The QAS400NT user
You need to set up the QAS400NT user in order to successfully enroll an i5/OS™ user or group profile on a domain or local server in the following cases:
- You are enrolling on a domain through a member server.
- You are enrolling on a local server using a template which specifies
a home directory path (as discussed in the section Specify a home directory in a template).
- You are enrolling on a domain through an i5/OS partition which contains both domain
controllers and member servers on the same domain.
You do not need to set up the QAS400NT user in order to successfully
enroll an i5/OS user or group profile on a domain or local server in the following
cases:
- You are enrolling on a domain through an i5/OS partition which contains a domain controller
but no member servers on the same domain.
- You are enrolling on a local server (or locally on a member server) using
a template which does not specify a home directory path.
If you need to set up the QAS400NT user, follow these steps:
- Create the QAS400NT user profile on i5/OS with User class *USER. Take note of the
password because you need it in the next step. Make sure that the password
complies with the rules for Windows passwords if you are enrolling on a domain.
See Password considerations.
- Create the QAS400NT user account on the Windows console of the integrated
Windows server you are enrolling through. Note that the i5/OS user profile
password and Windows user account password must be the same for the QAS400NT
user.
  - Setting up QAS400NT on a domain controller
    On the domain controller of the domain you are setting up enrollment for, create the QAS400NT user account as follows:
    - From the integrated server console:
      - In Windows 2000 Server click Start -> Programs -> Administrative Tools -> Computer Management -> Local Users and Groups.
      - In Windows Server 2003 click Start -> Programs -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups.
    - Select System Tools -> Local Users and Groups.
    - Right-click the Users folder (or the folder that the user belongs to), and select New -> User...
    - Enter the following settings:
      Full name: qas400nt
      User logon name: qas400nt
    - Click Next. Enter the following settings:
      Password: (the same password as you used for QAS400NT on i5/OS)
      Deselect: User must change password at next logon
      Select: User cannot change password
      Select: Password never expires
    - Click Next, then Finish.
    - Right-click the QAS400NT user icon and select Properties.
    - Click the Member Of tab and then Add.
    - Enter Domain Admins in the box and click OK, then OK again. This gives the QAS400NT user account sufficient rights to create users.
  - Setting up QAS400NT on a local server
    On the local server (or member server if you are enrolling locally) you are setting up enrollment for, create the QAS400NT user account as follows:
    - From the integrated server console:
      - In Windows 2000 Server click Start -> Programs -> Administrative Tools -> Computer Management -> Local Users and Groups.
      - In Windows Server 2003 click Start -> Programs -> Administrative Tools -> Computer Management -> System Tools -> Local Users and Groups.
    - Right-click the Users folder, and select New User....
    - Enter the following settings:
      User name: qas400nt
      Full name: qas400nt
      Password: (the same password as you used for QAS400NT on i5/OS)
      Deselect: User must change password at next logon
      Select: User cannot change password
      Select: Password never expires
    - Click Create, then Close.
    - Right-click the QAS400NT user icon and select Properties.
    - Click the Member Of tab and then Add.
    - Enter Administrators in the box and click OK, then OK again. This gives the QAS400NT user account rights to the User Administration Service.
- Enroll the i5/OS QAS400NT user profile on the domain or local server
using iSeries™ Navigator or the CHGNWSUSRA command. Refer to Enroll a single i5/OS user to the Windows environment using iSeries Navigator
for a description of how to do this. Do not try to use a template when enrolling
QAS400NT.
- Use iSeries Navigator or the WRKNWSENR command to confirm that QAS400NT has
been successfully enrolled. You may now enroll i5/OS user profiles through domain controllers
or member servers on the domain.
Notes:
- You may change the QAS400NT password from i5/OS since it is now an enrolled user.
- If there are multiple integrated servers that belong to different domains
on a single i5/OS partition, you must set up QAS400NT for each domain. All QAS400NT
user accounts must have the same password as the i5/OS user profile. Alternatively, consider
using Active Directory or trust relationships between domains, and enroll
users on only a single domain.
- If you have multiple i5/OS partitions and multiple integrated servers,
QAS400NT passwords on different i5/OS partitions can be different as long as
each domain does not contain integrated servers on more than one i5/OS partition.
The rule is, all i5/OS QAS400NT user profiles and corresponding Windows
user accounts must have the same password for a single domain.
- Be sure not to delete the QAS400NT user profile on i5/OS, or let the
password expire. To minimize the risk of the QAS400NT password expiring on
one of multiple i5/OS partitions on the same Windows domain, it is recommended
that you allow only one i5/OS partition to propagate changes to the QAS400NT user
profile. Refer to Preventing enrollment and propagation to an integrated Windows server for a description
of how to do this.
- If you have multiple i5/OS partitions, each with an integrated Windows
server on the same domain, failing to keep the QAS400NT password synchronized
across all i5/OS partitions can cause enrollment problems. To minimize this problem,
it is recommended that you limit propagation of changes to the QAS400NT password
to just one i5/OS partition, but still allow other partitions to keep sufficient
authority to enroll users. Then, failure to change a password on one of the
other partitions prevents user enrollment from that partition only. Refer
to Preventing enrollment and propagation to an integrated Windows server for a description of how to do
this.
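The password rule in the notes above is transitive: a partition has one QAS400NT password, so two partitions that never share a domain directly can still be forced onto the same password through a third. The following is an added planning example, not IBM code; it generalizes the rule to any inventory, and the partition, server and domain names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: (i5/OS partition, integrated server, Windows domain).
INVENTORY = [
    ("PARTA", "SRV1", "SALES"),
    ("PARTA", "SRV2", "ENG"),
    ("PARTB", "SRV3", "ENG"),
    ("PARTB", "SRV4", "OPS"),
    ("PARTC", "SRV5", "HR"),
]

def password_groups(inventory):
    """Group partitions and domains that must all use one QAS400NT password."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    # A partition and every domain it enrolls through share one password,
    # so link them; shared domains then link partitions transitively.
    for partition, _server, domain in inventory:
        parent[find(("P", partition))] = find(("D", domain))

    groups = defaultdict(lambda: (set(), set()))
    for node in list(parent):
        kind, name = node
        partitions, domains = groups[find(node)]
        (partitions if kind == "P" else domains).add(name)
    return sorted((sorted(p), sorted(d)) for p, d in groups.values())

def shared_domains(inventory):
    """Domains reached from more than one partition, where a stale
    QAS400NT password on one partition causes enrollment problems."""
    by_domain = defaultdict(set)
    for partition, _server, domain in inventory:
        by_domain[domain].add(partition)
    return {d: sorted(p) for d, p in by_domain.items() if len(p) > 1}

if __name__ == "__main__":
    for partitions, domains in password_groups(INVENTORY):
        print(f"{partitions} share one QAS400NT password across {domains}")
    print("domains spanning partitions:", shared_domains(INVENTORY))
```

Each group is also the set of domains in which a single QAS400NT password carries Domain Admins or Administrators rights, which is worth knowing when deciding which one partition is allowed to propagate password changes.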