attribute) permissions when you start the Replicator service. It is shared without a password. Preparing an Import Server To prepare an import server for replication: 1. Edit the LANMAN.INI file's [replicator] section: ■ For the replicate entry, change the value to import. If configuring a LAN Manager server, you can set up the server as both an import and export server (replicate=both). ■ For the importpath entry, specify the path to the import directory. By default, the Replicator service expects REPL\IMPORT (relative to the LANMAN directory). ■ For the importlist entry, specify the list of export servers and domains that will replicate files to the import server; 0-32 names can be included. When specifying a computername, do not include the two backslashes (\\) at the beginning of the name. Use a semicolon to separate multiple names. The default is the import server's domain. ■ For the tryuser entry, indicate whether the Replicator service should try to replicate files on an import server if a user is logged on at the server. The default is yes. A no value means files will not be replicated while a user is logged on. ■ For the logon entry, specify a username for the Replicator service to use when logging on at the import server. The entry is not used while a user is logged on. ■ For the password entry, specify the password the Replicator service is to use with the logon entry. 2. To start the Replicator service automatically, add replicator to the list of services in the srvservices entry in the [server] section (servers only) or the wrkservices entry in the [workstation] section of the LANMAN.INI file. NOTE With the exception of replicate, each entry in the [replicator] section of the LANMAN.INI file pertains to either export or import servers, but not both. 3. Create the import directory tree specified by the importpath entry. 4. Within the import directory tree, create a subdirectory with the same name as each first-level subdirectory that you want to replicate in the export server's export directory tree. For example, to replicate the directory tree shown in Figure 13.1, you would create the first-level directories RECEIPTS and OFFICES. When extent=tree in the REPL.INI file (the default value), the Replicator service creates the needed subdirectories within those directories. 5. Start the Replicator service for the changes to take effect. Maintaining Replication Users should not change any of the files in import directories. These changes are overwritten when the Replicator service updates the import directory. To ensure that files and directories in the export directory are not replicated while they are being updated, in a first-level subdirectory of the export directory, create a file named USERLOCK. USERLOCK doesn't have to contain any data; its presence prevents replication. In the REPL directory tree shown in Figure 13.1, putting a USERLOCK file in the RECEIPTS directory would prevent replication of all files in the RECEIPTS, JANUARY, and FEBRUARY subdirectories. USERLOCK files are only in effect when integrity=tree in the export directory's REPL.INI file. If integrity=file, the USERLOCK file is ignored. To indicate the import directory's replication status, the Replicator service puts a signal file in each first-level subdirectory. Signal files have the following meanings: OK.RP$ The directory is receiving regular updates from an export server, and the data is identical to that of the export. The date of this file is set to the last time an update was received. NO_MASTR.RP$ The directory is not receiving updates. Either the export server is not running, or it has stopped exporting this directory. This file is also placed in newly created import directories when the Replicator service first starts. NO_SYNC.RP$ The directory is receiving updates from an export server, but the data is not up to date. This could be due to a communication failure, open files on the import or export server, the import server not having access permissions at the export server, or the export server going down suddenly. The date of this file is set to the time the directory first became out of date. Stopping Replication Stopping replication of files is easily done on either an export server or an import server. To stop replication: 1. On an export server, use any of the following methods: ■ Stop the Replicator service. ■ Delete files from the export directory. ■ Delete the first-level subdirectory (and its contents) that you no longer wish to export. ■ Place a USERLOCK file in the subdirectories you want to temporarily stop replicating. 2. On an import server, use one of two methods: ■ Stop the Replicator service. ■ Delete the first-level subdirectory for any directories or files for which replicas are no longer needed. Chapter 14 Using the Remoteboot Service ──────────────────────────────────────────────────────────────────────────── When you boot a computer, the operating system is loaded into memory. The LAN Manager Remoteboot service, running on a server, supports MS OS/2 or MS-DOS workstations that boot using the server's hard disk instead of their own. Each participating workstation has a network adapter card that retrieves startup and configuration software from the server when the workstation starts; the workstation does not need to have a hard disk at all. This process is known as remoteboot, or remote program load (RPL). For remoteboot, workstations must have a Token-Ring network adapter card with the RPL ROM chip installed. ──────────────────────────────────────────────────────────────────────────── NOTE The server's MS OS/2 license does not extend to other computers. You must have one valid MS-DOS or MS OS/2 license for each remoteboot workstation. ──────────────────────────────────────────────────────────────────────────── The Microsoft LAN Manager Installation Guide describes how to install the Remoteboot service on one server and set it up to boot one workstation. This chapter describes the following: ■ Adding remoteboot workstations ■ Supporting other versions of MS-DOS (version 4.01 is initially supported) ■ Customizing device drivers for each workstation ■ Replicating remoteboot support to other servers for backup ■ Booting from one server and sharing work directories from another server ──────────────────────────────────────────────────────────────────────────── NOTE The LANMAN directory in the following procedures may have another pathname on the server; this is set during installation. The default is C:\LANMAN. ──────────────────────────────────────────────────────────────────────────── Adding a Remoteboot Workstation to the Network Once the Remoteboot service is set up to boot one workstation, you can modify the server to boot additional workstations. Adding a workstation includes the following processes: ■ Creating remoteboot directories ■ Adjusting user-level security ■ Adding a workstation record in the RPL.MAP file ■ Adding a .FIT file for the workstation ■ Modifying configuration files for an MS OS/2 workstation ■ Enabling the remoteboot process on a workstation with a hard disk Creating Remoteboot Directories To create remoteboot directories for the new workstation: 1. Choose a computername for the workstation; the computername can have as many as eight characters. 2. Create a workstation directory in the server's LANMAN\RPL\MACHINES directory. Name the directory LANMAN\RPL\MACHINES\computername, where computername is the workstation's name. For example, for the computer RM150, you could create the logon directory LANMAN\RPL\MACHINES\RM150. 3. Copy the LANMAN\RPL\MACHINES\DEFAULT directory to LANMAN\RPL\MACHINES\computername. The DEFAULT directory contains a CONFIG.SYS and STARTUP.CMD file and a LANMAN subdirectory with a LANMAN.INI file. 4. Create a work directory for the workstation in the server's LANMAN\RPLUSER directory. Name the directory LANMAN\RPLUSER\computername, where computername is the workstation's name. Or, create a subdirectory in the workstation's work directory for each user. For example, for the computer RM150, you could create the work directory LANMAN\RPLUSER\RM150, and then within it create a subdirectory for each user. 5. For an MS OS/2 workstation, copy all of the files in the LANMAN\RPLUSER\DEFAULT subdirectory to LANMAN\RPLUSER\computername. Or, if you set up the account under the user's name, copy the directory to LANMAN\RPLUSER\computername\username. Adjusting User-Level Security On a server with user-level security, you must create user accounts and assign permissions to allow access for remoteboot workstation users. If the server has user-level security: 1. Create a user account with the workstation's computername, adding the account name to the rpl group. Do not assign a password to this account. This account is used by the server to establish the identity of the workstation at boot time. 2. Create a user account for each person who will use the workstation. Use account names different from the computername. If you want to restrict this user to work only at this workstation, specify the computername of the workstation in the "Valid workstations" field (the net user /workstation option). 3. Assign the computer's account RWCDXA permissions for the work directory that the person will use. Specify that these permissions are to be inherited (using <Permit> and <Permit tree> in the LAN Manager Screen for administrators). 4. Assign the computer's account RX permissions for the LANMAN\RPL\MACHINES\computername directory and specify that these permissions are to be inherited. Adding a Workstation Record When a remote workstation sends out a boot request over the network, a server checks whether its LANMAN\RPL\RPL.MAP file contains a workstation record for the workstation. If no record is found, the server waits until the number of requests specified in field 3 of the server record is received from the workstation. If this number is reached within the time specified in field 4 of the server record, the server boots the workstation using a copy of the enabled default workstation record. To add a new workstation record to a server's RPL.MAP file: 1. To make a backup copy of the RPL.MAP file, type copy rpl.map rpl.old 2. On the server, edit the RPL.MAP file's default workstation record, typing the server's computername in field 5. 3. RPL.MAP is initially adjusted to boot workstations with MS-DOS. To boot the workstation with MS OS/2: ■ Edit the default MS-DOS workstation record, replacing the R that begins field 12 with D. This disables the MS-DOS record. ■ Edit the default MS OS/2 workstation record, replacing the D that begins field 12 with R. This enables the MS OS/2 record. 4. Start the server's Server and Remoteboot services. 5. Start the remote workstation, and allow time for the server to respond to the workstation's boot request. Enabling Workstation Records When booting a workstation remotely for the first time, the server automatically creates a copy of the default workstation record in the RPL.MAP file and copies the workstation's adapter ID into field 1 of the new workstation record. Figure C.5 shows the RPL.MAP file as it appears when a new workstation record is added to the end of it. ???????????? DEFAULT ~ DOS401 RPLSERVR ~ ~ ~ ~,,, Z R_DOS ~ ~ ???????????? DEFAULT ~ FITS\DEFAULT RPLSERVR ~ ~ ~ ~,,, ~ D_OS2 ~ ~ . . . 10005A25DDF8 DEFAULT ~ DOS401 RPLSERVR ~ ~ ~ ~,,, Z D_DOS ~ ~ Figure C.5 A new workstation record in RPL.MAP The new record is automatically appended to the end of the RPL.MAP file. To boot the workstation using the new record, you must enable the record. Otherwise, the workstation will continue to use the default workstation record each time it boots. To enable a new workstation record: 1. Edit the new workstation record in the RPL.MAP file, making the following changes: ■ Type the workstation's computername in field 2. ■ Replace the D that begins field 12 with R. 2. If the workstation was booted using MS OS/2, change field 4 of the record to the pathname of the workstation's .FIT file (FITS\computername). 3. To put the RPL.MAP file changes into effect, reboot the workstation. ──────────────────────────────────────────────────────────────────────────── NOTE If the workstation has a hard drive, you must use the rplenabl utility to prepare the workstation for using the Remoteboot service. For information about rplenabl, see the "Enabling the Remoteboot Process on a Workstation's Hard Disk" section, later in this chapter. ──────────────────────────────────────────────────────────────────────────── Adding a .FIT File for the Workstation Each workstation uses a file index table (.FIT file) to translate pathnames of certain files to the actual locations of the files on the server running the Remoteboot service. For example, if the user types c:\config.sys, the server running the Remoteboot service translates this to LANMAN\MACHINES\computername\CONFIG.SYS. To prepare a .FIT file for the first remoteboot workstation: 1. Change directories to the LANMAN\RPL\FITS directory. 2. Edit DEFAULT.FIT, changing all occurrences of RPLSERVR to the boot server's computername. 3. Copy DEFAULT.FIT to computername.FIT. 4. In the new computername.FIT file, change all instances of DEFAULT to the new workstation's computername. Adjusting Configuration Files for an MS OS/2 Workstation Each MS OS/2 remoteboot workstation has its own CONFIG.SYS, STARTUP.CMD, OS2INIT.CMD, and LANMAN.INI files, but uses a central copy of the MS OS/2 and LAN Manager software. (MS-DOS remoteboot workstations use a central copy of the MS-DOS and LAN Manager initialization files.) You need to modify the workstation's own configuration files to suit that workstation. (For example, be sure to type the name of the server's domain for the domain entry in the workstation's LANMAN.INI file.) This section describes other adjustments you may need to make to the CONFIG.SYS and computer.FIT files. Video Display Device Drivers By default, the remoteboot workstation is configured to use the same type of video display as the one used by the server. If the workstation and server have different video display types, modify the CONFIG.SYS and computer.FIT files for the workstation. To configure the workstation for a video display that is different than the server's: 1. Modify CONFIG.SYS: ■ If the workstation has an EGA display monitor, find the three lines preceded by REM for VGA, use these Insert the word REM at the beginning of each of these three lines to comment out the lines. Find the three lines preceded by REM for EGA, use these Remove REM from the beginning of each of these three lines to enable the EGA configuration. ■ If the workstation has a CGA display monitor, find the three lines preceded by REM for VGA, use these Insert the word REM at the beginning of each of these three lines to comment out the lines. Add the following lines: devinfo=scr,cga,c:\os2\viotbl.dcp set video_devices=vio_ibmcga set vio_ibmcga=device(bvhcga) ■ Add configuration lines for any drivers the workstation requires that are not provided in the default CONFIG.SYS. Copy the drivers into the LANMAN\RPL\MACHINES\computername directory. 2. In the new computername.FIT file, you may need to add a display device driver for the workstation. If the workstation uses the same type of display monitor as the server, don't change anything. If the workstation uses a different display monitor, type the following line in the computername.FIT file: c:\os2\dll\display.dll os2\dll\xxxxxx.dll where xxxxxx is the appropriate display driver for the workstation. The display driver is one of the following: ■ IBMCGA ■ IBMEGA ■ IBMVGA NOTE If you want to allow users to edit their configuration files, copy the contents of LANMAN\RPL\MACHINES\DEFAULT into the workstation's work directory instead of LANMAN\RPL\MACHINES\computername. Then change all MACHINES subdirectory references in the workstation's .FIT file to \\servername\WRKFILES. Memory Swapping If the remote workstation has memory swapping enabled, the path for the swap file (the swappath entry) in LANMAN\RPL\MACHINES\computername\CONFIG.SYS should be set to use the workstation's hard disk (if it has one). This ensures that the swapper information is available to MS OS/2 should the server go down, and the user will not lose the use of the workstation. If the remote workstation is diskless, the server can be used for the swappath; however, if the server goes down, the user will have to wait for it to come back up before using the workstation. If this is a concern, turn swapping off for diskless MS OS/2 workstations. To use a remoteboot workstation's local hard disk for memory swapping: 1. On the server, change directories to the LANMAN\RPL\MACHINES\computername directory. 2. Edit the CONFIG.SYS file, setting the parameters as follows (pathname is the path of the swap directory): swappath=d:\pathname memman=swap,move,swapdos To use the server for swapping: 1. On the server, change directories to the LANMAN\RPL\MACHINES\computername directory. 2. Edit the CONFIG.SYS file, setting the parameters as follows: swappath=c:\os2\system memman=swap,move,swapdos To turn swapping off for either case, change the CONFIG.SYS file as follows: memman=noswap,move Other CONFIG.SYS Options To increase performance, change the libpath line to the following: libpath=c:\os2\dll;c:\lanman\netlib;c:\; If the workstation does not have a hard drive or if its hard drive does not have any HPFS partitions, comment out the following line by adding REM to the beginning of the line: ifs=c:\os2\hpfs.ifs -c:64 If the workstation will not use the DOS session, set the protectonly line to read protectonly=yes and comment out the following lines: device=c:\os2\dos.sys device=c:\os2\ega.sys Enabling the Remoteboot Process on a Workstation's Hard Disk Before a workstation with a hard disk can be booted remotely, its hard disk must be properly configured for the Remoteboot service. This does not prevent users from accessing the hard disk after the workstation is booted. Use the LAN Manager rplenabl utility to prepare the workstation to use the Remoteboot service. Later, if you want to boot the workstation using its hard disk, run the rpldsabl utility to disable the Remoteboot configuration. To configure a workstation's hard disk for the remoteboot process: 1. Create a LAN Manager utility disk: ■ Format an MS-DOS floppy disk. ■ Copy the files RPLENABL.EXE and RPLDSABL.EXE from the LANMAN\RPL\DOS directory to the disk. 2. Boot MS-DOS on the workstation. 3. Put the LAN Manager utility disk in drive A and type rplenabl 4. Remove the disk, and press CTRL+ALT+DEL. The Remote Program Load Module information is displayed as the RPL ROM chip initializes the network adapter card. Disabling the Remoteboot Process on a Workstation's Hard Disk If you no longer want to boot a workstation remotely and it contains a bootable hard disk, run the rpldsabl utility to disable the Remoteboot service configuration and let the workstation boot using its hard disk. To disable the Remoteboot configuration: 1. Boot MS-DOS on the workstation. 2. Put the LAN Manager utility disk containing the rpldsabl utility in drive A and type rpldsabl 3. Remove the disk, and press CTRL+ALT+DEL. The workstation will now boot from its hard disk. Booting More than One Version of MS-DOS The following procedure tells how to create custom image files that allow some workstations to boot MS-DOS 4.01 and others to boot MS-DOS versions 3.20, 3.30, and 3.31. ──────────────────────────────────────────────────────────────────────────── NOTE MS-DOS version 3.11 and IBM(R) DOS version 4.00 are not supported by the Remoteboot service. ──────────────────────────────────────────────────────────────────────────── To create custom image files: 1. Make the directory LANMAN\RPL\DOSxxx, where xxx corresponds to the version of MS-DOS that you want to boot (for example, DOS330). 2. Copy all files from the MS-DOS version 3.xx installation disks to LANMAN\RPL\DOSxxx. 3. Change directories to the LANMAN\RPL\DOS directory. 4. In the LANMAN\RPL\DOS directory: ■ Copy the CONFIG.SYS file to DOSxxx.SYS. ■ Copy AUTOEXEC.BAT to DOSxxx.BAT. ■ Copy DOS401.DEF to DOSxxx.DEF. 5. Edit the DOSxxx.DEF file in the following ways, substituting the MS-DOS version number for xxx: ■ Change all occurrences of DOS401 to DOSxxx. ■ Change NETWKSTA.400 as shown in the following list: ─For MS-DOS version 4.01, use NETWKSTA.400 ─For MS-DOS version 3.31, use NETWKSTA.330 ─For MS-DOS version 3.30, use NETWKSTA.330 ─For MS-DOS version 3.20, use NETWKSTA.320 ■ Change LANMAN\RPL\DOS\CONFIG.SYS to LANMAN\RPL\DOS\DOSxxx.SYS. ■ Change LANMAN\RPL\DOS\AUTOEXEC.BAT to LANMAN\RPL\DOS\DOSxxx.BAT. 6. Add the appropriate lines to DOSxxx.DEF for any device drivers that you are adding to the DOSxxx.SYS file. For example, to add the enhanced memory adapter driver for a 286 workstation, add the following line: ...\dosxxx\xma2ems.sys a:\xma2ems.sys 7. Make the necessary changes to DOSxxx.SYS or DOSxxx.BAT for each workstation. For example, to add the enhanced memory adapter driver for a 286 workstation, add the following line to DOSxxx.SYS: device=a:\xmaems.sys frame=xxxx p254=yyyy p255=zzzz If you add a line to run a .COM or .EXE file, put the line after the a:\net logon line. ──────────────────────────────────────────────────────────────────────────── NOTE When changing DOSxxx.BAT, be sure that the command a:\rplterm is the last line of the file. You should not use DOSxxx.BAT to start application programs. Doing so prevents rplterm from executing, and prevents users from using the A drive.─────────────────────────────────────────────────────────────────────── 8. Ensure that the LANMAN\RPL\DOS directory is the current directory. 9. Put a formatted MS-DOS version x.xx system disk into drive A. 10. Create a new image file by typing makeimg dosxxx 11. In the RPL.MAP file, edit the workstation record for each workstation that is to run MS-DOS version x.xx, changing field 4 from DOS401 to DOSxxx. 12. Reboot any MS-DOS version x.xx workstations to put the changes into effect. Each time that you add a device driver entry to DOSxxx.SYS, you must add a corresponding entry to the LANMAN\RPL\DOS\DOSxxx.DEF file. Any time that you change files referenced in DOSxxx.DEF, and any time that you make changes to DOSxxx.DEF, or to the CONFIG.SYS, AUTOEXEC.BAT, or LANMAN.INI file in the LANMAN\RPL\DOS directory, you must run the makeimg utility to build a new image file. Adding Device Drivers At times, the default setup for booting workstations remotely is not adequate for all workstations. For example, to add a mouse to a remote workstation, you must add the pathname of the device driver to the MS-DOS boot image file or the MS OS/2 CONFIG.SYS file. Differences in workstation microprocessors also present a need for customized image files. For example, a 286 workstation needs a different extended memory device driver than does a 386 workstation. The process for adding device drivers is different for MS-DOS and MS OS/2. The following procedures tell how to add device drivers to the boot configuration for MS-DOS and MS OS/2. Adding Device Drivers to MS-DOS Workstations To boot different configurations based on workstation and user needs, you must create a directory to hold the specialized device driver files. In this directory, create a custom boot image file to boot the driver software on the workstation. To add a device driver to a remoteboot MS-DOS workstation: 1. On the server, create the directory LANMAN\RPL\CUSTOM. 2. Copy the device driver to the LANMAN\RPL\CUSTOM directory. 3. Change directories to the LANMAN\RPL\DOS directory. 4. In the LANMAN\RPL\DOS directory: ■ Copy the CONFIG.SYS file to CUSTOM.SYS. ■ Copy the AUTOEXEC.BAT file to CUSTOM.BAT. ■ Copy the DOS401.DEF file to CUSTOM.DEF. 5. Edit the CUSTOM.DEF file, adding a line for each device driver that you want to add to the workstation. For example, if the device driver is in the LANMAN\RPL\CUSTOM directory, add the following line: ...\custom\drivername a:\drivername 6. Edit the CUSTOM.SYS file, adding the following line for each new device driver: device= a:\drivername 7. Put the formatted MS-DOS 4.01 system disk in drive A, and create a new boot image file by typing makeimg custom This creates the boot image file CUSTOM.IMG. 8. For each workstation that will boot using the CUSTOM.IMG file, edit its workstation record in the RPL.MAP file, changing field 4 from DOS401 to CUSTOM. 9. Reboot each workstation to load the device drivers(s). Adding Device Drivers to MS OS/2 Workstations To add a device driver to a remoteboot MS OS/2 workstation: 1. On the server, edit the LANMAN\RPL\MACHINES\computername\CONFIG.SYS file, adding the following line for each new device driver: device=c:\os2\drivername 2. Copy the device driver(s) to the C:\LANMAN\RPL\OS2 directory. 3. Reboot each workstation to load the device driver(s). Booting from One Server and Sharing Work Directories from Another Server If many workstations boot remotely on the network, you may want to have one server provide the Remoteboot service and one or more servers share the workstations' work directories. This reduces the amount of disk space that the server requires, and it balances out the boot process among network servers, improving performance at boot time. To provide boot service from one server and work directories from another, complete the following processes. On the server providing the disk space for work directories: 1. Create the LANMAN\RPLUSER directory. 2. Create a LANMAN\RPLUSER\computername subdirectory for each workstation that the server will service. 3. For each workstation that is to boot MS OS/2, copy the LANMAN\RPLUSER\DEFAULT directory and its contents to the LANMAN\RPLUSER\computername directory. 4. If the server has user-level security, create the necessary user accounts and assign permissions for the workstation. See the "Adjusting User-Level Security" section, earlier in the chapter. 5. Share the LANMAN\RPLUSER directory as the WRKFILES resource. If the server has share-level security, share the resource with no password, and assign RWCDXA permissions. On the server providing the Remoteboot service: 1. For MS OS/2 workstations: ■ Edit the LANMAN\RPL\FITS\computername.FIT file for each workstation, changing all occurrences of \\RPLSERVR\WRKFILES to \\servername\WRKFILES, where servername is the computername of the server that is sharing the work directories. 2. For MS-DOS workstations: ■ Edit the LANMAN\RPL\DOS\AUTOEXEC.BAT file, changing each occurrence of ~~~~~~~~~~~~~~~5\WRKFILES to \\servername\WRKFILES. ■ Change directories to LANMAN\RPL\DOS, and rerun the makeimg utility. When you have made the changes, reboot the workstations to put the changes into effect. Chapter 15 Guarding Against Data Loss ──────────────────────────────────────────────────────────────────────────── LAN Manager offers two features for assuring that server data is always reliable and available. The fault-tolerance system helps save data should a disk error occur, and performs fault monitoring. The UPS (uninterruptible power supply) service performs orderly shutdowns during power failures. Both the fault-tolerance system and UPS service are included with LAN Manager; however, the UPS service also requires a battery and data cable. This chapter explains the fault-tolerance system and how to perform error correction. How to use a battery to keep the server running if there is a power failure is also described. Understanding the Fault-Tolerance System The fault-tolerance system monitors disk operations and lets you correct disk errors. The fault-tolerance system can be installed on any workstation or server using MS OS/2 1.2, and can be administered remotely on any server that is sharing IPC$ and ADMIN$. For information about installing the fault-monitoring system, see the Microsoft LAN Manager Installation Guide. Fault monitoring detects errors that occur while performing hard-disk read and write operations. When you monitor disk operations, the fault-tolerance system issues an alert when an error occurs. Error correction helps recover and restore data that would be lost due to a disk error. Error correction is best supported by a computer with the high-performance file system (HPFS). Part of preventing data loss is ensuring that there are two copies of data at all times. Two methods for this are drive mirroring and drive duplexing. A mirrored or duplexed drive consists of a primary partition and a secondary partition. The secondary partition is invisible to the operating system and maintains the same data as the primary partition. If the data on the two partitions differs, the drives are synchronized through drive verification, which ensures that the mirrored or duplexed drives are identical. Drive mirroring sets up two identical partitions on separate hard disks using the same disk controller. MS OS/2 treats these partitions as a single logical drive (such as drive D). Drive mirroring can only be performed on a computer with HPFS and two hard disks. Drive duplexing is like drive mirroring except that the two hard disks are controlled by separate disk controllers. This provides protection against errors caused by a faulty controller and provides better performance. Drive duplexing can only be performed on a computer with HPFS, two hard disks, and two disk controllers. If a disk error occurs during normal operation, the fault-tolerance system automatically recovers data through hotfixing. Hotfixing detects bad sectors and reroutes data to a good sector in a reserved area on the disk. Hotfixing is automatic and can only be done on a drive with HPFS. For example, if a bad read error occurs on the mirrored drive D, you receive an alert, and the fault-tolerance system redirects the read to the secondary partition. It then performs a hotfix to fix the corrupted sector of drive D. The hotfix corrects both the primary and secondary partitions. Drive fault monitoring is possible regardless of the number of disks in the system and whether they are mirrored, duplexed, or neither. You don't need a LAN Manager server with HPFS for drive fault monitoring. However, if no disks are mirrored or duplexed, the detectable errors and the alerts are limited. The fault-tolerance system supports as many as 24 disk partitions (the MS OS/2 drive limit), where a mirrored or duplexed drive counts as two partitions. The Fault-Tolerance Utilities Three utilities─ftsetup, ftmonit, and ftadmin─control the disk fault-tolerance system. These utilities are explained in the following sections, and are discussed in the Microsoft LAN Manager Administrator's Reference. ■ The ftsetup utility is used to install the fault-tolerance system, to configure fault monitoring, and to mirror and duplex drives. The ftsetup utility is controlled through the Disk Fault Tolerance Setup Screen. To display this screen, at the MS OS/2 prompt, type ftsetup. ■ The ftmonit utility, which is the fault-tolerance monitor, is run automatically when run=ftmonit.exe is added to CONFIG.SYS. (This line is added to CONFIG.SYS as part of the fault-tolerance system installation.) The ftmonit utility controls fault-tolerance monitoring and reports errors. By default, errors are logged and administrators are alerted about errors. The ftmonit utility is controlled through the ftadmin screen, or through the ftmonit command. ■ The ftadmin utility is used to view the fault tolerance error log, manage fault tolerance on remote servers, view drive statistics, and control error correction and disk verification. The ftadmin utility is controlled through a Presentation Manager screen. To display the ftadmin screen, at the MS OS/2 prompt, type ftadmin. Configuring Drive Mirroring or Duplexing The fault-tolerance setup utility ftsetup is used to configure drive mirroring or duplexing. This can involve creating or removing the mirror or duplex of a drive, deleting partitions, and exposing drives. The utility requires the same procedure for mirroring and duplexing, and it steps you through these processes. You can use the ftsetup utility to delete disk partitions to create more space for drive mirroring or duplexing. For a complete explanation of the ftsetup utility and screen, see the Microsoft LAN Manager Installation Guide. Any partition that is formatted for HPFS and is not the boot volume can be mirrored or duplexed on a computer system that has two hard disks. Floppy disk drives and redirected network drives cannot be mirrored or duplexed. Whenever you change the configuration of a mirrored or duplexed drive, you must restart the computer to put the change into effect. Mirroring and Unmirroring Drives The procedures for mirroring and duplexing drives are the same. Remember that to duplex a drive, the hard disks that contain the primary and secondary partitions must have separate disk controllers. To mirror or duplex a drive: 1. At the MS OS/2 prompt, type ftsetup The ftsetup screen displays two menus, Config and Exit. 2. From the Config menu, choose Mirror drive(s). The following dialog box appears: (This figure may be found in the printed book). 3. In the list box, select the drive or drives that you want mirrored or duplexed, then choose <OK>. The following dialog box appears: (This figure may be found in the printed book). 4. Choose <OK>. 5. Choose the Exit menu. The following dialog box appears: (This figure may be found in the printed book). 6. Choose <OK>. 7. Restart the computer. When the system restarts, the following dialog box appears: (This figure may be found in the printed book). 8. Continue formatting the drive: ■ To label the drive with the default volume label, choose <OK>. ■ To give the drive a different volume label, choose <Cancel>. After the drive has been formatted, you will be prompted to type the volume label. 9. If you choose <Cancel>, the following dialog box appears: (This figure may be found in the printed book). Type the volume label, then choose <OK>. The system issues a prompt when formatting is complete. 10. Choose the Exit menu. A normal system startup continues. Any startup batch programs specified are run. To unmirror a drive, you perform a procedure similar to mirroring the drive. To unmirror a drive: 1. At the MS OS/2 prompt, type ftsetup The ftsetup screen displays two menus, Config and Exit. 2. From the Config menu, choose Unmirror drive(s). The following dialog box appears: (This figure may be found in the printed book). 3. In the list box, select the drive or drives that you want to unmirror, then choose <OK>. The fault-tolerance system issues a prompt that it is writing changes to the partition table, and that you must restart the system for changes to take effect. 4. Choose the Exit menu. 5. Restart the computer. Exposing a Drive In a mirrored or duplexed pair, a secondary partition that doesn't have an associated primary partition is called an orphaned drive. Orphaned drives appear as a ? drive icon in the ftadmin screen. For example, if you have a mirrored drive and the hard disk with the primary partition goes bad and needs to be replaced, the ? drive icon appears when you next start the system. This indicates that the secondary partition has been orphaned. You can expose the secondary partition, making it visible to the operating system. Once an orphaned drive is exposed, you can remirror it and make it the primary partition. When you expose an orphaned drive, it is given a drive letter, which may change the drive letters of the other drives. To sort out any changes in the drive letter configuration, note the volume label on each drive. Though drive letters may change, volume labels don't. To expose an orphaned drive: 1. At the MS OS/2 prompt, type ftsetup The ftsetup screen displays two menus, Config and Exit. 2. From the Config menu, choose Exposed orphaned drive(s). The following dialog box appears: (This figure may be found in the printed book). This dialog box lists the orphaned drives. 3. From the list of orphaned drives, select the drive or drives that you want to expose, then choose <OK>. The ftsetup screen appears. When you restart the computer, the selected partition is exposed. 4. Choose the Exit menu. 5. Restart the computer. Deleting a Partition You can use the ftsetup utility to delete any partitions that aren't mirrored, except for the boot volume (drive C). Deleting a partition frees hard-disk space for use as secondary partitions. The procedure for deleting a partition is similar to the use of the MS OS/2 fdisk command. To delete a partition: 1. At the MS OS/2 prompt, type ftsetup The ftsetup screen displays two menus, Config and Exit. 2. From the Config menu, choose Delete drive(s). The following dialog box appears: (This figure may be found in the printed book). This dialog box lists the partitions that can be deleted. 3. From the list of partitions, select the partition or partitions to delete, then choose <OK>. The ftsetup screen appears. When you restart the computer, the selected partition is deleted. 4. Choose the Exit menu. 5. Restart the computer. Using the ftadmin Screen The ftadmin utility, which manages fault-tolerance disk maintenance, is a full-screen MS OS/2 application that runs in a Presentation Manager window. You can start ftadmin on any computer that has the fault-tolerance system installed and is running version 1.2 of MS OS/2. You can use this utility to manage fault tolerance on a server for which you have administrative privileges. Using the ftadmin screen, you can ■ Manage fault tolerance on a local or remote server ■ View drive statistics ■ View error information for logical drives ■ Adjust ftmonit settings ■ Verify and resynchronize mirrored drives and duplexed drives ■ View and correct disk faults Online help is available through the ftadmin screen's Help menu. The commands on the Help menu work the same as those for other Presentation Manager applications. For details, see your operating system manual(s). LAN Manager does not have to be running to use ftadmin. However, if the workstation or server is not started, you can only monitor errors on the local computer. If the workstation or server is started, an administrator can monitor and correct errors on local and remote servers. When you start ftadmin, you see a screen similar to the one in Figure 15.1. (This figure may be found in the printed book). The elements of the ftadmin screen are ■ The title bar, which shows the server of current focus for the ftadmin utility. ■ The menu bar, which shows the five menus (View, Verify, Correct, Options, and Help) available with ftadmin. ■ The drive information line, which shows an icon for each of the computer's logical drives. Floppy-disk and redirected drives are not shown. Drives C, D, G, and H in Figure 15.1 are represented by the standard icon for a drive that isn't mirrored or duplexed. The icon is "doubled" for mirrored or duplexed drives E and F. A "cracked" icon, such as the ones for drives E and F, indicates errors have occurred. For drives containing critical errors, color monitors show a red icon. The ? drive icon identifies an orphaned drive. ■ The error information window, which shows information about disk errors on the selected drive. On color monitors, critical errors are red. For each error, five columns of information appear: Drive Tells the logical drive on which the error occurred. Code Displays a numerical code that identifies the error. Level Tells the error's severity (Critical, Error, and Warning, in order of decreasing severity). Disk Block Tells which disk block had the error. Date/Time Tells when the error occurred. From menus on the ftadmin screen, you can perform the following tasks: View menu Available servers Select the server for ftadmin to administer. Drive statistics Display fault-tolerance information such as read, write, and fault statistics about drives, and information on mirroring. FTMONIT settings Turn alerting for the ftmonit fault-monitoring utility on or off. Exit Exit the ftadmin screen. Verify menu Selected drive Verify the selected mirrored or duplexed drive. All drives Verify all of the server's mirrored or duplexed drives. Correct menu Selected error Correct the selected error. All errors on selected drive Correct all errors on the selected logical drive. All errors on all drives Correct all errors on all displayed logical drives. Options menu Show full drive information Replace the drive information line with a window that gives information about mirroring, errors, and when the drive was verified. Sort errors by time Display the errors in the error information window from oldest to most recent. Sort errors by severity Display the errors in the error information window in order of decreasing severity. Help menu Help for help See how to display help information and how to use the help window. Extended help Display general help information. Keys help See how to use the keyboard with the ftadmin utility. Help index Display an index of topics for which online help is available. About FTADMIN Display the version number of the ftadmin utility. The following sections describe the tasks that are performed using ftadmin. Focusing ftadmin on a Remote Server The ftadmin utility can be used to monitor and correct errors locally and remotely. To set the ftadmin focus on a remote computer, use the View menu's Available servers command. You can view the servers in any domain in which the workstation participates. To focus the ftadmin screen on a remote server: 1. From the View menu, choose Available servers. The following dialog box appears: (This figure may be found in the printed book). 2. In the list box, select the server that you want to monitor or, in the "Set server to" text box, type the server's computername. 3. Choose Choose. 4. If you are prompted to supply a password, in the "Enter password" text box, type the password, then choose OK. The ftadmin screen (Figure 15.1) returns, displaying drive information for the server you specified. Viewing Drive Statistics Drive statistics are available for each drive, whether it is mirrored, duplexed, or neither. These are fault-monitoring statistics that tell you whether the drive is mirrored, and how many reads and writes, recovered and unrecovered faults, and hotfixed faults have occurred. To view or clear the statistics for a drive: 1. If you want to monitor a remote server, use the View menu's Available servers command to change the ftadmin focus. Follow the steps in the "Focusing ftadmin on a Remote Server" section, earlier in this chapter. 2. In the ftadmin screen's drive information line, select the drive of interest. 3. From the View menu, choose Drive statistics. The following dialog box appears: (This figure may be found in the printed book). These statistics have the following meanings: Status Tells whether or not errors have been detected. Primary partition Tells whether the primary partition is enabled or disabled. When a partition is enabled, the system can perform reads and writes from it. A disabled partition has critical errors that must be corrected, and it cannot accommodate reads and writes. Secondary partition Tells whether the secondary partition is enabled or disabled. This line appears shaded if the drive is not mirrored. Mirror status Tells whether or not the drive is mirrored. Reads from primary Tells the number of successful reads from the primary partition. Reads from secondary Tells the number of successful reads from the secondary partition in a mirrored or duplexed pair. This line appears shaded if the drive is not mirrored. Writes to primary Tells the number of successful writes to the primary partition. Writes to secondary Tells the number of successful writes to the secondary partition in a mirrored or duplexed pair. This line appears shaded if the drive is not mirrored. Recovered faults Tells the number of read faults that were recovered from a mirrored or duplexed drive. Unrecovered faults Tells the number of faults for which recovery was not possible. Hotfixed faults Tells the number of read or write requests that failed, but were hotfixed. The hotfixed faults may have occurred on a drive that was mirrored or duplexed, or one that was not. 1. Choose OK. Viewing Information about Logical Drives To view information about a server's logical drives, from the Options menu, choose Show full drive information. The information window shown in Figure 15.2 replaces the drive information line (as shown in Figure 15.1). Error information moves to the bottom of the window. (This figure may be found in the printed book). For each logical drive, the window reports whether the drive is mirrored, the severity of the worst error on the drive (under "Status"), the physical disks associated with the logical drive, and the time when the drive was last verified. To remove the logical drive display, from the Options menu, choose the Show full drive information command (it works as a toggle switch). Changing the Error Information Display Two Options menu commands control the order in which the information in the error information window appears. To sort errors by time of occurrence, from oldest to most recent, choose Sort errors by time. To sort errors by severity, with the most severe errors first, choose Sort errors by severity. Turning Disk Alerts On and Off By default, ftmonit issues an alert when disk errors occur. The users who receive alerts are specified by the alertnames entry in the [server] section of the LANMAN.INI file. If the workstation is not started when a disk error occurs, ftadmin starts the workstation and then sends the alert (this allows the alert to be displayed). Three classes of fault-tolerance alert indicate different levels of error severity: Warning Informs the user that a bad read or write operation failed or that a hotfix was performed. No alert is sent, but an error message appears in the error information window of the ftadmin screen. The drive icon appears cracked. Error Informs the user of more severe disk errors, such as excessive disk failures or verification failures. An alert is sent, and an error message appears in the error information window. The drive icon appears cracked. Critical error Informs the user of critical disk errors, such as a complete disk failure or an orphaned drive. An alert is sent, and an error message appears in the error information window. The drive icon appears cracked. On color monitors, the error message and drive icon are red. When run=ftmonit.exe in CONFIG.SYS, and you change ftmonit settings, you are notified when you exit the ftadmin utility that CONFIG.SYS has been modified. When the ftmonit utility is running, any changes you make take effect immediately. If the ftmonit utility is not running, and run=ftmonit.exe is in CONFIG.SYS, changes will take effect the next time you restart the computer. To turn disk error alerts on or off: 1. From the View menu, choose FTMONIT settings. The following dialog box appears: (This figure may be found in the printed book). 2. To turn disk error alerting on, mark the "Send alerts to administrators" check box. To cancel disk error alerting, unmark the check box. 3. Choose Set. Verifying Drives The commands on the Verify menu check one or all pairs of mirrored or duplexed drives on the server to ensure that the data on the primary and secondary partitions is identical. Verification also synchronizes mirrored or duplexed drive pairs that are not exact duplicates of each other as the result of disk errors or power loss. Verify drives when you restart the computer after a power interruption (if the UPS service is not in effect), but not before first correcting all errors on the drive. ──────────────────────────────────────────────────────────────────────────── CAUTION Always correct errors before verifying a drive. If you verify a drive before correcting the errors, you may duplicate an error onto a mirrored drive. ──────────────────────────────────────────────────────────────────────────── The verification process is automatic when you choose a Verify menu command. Two commands control whether you verify a single drive or all drives. To verify a single drive, choose Selected drive. To verify all drives, choose All drives. If you choose to verify all drives, you are prompted that the process will take awhile. Correcting Disk Errors Most disk errors that the disk fault-tolerance system detects can be corrected. As part of fault recovery, the fault-tolerance system prompts you about the type of error detected and provides information about the best way to correct the error. For purposes of fault recovery, four types of error are monitored: ■ Self-correcting and ftadmin-corrected errors ■ Mirrored or duplexed drives with partitions containing dissimilar information (referred to as cracked mirrors) ■ Repeated drive failures ■ Complete hard-disk failures During error correction, you can correct selected errors, all errors on a drive, or all errors on all drives. Some errors are self-correcting and don't require your intervention. More serious errors require that you perform an action as part of the error correction. For a complete list of errors and corresponding corrective actions for disk errors found by the fault tolerance system, see the "Disk Error Correction Codes" section, later in this chapter. To perform error correction: 1. In the ftadmin screen's error information window, select the error or drive on which you want to perform error correction. 2. From the Correct menu, choose one of the following commands: ■ If you selected an error, choose Selected error. ■ If you selected a drive, choose All errors on selected drive. ■ If you want to correct all drives, choose All errors on all drives. NOTE Using the mouse to double-click an error message has the same effect as selecting that drive and choosing Selected error. Double-clicking a drive icon on the drive information line has the same effect as selecting that drive and choosing All errors on selected drive. If you choose All errors on all drives, the following dialog box appears: (This figure may be found in the printed book). 3. If you want to correct all errors automatically, choose No. To confirm each correction, choose Yes. 4. If you choose No, the following dialog box appears: (This figure may be found in the printed book). The ftadmin utility will correct all errors on the selected drive. If any errors cannot be corrected, the following dialog box appears: (This figure may be found in the printed book). These errors will be listed in the "Error Information" field of the ftadmin screen. 5. To correct these remaining errors, correct each error individually, or correct all errors and, when prompted "Confirm each corrective action before taken," choose Yes. If you choose Yes, a message box appears, describing each error and the corrective action to be taken. The following sections describe the types of errors that can occur, and the corrective steps taken to recover from the errors. Included are the dialog boxes displayed when you perform and confirm error correction. Automatically Corrected Errors In the course of normal system operation, bad disk sectors might be found. In most instances, these are self-correcting, and the fault-tolerance system hotfixes them without losing or corrupting data. A message in the error information window informs you of the error, but no alert is sent. For a hotfix, the correction procedure is automatic. When you select the error to correct, the following dialog box appears: (This figure may be found in the printed book). Choose Continue to move to the next error, or choose Cancel to return to the ftadmin screen, ending the correction session. When the error can be corrected by the ftadmin utility, administrative intervention is nominal. For example: (This figure may be found in the printed book). Choose Yes to correct the error, No to leave the error uncorrected, or Cancel to cancel the error correction session. Correcting Cracked Mirrored Drives When partitions in a mirrored or duplexed pair contain dissimilar information, the drive is called a cracked mirror. The drive icon on the ftadmin screen appears cracked, and the fault-tolerance system sends an error alert. Actions such as powering off or restarting the system without using the Presentation Manager Shutdown procedure can cause cracked mirrors. In most cases, you can correct the error that caused the cracked mirror by verifying the drive and remirroring disk sectors. In some cases, drive verification won't correct the error, and you need to back up the drive, reformat it, and restore it. The ftadmin utility cannot completely correct a cracked mirror automatically. It recommends a course of action that requires administrative intervention. For example: (This figure may be found in the printed book). Choose Yes to correct the error. Repeated Disk Failures Occasional failures on a hard disk are usually no problem. However, repeated failures can indicate that a hard disk is going to completely fail. The fault-tolerance system sends an error alert when a disk's failure rate gets excessive. When you choose corrective action for excessive disk failures, you see a dialog box similar to the following one: (This figure may be found in the printed book). Excessive failures can indicate that the disk should be reformatted or replaced. When you get an excessive-failure alert, make a backup copy of all drives that have a primary or secondary partition on the failing disk. Next, run the diagnostics for the hard disk (supplied by the disk manufacturer) to determine whether the disk needs reformatting. If the diagnostics require a low-level format of the disk, the reformatting may remove or destroy all disk partitions. If a secondary partition is destroyed, the system marks the primary partition as unmirrored. If the primary partition is destroyed, leaving just the secondary (an orphaned drive), the secondary partition is represented by a ? drive icon. You can expose the orphaned drive, making it visible to the operating system. You can then make the exposed drive the primary partition, mirroring or duplexing it using the ftsetup utility. Complete Disk Failure Even if a disk fails completely, data on mirrored drives is not lost. Recovery steps vary, depending on whether the failed disk contains the boot drive (drive C). When a hard disk fails completely, a dialog box similar to the following one appears: (This figure may be found in the printed book). Choose Continue or Cancel, and then follow one of the next two procedures to replace the disk and recover its data. To recover from a failed disk that doesn't contain the boot drive (drive C): 1. Expose all orphaned drives. (Use the ftsetup utility, following the steps in the "Exposing a Drive" section, earlier in this chapter.) 2. Back up all drives that lost primary or secondary partitions on the damaged disk. 3. Install the replacement hard disk. 4. Run ftsetup to mirror or duplex all drives that were previously mirrored or duplexed. This makes partitions on the new disk secondary partitions. To recover from a failed disk that contains the boot drive (drive C): 1. Replace the disk that failed. 2. Restart the computer using the MS OS/2 installation disk. 3. Use the MS OS/2 fdisk utility to format the boot volume. 4. Restart the computer and restore data such as MS OS/2 and LAN Manager to the boot volume. 5. Expose all orphaned drives. (Use the ftsetup utility, following the steps in the "Exposing a Drive" section, earlier in this chapter.) 6. Back up all drives that need to be remirrored. 7. Run ftsetup to mirror or duplex all drives that were previously mirrored or duplexed. This makes partitions on the new disk secondary partitions. Disk Error Correction Codes This section describes the errors and corresponding corrective actions for disk errors found by the fault-tolerance system. Table 15.1 lists the error codes and describes the disk error. Table 15.2 lists the correction code and corrective action necessary to correct disk errors. The correction codes correspond to the error correction code. Table 15.1 Error Codes ──────────────────────────────────────────────────────────────────────────── ERR001 Write to primary partition failed; write to secondary partition succeeded. ERR002 Write to primary partition succeeded; write to secondary partition failed. ERR003 Read from primary partition failed; read recovered from secondary partition. ERR004 Read from secondary partition failed; read recovered from primary partition. ERR005 Write to primary partition and secondary partition failed. ERR006 Write to unmirrored drive failed. Table 15.1 Error Codes (continued) ERR101 Read from unmirrored drive failed. ERR102 Read from primary partition and secondary partition failed. ERR103 Excessive failure rate detected on primary partition; read requests routed to secondary partition. ERR104 Excessive failure rate detected on secondary partition; read requests routed to primary partition. ERR105 Primary partition shut down due to complete failure; all requests routed to secondary partition. ERR106 Secondary partition shut down due to complete failure; all requests routed to primary partition. ERR107 Low-confidence compare of mirrored partitions failed; all read requests routed to primary partition. ERR108 Complete compare of mirrored partitions failed; all read requests routed to primary partition. ERR201 Excessive error rate detected on unmirrored drive. ERR202 Complete failure detected; alternate partition not available. ERR209 Secondary partition of mirrored drive not found. ERR210 Secondary partition found with no matching primary. ERR212 Error buffer was overrun; one or more errors may not have been logged. ──────────────────────────────────────────────────────────────────────────── Table 15.2 lists the correction codes that correspond to the error codes listed in Table 15.1. Some of the disk errors have two corresponding correction codes (labeled a and b). The corrective action for these errors is dependent on the cause of the disk error. Table 15.2 Correction Codes ──────────────────────────────────────────────────────────────────────────── COR001 Self correcting (by HPFS). No administrator action required. COR002 Self correcting (by HPFS). No administrator action required. COR003a Self correcting (by HPFS386). No administrator action required. COR003b Copy file to new location on disk, delete old copy and mark disk block as bad. COR004a Self correcting (by HPFS386). No administrator action required. COR004b Read file and write it back sequentially, forcing a hotfix to occur in the file system. COR005 Self correcting (by HPFS). No administrator action required. COR006 Self correcting (by HPFS). No administrator action required. COR101 Run RECOVER on the offending file. COR102 Run RECOVER on the offending file. COR103 It is strongly recommended that you back up the drive. The physical disk on which the primary partition resides may need to be replaced. COR104 It is strongly recommended that you back up the drive. The physical disk on which the secondary partition resides may need to be replaced. COR105 It is strongly recommended that you back up the drive. The physical disk on which the primary partition resides may need to be replaced. Table 15.2 Correction Codes (continued) COR106 It is strongly recommended that you back up the drive. The physical disk on which the secondary partition resides may need to be replaced. COR107 Verify the drive. If verification fails, back up the drive, reformat, and restore it. COR108 Verify the drive. If verification fails, back up the drive, reformat, and restore it. COR201 It is strongly recommended that you back up the drive immediately, as it may fail soon. COR202 No error recovery is possible. The drive may need to be replaced, and data may be lost. COR209 Change the drive to nonmirrored. In order to remirror the drive, back it up, then run FTSETUP. COR210 Expose the secondary partition as a nonmirrored drive. Note that this may cause drive letters to change. COR212 Verify the drive. If verification fails, back up the drive, reformat, and restore it. ──────────────────────────────────────────────────────────────────────────── Using an Uninterruptible Power Supply An uninterruptible power supply (UPS) is a battery connected to a server that keeps the server running during a power failure. If power to the server is interrupted, this battery keeps the server running until the UPS service can manage a safe shutdown, or until an administrator stops the server. The UPS battery must be connected to a serial port. See the battery's manufacturing instructions for information about how to install a UPS. Using the UPS Service During a power failure, the UPS service immediately pauses the Server service to prevent any new connections. It then sends out an alert that a power failure has occurred. The UPS service then waits an interval of time specified by the messdelay entry in the [ups] section of LANMAN.INI. If power is restored during this interval, another alert is sent, informing the administrator that power has been restored. ──────────────────────────────────────────────────────────────────────────── NOTE The Messenger and Netpopup services must be running for UPS-based alerts to be displayed as soon as they are sent. If these services are not started, you may not be aware of power failures at the server. ──────────────────────────────────────────────────────────────────────────── If power is not restored during this interval, the UPS service warns users who have sessions with the server to end their sessions, and displays a message at the server advising that all sessions be closed. The UPS service notifies users and administrators that a shutdown is imminent. The service repeats this alert at intervals specified by the messtime entry in the [ups] section of LANMAN.INI. These alerts continue until power is restored, the server receives a low-battery signal from the battery (the battery is about to run out of power), or the battery timer expires. If power is restored, all users are sent an alert that power is back, and normal operations are resumed. If the server receives a low-battery signal or the battery timer expires, the UPS service informs all users that the server is about to shut down. The UPS service then runs the net stop server and net stop workstation commands. Before the UPS service stops the server and workstation, LAN Manager allows 30 seconds in which to run a .CMD batch program. For example, you can set up a .CMD batch program to close any open application files. The .CMD path and file are specified by the UPS service cmdfile option in LANMAN.INI. Configuring the UPS Service If a server has a UPS battery installed, the UPS service should be one of the services that starts with the Server service. This way, the UPS service will be running should there be a power failure at the server. To arrange for this, add ups to the list of services in the srvservices entry in the [server] section of LANMAN.INI. All time intervals and options that the UPS service uses are configurable. These options are listed in Table 15.3. Table 15.3 Configuration Options for the UPS Service ──────────────────────────────────────────────────────────────────────────── batterytime Sets the number of seconds the server can run on a battery before the UPS service initiates shutdown. This optional entry is used only if no low battery signal is available. The range is 0-28800; the default is 60 seconds. cmdfile Specifies a .CMD batch program of commands to be run before the server shuts down. The pathname can be either absolute or relative to the LAN Manager root directory (LANMAN). The batch program has only 30 seconds to complete before the UPS service ends the program. messdelay Sets the number of seconds between initial power failure and the first message sent to users. No messages are sent if power is restored within this interval. The range is 0-120; the default is 5 seconds. messtime Sets the number of seconds between messages sent to users notifying them of a power failure. The range is 30-300; the default is 120 seconds. recharge Specifies the number of minutes of recharge time required for each minute of battery runtime. This entry is optional. The range is 5-250; the default is 100 minutes. signals Specifies the signals available from the battery. The value is a three-digit binary number. For information about the signals the battery sends and receives, see the manual supplied with the battery. ■ The first digit is 1 if the battery can signal the UPS service upon power failure, or 0 if it cannot. The default is 1. ■ The second digit is 1 if the battery signals the UPS service of a low battery condition (2 minutes of power remaining), or 0 if it cannot. The default is 0. ■ The third digit is 1 if the battery can accept a shut-off signal from the UPS service, or 0 if it cannot. The default is 0. If the third digit is 1, the UPS service conducts an orderly shutdown of the LAN Manager software, and the battery stops providing backup power. When the battery detects power restoration, it restarts the computer. ──────────────────────────────────────────────────────────────────────────── NOTE If neither of the first two digits of signals is set to 1, the UPS service will not start.─────────────────────────────────────────────────────────────────────── Table 15.3 Configuration Options for the UPS Service (continued) voltlevels Specifies the voltage levels for the signals listed in the signals option. The value is a three-digit binary number. For information about signal voltage, see the manual supplied with the battery. ■ The first digit is 0 if the battery uses negative voltage, and 1 if it uses positive voltage to signal the UPS service of a power failure. The default is 1. ■ The second digit is 0 if the battery uses negative voltage, and 1 if it uses positive voltage to signal the UPS service there is less than 2 minutes of power remaining. The default is 0. ■ The third digit is 0 if the battery recognizes negative voltage as the shutoff signal, and 1 if it recognizes positive voltage as the shutoff signal. The default is 0. ──────────────────────────────────────────────────────────────────────────── NOTE If the low battery voltage level is not set correctly, the Server service will not start. ───────────────────────────────────────────────────────────────────────────── Starting the UPS Service If the UPS service isn't started automatically with the Server service, you can start the service from the LAN Manager Screen or from the command line. Both methods allow you to make temporary changes to the service configuration at startup. To start the UPS service: 1. From the Config menu, choose Control services. The following dialog box appears: (This figure may be found in the printed book). 2. In the list of services, select "UPS." 3. Choose <Start>. The following dialog box appears: (This figure may be found in the printed book). You can use this dialog box to override five of the UPS service's configuration values. The list box shows the values for entries in the [ups] section of LANMAN.INI that can be overridden when the UPS service starts. These options are described in Table 15.3. 4. To override any UPS service values, in the list box, select the entry or, in the "Option" text box, type the entry. 5. In the "Value" text box, type the new value. 6. Choose <Set>. If you want to go back to the LANMAN.INI value, choose <Reset> to display the initial value for the selected entry. Or choose <Reset all> to display LANMAN.INI values for all entries. 7. To change additional values, repeat steps 4, 5, and 6. 8. Choose <OK>. 9. Choose <Done>. The values that you specified apply until the UPS service stops. When the service restarts, the LANMAN.INI values are used unless alternative values are specified. Command Line To start the UPS service, type net start ups [/messdelay:seconds] [/messtime:seconds] [/batterytime:seconds] [/cmdfile:pathname] [/recharge:minutes] [/signals:###] [/voltlevels:###] See Net Start UPS, Microsoft LAN Manager Administrator's Reference. Chapter 16 Monitoring the Network ──────────────────────────────────────────────────────────────────────────── LAN Manager keeps records of events that occur on the network. These records are stored in audit trail, statistic, and error log files. You can use these records to help isolate problems and work out solutions. This chapter describes how to set up and use LAN Manager's record-keeping system to set up automatic alerts, display server statistics, control sessions to a server, and synchronize network clocks. Auditing a Server on the Network LAN Manager audits by recording network events such as valid and invalid logon attempts, and events related to resource use, such as the opening of files in shared directories. When auditing is enabled, audit messages are created whenever a network event or resource use occurs, and are logged in the server's audit trail. The audit trail is useful for examining how often a resource is used and whether access permissions set for the resources are appropriate. Entries in the [server] section of the LANMAN.INI file determine when auditing is enabled and what is audited. By default, auditing is disabled. Establishing Audited Events in LANMAN.INI Auditing is available for servers with either user-level or share-level security. You can audit events for individual resources, such as opening and using files, or you can audit network-related events such as logon attempts and shared resource access. For information about setting audit events for each resource (such as directories, files, and printers), see Part 3, "Sharing Resources." Which network events are audited is controlled by the auditing and noauditing entries in the [server] section of the LANMAN.INI file. The auditing entry can have a value of yes or no, and you can list events to be audited. Listing audited events configures auditing for the special needs of the server. For example, to audit only logon attempts, in LANMAN.INI, set auditing=logon. Another way to audit only particular events is to set auditing=yes and list events that are not to be audited in the noauditing entry. All events except the noauditing events are audited. For example, to audit all events except each logon attempt and each time a service starts or stops, set auditing=yes and noauditing=logon,service. If both auditing and noauditing have events listed, the same event cannot be listed under each entry. When there is a list for each entry, the events to be audited are determined by the auditing entry. When you modify audited events in LANMAN.INI, you must restart the Server service for the changes to take effect. The events that can be audited for servers with user-level and share-level security are different. Because you don't set resource permissions for each user or group in share-level security, audited events are limited. With share-level security, you can only audit when a user starts or stops a service, starts or ends a session at a server, or uses a resource. Table 16.1 lists the type of security with which the audited event can be specified, and gives the meaning of each event that can be audited. Table 16.1 Audited Events ──────────────────────────────────────────────────────────────────────────── User- and Share-Level Security service Records each time a user starts or stops one of the server's services. sesslogon Records each time an attempt is made to start or end a session with the server. badsesslogon Records each time a user fails to start a session with the server. goodsesslogon Records each time a user starts a session with the server. use Records each time a person uses a shared resource. baduse Records each time a user fails in an attempt to use a shared resource. gooduse Records each time a user successfully uses a shared resource. However, gooduse will not be audited if a shared resource allows for an unlimited number of users. Table 16.1 Audited Events (continued) User-Level Security logon Records each time a user attempts to log on. logonlimit Records each time a user exceeds logon hours for the user account. netlogon Records each time a user logs on to the network. goodnetlogon Records each time a user successfully logs on to the network. permissions Records each time a user makes changes to the list of permissions for a file. resource Records each time a user accesses a resource in a way that is defined in the auditing options for the resource. userlist Records each time a user makes changes to the user accounts database. ──────────────────────────────────────────────────────────────────────────── Additionally, you can set the size of the audit trail with the maxauditlog entry in the [server] section of LANMAN.INI, or with the /maxauditlog:n option of the net start server and net config server commands. For example, reduce the size of the trail if you don't need extensive audit information. The range is 0-65535 kilobytes; the default is 100 kilobytes. Modifying Audited Events The values for the auditing and noauditing entries can be modified temporarily as you start the server by using either the Config menu's Control services command or Server options command. For information about changing the server's configuration options using the Control services command, see Chapter 2, "Getting Started." The following procedure describes how to modify audited events using the Config menu's Server options command. If the server has share-level security, not all events shown on the LAN Manager Screen can be modified. Those events that can't be audited appear as shaded in the "Auditing the Server \\server" dialog box. Changes made in this way remain in effect until the server is restarted. To modify audited events when you start the server: 1. Be sure the Server service is stopped. 2. From the Config menu, choose Server options. The dialog box shown in Figure 16.1 appears. (This figure may be found in the printed book). If the server has share-level security, the "User security" check box will not be marked. 3. Choose <Auditing>. The following dialog box appears: (This figure may be found in the printed book). The last three events in the "Audited events" list are shaded and not available for a server with share-level security. 4. Mark the "Auditing enabled" check box. 5. From the "Audited events" check boxes, mark the events you want to audit. 6. Choose <OK>. The "Set Configuration for Server \\server" dialog box (Figure 16.1) appears. 7. To restart the Server service, from the "Start server services" check boxes, mark "Server." 8. Choose <OK>. Command Line To modify audited events when you start the server: 1. Be sure the Server service is stopped. 2. Specify audited events by typing net start server /auditing:{yes | no | event[,...]} /noauditing:event[,...] See Net Start Server, Microsoft LAN Manager Administrator's Reference. Viewing, Saving, and Clearing the Audit Trail The audit trail records the events you have specified to be audited, including network events and resource use. The audit trail is stored as a file with the filename NET.AUD in the LANMAN\LOGS directory─the default directory for audit files. The audit trail can be viewed, saved, and cleared using the Status menu's Audit trail command. The audit trail can be viewed and cleared (not saved) with the net audit command. You can save the audit trail to the file AUDIT.SAV at any time. This does not clear the audit trail. AUDIT.SAV is overwritten each time the audit trail is saved. To keep a permanent record, copy AUDIT.SAV to another file. When you clear the audit trail, the information is moved to the file AUDIT.BAK. This file is overwritten each time the audit trail is cleared. For servers with share-level security, the audit trail displays information about when a service has been started or stopped, when a user has started or ended a session at the server, and when a resource has been accessed. For servers with user-level security, more detailed records are available. A range of actions related to access and logon attempts can be reported, with users identified. The audit trail for user-level servers provides the following information: ■ The username of the person who performed the audited event. Asterisks appear if no username is available. ■ The type of audited event. These types of events are as follows: Server Audits actions such as starting and stopping the server. Session Audits sessions started with the server. Share Audits actions such as starting and stopping the sharing of resources. Access Audits resource access. Access Denied Audits failed attempts to access a resource. ■ The date and time of the audited event. To view, save, and clear the audit trail: 1. To view the audit trail, from the Status menu, choose Audit trail. The following dialog box appears: (This figure may be found in the printed book). 2. To save the contents of the audit trail in the AUDIT.SAV file, choose >. 3. When prompted for confirmation, choose <OK>. 4. To clear the audit trail and start a new audit record, choose <Clear>. 5. When prompted for confirmation, choose <OK>. 6. Choose <Done>. Command Line To view and clear the audit trail: 1. View the audit trail by typing net audit [/count:number] [/reverse] 2. Clear the audit trail by typing net audit /delete See Net Audit, Microsoft LAN Manager Administrator's Reference. The Alert System LAN Manager sends messages called alerts under certain conditions ─for example, when a user's quota of disk space is almost reached, or when the printer is out of paper. The Alerter service sends these alerts. The receiving computer must be running the Messenger service to receive alerts. If the Netpopup service is running, the alert is displayed on the screen. There are three classes of alerts: ■ Error alerts are messages about network or system errors. These messages are stored in the error log. For more information about the error log, see "The Error Log" section, later in this chapter. ■ Print alerts relate to printer events, such as when a print job is completed, or the printer is out of paper. A print alert is sent only to the user who submitted the print job. ■ Admin alerts are messages about server and resource use, which are sent only to those users specified by the alertnames entry in the [server] section of LANMAN.INI. For instance, an admin alert is sent when a maximum number of users are using a resource, or too many logon violations have occurred. The sizalertbuf entry in the [alerter] section of LANMAN.INI controls the size of the alert buffer for a server. You can also modify this entry temporarily when you start the server. You may want to increase the size of the buffer if you will be sending a large amount of alerts. Starting the Alerter Service If you want alerts to always be sent, start the Alerter service along with the Server service by adding alerter to the srvservices entry in the [server] section of LANMAN.INI. You can also start the Alerter service from the Config menu's Server options command or Control services command. With the Server options command, you enable the "Admin alerter" option. With the Control services command, you can adjust the size of the alert buffer. The following procedure tells how to do this. To start the Alerter service: 1. From the Config menu, choose Control services. The dialog box shown in Figure 16.2 appears. (This figure may be found in the printed book). 2. In the list box, select Alerter, then choose <Start>. The dialog box shown in Figure 16.3 appears. (This figure may be found in the printed book). 3. To adjust the size of the alert buffer, in the "Value" text box, type the number (of kilobytes) that you want to use for the alert buffer. The range is 512-16384; the default is 3072 kilobytes. 4. Choose <Set>. 5. Choose <OK>. 6. Choose <Done>. Command Line To start the Alerter service, type net start alerter [/sizalertbuf:bytes] See Net Start Alerter, Microsoft LAN Manager Administrator's Reference. Configuring Alerts For some alert conditions, you can specify when LAN Manager should notify you. For example, you can have an alert sent when a user makes 10 unsuccessful attempts to log on. To control when and to whom LAN Manager sends alerts and the alert conditions to be checked, use the alert entries in the [server] section of LANMAN.INI file. The following entries determine how alerts work on the server: accessalert Sets the number of resource access violations within the alertsched interval that will trigger an alert. This entry only applies to servers with user-level security. The range is 0-65535; the default is 5 violations. alertnames Lists the users to receive admin alerts. alertsched Sets the number of minutes when the server checks for alert conditions and sends any needed messages. The range is 0-65535; the default is 5 minutes. diskalert Sets the amount of free disk space (in kilobytes) that triggers a full-disk alert. The range is 0-65535; the default is 300 kilobytes. erroralert Sets the number of errors that can occur within the time period specified by the alertsched entry. The range is 0-65535; the default is 5 errors. logonalert Sets the number of logon violations that can occur within the time period specified by the alertsched entry. The range is 0-65535; the default is 5 violations. netioalert Sets the number of network data transfer (I/O) errors that can occur within the time period specified by the alertsched entry. The range is 0-65535; the default is 5 errors. Changing Alert Conditions Alert conditions can be temporarily modified when you start the server either by using the Config menu's Control services command or by using the net start server command. For information about changing the server's configuration options when you start the Server service, see the "Controlling LAN Manager Services" section in Chapter 2, "Getting Started." Command Line To change alert conditions: 1. Stop the Server service by typing net stop server 2. Change alert conditions by typing net start server [/accessalert:n] [/alertnames:name] [/alertsched:time] [/diskalert:n] [/erroralert:n] [/logonalert:n] [/netioalert:n] The same options are available with the net config server command, which allows you to reconfigure the server without stopping the Server service. See Net Config Server and Net Start Server, Microsoft LAN Manager Administrator's Reference. Modifying the Alertnames List To change the list of usernames to receive alerts, you don't need to stop the Alerter or Server service. Any changes you make take effect immediately. To change the alertnames list: 1. From the Config menu, choose Server options. The "Set Configuration for Server \\server" dialog box (Figure 16.1) appears. 2. In the "Send alerts to" text box, type the username(s) to receive alerts. Use a comma to separate multiple usernames. 3. Choose <OK>. The Statistics Display LAN Manager maintains a record of statistics about server performance. These statistics can be used to evaluate how often the server is used, and how well it is performing. Statistics are cleared each time the server is turned off, and can't be saved. They can also be cleared using the Config menu's Server statistics command. Statistics are kept for both workstations and servers. Workstation statistics record network activity, network errors, volumes of information sent and received, sessions from the workstation to the server, connections to shared resources, and use of network buffers. Server statistics record information about how the server is being accessed. The following statistics are kept for LAN Manager servers: Statistics since Tells when this set of statistics began (either at the last server startup or the last time the statistics were cleared). Bytes received Tells how many bytes of data the server received. Bytes sent Tells how many bytes of data the server transmitted. Mean response time (msec) Tells the average response time for processing remote server requests. Sessions accepted Tells how many times users connected to the server. Sessions timed out Tells how many user sessions were closed because of inactivity. Sessions erroredout Tells how many sessions ended because of error. Files and pipes accessed Tells how many files and pipes were used. Comm devices accessed Tells how many communication devices were used. Print jobs spooled Tells how many print jobs were spooled to printer queues on the server. Network errors Tells the number of data transmission errors. System errors Tells the number of errors from MS OS/2 system calls. Times buffers exhausted Tells the number of shortages of big buffers and request buffers. Password violations Tells how many incorrect passwords were tried. Permission violations Tells when a user attempts to access resources without the required permissions. Viewing and Clearing Statistics To view and optionally clear server statistics: 1. To view the statistics for the server, from the Status menu, choose Server statistics. The following dialog box appears: (This figure may be found in the printed book). 2. To clear the statistics for the server, choose <Clear statistics>. 3. When prompted for confirmation, choose <OK>. 4. Choose <Done>. Command Line To view and optionally clear server statistics: 1. View the statistics for the server by typing net statistics server 2. Clear the statistics for the server by typing net statistics server /clear See Net Statistics, Microsoft LAN Manager Administrator's Reference. The Error Log LAN Manager keeps records of workstation and server errors in a file called the error log. The error log is stored in the file NET.ERR in the LANMAN\LOGS directory. If the Messenger and Netpopup services are started on the computer, some errors also appear as alert messages on the screen. If you are searching for the cause of a problem and cannot find any relevant messages, you might look for evidence in the audit trail (see the "Auditing a Server on the Network" section, earlier in this chapter). For example, an incorrect password attempt is recorded in the audit trail rather than the error log. Viewing the Error Log The error log that is displayed on the LAN Manager Screen lists error entries from oldest to newest. When you view error information using the net error command, you have a choice of viewing in this order, or in the reverse order. The error log displays the following information: ■ The service error ■ The error number ■ The date and time when the error occurred To view the error log: 1. From the Status menu, choose Error log. The dialog box shown in Figure 16.4 appears. (This figure may be found in the printed book). 2. To get more information about an error, in the list box, select the error, then choose <Zoom>. The following dialog box appears: (This figure may be found in the printed book). 3. Choose <Done>. 4. Choose <Done>. Command Line To view the error log, type net error [/count:number] [/reverse] See Net Error, Microsoft LAN Manager Administrator's Reference. Saving and Clearing the Error Log The error log can be saved and cleared using the Status menu's Error log command. The error log can be cleared with the net error command. You can save the error log to the file ERROR.SAV at any time. This does not clear the log. ERROR.SAV is overwritten each time the log is saved. To keep a permanent record, copy ERROR.SAV to another file. When you clear the error log, the information is moved to the file ERROR.BAK. This file is overwritten each time the error log is cleared. To save and clear the error log: 1. From the Status menu, choose Error log. The "Network Error Log" dialog box (Figure 16.4) appears. 2. To save the contents of the error log in a file, choose >. When prompted for confirmation, choose <OK>. 3. To clear the error log, choose <Clear>. When prompted for confirmation, choose <OK>. 4. Choose <Done>. Command Line To clear the error log, type net error /delete See Net Error, Microsoft LAN Manager Administrator's Reference. Using Session Information Each time that a workstation communicates with a server, a session is established with the server. A session starts when a user on a workstation successfully makes a connection to a server, such as with the net use command. For a server with user-level security, a session is established when the server's user accounts database validates the user's password and username. For a server with share-level security, a session is established when the user makes a connection to a resource on a server. An administrator can view and control these sessions and can close files opened through one of these sessions. Knowing information about sessions is useful for gauging the server's work load. The Status menu's Session status command is used to view information about all sessions with a server and to force a session or file closed. LAN Manager has an autodisconnect feature that lets you set a time limit for inactive sessions. If you find that connections to a resource are not being used for long periods, you can set the autodisconnect entry in the [server] section of LANMAN.INI to end these sessions after a specified interval to enable more server processing power. The session is automatically activated the next time that the user uses the server. The number of sessions that can be established at a server, and how long an inactive session stays connected, are determined by entries in the [server] section of LANMAN.INI. These entries are listed in Table 16.2. Some of these settings are dependent on the values set for other settings in the list. For more information about the LANMAN.INI file, see the Microsoft LAN Manager Administrator's Reference. Table 16.2 LANMAN.INI Session Entries ──────────────────────────────────────────────────────────────────────────── autodisconnect Sets the number of minutes that the server waits before disconnecting an inactive session. The range is -1-65535; the default is -1 (never). maxchdevjob Sets the maximum number of simultaneous requests that the server accepts for all communication-device queues. The range is 0-65535; the default is 6 requests. maxconnections Sets the maximum number of simultaneous connections workstations can have with the server. The range is maxusers to 2000; the default is 128 connections. maxopens Sets the maximum number of files, named pipes, and devices that can be open on the server at one time. The range is 1-8000; the default is 64 opens. Table 16.2 LANMAN.INI Session Entries (continued) maxsessopens Sets the maximum number of files, named pipes, and devices one workstation can have open on the server. The range is 1 to maxopens; the default is 50 opens. maxsessreqs Sets the number of resource requests that one workstation can have pending on the server. The range is 1-65535; the default is 50 requests. maxsessvcs Sets the maximum number of virtual circuits the server can accept from a workstation. This value must be set to 1. maxusers Sets the maximum number of users who can use the server simultaneously. This is actually the number of sessions with the server. The range is 1-1000; the default is 32 sessions. The total number of users should include the number allowed by Additional User Paks plus the number of users accessing the server through IPC connections (named pipes, which are used by network application programs such as the net run command or Microsoft SQL Server). ──────────────────────────────────────────────────────────────────────────── NOTE Changing maxusers affects the maxconnections, numbigbuf, and numreqbuf entries. Use the Setup program to change the value of maxusers and automatically adjust these other entries. For information about using the Setup program, see the Microsoft LAN Manager Installation Guide. ──────────────────────────────────────────────────────────────────────────── ──────────────────────────────────────────────────────────────────────────── Modifying Session Entries The values for the session entries in LANMAN.INI can be temporarily modified when you start the server either by using the Config menu's Control services command, or by using the net start server command. For information about changing the server's configuration options when you start the Server service, see the "Controlling LAN Manager Services" section in Chapter 2, "Getting Started." Command Line To change session values: 1. Stop the Server service by typing net stop server 2. Change session values by typing net start server [/autodisconnect:time] [/maxchdevjob:n] [/maxconnections:n] [/maxopens:n] [/maxsessopens:n] [/maxsessreqs:n] [/maxsessvcs:n] [/maxusers:n] See Net Start Server, Microsoft LAN Manager Administrator's Reference. Viewing Session Information You can view the following types of information about a session with a server: ■ The computername and username for each user with an established session ■ The type of networking software (such as LAN Manager) making the connection (the "Client Type") ■ Whether or not the user is logged on as guest ■ How many open files a user has ■ How long the session has been inactive To view session information: 1. From the Status menu, choose Session status. The dialog box shown in Figure 16.5 appears. (This figure may be found in the printed book). 2. To get more information about a session, in the list box, select the session, then choose <Zoom>. The following dialog box appears: (This figure may be found in the printed book). 3. Choose <Done>. 4. Choose <Done>. Command Line To view session information, type net session [\\computername] See Net Session, Microsoft LAN Manager Administrator's Reference. Closing Sessions If you need to do something at a server that requires you to disconnect one or more sessions─for example, you need to restore data in a directory─you can close sessions from the server. If the Alerter service is running, the workstation with the session is automatically notified that the session is to be disconnected. Closing a user's session does not prevent the user from connecting to a resource. In fact, LAN Manager automatically starts a new session the next time the person uses a resource. If a session is inactive when it's forced closed, the user can start a new session without knowing the first session was closed. To prevent new sessions from being connected, pause the Server service. To end individual sessions, use the LAN Manager Screen. To end all sessions at once, use the command line. To close a session: 1. From the Status menu, choose Session status. The "Sessions to This Server" dialog box (Figure 16.5) appears. 2. In the list box, select the session that you want to end. 3. Choose <Disconnect>. 4. When prompted for confirmation, choose <OK>. 5. Choose <Done>. Command Line To close a session, type net session [\\computername] /delete See Net Session, Microsoft LAN Manager Administrator's Reference. Closing Files Turning off the server without using the Presentation Manager Shutdown procedure, as well as some types of program errors, sometimes leaves a file open─perhaps even locked. You can close these files to make them available again. To close a file: 1. From the Status menu, choose Opened files. The following dialog box appears: (This figure may be found in the printed book). 2. In the list box, select the file that you want to close. 3. Choose <Close>. 4. When prompted for confirmation, choose <OK>. 5. Choose <Done>. Command Line To close a file: 1. Find the identification number by typing net file 2. Close the file by typing net file id /close See Net File, Microsoft LAN Manager Administrator's Reference. Synchronizing Network Clocks Using the Timesource service, you can designate a LAN Manager server as the network time server, with which other computers on the network synchronize. The Timesource service runs only on the time server. The Timesource service does not keep time; it only provides the means for other computers on the network to identify a reliable clock. The clock must be maintained by some other mechanism, typically special hardware and/or software. The Timesource service is useful for synchronizing network events on all computers. For example, if you have a batch program to be run at the same time every day on all computers on the network, use the Timesource service to designate a time server so that the computers are synchronized and run the command at the same time. If you will be routinely using the Timesource service, you can add it to the srvservices list in the [server] section of the LANMAN.INI file in order to start the Timesource service each time the Server service is started. To start the Timesource service on the time server: 1. From the Config menu, choose Control services. The "LAN Manager Services" dialog box (Figure 16.2) appears. 2. In the list box, select Timesource, then choose <Start>. The following dialog box appears: (This figure may be found in the printed book). There are no options or values to set for the Timesource service. 3. Choose <OK>. 4. Choose <Done>. Command Line To start the Timesource service on the time server, type net start timesource See Net Start Timesource, Microsoft LAN Manager Administrator's Reference. Synchronizing with the Time Server After starting the Timesource service, you can synchronize other computers with the time server. Command Line To synchronize a computer with the time server, type net time \\computername /set See Net Time, Microsoft LAN Manager User's Guide. Appendix A The LANMAN.INI File ──────────────────────────────────────────────────────────────────────────── Summary Tables These tables provide the range and default values for entries in the LANMAN.INI file. A value of 65535 for an entry means "forever," or "no limit." For more information, see the Microsoft LAN Manager Administrator's Reference and the Microsoft LAN Manager Installation Guide. Workstation ╓┌─────────────────┌────────────────────┌────────────────────┌─────────────── Entry Units Range/Value Default Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── charcount bytes 0-65535 16 chartime milliseconds 0-65535000 250 charwait seconds 0-65535 3600 {128} computername characters 1-15 ─ domain characters 1-15 DOMAIN himem string yes/no/optional NO keepapis string yes/no YES keepconn seconds 1-65535 600 keepsearch seconds 1-65535 600 lanroot pathname ─ C:\LANMAN.DOS Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── lanroot pathname ─ C:\LANMAN.DOS lim string yes/no YES mailslots ─ yes/no YES maxcmds integer 5-255 16 {11} minimum = (5 * # of wrknets) maxerrorlog kilobytes 2 to total disk 100 size maxthreads integer 10-254 10 maxwrkcache kilobytes 0-640 64 numalerts integer 3-200 12 Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── numbigbuf integer 0-255 0 numcharbuf integer 0-15 10 {2} numdgrambuf integer 8-112 {3-112} 14 {3} nummailslots integer 0-255 2 numresources integer 1-255 9 numservers integer 1-255 9 numservices integer 4-256 {1-255} 8 {5} numviewedservers integer 0-255 50 numworkbuf integer 3-50 15 {5} Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── othdomains domain names as many as 4 ─ other domains printbuftime seconds 0-65535 90 sesstimeout seconds 10-65535 45 sizbigbuf bytes 0-65535 4096 sizcharbuf bytes 64-4096 512 {128} sizerror bytes 256-4096 1024 sizworkbuf bytes 1024-16384 4096 {1024} {64-4096} wrkheuristics ─ Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── wrknets names from net1 to list from [ NET1 {0} [networks] networks] {LANA numbers} {0-254} wrkservices service names no value to list MESSENGER, NETPOP from [services] ──────────────────────────────────────────────────────────────────────────── Braces ({ }) indicate defaults or ranges that are different for MS-DOS. The entry is only for an MS-DOS LANMAN.INI file. The entry is only for an MS OS/2 LANMAN.INI file. See the Microsoft LAN Manager Administrator's Reference. Messenger ╓┌─────────────┌─────────┌────────────┌──────────────────────────────────────╖ Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── logfile pathname ─ MESSAGES.LOG nummsgnames integer 1-10 2 sizmessbuf bytes 512-62000 4096 {256} {128-62000} ──────────────────────────────────────────────────────────────────────────── Braces ({ }) indicate defaults or ranges that are different for MS-DOS. The entry is only for an MS-DOS LANMAN.INI file. Netshell ╓┌─────────┌─────────────┌────────────┌──────────────────────────────────────╖ Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── refresh seconds 0-65535 15 remote computername ─ ─ username characters 1-20 USER ──────────────────────────────────────────────────────────────────────────── The entry is only for an MS OS/2 LANMAN.INI file. Server ╓┌───────────────┌─────────────────────┌─────────────────────┌─────────────── Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── accessalert integer 0-65535 5 alertnames usernames no value to name ─ list alertsched minutes 0-65535 5 auditing string yes/no/event NO autodisconnect minutes -1-65535 -1 autopath pathname ─ SRVAUTO.PRO autoprofile string LOAD diskalert kilobytes 0-65535 300 Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── erroralert integer 0-65535 5 guestacct name as many as 20 GUEST characters logonalert integer 0-65535 5 maxauditlog kilobytes 0-65535 100 maxchdevjob integer 0-65535 6 maxchdevq integer 0-65535 2 maxchdevs integer 0-16 2 maxconnections integer maxusers to 2000 128 maxlocks integer 1-8000 64 Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── maxlocks integer 1-8000 64 maxopens integer 1-8000 64 maxsearches integer 0-1927 50 maxsessopens integer 1 to maxopens 50 maxsessreqs integer 1-65535 50 maxsessvcs integer 1 1 maxshares integer 2-500 16 maxusers integer 1-1000 32 netioalert integer 0-65535 5 noauditing string ─ Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── noauditing string ─ numadmin integer 0-65535 2 numbigbuf integer 0-80 3 numfiletasks integer 1-8 1 numreqbuf integer 5-300 15 security string share/user USER sizreqbuf bytes 1024-32768 4096 srvanndelta milliseconds 0-65535 3000 srvannounce seconds 0-65535 60 srvcomment characters no value to 48 ─ Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── srvcomment characters no value to 48 ─ srvheuristics ─ srvhidden string yes/no NO srvnets names from net1 to list from [ NET1 [networks] networks] srvservices service names no value to list ALERTER from [services] userpath pathname ─ ACCOUNTS\USERDIRS ──────────────────────────────────────────────────────────────────────────── See the Microsoft LAN Manager Administrator's Reference. Alerter Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── sizalertbuf bytes 512-16384 3072 ──────────────────────────────────────────────────────────────────────────── Netrun ╓┌────────┌─────────┌────────────┌───────────────────────────────────────────╖ Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── maxruns integer 1-10 3 runpath pathname ─ ─ ──────────────────────────────────────────────────────────────────────────── Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── Replicator ╓┌───────────┌────────────┌───────────────────────────────────────┌────────── Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── exportlist names 0-32 0 exportpath pathname ─ REPL\EXPORT guardtime minutes 0 to (interval/2) 2 importlist servernames 0-32 0 importpath pathname ─ REPL\IMPORT Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── interval minutes 1-60 5 logon username ─ ─ password password ─ ─ pulse integer 1-10 3 random seconds 1-120 60 replicate ─ import/export/both IMPORT tryuser ─ yes/no YES ──────────────────────────────────────────────────────────────────────────── UPS ╓┌────────────┌─────────┌────────────┌───────────────────────────────────────╖ Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── batterytime seconds 0-28800 60 cmdfile pathname ─ ─ messdelay seconds 0-120 5 messtime seconds 30-300 120 recharge minutes 5-250 100 signals ─ 100 voltlevels ─ 100 ──────────────────────────────────────────────────────────────────────────── Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── ──────────────────────────────────────────────────────────────────────────── See the Microsoft LAN Manager Administrator's Reference. Netlogon ╓┌──────────┌─────────┌────────────┌───────────────────────────────────────── Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── pulse seconds 60-3600 300 randomize seconds 5-120 30 scripts pathname ─ REPL\IMPORT\SCRIPTS update ─ yes/no YES Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── update ─ yes/no YES ──────────────────────────────────────────────────────────────────────────── Remoteboot ╓┌───────────┌─────────────────────────────────────────┌────────────┌──────── Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── configfile filename or pathname ─ DOSBB.CNF maxthreads integer 10 rpldir pathname ─ RPL rpln RPL1-RPL12 ─ Entry Units Range/Value Default ──────────────────────────────────────────────────────────────────────────── rpln RPL1-RPL12 ─ ──────────────────────────────────────────────────────────────────────────── See the Microsoft LAN Manager Administrator's Reference. Appendix B Menu Commands ──────────────────────────────────────────────────────────────────────────── This appendix gives a brief tour of the LAN Manager Screen. It describes information displayed on the screen and explains what you can do with each menu command. The LAN Manager Screen for Administrators After you log on to the network as an administrator, the LAN Manager Screen for administrators appears, as shown in Figure B.1. (This figure may be found in the printed book). The fields of the LAN Manager Screen provide the following information: Menu bar Displays the names of menus from which you can choose menu commands. Current focus Shows the computername of your workstation or of the server that is the focus of activity when using LAN Manager Screen commands. Workstation information Provides the following information about your workstation: Your username The username specified when you logged on to the network. Your computername The computername specified when the workstation was started. Your domain The name of your logon domain. This is the domain name specified when you logged on to the network. If you didn't specify a domain name, you automatically logged on in the workstation domain, which is specified in the LANMAN.INI file. Note that the workstation domain and the logon domain are the same if you logged on in the workstation domain. Servers visible at the workstation Lists the servers in the logon and workstation domains. Scroll bar Lets you use a mouse to scroll through servers in the list box. Message line Provides a brief statement about the current menu, command, or task. View Menu The View menu commands let you view and control resources for local and remote servers, view usernames logged on to the network, and exit the LAN Manager Screen. (This figure may be found in the printed book). The following list describes the View menu commands: Available resources Displays the different types of resources available on the server of current focus. These resources include shared directories, printers, communication devices, and reserved administrative resources. Printer queues Displays the printer queues on the server of current focus and the print jobs in each queue. You can control the printer queues and the print jobs in each printer queue, and modify the queue settings. Comm-device queues Displays the communication-device queues (comm queues) on the server of current focus and the number of jobs waiting in each queue. You can control the jobs and modify the queue settings. Shared resources Displays the shared resources on the server of current focus. You can stop and start sharing administrative resources, directories, printer queues, and comm queues. Used resources Displays the resources your workstation is using on the server of current focus. You can connect your workstation to resources shared on servers other than the server of current focus and on non-LAN Manager servers. Users on a server Displays the users who are logged on at the server of current focus. Users on a domain Displays the users who are logged on in a domain. Exit Removes the LAN Manager Screen. Message Menu The Message menu commands let you send messages, control the message log, enable or disable message popups, and manage message aliases. (This figure may be found in the printed book). The following list describes the Message menu commands: Send a typed message Lets you send a message to one or more users on the network. Send a file as a message Lets you send a file as a message to one or more users on the network. Log messages to file Lets you select the log file that stores your messages, pause and continue message logging, and enable or disable message popup. Read message log file Displays the messages in your log file. Aliases Displays the message aliases on the workstation. You can add message aliases to your workstation, delete message aliases from your workstation, and forward your messages to another user's alias. Config Menu The Config menu commands let you log on to and off from the network, load and save profiles, view the workstation configuration, set the server configuration, and check or change the status of LAN Manager services. (This figure may be found in the printed book). The following list describes the Config menu commands: Log on to LAN Lets you log on to the network. Log off from LAN Lets you log off from the network. Load profile Displays the profiles you can load to automatically share resources and connect to shared resources. Save profile Lets you save the server's shared resources, and connections to shared resources, as a profile. Workstation options Displays information about your workstation's configuration, and stops and starts the Messenger and Netpopup services. Server options Displays the configuration for the server. Control services Displays information about LAN Manager services. You can start, stop, pause, and continue services. Stop LAN Manager services Disconnects your workstation from shared resources, logs you off from the network, and stops all services. Status Menu The Status menu commands let you check the status of shared resources, view workstation and server statistics, and read the audit trail and error log. (This figure may be found in the printed book). The following list describes the Status menu commands: Device status Displays information about shared devices on the server of current focus. You can cancel a print job, and pause and continue a printer or communication device. Session status Displays information about current sessions with the server of current focus. You can view the connections in a session and close a session. Opened files Displays the open files on the server of current focus. You can close a file. Workstation statistics Displays information about workstation activities on the network. Server statistics Displays the server statistics. Audit trail Displays the audit trail for the server. Error log Displays error messages received at the server. Accounts Menu The Accounts menu commands let you modify user and group accounts, view and set permissions for shared resources, and view or change security settings. (This figure may be found in the printed book). The following list describes the Accounts menu commands: Your account Displays information about your account. Change your password Lets you change your password at a server. Users Displays the user accounts on the server. You can create, modify, disable, and delete a user's account. Groups Displays the groups of users on a server. You can create, change the membership of, and remove a group. File permissions Displays the files and directories on the server of current focus. You can set permissions and auditing guidelines for these files and directories. Other permissions Displays the non-disk resources on the server of current focus. You can set permissions and auditing guidelines for these queues and named pipes. Security settings Displays the security settings on the server of current focus. You can change the settings for the server. Help Menu The Help menu commands let you access different types of online help. (This figure may be found in the printed book). The following list describes the Help menu commands: General help Describes the LAN Manager Screen and how to use it. Keyboard Explains how to use the LAN Manager Screen with the keyboard. Mouse Explains how to use the LAN Manager Screen with the mouse. Table of contents Displays a list of tasks you can perform with the LAN Manager Screen. Glossary of terms Displays an alphabetical list of terms and definitions used with LAN Manager. Using Help Explains how to use help. About LAN Manager Provides a brief description of LAN Manager. Console Version of the LAN Manager Screen The console version of the LAN Manager Screen gives users control over their own print jobs, while limiting access to the server (if the server has user-level security). It shows the status of printer and communication devices the server is sharing. Administrators can use this screen to monitor and control the status of the server's queues and to control print jobs in local printer queues. After you log on to the console version of the LAN Manager Screen, the screen in Figure B.2 appears. (This figure may be found in the printed book). View Menu The View menu commands let you view and control shared printer and comm queues on the server of current focus, and exit the LAN Manager Screen. (This figure may be found in the printed book). The following list describes the View menu commands in the console version of the LAN Manager Screen: Printer queues Displays the printer queues on the server of current focus and the print jobs in each queue. With user-level security, users can control their own print jobs. Administrators can reconfigure and control the queue, and can control jobs in a queue. Comm-device queues Displays the comm queues on the server of current focus and the number of jobs waiting in each queue. Exit Removes the console screen. Message Menu The Message menu command lets you send messages. (This figure may be found in the printed book). The following describes the Message menu command in the console version of the LAN Manager Screen: Send a typed message Lets you send a message to one or more users on the network. Status Menu The Status menu command lets you view and change the status of a printer or communication device. (This figure may be found in the printed book). The following describes the Status menu command in the console version of the LAN Manager Screen: Device status Displays information about shared devices on the server of current focus. Administrators can change the status of a device. Accounts Menu The Accounts menu command lets users change their passwords. (This figure may be found in the printed book). The following describes the Accounts menu command in the console version of the LAN Manager Screen: Change your password If the server has user-level security, lets users change their passwords. Help Menu The Help menu commands let you access different types of online help. (This figure may be found in the printed book). The following list describes the Help menu commands in the console version of the LAN Manager Screen: General help Describes the LAN Manager Screen and how to use it. Keyboard Explains how to use the LAN Manager Screen with the keyboard. Mouse Explains how to use the LAN Manager Screen with the mouse. Table of contents Displays a list of tasks you can perform with the LAN Manager Screen. Glossary of terms Displays an alphabetical list of the terms and definitions used with LAN Manager. Using Help Explains how to use help. About LAN Manager Provides a brief description of LAN Manager. Appendix C Country Codes ──────────────────────────────────────────────────────────────────────────── A country code in a user account defines the language in which messages are sent from a server to a user. Messages such as print notifications and alerts are sent from a server to a user's workstation. The country code does not affect the language of error messages and explanation messages generated by the workstation itself. The following table lists available country codes. The default value for the country code is 0. If the default value is specified, messages are sent in the language used in the LANMAN\NETPROG\NET.MSG file. ╓┌──────────┌─────┌───────────────┌──────────────────────────────────────────╖ Country Code Country Code ──────────────────────────────────────────────────────────────────────────── Asia 099 Latin America 003 Australia 061 Netherlands 031 Belgium 032 Norway 047 Country Code Country Code ──────────────────────────────────────────────────────────────────────────── Belgium 032 Norway 047 Canada 002 Portugal 351 Denmark 045 Spain 034 Finland 358 Sweden 046 France 033 Switzerland 041 Germany 049 United Kingdom 044 Italy 039 United States 001 Japan 081 ──────────────────────────────────────────────────────────────────────────── Appendix D Using the MS OS/2 Print Manager with LAN Manager ──────────────────────────────────────────────────────────────────────────── With LAN Manager installed on your computer, several features designed for use with the local-area network are added to the MS OS/2 Print Manager. These features do not appear if LAN Manager is not installed.If LAN Manager is installed on IBM OS/2 1.2, LAN Manager may replace the OS/2 Print Manager with the MS OS/2 1.2 Print Manager described in this appendix. When the Workstation service is running and you are logged on to the network, Print Manager lets you view and work with printers and queues on the network as well as on your computer. Print Manager is used the same in both cases, but with LAN Manager, you can also ■ Remotely set up and change printers and queues. ■ View and control print jobs in shared printer queues connected to your workstation. ■ Browse shared printers and queues in your workstation domain and other domains. ■ Specify whether information for network queues is refreshed in the Print Manager window and specify a time interval for refreshing. If you have admin privilege or print operator privilege at a server, you can remotely control shared queues and printers, and jobs in shared queues, with Print Manager. This appendix explains the Print Manager features that are available when LAN Manager is installed on your computer. For information about using Print Manager, see your MS OS/2 manual(s). The MS OS/2 Print Manager Window With LAN Manager installed, the Print Manager window looks almost the same as it does on a computer without LAN Manager. (This figure may be found in the printed book). The Print Manager window shows information about all shared printer queues to which your workstation is connected, as well as any local queues and printers. A shared queue is represented by its network path rather than a printer name. Note that if you connect to a shared queue without assigning a devicename to the connection, the queue is still displayed in the Print Manager window. When you print a file, you can select a shared queue for printing just as you select a local queue or printer. You can also control a shared queue in the same way you control a local queue, provided you have the necessary privilege at the server sharing the queue. With LAN Manager installed, some of the Print Manager menus are slightly different from those on a computer without LAN Manager.The following list shows the menus and commands for the Print Manager with LAN Manager installed. Queue menu Hold queue Suspends printing of all jobs from the queue(s) selected in the Print Manager window. Release queue Reactivates printing for the selected held queue(s). Cancel all jobs Removes all jobs currently in the selected queue(s). Job menu Job details Shows information, such as job name and priority, for the selected job(s). Cancel job Removes the selected job(s) from the queue. Print job next Puts the selected job(s) first in the queue. Start job again Stops the selected job(s) and repeats printing from the beginning. Hold job Changes the status of the selected job(s) so that printing is delayed until the job is released. Release job Releases the selected held job(s). Setup menu Spooler Path Changes the directory in which spooled print jobs are stored. Printers Adds, changes, or deletes a printer. You can also select a port, or one or more printer drivers, and you can set the options for the printer. You must be logged on at the workstation to use this command. Queues Adds, changes, or deletes a queue. You can also enter other settings that the printer driver will use, choose a queue driver, choose one or more printers, and choose a printer driver for the queue. You must be logged on at the workstation to use this command. Application defaults Identifies a default queue and a default printer for your applications. Refresh menu Refresh now F5 Immediately updates the list of queues and jobs. Refresh interval Determines how often information for network queues in the Print Manager window is refreshed. Help menu Help for help Tells how to display help information and how to use the help window. Extended help Displays general help information. Keys help Tells how to use the keyboard with Print Manager. Help index Displays an index of topics for which online help is available. About Displays the version number of Print Manager. Using MS OS/2 Print Manager with Network Printers The following sections describe how to view, set up, and change settings for printers and queues using Print Manager. Viewing Printers Print Manager lets you see which printers are currently set up on your computer or on a remote server. It also lets you add a printer to the list, or change settings for a printer. To view printers: 1. From the Setup menu, choose Printers. The dialog box shown in Figure D.1 appears. (This figure may be found in the printed book). This dialog box shows the names and descriptions of printers set up on your computer. The computername of your workstation is displayed in the "On Server" field. 2. To view printers on remote servers, choose Browse. NOTE The Browse command button is active only when a user is logged on at the workstation. The dialog box shown in Figure D.2 appears. (This figure may be found in the printed book). The computername displayed in the "On Server" text box is from the "Printers" dialog box. The servers in the workstation domain and the workstation's other domains are displayed in the list box. 3. In the "On Server" text box, type the server's computername or, in the list box, select the server. 4. Choose OK. You may need to supply a password to gain access to the server if your logon password is different from the password in your account at the server, or if the server is running share-level security. If a new password is needed, the dialog box shown in Figure D.3 appears. (This figure may be found in the printed book). If a new password is needed, in the "Enter Password" text box, type the password for the server you selected, then choose OK. The "Printers" dialog box (Figure D.1) appears, displaying printer information about the server you selected. From here, you can add, change, or delete printers at the server (provided you have the appropriate privilege), or browse other servers. 5. Choose OK. Setting Up a Printer Print Manager lets you set up printers to which you can send print jobs. Once you set up a printer, you create a printer queue for it. The queue can then be shared using LAN Manager. The next two sections show how to set up a new printer and change existing printer settings. To set up a new printer: 1. From the Setup menu, choose Printers. The "Printers" dialog box (Figure D.1) appears. It lists the printers that are currently set up on the server. 2. Choose Add. NOTE The Add and Delete command buttons are shaded (unavailable) if you have neither print operator privilege nor admin privilege. The following dialog box appears: (This figure may be found in the printed book). 3. In the "Name" text box, type a name for the printer. The name can have as many as 255 characters. When users send jobs to the queue, the server sends a message telling when the job has printed. LAN Manager includes the printer's name in the message. 4. In the "Description" text box, type a descriptive comment. The comment can have as many as 48 characters. 5. In the "Device" text box, type the name of the port, or select it from the drop-down list. To display the drop-down list, click on the arrow to the right of this text box, or press ALT+DOWN (the down direction key). ──────────────────────────────────────────────────────────────────────────── NOTE If you want to use a COM port, be sure you first set up the port via the Options menu of the MS OS/2 Control Panel. (From the Options menu, choose Communications port to display the "Communications Port" dialog box. From there, select the COM port and its options, then choose Set.)──────────────────────────────────────────────────────────────────────── 6. From the printer drivers list box, select one or more printer drivers that can be used with the printer, then choose Add. The last driver you select becomes the default driver (shown in the display field below the list box). 7. Choose OK. For more information about adding printers, see your MS OS/2 manual(s). Changing the Settings for a Printer The procedure for changing a printer's settings is similar to adding a new printer to your computer. If you want to change a printer's settings, such as its description or printer driver, use the following procedure. To change settings for a printer: 1. From the Setup menu, choose Printers. The "Printers" dialog box (Figure D.1) appears. 2. From the list box, select the printer, then choose Change. The following dialog box appears: (This figure may be found in the printed book). 3. Follow steps 3-6 from the preceding procedure. 4. Choose Change. 5. Choose OK. Viewing Queues Print Manager lets you see which printer queues are currently set up on your computer or on a remote server. It also lets you add a queue and update queue settings. However, you cannot share a printer queue from Print Manager─use the LAN Manager Screen or the net share command to share a queue. To view printer queues: 1. From the Setup menu, choose Queues. The dialog box shown in Figure D.4 appears. (This figure may be found in the printed book). This dialog box shows the names and descriptions of queues set up on your computer. The computername of your workstation is displayed in the "On Server" field. 2. To view queues on remote servers, choose Browse. NOTE The Browse command button is active only when a user is logged on at the workstation. The "Browsing Servers" dialog box (Figure D.2) appears. The computername displayed in the "On Server" text box is from the "Queues" dialog box. The servers in the workstation domain and the workstation's other domains are displayed in the list box. 3. In the "On Server" text box, type the server's computername or, in the list box, select the server. 4. Choose OK. You may need to supply a password to gain access to the server if your logon password is different from the password in your account at the server, or if the server is running share-level security. If a new password is needed, the "Administrating Server" dialog box (Figure D.3) appears. If a new password is needed, in the "Enter Password" text box, type the password for the server you selected, then choose OK. The "Queues" dialog box (Figure D.4) appears, displaying information about queues on the server you selected. From here, you can add, change, or delete queues on the server (provided you have the appropriate privilege), or browse other servers. 5. Choose OK. Adding a Queue To create a printer queue, you can use either the LAN Manager Screen (or command-line equivalent) or Print Manager. Using Print Manager gives you more control over the queue─you can use the Job Properties command button to define more details about how the queue prints, specifying options such as font and paper size. After you create a printer queue with Print Manager, you can share the queue with the network using the LAN Manager Screen or the net share command. The shared queue retains all the options and properties you defined for it with Print Manager. ──────────────────────────────────────────────────────────────────────────── NOTE Be sure to set up printers for your computer before creating the corresponding queues. ──────────────────────────────────────────────────────────────────────────── To create a new printer queue: 1. From the Setup menu, choose Queues. The "Queues" dialog box (Figure D.4) appears. 2. Choose Add. NOTE The Add and Delete command buttons are shaded (unavailable) if you have neither print operator privilege nor admin privilege. The following dialog box appears: (This figure may be found in the printed book). ──────────────────────────────────────────────────────────────────────────── NOTE The Setup command button is shaded (unavailable) if the queue is on a remote server (accessed via the Browse command button).───────────────────────────────────────────────────────────────────── 3. In the "Name" text box, type a name for the queue. The name for the queue can have as many as 8 characters with an optional 3-character extension. If the computer is using the high-performance file system (HPFS), the name can have as many as 255 characters. However, if you want to share the queue, you should limit this name to 8 characters with an optional 3-character extension. 4. In the "Description" text box, type a descriptive comment. The comment can have as many as 48 characters. 5. In the "Queue driver" text box, type the name of the driver, or select it from the drop-down list. ("Queue driver" is another name for print processor.) To display the drop-down list, click on the arrow to the right of this text box, or press ALT+DOWN (the down direction key). For more information about installing new queue drivers through the MS OS/2 Control Panel, see your MS OS/2 manual(s). 6. In the "Separator" text box, type the name of the separator page file, if any. You can type DEFAULT.SEP to use LAN Manager's default separator page. Unless you specify a different path, LAN Manager assumes the separator file is in the C:\SPOOL directory. 7. In the "Priority" text box, type the priority for the queue. The range is 1-9; the default is 5. To set the highest priority for the queue, use 1. 8. In the "Scheduling" text boxes, if appropriate, type the hours during which jobs in the queue will be printed. By default, the text boxes are empty and jobs are printed on a 24-hour basis. If you want to limit the hours that print jobs are printed, type the times in the "from" and "to" boxes. The time format depends on the country setting for your computer. 9. In the list box, select one or more printers that can be used with the new queue. 10. In the "Printer Driver" text box, specify the default printer driver. Print Manager offers a default name. This is the first printer driver supporting the first printer for the queue. Select from the drop-down list if you want another default driver. To display the drop-down list, click on the arrow to the right of this text box, or press ALT+DOWN (the down direction key). If the selected printers have no drivers in common, the drop-down list is empty. 11. Choose Job Properties if you want to customize settings for the default print driver. A dialog box specific to your default print driver appears. 12. Choose Setup if you want to customize settings for the default queue driver. Another dialog box appears, allowing you to choose from among options, if any, for that specific driver. 13. Choose Add. 14. Choose OK. Changing Options for a Queue You can use Print Manager to change an existing queue's options, such as the name of a driver or separator page used with the queue. To change options for a printer queue: 1. From the Setup menu, choose Queues. The "Queues" dialog box (Figure D.4) appears. 2. From the list box, select a queue, then choose Change. The following dialog box appears: (This figure may be found in the printed book). 3. Follow steps 3-12 from the preceding procedure. 4. Choose Change. 5. Choose OK. Updating Information in the MS OS/2 Print Manager Window The Print Manager window shows activity on local and network printers and queues. You can choose whether to refresh information about network queues and, if so, how often. Information on local queues is refreshed regardless of network queues. To set how often information is updated: 1. From the Refresh menu, choose Refresh interval. The following dialog box appears: (This figure may be found in the printed book). 2. In the "Refresh interval" text box, type the number of seconds. 3. Choose Set. To update network information: 1. From the Refresh menu, choose Refresh interval. 2. Mark the "Refresh for network queues" check box. 3. Choose Set. Entries for network queues and jobs are updated each time the list is refreshed. Glossary ──────────────────────────────────────────────────────────────────────────── 10 User Pak See Additional User Pak. Absolute path A pathname whose reference to a file or directory does not depend on the current drive or directory. An absolute path must start with a drive letter, a colon, and a backslash ( \ ). Use the format n:\directory[[\subdirectory][\filename]...]. See also Network path, Path, Pathname, and Relative path. Access permissions See Permissions. Account See User account. Accounts database See User accounts database. Accounts operator An operator privilege that allows a user (with user privilege) to create, remove, and modify user accounts (except those with admin privilege) and groups. See also Admin privilege, Comm operator, Operator privilege, Print operator, and Server operator. Additional User Pak An optional server modification that expands the number of users that can connect to a server. A server without Additional User Paks has a limit of five users. A 10 User Pak adds 10 users to the server's capacity. An Unlimited User Pak allows an unlimited number of users to access the server. Six 10 User Paks are equivalent to an Unlimited User Pak. ADMIN$ An administrative resource that enables remote administration on servers. A server's ADMIN$ must be shared for the server to be remotely administered. See also IPC$. Admin alert A message from LAN Manager about server and resource use. See also Alerts. Admin privilege The privilege level that allows a user at a server to issue all types of administrative commands and use all the resources shared by that server, regardless of the access permissions for the user. User accounts with admin privilege are part of the special user group admins. See also Administrator, Permissions, and Privilege level. Administrative privilege See Admin privilege. Administrative resources The resources used when network users and administrators perform certain tasks on the server, including viewing the resources the server is sharing, administering the server remotely, using the Netrun service, and running distributed applications. Administrative resources include ADMIN$, IPC$, and the disk administrative resources. How these resources are shared determines how users can perform tasks. See also ADMIN$, Disk administrative resources, and IPC$. Administrator The individual responsible for managing the local-area network. This person typically configures the network, maintains the network's shared resources and security, assigns passwords and privileges, and helps users. See also Operator privilege. Alerter service A LAN Manager service that enables a server to send error messages and special alert messages to a designated list of users. Alerts Messages that LAN Manager sends under certain conditions. The three classes of alerts are admin alerts, error alerts, and printer alerts. A computer must be running the Messenger service to receive alerts. See also Admin alert, Error alert, and Printer alert. Alias A username, computername, or other name that can receive messages. Each workstation's computername is automatically added to its list of aliases. Other aliases can be added with the net name command. An alias is not the same as a username, although a username can be added as an alias. Audit The process in which LAN Manager records an entry in the audit trail whenever a user accesses a resource in a certain way or logs on to the network. See also Audit trail. Audit trail A file that contains audit entries. See also Audit and Log. Backup domain controller A server in a domain that keeps and uses a copy of the domain's user accounts database to validate logon requests. See also Member server, Netlogon service, and Primary domain controller. Batch file See Batch program. Batch program A file containing commands that are carried out when the file runs. MS OS/2 batch programs have the filename extension .CMD. MS-DOS batch programs have the filename extension .BAT. Broadcast message A message you can send to all users on the local-area network. You can also send a message to all users within a domain. See also Messenger service. Check box A field in a LAN Manager Screen dialog box that lets you enable or disable one or more options. Click To position the mouse pointer on a character, and then press and release the left mouse button. See also Double-click and Drag. Clone To use an existing user account or group as a template for a new user account or group. Comm device See Communication device. Comm operator An operator privilege that allows a user (with user privilege) to create, share, and modify communication-device queues and requests. See also Accounts operator, Operator privilege, Print operator, and Server operator. Comm queue See Communication-device queue. Command button A command name, enclosed in angle brackets, at the bottom of a LAN Manager Screen dialog box (for example, <Zoom>>). Choosing a command button carries out a task or leads to another dialog box. Comm-device queue See Communication-device queue. Communication device A piece of hardware attached to one of the serial ports of a computer. Communication devices include modems, image scanners, and serial printers. Communication-device queue A queue that stores communication-device requests, and then sends them one by one to one or more communication devices. See also Pool and Unspooled. Communication-device request A request to use a shared communication device. To use a shared communication device, a user sends a communication-device request to the appropriate communication-device queue. Computername The name by which the local-area network identifies a server or a workstation. Each computername must be unique on the network. Connection The software link between a workstation and a shared resource on a server. A connection can be made by assigning a local devicename on the workstation to a resource shared on a server. A connection also can be made when the resource is accessed by using a network pathname with a command-line command or from an application. See also Devicename, Network path, and Session. Console version of the LAN Manager Screen A version of the LAN Manager Screen that allows users to monitor and control printers and other devices at a server, and prevents other uses of the server. Continue To restart a LAN Manager service that was paused. See also Pause. Country code A code in the user's account that specifies the language in which the server sends messages. Cracked mirror A mirrored or duplexed drive for which the primary and secondary partitions contain dissimilar information. See also Drive duplexing, Drive mirroring, Primary partition, and Secondary partition. CTRL key The key used in combination with other keys to control the running of LAN Manager and MS OS/2 commands. For example, CTRL+C tells MS OS/2 to stop the current command. Current focus The server or workstation that is the focus of activity when using the LAN Manager Screen or the ftadmin screen. Default A value coded into the LAN Manager software. For LANMAN.INI entries, the default value of an entry is assumed when the entry is missing from LANMAN.INI. Default permissions The permissions assigned to the parent directory or drive if no permissions are assigned for a directory or file. If no permissions are assigned for a communication-device queue, named pipe, or printer queue, the default permissions are the permissions assigned to the \COMM, \PIPE, or \PRINT resource. Device A piece of hardware that is attached to a computer, for example, a disk drive, printer, or communication device. Devicename The name by which a computer identifies a printer, disk, or other device. Disk devices are identified by a drive letter followed by a colon (for example, C:). Printers, modems, and other devices are identified by the port to which they are attached (for example, LPT1 or COM2). Dialog box A box that appears on the LAN Manager Screen when you choose a menu command (except Exit). Dialog boxes typically present a number of options from which to choose. Sometimes selecting an option or choosing a command button in one dialog box causes another dialog box to appear. Disk administrative resources Administrative resources that represent each of a server's disk drives. Administrative resources have names such as A$ and C$. An administrator performing remote administration can use each of these resources to access all the files on the corresponding disk drive of the server. Only administrators can connect to disk administrative resources. See also ADMIN$, Administrative resources, and IPC$. Disk resource A shared disk device. With LAN Manager, a drive, a partition, a directory tree, or a single directory can be shared as a disk resource. See also Devicename. Distributed application A program that is designed to run on a local-area network. Different computers run different parts of the program, which fit together to make the entire program. LAN Manager does not control a distributed application. Domain A combination of servers and workstations that are grouped to create an administrative unit. See also Logon security. Domain controller See Backup domain controller and Primary domain controller. Double-click To position the mouse pointer on a field or character, and then press and release the left mouse button twice with a quick motion. See also Click and Drag. Drag To select text with a mouse. Position the mouse pointer on the character that will begin or end the selection; press and hold down the left mouse button while moving the pointer to the other end of the desired selection; release the left mouse button. See also Click and Double-click. Drive duplexing A fault-tolerance feature that sets up a primary partition and a secondary partition with identical data using separate disk controllers. Drive duplexing provides protection against errors caused by a faulty controller. Drive duplexing is available only for computers with the high-performance file system (HPFS). See also Drive mirroring, Drive verification, Primary partition, and Secondary partition. Drive mirroring A fault-tolerance feature that sets up a primary partition and a secondary partition on two disks using the same disk controller. The operating system treats these partitions as a single logical drive. Data lost from one partition is recovered from the other. Drive mirroring is available only for computers with the high-performance file system (HPFS). See also Drive duplexing, Drive verification, Primary partition, and Secondary partition. Drive verification In drive mirroring and duplexing, the process of ensuring that data on a primary partition and a secondary partition is identical. See also Drive duplexing, Drive mirroring, Primary partition, and Secondary partition. Entry An item in the LANMAN.INI file. See also Option. Error alert A message from LAN Manager about local-area network or system errors. These messages are stored in the error log. See also Alerts and Log. Error log A file that stores error messages. See also Log. Error message A message that appears on the computer screen after LAN Manager or the operating system detects a problem while trying to process an operation or command. Escape code An instruction sent from a computer to a printer. In LAN Manager, escape codes are used to define separator page formats. Each escape code begins with an escape character. FAT file system See File allocation table (FAT). Fault monitoring A fault-tolerance feature that detects disk errors, logs them, and alerts administrators when errors occur. Fault-tolerance system A LAN Manager system that uses drive duplication and monitoring to prevent the corruption or loss of a computer's data. See also Drive duplexing, Drive mirroring, and Fault monitoring. Field One of five types of areas within a LAN Manager Screen dialog box. See also Check box, Command button, Dialog box, List box, Option button, and Text box. File allocation table (FAT) An MS OS/2 and MS-DOS file system that tracks the location of files in directories. The file allocation table also allocates free space on disks to ensure space is available for new files. MS OS/2 1.2 can replace the FAT file system with an installable file system (IFS), such as the high-performance file system (HPFS). Filename A unique name for a file. Under the FAT file system, a filename can have as many as eight characters, followed by a filename extension. The filename extension consists of a period (.) and as many as three characters. Under MS OS/2 1.2 high-performance file system (HPFS), a filename can have as many as 254 characters. See also Filename extension. Filename extension A unit of as many as three characters, preceded by a period, that sometimes is appended to a filename by an application or other program, and is at other times required. For example, MS OS/2 batch programs must always have the filename extension .CMD. In LAN Manager, profiles are assumed to have the .PRO extension. See also Filename. Ftadmin A LAN Manager utility that starts the fault-tolerance system. See also Fault-tolerance system. Ftmonit A LAN Manager utility that controls the fault-tolerance system's error-monitoring feature. See also Fault monitoring and Fault-tolerance system. Ftsetup A LAN Manager utility that installs the fault-tolerance system and configures drive mirroring and drive duplexing. See also Drive duplexing, Drive mirroring, Fault monitoring, and Fault-tolerance system. Group With user-level security, a set of users (with user accounts) who share common permissions for one or more resources. A group is used like a username when assigning permissions for resources. Individually assigned user permissions take precedence over those assigned through groups. Guest account An account on a server with user-level security that allows users with no account of their own to access the server's resources. Guest privilege A privilege level that allows a user to use local-area network resources, view information about a server's shared resources and the status of printer and communication-device queues, and send and receive messages. See also Permissions and Privilege level. Hidden server A server that is part of a domain, but does not appear in the list of servers. High-performance file system (HPFS) An MS OS/2 file system that has faster input/output (I/O) than the FAT file system, does not restrict file naming to eight characters with a three-character extension, and is compatible with the file allocation table (FAT) file system. When you install LAN Manager server software on an HPFS partition, it becomes an HPFS386 partition. See also File allocation table (FAT). High-performance file system 386 (HPFS386) An enhanced version of the high-performance file system designed to work with a 386 computer. HPFS386 includes an enhanced disk cache for servers and provides local security. See also High-performance file system (HPFS). Home directory A directory assigned to a user on a server with user-level security. Hotfixing An MS OS/2 high-performance file system (HPFS) feature that detects bad sectors on a hard disk and reroutes data to a good sector in a reserved area. Hotfixing is available only for computers using HPFS. HPFS See High-performance file system (HPFS). HPFS386 See High-performance file system 386 (HPFS386). Inherited permissions Permissions that can be assigned to an entire directory tree within a shared disk resource. To use inherited permissions, you set permissions for a directory, and then specify those permissions to be copied down through the directory tree to all subdirectories and files that exist at that time. See also Permissions. Interprocess communication (IPC) The communication between different processes of a program, between different computers running parts of a single program, or between two programs working together. IPC$ An administrative resource that controls how interprocess communication works on servers. A server's IPC$ must be shared before the resources shared by the server can be viewed on the network, before the server can be administered remotely, and before users can use the Netrun service or distributed applications on the server. See also ADMIN$ and Named pipe. LAN See Local-area network (LAN). LAN Manager A software program from Microsoft that expands the features of MS OS/2 and MS-DOS to enable computers to become part of a local-area network. LAN Manager Screen LAN Manager's menu-oriented interface. Three screens are provided: the LAN Manager Screen for users, the LAN Manager Screen for administrators, and the console version of the LAN Manager Screen. LAN Manager service See Services. LANMAN.INI The LAN Manager initialization file. The values in this file determine the option settings for computers on the local-area network, although the net start and net config command options can temporarily override LANMAN.INI values. These values can be modified to suit the network requirements. See also Default. List box A box within a LAN Manager Screen dialog box that contains a list of items from which you can select. Local A workstation or server at which the user or administrator is currently working, or a device or resource located at that workstation or server. See also Remote. Local computer The workstation or server at which the user or administrator is currently working. See also Remote computer. Local file security See Local security. Local security A security method available for 386 servers running the high-performance file system (HPFS386). This method extends LAN Manager security measures to protect the files on a server by restricting access for the users working at the server. With local security, a user must be assigned permissions to access any file or directory in an HPFS386 volume, whether or not the resource is shared as part of a LAN Manager resource. Local user The user or administrator working at that computer's keyboard. Local-area network (LAN) A group of computers, linked by cable or other physical media, that lets users share information and equipment. Log A history file. LAN Manager, by default, maintains an error log, a message log, and an audit trail. See also Audit trail, Error log, and Message log. Log off To remove the username and password from a workstation, breaking connections to local-area network resources, but not stopping LAN Manager services. Log on To provide a username and password to gain access to the local-area network. When connecting to resources, LAN Manager validates the username and password before granting access. If a domain has logon security, the username and password must match a valid user account on the primary domain controller. See also Primary domain controller. Logical drive Anything given a drive designation (for example, D:). This can be a disk partition; a workstation's redirected drive, which makes a connection to a remote disk resource; or a primary and secondary partition pair for a mirrored or duplexed drive. Logon domain The domain specified when logging on to the local-area network. Logon hours The days and times during which a user can access and use a server's resources. Logon restrictions The logon hours during which a user can access a server's resources, and the workstations from which the user can access a server's resources. See also Logon hours. Logon script A batch program containing LAN Manager and operating system commands used to configure workstations. Logon scripts can be written for one or more users. When the user logs on, the logon script runs at the user's workstation. Logon security A means of verifying the identities of users when they log on to the local-area network, and of unifying the user accounts database for a domain into one user accounts database, copies of which are kept on servers throughout the domain. See also Netlogon service. Logon server For a domain, the primary domain controller and the backup domain controllers. For a user, the server that processes the user's logon request. See also Netlogon service. Member server A server in a domain that keeps and uses a copy of the domain's user accounts database but does not validate logon requests. See also Backup domain controller and Primary domain controller. Menu A set of related LAN Manager commands accessible from the LAN Manager Screen. Menu bar The horizontal bar across the top of the LAN Manager Screen that contains menus. See also Menu. Menu command A command you can choose from a menu on the LAN Manager Screen. See also LAN Manager Screen, Menu, and Menu bar. Message alias See Alias. Message box A box that LAN Manager displays, in certain cases, providing information to the user and sometimes requesting the user to make a choice. Message forwarding To use aliases to reroute messages from one workstation or server to another. Message line A line that appears at the bottom of the LAN Manager Screen, providing information about the current menu, command, dialog box, or task. See also LAN Manager Screen. Message log A file that stores messages. See also Log. Message logging To save messages received by a workstation in a file or to print them on a local device. Message popup A box that displays messages received from other network users, when the Messenger and Netpopup services are running. See also Messenger service and Netpopup service. Messenger service A LAN Manager service that enables a workstation or server to receive messages from other local-area network users. This service can also store messages in a log file. Mirrored drive A hard disk drive partition whose data has been copied to another hard disk through the fault-tolerance system. A mirrored drive consists of a pair of partitions (a primary and secondary partition) that appear as a single logical drive to the operating system. See also Drive duplexing and Drive mirroring. MS OS/2 Microsoft Operating System/2. The operating system that supports LAN Manager servers and some LAN Manager workstations. See also Operating system. MS-DOS Microsoft Disk Operating System. The operating system that supports some LAN Manager workstations. See also Operating system. Named pipe A connection used to transfer data between separate processes, usually on separate computers. Named pipes are the foundation of interprocess communication (IPC). An administrator can set permissions on named pipes, but only LAN Manager and network applications can create them. See also Interprocess communication (IPC) and IPC$. Netlogon service A LAN Manager service that implements logon security. When a server in a domain runs the Netlogon service, the username and password supplied by each user who attempts to log on in the domain are checked. All servers participating in logon security run the Netlogon service; the Netlogon service replicates the user accounts database to these servers. See also Backup domain controller, Logon security, Member server, Primary domain controller, and Standalone server. Netpopup service A LAN Manager service that displays messages on the computer screen when they arrive from other local-area network users or from LAN Manager. Netrun service A LAN Manager service that lets users, from their own workstations, run programs on a server. Network path The computername of a server followed by the sharename of a shared resource. A server's computername is preceded by two backslashes (\\) and a sharename is preceded by one backslash (for example, \\SALES\REPORT). See also Computername, Resource, and Sharename. Network resource See Resource and Shared resource. Network security See Security. Operating system A program that coordinates all parts of a computer system. Network software extends the operating system, coordinating the interactions of workstations and servers. LAN Manager server software works with MS OS/2. LAN Manager workstations work with either MS OS/2 or MS-DOS. Operator privilege A privilege granted to a user that allows the user to perform certain administrative tasks. See also Accounts operator, Comm operator, Print operator, and Server operator. Operator rights See Operator privilege. Option Part of a command that determines how the command or service works; it is not required. See also Entry. Option button One of a set of options in a LAN Manager Screen dialog box. You can select only one option from the set. Orphaned drive In a mirrored or duplexed pair, a secondary partition for which the primary partition is missing. See also Drive duplexing, Drive mirroring, Primary partition, and Secondary partition. Password A word used to access the network or one or more shared resources. See also Logon security, Share-level security, User password, and User-level security. Path A set of directory names that defines a directory's location. A backslash (\) precedes each directory name except the top-level one. (For example, the path REPORTS\ACCT\NORTH indicates that the NORTH directory is in the ACCT subdirectory of the REPORTS directory.) An initial backslash indicates that the path begins at the drive's root directory. When the path begins with a drive letter, it is an absolute path. See also Absolute path, Network path, Pathname, and Relative path. Pathname A path that ends in a filename. A path specifies a directory; a pathname specifies a file. A pathname, like a path, can be absolute (containing a drive letter), or relative to the current drive and directory. See also Absolute path, Network path, Path, and Relative path. Pause To suspend a LAN Manager service. When a service is paused, current requests are not stopped, but new requests are not allowed. See also Continue. Peer service A LAN Manager service that enables an MS OS/2 workstation to share directories, one printer queue, and one communication-device queue with one other user at a time. The Peer service performs most of the same services as the Server service, but on a smaller scale. See also Server service. Permissions Settings that define the type(s) of action a user can take with a shared resource. With user-level security, each user is assigned permissions for each resource. With share-level security, each resource is assigned permissions, and all users who access the resource have these permissions. Pool A group of printers or communication devices that receive requests from the same queue. Primary domain controller The server at which the master copy of a domain's user accounts database is maintained. The primary domain controller also validates logon requests. See also Backup domain controller and Member server. Primary partition In drive mirroring or drive duplexing, the main partition in a mirrored or duplexed pair. Only the primary partition is visible to the operating system. See also Drive duplexing, Drive mirroring, and Secondary partition. Print job A document waiting in a printer queue. Print operator An operator privilege that allows a user to create, share, and modify printer queues and control print jobs. See also Accounts operator, Comm operator, Operator privilege, and Server operator. Print processor A program that readies a document for printing. Print request See Print job. Printer alert A message sent from LAN Manager about printer events. See also Alerts. Printer driver A program that controls printing and sets options such as print quality and paper size for a particular printer. In LAN Manager, each printer queue has a single printer driver associated with it. Printer queue A queue that stores print jobs, and then sends them one by one to a printer or pool. See also Pool and Spooled. Priority level A level assigned to each communication-device queue and printer queue that determines which job is processed first when several queues are trying to access the same communication device or printer at the same time. Privilege See Privilege level. Privilege level With user-level security, one of three settings─user, admin, or guest─assigned for each user account. The privilege level defines the range of actions a user can perform on the network. See also Admin privilege, Guest account, Guest privilege, Operator privilege, Permissions, and User privilege. Profile A file containing LAN Manager commands that share resources, establish connections to shared resources, and set printer queue and communication-device queue options. Queue See Communication-device queue and Printer queue. Redirect To change the default path of data traffic. Relative path A path relative to the current drive and directory. For example, from the C:\LANMAN directory, a relative path to the directory C:\LANMAN\ACCOUNTS is simply ACCOUNTS. See also Absolute path, Network path, Path, and Pathname. Remote Any server, workstation, or shared resource that is not located where the user or administrator is currently working. See also Local. Remote administration To perform administrative tasks on a server that is not located where the administrator is currently working. Remote computer A server or workstation that is not located where the user or administrator is currently working. See also Local computer. Remoteboot service A LAN Manager service that provides software support for starting MS OS/2 and MS-DOS workstations over the local-area network. Replicator service A LAN Manager service that maintains identical sets of files and directories on different servers and on MS OS/2 workstations running the Peer service. Resource Any disk drive or directory, printer, modem, image scanner, or other equipment that a server can share over a local-area network. LAN Manager also has administrative resources, which govern how certain processes work on each server. See also Administrative resources, Communication-device queue, Disk resource, Printer queue, Shared resource, and Sharing. Run path The list of directories containing programs available for use with the Netrun service on a particular server. For a program to be used with the Netrun service, it must be in a directory in the server's run path. See also Netrun service. Script See Logon script. Scroll bar The shaded bar that appears at the right of some LAN Manager list boxes. Use the scroll bar and the mouse to scroll through a list box that contains more information than can be shown in one screen. See also Scroll box. Scroll box The small box superimposed on a scroll bar in a LAN Manager list box. The scroll box reflects the position of the information within the list box in relation to the total contents of the list. See also Scroll bar. Secondary partition In drive mirroring or drive duplexing, the drive that duplicates data on the primary partition. The secondary partition is invisible to the operating system, which sees the primary and secondary partitions as a single logical drive. See also Drive duplexing, Drive mirroring, Drive verification, Fault-tolerance system, and Primary partition. Security A variety of methods that enables an administrator to control access to network resources. See also Local security, Logon security, Share-level security, and User-level security. Security settings Settings that determine how user account passwords can be changed and what action occurs when users violate their logon hours. There are five security settings: minimum password length, minimum password age, maximum password age, password uniqueness, and force logoff. See also Logon hours and Logon restrictions. Separator page One or more cover sheets that are printed before a print job. LAN Manager provides a default separator page, DEFAULT.SEP, for use with shared printer queues. Custom separator pages can also be used. Serial printer A printer attached to a computer's COM port. See also Communication device, Communication-device queue, Devicename, and Unspooled. Server A computer that manages and shares the data and equipment on a local-area network. Server operator An operator privilege that allows a user (with user privilege) to start and stop services, share resources, use the server's error log, and close users' sessions. See also Accounts operator, Comm operator, Operator privilege, and Print operator. Server service A LAN Manager service that enables a computer to share resources on the network and provides administrators with tools for controlling and monitoring resource use. See also Peer service. Services The main components of the LAN Manager software. The basic service is the Workstation service, which lets a computer use local-area network resources. The Server service enables a computer to share resources over the network. Other services include the Alerter, Messenger, Netlogon, Netpopup, Netrun, Peer, Remoteboot, Replicator, Timesource, and UPS services. Session A link between a workstation and a server. A session consists of one or more connections to shared resources. See also Connection. Setup program The program that installs LAN Manager software on a workstation or server. During installation, the Setup program is copied to the computer's hard disk for later use in managing the computer's configuration. Shared resource A resource on a server that has been made available to network users. See also Resource. Share-level security A type of security that limits access to each shared resource by requiring a password. Permissions are assigned to the resource (rather than to the user). All users who know the password can use the resource within the bounds of the permissions assigned for the resource. See also Password, Permissions, and User-level security. Sharename The name given to a resource when it is shared on the local-area network. Each shared resource is identified by its sharename. No two resources on a server can have the same sharename. See also Computername and Network path. Sharing The act of making a server's resources available to local-area network users. The procedure for sharing a resource differs depending on the type of resource and whether user-level or share-level security is used. See also Resource. Spooled The type of queue used with printers configured with a parallel interface. See also Devicename and Printer queue. Spooled queue See Spooled. Standalone logon A logon request that is not validated by a logon server. In domains without logon security, each logon request is granted as standalone logon. In domains with logon security, a logon request with a username not found in the domain's user accounts database is granted standalone logon. See also Logon security and Logon server. Standalone server A server with user-level security that has its own user accounts database and does not participate in logon security. Statistics A record of server and workstation performance, kept by LAN Manager. Statistics are cleared each time the server or workstation is turned off; they cannot be saved. Server statistics provide information about how the server is being accessed. Workstation statistics provide information about how the workstation is being used. Statistics report A detailed list of server access and workstation use provided by the net statistics command. See also Statistics. Text box An area in which information can be typed in a LAN Manager Screen dialog box. The text box may or may not contain text. Time server With the Timesource service, the server designated as the local-area network time source. The time server is the computer with which other computers on the network synchronize. See also Timesource service. Timesource service A LAN Manager service that identifies a server as the time source for a domain. Other computers can synchronize their clocks with the time source. Uninterruptible power supply (UPS) A battery, attached to a server's serial port, that provides backup power for conducting an orderly shutdown if the server's normal power supply fails. See also UPS service. Unlimited User Pak See Additional User Pak. Unspooled A queue used with communication devices and printers configured with a serial interface. See also Communication-device queue and Devicename. UPS service A LAN Manager service that enables a server to use an uninterruptible power supply (UPS). The UPS service protects the server from data loss during a power failure. See also Uninterruptible power supply (UPS). User Someone who uses the local-area network. User account A record on a server or in a domain that contains information about the user and identifies the user to LAN Manager. User accounts database The NET.ACC file stored in the LANMAN\ACCOUNTS directory. This file contains the user accounts and groups that have been established. See also Group and User account. User group See Group. User Pak See Additional User Pak. User password A special word used with user-level security to gain access to the local-area network. See also Password and User-level security. User privilege A privilege that allows a person to use local-area network resources, view information about a server's shared resources and the status of printer and communication-device queues, and send and receive messages. See also Permissions and Privilege level. User-level security A type of security in which a user account is set up for each user. Permissions are granted to each user for specific resources, defining exactly what actions each user can take with each resource. See also Logon security, Password, and Share-level security. Username With user-level security, the name by which the local-area network identifies a user. The name is part of a user account; the user supplies a password for the user account. The username and password are required to access resources shared on a server. With logon security, the username and password are required for the user to gain access to the network. Workstation A computer from which a person uses word processing, spreadsheet, database, and other types of applications to accomplish work, taking advantage of resources shared on the local-area network. Workstation domain The domain in which a workstation is a member, specified when the Workstation service is started. See also Logon domain. Workstation service A LAN Manager service that enables a computer to use local-area network resources and services. The Workstation service must be running for any other service to run. INDEX ────────────────────────────────────────────────────────────────────────── ? icon see also Ftadmin utility 286 computers adding a device driver 386 servers and local security A A (Change Attributes) permission Accessalert entry (LANMAN.INI) Accounts menu (console screen) Change your password command Accounts menu Change your password command File permissions command setting auditing setting permissions Groups command changing group membership cloning a group creating a group deleting a group Other permissions command setting auditing setting permissions for a named pipe setting permissions Security settings command changing security settings changing server role Users command adding an account changing account information cloning an account deleting an account disabling an account viewing account information Your account command Accounts operator privilege Accounts, user account expiration assigning a user a logon server assigning a user's home directory assigning groups through changing settings changing your password cloning contents creating defined deleting disabling for Replicator service guest home directories logon restrictions assigning a logon server limiting logon hours restricting workstation access Admin account see Administrative account Admin alerts Admin privilege and console screen and Netrun service defined ADMIN$ resource see Administrative resources Administration, remote see Remote administration Administrative account Administrative resources ADMIN$ fault tolerance, use with remote administration, use with share-level security, use with sharing disk administrative resources ADMIN$ requirement sharing displaying effect of profiles IPC$ distributed applications, use with fault tolerance, use with Netrun service, use with printer queues, use with share-level security, use with sharing sharing stop sharing of use in remote administration Administrative resourcesNetrun service see also Remote administration Admins group Alerter service see also Alerts adjusting buffer size at startup through LANMAN.INI configuring LANMAN.INI values modifying alert conditions modifying who gets alerts starting Alertnames entry (LANMAN.INI) Alerts see also Alerter service classes of alerts defined disk home directories modifying UPS requirements Alertsched entry (LANMAN.INI) Application Program Interfaces (API) Audit trail see also Auditing the server contents defined disk resource entries files involved in user-level security viewing, saving, and clearing AUDIT.BAK file AUDIT.SAV file Auditing entry (LANMAN.INI) Auditing the server network activity network events effects of security choice events that can be audited modifying audited events resource use auditing a disk resource auditing a file or directory auditing a named pipe auditing a queue or named pipe auditing communication-device queues communication-device queue defaults explained in share-level security Auditing see Auditing the server Autodisconnect entry (LANMAN.INI) Autodisconnect feature AUTOEXEC.BAT file for remoteboot Automatic profiles see Profiles Autopath entry (LANMAN.INI) Autoprofile entry (LANMAN.INI) B Background processes Backup domain controller see also Logon security, server roles Basic for MS-DOS see Workstations Batterytime entry (LANMAN.INI) Boot image files creating customizing adding device drivers C C (Create) permission Clocks, computer synchronizing .CMD files use with UPS service Cmdfile entry (LANMAN.INI) .COM files use in batch files with remoteboot Comm operator privilege Comm queues see Communication-device queues \COMM resource see also Communication-device queues Communication devices changing their status limiting open devices on the server setting up using shared devices viewing their status (console screen) Communication requests Communication-device queues advantages changing queue options limiting communication requests on the server options changing the priority level and route described priority levels routing communication requests setting pooling devices priority levels purging queue requests setting audited events setting permissions setting up sharing stop sharing of viewing (console screen) viewing Communication-device requests limiting purging viewing Config menu Control services command adjusting service performance continuing a service pausing a service starting a service stopping a service description Load profile command loading a profile Log off from LAN command logging off Log on to LAN command Save profile command saving a profile Server options command changing audited events changing the alertnames list controlling administrative services starting the Netrun service stopping the Netrun service Stop LAN Manager services command stopping services Workstation options command controlling Messenger service controlling Netpopup service CONFIG.SYS file for Remoteboot adding device drivers swappath entry ftmonit changes Connections connecting to a resource limiting connections to the server logon script Console screen Accounts menu Change your password command administrative password and user passwords description exit password exiting the screen Help menu instructions for users Message menu Send a typed message command print jobs changing position changing status viewing printer queues changing status viewing their options removing sending messages starting Status menu Device status command View menu Comm-device queues command Printer queues command viewing and changing device status viewing communication-device queues viewing printer queues Contents of manual Control Panel see MS OS/2 Country codes Cracked mirror see also Fault-tolerance system correcting defined Critical Error alert (ftadmin) Current focus and profiles of ftadmin screen CUSTOM directory (for remoteboot) CUSTOM.DEF file (for remoteboot) CUSTOM.IMG file (for remoteboot) CUSTOM.SYS file (for remoteboot) D D (Delete) permission Data loss guarding against .DEF file remoteboot adjustments for alternate MS-DOS versions DEFAULT.FIT file DEFAULT.SEP Default administrative account logon scripts permissions for a communication-device queue for a directory or file for a named pipe for a printer queue for Netrun pipe print processor printer driver profile for a server for a workstation REPL.INI file replication group security type separator page (printer queues) Deleting partitions Device drivers adding drivers to a remoteboot workstation under MS OS/2 under MS-DOS Dialog boxes see LAN Manager Screen Directories, shared see Disk resources Disk administrative resources see Administrative resources Disk controllers role in drive mirroring and duplexing Disk errors (ftadmin) classes of alerts correcting cracked mirrors self-correcting four types repeated failures viewing adjusting the display Disk resources in share-level security sharing stopping sharing of in user-level security auditing a file or directory permissions setting permissions sharing Diskalert entry (LANMAN.INI) Distributed applications and IPC$ communication mode defined use of named pipes Domains and Replicator service exporting to a domain assigning users logon servers broadcasting messages to (console screen) defined logon domain planning user accounts users' roles setting up single-server domains workstation domain DOS directory for Remoteboot for remoteboot DOSxxx directory for remoteboot DOS401.DEF file (for remoteboot) Drive duplexing see Fault-tolerance system Drive mirroring see Fault-tolerance system Drive statistics (ftadmin) viewing and clearing Drive verification see also Fault-tolerance system and ftadmin Verify menu defined verifying one or all drives Duplexing a drive see Fault-tolerance system E Enhanced for MS-DOS see Workstations Error alerts (ftadmin) Error alerts Error correction (ftadmin) see also Fault-tolerance system and drive verification defined Error log defined error alerts server viewing, saving, and clearing Error messages see Error log ERROR.BAK file ERROR.SAV file Erroralert entry (LANMAN.INI) Errors see Disk errors Escape characters and codes for separator pages Events, network defined .EXE file use in batch files under remoteboot .EXE files, Netrun compatibility .EXE files and Netrun service Exit passwords see also Console screen Exiting the LAN Manager Screen Export directories see Replicator service Export server see Replicator service Exportlist entry (LANMAN.INI) Exportpath entry (LANMAN.INI) Extent entry (REPL.INI) F F1 key FAT file system default permissions Fault monitoring see Fault-tolerance system Fault-tolerance system drive fault monitoring drive mirroring and duplexing canceling drive mirroring or duplexing defined exposing an orphaned drive freeing disk space error correction complete disk failure correcting cracked mirrors correcting disk-errors repeated disk failures verifying drives hotfixing defined utilities Faults viewing statistics Fdisk utility (MS OS/2) File extent see REPL.INI files File flags and A permission File handling in replication File integrity REPL.INI file File locks Files forcing a file closed limiting open files on the server .FIT files for Remoteboot for remoteboot FITS directory, for Remoteboot FITS directory for remoteboot Ftadmin utility see also Fault-tolerance system using the screen getting help menus and menu commands screen elements setting the focus Ftmonit utility see also Fault-tolerance system turning alerts on and off Ftsetup utility see also Fault-tolerance system defined deleting a drive exposing an orphaned drive mirroring or duplexing a drive unmirroring a drive G Groupnames requirements restrictions Groups Groups, standard rpl Groups adding and removing members admins group assigning permissions for assigning through a user's account cloning creating deleting effect of permissions guests group local group servers group special groups admins guests local rep (Replicator service) servers users users group Guardtime entry (LANMAN.INI) Guest account monitoring its use Guest privilege Guestacct entry (LANMAN.INI) Guests group H Hard disks enabling a workstation's for Remoteboot Help menu (console screen) Help menu About LAN Manager command description General help command Glossary of terms command Keyboard command Mouse command Table of contents command Using Help command Help system command line, using error messages F1 key for the ftadmin screen for the LAN Manager Screen console version message boxes removing Hidden servers security advantages Hidden shares see Administrative resources Hiding servers see Servers Home directory assigning a user's automation of limiting their size Hotfixing see Fault-tolerance system HPFS386 and local security HPFS and A permission and fault tolerance I IBM4201 printer driver Icons and mouse use (ftadmin) drive icons for ftadmin screen Image scanners see Communication-device queues, sharing Import directories see Replicator service Import server see Replicator service Importlist entry (LANMAN.INI) Importpath entry (LANMAN.INI) Integrity entry (REPL.INI) Interprocess communication (IPC) Interval entry (LANMAN.INI) IPC$ see Administrative resources IPC see Interprocess communication K Keyboard movements with the LAN Manager Screen see LAN Manager Screen L \laGroups\ra button \laLogon\ra button LAN Manager Screen see also Ftadmin utility console version. See Console screen current focus in share-level security dialog boxes check boxes command buttons list boxes option buttons removing text boxes elements exiting getting help keyboard movements menus Accounts menu Config menu Help menu Message menu Status menu using View menu mouse movements Print Manager changes using drop-down lists using the mouse help using the screen screen elements LAN Manager quitting starting Langroup entry (LANMAN.INI) LANMAN directory ACCOUNTS subdirectory FITS subdirectory LOGS subdirectory PROFILES subdirectory PROFILES subdirectory. See also Profiles LANMAN.INI FILE profile settings LANMAN.INI file {alerter} section {messenger} section {netlogon} section {netrun} section {netshell} section {remoteboot} section {replicator} section {server} section {ups} section {workstation} section \laPaths\ra button Licensing and Netrun service Local group see also Local security Local security and background processes and CONFIG.SYS and privileged processes and SECURESH.EXE definition and requirements local group on 386 servers permissions setting up the server Locks, file Logging off from the network Logging on at the first server on the network to an existing network using the default administrative account without accessing the network Logical drives and fault tolerance viewing information about viewing statistics Logoff forced logoff and account expiration Logon command Logon domain see Domains Logon entry (LANMAN.INI) Logon scripts and Replicator service assigning defined filename extensions for 1.x workstations for 2.0 workstations NETLOGON resource permissions planning SCRIPTS directory USERDIRS directory Logon security advantages and share-level servers server roles changing a role promoting a member or backup setting up the primary Logon servers assigning one for a user Logon restrictions standalone validation expediting processing under logon security Logonalert entry (LANMAN.INI) LOGS directory M MACHINES directory for Remoteboot Makeimg utility Manuals contents of this manual notational conventions other manuals in this set Maxauditlog entry (LANMAN.INI) Maxchdevjob entry (LANMAN.INI) Maxconnections entry (LANMAN.INI) Maxopens entry (LANMAN.INI) Maxruns entry (LANMAN.INI) Maxsessopens entry (LANMAN.INI) Maxsessreqs entry (LANMAN.INI) Maxsessvcs entry (LANMAN.INI) Maxusers entry (LANMAN.INI) Member server see also Logon security, server roles Memory swapping on remoteboot workstations using the local hard disk using the server Menus see also Console screen LAN Manager Screen using Message log file designating Message menu (console screen) Send a typed message command Message menu Aliases command description Log messages to file command Read message log file command Send a file as a message command Send a typed message command Messages adding and deleting aliases broadcasting (console screen) logging network assigning a language for a user reading sending (console screen) sending the Message menu Messdelay entry (LANMAN.INI) Messenger service and UPS effect on alerts effect on error logging LANMAN.INI entries pausing starting and stopping Messtime entry (LANMAN.INI) Mirroring a drive see Fault-tolerance system Modems see Communication-device queues Monitoring performance see Auditing the server Mouse movements with the LAN Manager Screen see LAN Manager Screen MS OS/2 and Presentation Manager Control Panel Print Manager changes setting up printers N N (No) permission Named pipes limiting open named pipes on the server setting permissions for sharing use by Netrun and distributed applications Names groupname printer names requirements sharename requirements (disk) username Net comm and profiles Net print and profiles Net share and profiles Net stop server and UPS service Net stop workstation and UPS service Net use and profiles NET.ACC file see User accounts database NET.AUD file see also Audit trail NET.ERR file see also Error log Netioalert entry (LANMAN.INI) NETLOGON resource Netlogon service and domains compatibility with earlier versions in single-server domains LANMAN.INI values NETLOGON resource NETLOGON.BAT see also Logon scripts NETLOGON.CMD see also Logon scripts NETLOGON.PRO file Netpopup service and UPS effect on alerts effect on error logging pausing starting and stopping Netrun service advantages and IPC$ checking whether it's in use controlling access to programs defined LANMAN.INI values making programs available program requirements setting up starting automatically starting stopping the runpath Noaudit entry (LANMAN.INI) Non-disk resource auditing setting permissions Notational conventions NO_MASTR.RP$ NO_SYNC.RP$ O OK.RP$ Operator privileges accounts operator privilege assigning comm operator privilege print operator privilege server operator privilege Orphaned drive see also Fault-tolerance system defined OS2 directory entry (LANMAN.INI) for Remoteboot P P permission Admin only Change Permissions in share-level security Parent directory Partitions see also Fault-tolerance system deleting with ftsetup fault-tolerance limit Password entry (LANMAN.INI) Passwords changing from the console screen console screen exit password default administrative password for remote administration (share-level security) guest accounts in share-level security ADMIN$ for communication-device queues for disk resources for printer queues IPC$ requirements in user-level security assigning a user's placing requirements on requirements Peer service and profiles user limit Permissions for home directories for logon scripts for Replicator service in local security in share-level security defined for communication-device queues for disk resources for queues recommended uses in user-level security assigning queue permissions with net access default communication-device queue permissions default file and directory permissions defined for communication-device queues for files or directories for named pipes for Netrun pipe for printer queues for queues or named pipes inherited disk resource permissions securing programs run with the Netrun service user and group interactions preventing a user's access to a resource protecting Netrun programs Pipes, named see Named pipes PIPE\LANMAN\NETRUN setting permissions PMPRINT print processor Pools of communication devices. See Communication-device queues of printers. See Printer queues Postscript printers Presentation Manager and the Netrun service assigning printer names shutdown procedure cracked mirrors, preventing using the ftadmin screen Primary domain controller see also Logon security, server roles setting up Primary partition see also Fault-tolerance system defined drive verification viewing information about Print alerts Print jobs canceling deleting a queued job killing the current job controlling from the console screen holding and releasing managing priority through LAN Manager queues purging a queue repositioning from the console screen restarting viewing a queue's from the console screen the server's Print Manager cloning a printer queue creating a printer queue menus and commands with LAN Manager Refresh menu Refresh interval command Setup menu Printers command Queues command Print operator privilege Print processor see also Printer queues use with printer queues Printer driver see also Printer queues Printer queues advantages and non-ASCII files audited events setting cloning with Print Manager controlling from the console screen purging releasing creating with Print Manager including local and remote printers limiting printing hours options changing customizing separator pages holding print processors printer drivers priority levels scheduling printing times setting permissions setting pooling printers Print Manager print processors printer driver defined priority levels queue setups resharing a queue routing jobs scheduling printing times security separator pages setting up printers sharing remote printers serial printers stop sharing of viewing a queue the server's Printer setting up Printers see also Printer queues changing their status (console screen) continuing limiting open devices on the server managing name requirement pausing pooling print alerts serial sharing setting up viewing status (console screen) Priority levels for communication-device queues for printer queues Priority levelsCommunication-device queues see also Printer queues Privilege see also Operator privileges admin administering the console screen fault tolerance, use with resource access assigning a user's privilege guest guest account levels defined planning users' roles in domains user Privileged processes PRIVINIT.CMD .PRO files see also Profiles Process background privileged Processing power, shared see Netrun service PROFILES directory Profiles and administrative resources and LANMAN.INI automatic loading PUBLIC resource saving commands in defined in share-level security loading appending or replacing configurations procedure saving a local profile a profile remotely permissions, in share-level security server commands in passwords, use with use as logon scripts Workstation commands in under Peer service Programs local security permissions requirements Protshell entry (CONFIG.SYS) PUBLIC directory Pulse entry (LANMAN.INI) Q QueuesCommunication-device queues see Printer queues Quitting LAN Manager see LAN Manager R R (Read) permission Random entry (LANMAN.INI) Recharge entry (LANMAN.INI) Remote administration ADMIN$'s role as a security feature MS-DOS workstation limitations of fault tolerance of share-level servers preventing profile loading one remotely saving one remotely running several remote sessions starting a session Remote servers see Remote administration Remoteboot service customizing adding device drivers booting more than one MS-DOS version work directories, not on remoteboot server LANMAN.INI values preparing a workstation accounts and permissions (user-level security) adding it to the network creating configuration files (MS OS/2) disabling Remoteboot disabling the local hard disk RPLUSER directory tree setting up memory swapping on a remoteboot workstation REPL.INI files see also Replicator service creating default file extent entry integrity entry Replicate entry (LANMAN.INI) Replicating directories see Replicator service Replicating logon scripts Replicator service and logon scripts defined export server creating the export directory export directory setting up import server creating the import directory import directory importlist required permissions setting up signal files use of export directory LANMAN.INI values starting automatically suspending replication of a file or directory Reserved administrative resources see Administrative resources Resource, non-disk auditing setting permissions Rpl group RPL ROM chip RPL.MAP file workstation record enabling a new record workstation records adapting for alternate MS-DOS versions Rpldsabl utility Rplenabl utility RPLUSER directory (Remoteboot service) creating work directories Run path adding programs removing programs Runpath entry (LANMAN.INI) S Scanners see Communication-device queues Screen sessions preventing users from switching (console screen) SCRIPTS directory Scripts entry (LANMAN.INI) Scripts see Logon scripts Secondary partition see also Fault-tolerance system defined drive verification exposing free disk space for them viewing information about SECURESH.EXE Security settings Security settings@adjusting Security, local see Local security, on 386 servers Security changing the server's security default type other means of protection planning domain worksheet SecurityShare-level security see also User-level security Separator pages Serial printers see Printers Server operator privilege Server service LANMAN.INI values modifying use limits at startup pausing server profiles starting Server auditing network events configuration values error log saving and clearing viewing forcing files closed hiding a server replicating a server's directories roles in logon security sessions forcing sessions closed placing limits on viewing session information setting up alerts setting up for Netrun viewing and clearing statistics viewing its configuration viewing, saving, and clearing the audit trail Servers group Services see also the listing for the service adjusting controlling continuing pausing starting stopping defined descriptions Alerter Messenger Netlogon Netpopup Netrun Peer Remoteboot Replicator Server Timesource UPS Sessions automatically disconnecting inactive sessions closing defined forcing a session closed viewing one session the server's Share-level security and ADMIN$ and IPC$ and Netrun service available auditing defined effect on sessions gaining administrator status remote administration Sharename and permission in share-level security defined requirements (disk) Sharing server's memory see Netrun service Sharing in share-level security SharingAdministrative resources Communication-device queues Disk resources see also Printer queues Signal files (Replicator service) Signals entry (LANMAN.INI) Sizalertbuf entry (LANMAN.INI) Size limits home directory \SPOOL directory Spooled printer queues see Printer queues Spooler, LAN Manager Spooling SQL Server SRVAUTO.PRO file SRVAUTO.PRO see also Profiles Srvservices entry (LANMAN.INI) Standalone logon Standalone server see also Logon security, server roles Statistics drive server contents of the display monitoring sessions using viewing and clearing workstation viewing and clearing Status menu (console screen) Device status command changing a device's status viewing device status Status menu Audit trail command viewing the audit trail description Device status command deleting a print job printers, continuing printers, pausing Error log command saving and clearing the error log viewing and clearing the error log Opened files command checking Netrun use forcing a file closed Server statistics command clearing statistics viewing statistics Session status command forcing a session closed viewing sessions Workstation statistics command Swappath entry (CONFIG.SYS) see CONFIG.SYS Synchronizing computer clocks drives under fault tolerance T 286 computers adding a device driver 386 servers and local security Tasks getting help with Terms getting help with Time server Timesource service designating the time server starting synchronizing with the time server Tree extent see REPL.INI files Tree integrity see REPL.INI files Tryuser entry (LANMAN.INI) Typographic conventions U Unattended server see Console screen Uninterruptible power supply (UPS) defined UPS service and drive verification configuring LANMAN.INI values setting up starting User accounts database and logon security for member or backup servers for standalone servers in single-server domains planning User privilege and operator privileges defined User-level security advantages and ADMIN$ and IPC$ and local security and logon security and Netrun service available auditing defined effect on sessions password requirements advantages permissions for Netrun pipe security settings defined User-level securityLocal security see also Logon security USERDIRS directory USERLOCK files Replicator service Username defined requirements Users group Users limiting number of users using a server viewing users logged on Using resources V Validation of logon requests see Logon View menu (console screen) Comm-device queues command viewing queues Printer queues command changing a job's status changing queue status repositioning a queued job viewing a queue viewing job information View menu Available resources command Comm-device queues command changing a queue's priority purging requests viewing queues description Exit command Printer queues command changing queue options deleting a queue deleting a queued job holding and releasing a job holding and releasing a queue purging a queue repositioning a queued job restarting a printing viewing queues Shared resources command changing administrative resource options changing queue options sharing a directory sharing a queue sharing an administrative resource stop sharing a communication-device queue stop sharing a directory stop sharing a printer queue stop sharing an administrative resource viewing queues Used resources command Users on a domain command Users on a server command Viewing communication-device queues drive information drive statistics error information error log partition information printer queues on a server viewing one queue server configuration server statistics session information workstation configuration Virtual circuits Voltlevels entry (LANMAN.INI) W W (Write) permission Warning alert (ftadmin) Work directories (for Remoteboot) creating Work directories (for remoteboot) locating, not on remoteboot server Workstation domain see Domains Workstation service LANMAN.INI entries pausing starting Workstation remoteboot workstation adjusting memory swapping creating configuration files for MS OS/2 disabling the local hard disk returning to local boot Workstations adjusting configuration options and Netrun service limiting connections to the server MS OS/2 default logon script MS-DOS Basic default logon script Enhanced Enhanced, and remote administration remote administration limits remoteboot workstations adding device drivers alternate MS-DOS versions viewing and clearing statistics WRKFILES resource (Remoteboot service) X X (Execute) permission Y Y (Yes) permission Y+P (Yes+Change Permissions) permission