Types of user configurations

It is helpful to think of integrated Windows users as fitting into three basic types:

Traditional user (password managed by i5/OS™)
By default users are set to this type. This user works in both Windows and i5/OS. The i5/OS password and Windows password will be synchronized. Each time that the integrated Windows server is restarted, the user's password will be reset to the i5/OS password. Password changes can only be made in i5/OS. This user type is recommended for running File Level Backup and remote Windows commands. To set a Windows user to this configuration, use WRKUSRPRF to set the user profile attribute LCLPWDMGT to *YES.
Windows password-managed user
This person does all or most of their work in Windows and may never, or rarely, sign-on to i5/OS. If the user signs-on to i5/OS, they must use an authentication method such as Kerberos to access i5/OS. This is discussed in the next section: Windows user with Enterprise Identity Mapping (EIM) configured.
When the user profile attribute LCLPWDMGT(*NO) is defined for an i5/OS user, the i5/OS user profile password is set to *NONE. The i5/OS enrollment password is saved until Windows enrollment is successfully completed. After the i5/OS user is enrolled to Windows, the Windows user may change and manage their password in Windows without i5/OS overwriting their password. Using this method allows for a more secure environment because there are fewer passwords being managed. To read how to create a user of this type, see Changing the LCLPWDMGT user profile attribute.
Windows user with Enterprise Identity Mapping (EIM) associations automatically configured
Specifying the user profile attribute of EIMASSOC to be *TGT, TGTSRC, or *ALL allows the integrated server to automatically define EIM Windows source associations. Using the automatic definitions of associations makes configuring EIM easier. To read how to create a user of this type, see Enterprise Identity Mapping (EIM).
Windows user with Enterprise Identity Mapping (EIM) associations manually configured
The user may choose to manually define EIM Windows source associations. This method may be used to set the i5/OS user profile to be enrolled to a different Windows user profile name. The user must manually define an i5/OS target association for the i5/OS user profile and also a Windows source association for the same EIM identifier.

Table 1. Types of user configurations
User type	Function provided	User profile definition
Traditional	Both i5/OS and Windows fully functional. Easy to configure. Password is changed from i5/OS. i5/OS and Windows user ID and passwords will be identical. Recommended for system administrators, users who frequently use i5/OS, or for systems which use i5/OS for back up and restoration of user profiles.	LCLPWDMGT(*YES) and no EIM Windows source associations defined.
Windows password-managed user	Password can be changed from Windows. Simple configuration. Windows password administration makes this configuration more secure because the i5/OS password is *NONE. i5/OS sign-on requires an authentication method such as iSeries™ Navigator provides with their support of i5/OS sign-on using Kerberos.	LCLPWDMGT(*NO)
Windows user with Enterprise Identity Mapping (EIM) associations auto configured	Automatic creation of Windows source associations makes it easier to set up and configure to use Kerberos enabled applications.	For example: EIMASSOC(CHG TARGET ADD CRTEIMID)
Windows user with Enterprise Identity Mapping (EIM) associations manually configured	Allows the user to define EIM associations for enrolled i5/OS user profiles to be different user profiles in Windows.	Use iSeries Navigator to manually define EIM i5/OS target associations and Windows source associations.