The Change Network Server User Attributes (CHGNWSUSRA) command is used to change network server attributes for an i5/OS user or group profile that operate in a networking environment. This command can be used to do the following:

1. Set network server attributes for a specific user or group profile. For example, the default NetWare Directory Services Tree name could be set for a specific user profile.
2. For NetWare networks, the network server attributes can be set up so that this user or group profile will be enrolled into the NetWare network. Where the profile is enrolled depends on the values specified by the NDSTREELST parameter.
3. For Windows networks, the network server attributes can be set so that a user or group profile will be enrolled into one or more Windows domains or local servers. When enrolling into a Windows local server, the server must be associated with a locally attached Integrated xSeries Server. Where the profile is enrolled depends on the values specified by the WNTDMNLST and WNTLCLSVRL parameters.

   When an i5/OS user is enrolled, a matching Windows user identity is created in the Windows domain or on the Windows local server.

   When an i5/OS group profile is enrolled into a Windows domain or local server, a matching Windows group is created in the domain or local server. All i5/OS user profiles that are defined in the group are enrolled into the domain or local server and added to the Windows groups that are currently defined by the user account template.

Network server user attributes are saved by the Save System (SAVSYS) and Save Security Data (SAVSECDTA) commands. Network server user attributes are restored to the system when the user profile is restored. The Restore User Profiles (RSTUSRPRF) command can be used to restore user profiles and the network server user attributes associated with them.

Restrictions:

1. Only a user with *OBJMGT and *USE authorities to the user profile being changed, can specify this command.
2. To make changes to the NDSTREELST, WNTDMNLST, or WNTLCLSVRL parameters, a user must have *SECADM special authority.
3. The Windows domain and server names specified in the WNTDMNLST and WNTLCLSVRL parameters must follow the naming conventions of Windows.

Parameters

Keyword	Description	Choices	Notes
USRPRF	User profile	Simple name, *CURRENT	Optional, Key, Positional 1
PRFTYPE	Profile type	*USER, *GROUP	Optional, Key, Positional 2
PMTCTL	Prompt control	*ALL, *WINDOWS, *NETWARE, *WINDOWSNT	Optional, Key, Positional 3
PRPGRPMBR	Propagate group members	*SAME, *NONE, *ALL, *MBRONLY	Optional
DFTSVRTYPE	Default server type	*SAME, *WINDOWS, *NWSA, *NETWARE, *WINDOWSNT	Optional
NDSTREE	NDS tree	Character value, *SAME, *NWSA, *NONE	Optional
NDSCTX	NDS context	Path name, *SAME, *NWSA, *ROOT	Optional
NDSTREELST	NDS tree list	Single values: *SAME, *NWSA, *NONE Other values (up to 10 repetitions): Element list	Optional
	Element 1: NDS tree	Character value
	Element 2: User object context	Path name
	Element 3: Default server	Character value, *ANY
	Element 4: Profile object	Path name, *NONE
WNTDMNLST	Windows server domain list	Single values: *SAME, *NWSA, *NONE Other values (up to 64 repetitions): Element list	Optional
	Element 1: Domain	Character value
	Element 2: User template	Character value, *NONE
	Element 3: Group type	*GLOBAL, *LOCAL
WNTLCLSVRL	Windows local server list	Single values: *SAME, *NWSA, *NONE Other values (up to 64 repetitions): Element list	Optional
	Element 1: Server	Character value
	Element 2: User template	Character value, *NONE

Top

User profile (USRPRF)

Specifies the name of an i5/OS user profile whose network server attributes are to be set.

The following IBM-supplied objects are not valid on this parameter:

QAUTPRF         QNFSANON       QYCMCIMOM
QCOLSRV         QRJE           QEJBSVR
QDBSHR          QSNADS         QSRVAGT
QDBSHRDO        QSPL           QANZAGENT
QDFTOWN         QSPLJOB        QIBMHELP
QDOC            QSYS
QDSNX           QTCP
QEJB            QTFTP
QFNC            QTSTRQS
QGATE           QCLUMGT
QLPAUTO         QTCM
QLPINSTALL      QIPP
QMSF            QPM400
QNETSPLF        QNTP
QYPSJSVR        QCLUSTER
QNETWARE *      QMGTC

* QNETWARE is legal to enroll if it is a user on a NetWare tree or server. Any other use of QNETWARE is not supported.

The following profile names are not valid on this parameter when enrolling to a Windows domain or server.

GUEST
GUESTS
REPLICATOR
USERS

Note that QAUTPRF and QNFSANON were not disallowed in versions earlier than V4R1. Also, profiles QPRJOWN, QSRV, QSRVBAS, QSVSM, QTMPLPD, and QUMB were disallowed in pre-V4R1 versions, but are now legal to enroll. The change was made in order to keep in sync with the list of objects that i5/OS security uses for some commands.

*CURRENT

The user profile attributes for the current user profile are changed.

user-name

Specify the name of an i5/OS user or group profile.

Profile type (PRFTYPE)

Specifies whether the user or group attributes for a profile are to be changed.

*USER

The user profile attributes are changed.

*GROUP

The group profile attributes are changed.

Prompt control (PMTCTL)

Specifies which network server attributes should be prompted for on the command.

*ALL

All parameters are prompted.

*WINDOWS or *WINDOWSNT

Only those parameters that apply to Windows domains and servers are prompted.

Note: *WINDOWS should be used in V5R4 and later releases. The *WINDOWSNT value is supported for compatibility with releases prior to V5R4.

*NETWARE

Only those parameters that apply to *NETWARE servers are prompted.

Propagate group members (PRPGRPMBR)

Specifies how an i5/OS group and its users are to be enrolled. There are two different ways that an i5/OS group and its users can be enrolled.

1. The i5/OS group is enrolled in the network. All of the members of the group are also enrolled in the network and added to the newly created group.
2. Only the members of the i5/OS group are enrolled in the network. The group itself is not enrolled in the network.

*SAME

The PRPGRPMBR value does not change. If the PRPGRPMBR parameter has never been set, it is defaulted to *ALL.

*ALL

The i5/OS group and all members of the group are enrolled. Any user profiles added to this group at a later time are also enrolled into the network.

*MBRONLY

Only the members of the group are enrolled. The group itself is not enrolled. Any user profiles added to this group at a later time are also enrolled into the network.

Default server type (DFTSVRTYPE)

Specifies the default server type for this user. This attribute is used primarily as a default for those i5/OS commands that support multiple network types.

*SAME

The default server type does not change.

*NWSA

The default server type from the system network server attributes is used.

*WINDOWS or *WINDOWSNT

The default server type for the user is set to *WINDOWS.

Note: *WINDOWS should be used in V5R4 and later releases. The *WINDOWSNT value is supported for compatibility with releases prior to V5R4.

*NETWARE

The default server type for the user is set to *NETWARE.

NDS tree (NDSTREE)

Specifies the name of the default NetWare Directory Services tree used by this user. The tree specified should be the one most often used by this i5/OS user when accessing the network.

*SAME

The NetWare Directory Services tree name does not change.

*NWSA

The NetWare Directory Services tree specified in the system network server attributes is used.

*NONE

No default NetWare Directory Services tree is specified.

'NDS-tree-name'

Specify the name of the default NetWare Directory Services tree.

NDS context (NDSCTX)

Specifies the complete path name of a default NetWare Directory Services context, associated with the tree specified by the NDSTREE parameter, to be used when this user issues i5/OS commands that use NDS objects. This becomes the current context when the i5/OS user signs on.

*SAME

The default NDS context name does not change.

*NWSA

The NetWare Directory Services context specified in the system network server attributes is used.

*ROOT

The NetWare Directory Services default context is the root of the NDS tree.

'NDS-context'

Specify the complete path name of the default NDS context name to be used.

NDS tree list (NDSTREELST)

Specifies a default list of NetWare Directory Services trees that will be used by the iSeries network administration support to determine which NetWare v4.x trees to enroll this i5/OS profile to. Each entry in the list will contain an NDS tree name and a list of default attributes associated with that tree.

Up to 10 entries can be specified for this parameter. An entry consists of a value from each of the following elements.

Single values

*SAME

The default NDS tree list entries do not change.

*NWSA

When *NWSA is specified, the NDS tree list from the network server attributes is used.

*NONE

When *NONE is specified, the default is to not enroll this profile to any NetWare v4.x trees.

Element 1: NDS tree

'NDS-tree-name'

Specify the name of the NetWare Directory Services tree where the iSeries network administration support will enroll i5/OS profiles into. The remaining elements describe the network server attributes that are associated with this NDS tree.

Element 2: User object context

Specifies the location in the NDS tree where newly created NDS user objects are created when enrolling profiles into the NDS tree. If the user object already exits in the NDS tree, it will be moved to this context the first time the iSeries administration support attempts to enroll the i5/OS profile. The NetWare complete name must be specified for this element.

'user-object-context'

Specify the NDS context where profiles will be enrolled into the NDS tree.

Element 3: Default server

Specifies the default NetWare Directory Services server to be used by the system when enrolling profiles into the NDS tree.

*ANY

The system selects any active server to use when accessing the NDS tree.

'server-name'

Specify the name of the default NDS server to be used by the system when enrolling profiles into the NDS tree. If this server is unavailable at the time the request is handled, the system attempts to find an active server that is available to handle the request.

Element 4: Profile object

Specifies a default NetWare Directory Services profile object that contains the profile login script to be used by the user when logging into the network. The NetWare distinguished name must be specified for this element.

*NONE

No profile login script is used by the NetWare user.

'profile-object-name'

Specify the distinguished name of the default NDS profile object containing the profile login script to be used by a user when logging into the network.

Windows server domain list (WNTDMNLST)

Specifies a list of Windows domains that will be used by the i5/OS user enrollment support to determine into which Windows domains this i5/OS profile is enrolled.

Each entry in the list will contain a domain, a user account template name, and a group type. The user account template name is the name of a Windows user identity that is to be used when creating new Windows users.

Up to 64 entries can be specified for this parameter. An entry consists of a value from each of the following elements. A domain name must be entered for each entry and must be unique within the list.

If the WNTDMNLST parameter has never been set, it is defaulted to *NONE.

Single values

*SAME

The Windows domain list entries do not change.

*NWSA

When *NWSA is specified, the Windows domain list from the system network server attributes is used.

*NONE

When *NONE is specified, this profile will not be enrolled into any Windows domains.

Element 1: Domain

'domain-name'

Specify the name of the Windows domain where the i5/OS user enrollment support will enroll this i5/OS profile.

Element 2: User template

Specifies the name of a Windows user that can be used as a template when creating new Windows users in the Windows domain.

Note: Changing this value will not affect Windows users that are already enrolled in the domain.

*NONE

No Windows user account template is used when creating a new user identity in the Windows domain.

'user-account-template-name'

Specifies the name of a Windows user account to be used when creating new Windows user identities in the domain.

Element 3: Group type

Specifies the type of group to be created in the Windows domain. This element is ignored when PRFTYPE(*USER) is specified.

*GLOBAL

A global group is created in the Windows domain.

*LOCAL

A local group is created in the Windows domain.

Windows local server list (WNTLCLSVRL)

Specifies a list of Windows local servers that will be used by the i5/OS user enrollment support to determine into which Windows local server the i5/OS profile is enrolled. Only those server names associated with locally configured Integrated xSeries Servers can be specified in this list.

Each entry in the list will contain a server name and associated user account template name. The user account template name is the Windows user account to be used when creating new Windows user identities on the server.

Up to 64 entries can be specified for this parameter. An entry consists of a value from each of the following elements. A server name must be entered for each entry and must be unique within the list.

If the WNTLCLSVRL parameter has never been set, it is defaulted to *NONE.

Single values

*SAME

The value does not change.

*NWSA

When *NWSA is specified, the Windows local server list from the system network server attributes is used.

*NONE

When *NONE is specified, this profile will not be enrolled into any Windows local servers.

Element 1: Server

'server-name'

Specify the name of a Windows local server where the i5/OS user enrollment support will enroll this i5/OS profile. This server must be a locally configured Integrated xSeries Server.

Element 2: User template

Specifies the name of a Windows user that can be used as a template when creating new Windows users on the local server.

Note: Changing this value will not affect Windows users that are already enrolled on the server.

*NONE

No Windows user account template is used when creating a new user identity on the Windows local server.

'user-account-template-name'

Specifies the name of a Windows user account to be used when creating new Windows user identities on the local server.

Examples

Example 1: Enrolling a user into a Windows network

CHGNWSUSRA   USRPRF(BOB)  DFTSVRTYPE(*WINDOWS)
             WNTDMNLST((DMN01 USRTMP1) (DMN02 *NONE))
             WNTLCLSVRL((LCLSVR1 TMPL1) (LCLSRV2 *NONE))

The above command will change the network server user attributes for user profile BOB. BOB's default server type is set to *WINDOWS.

The i5/OS user enrollment support will enroll user BOB into domain DMN01 using user account template USRTMP1 and also into domain DMN02.

The i5/OS user enrollment support will also enroll user BOB into local server LCLSVR1 using user account template TMPL1 and also into local server LCLSRV2.

Example 2: Enrolling a user into a NetWare network

CHGNWSUSRA   USRPRF(DENNIS)  NDSTREE(NWTREE1)
             NDSCTX(.MARKETING.HDQTRS.IBM)
             NDSTREELST(*NWSA)
             NTW3SVRLST(NTW3SVR2 NTW3SVR3)

The above command will change the network server user attributes for user profile DENNIS. The default NDS tree will be set to NWTREE1 and the default context to MARKETING.HDQTRS.IBM.

The NDS tree list from the system network server attributes is used. The i5/OS user enrollment support will enroll user DENNIS into each tree specified in the tree list. The NetWare 3.12 server list is set to include servers NTW3SVR2 and NTW3SVR3. User DENNIS will also be enrolled into both of these servers.

Error messages

*ESCAPE Messages

CPFA450

Network server user attributes for user profile &1 not changed. See previous messages.