User and group concepts

One of the main advantages of using Windows environment on iSeries™ is the user administration function for i5/OS™ and Windows user profiles. The user administration function allows administrators to enroll existing i5/OS user and group profiles to Microsoft® Windows. This section will explain the function in more detail.

Enrollment

Enrollment is the process by which an i5/OS user or group profile is registered with the integration software.

The enrollment process happens automatically when triggered by an event such as running the CHGNWSUSRA command to enroll a user or group, an enrolled Windows user updating their i5/OS user profile password or user attributes, or restarting the integrated server. If the integrated Windows server is active, the changes are made immediately. If the integrated server is varied off, the changes occur the next time the server is started.

Windows domains and local servers

Enrollment can be made to either a Windows domain or a local server. A Windows domain is a set of resources (applications, computers, printers) which are networked together. A user has one account across the domain and needs only to log onto the domain to gain access to all the resources. An integrated server can be a member server of a Windows domain and integrate i5/OS user accounts into the Windows domain.

On the other hand, if you enroll i5/OS users to an integrated server which is not part of a domain, it is called a local server, and user accounts will only be created on that integrated server.

Note: In Windows networking, groups of local servers can be loosely affiliated by using Windows workgroups. For example, if you open My Network Places and click Computers Near Me, you will see a list of the computers in the same workgroup as you.

Microsoft Windows i5/OS groups

Two groups of users are created in Microsoft Windows as part of the installation to an integrated server.

AS400_Users Every i5/OS user, when first enrolled to the Windows environment, is placed in the AS400_Users group. You can remove a user from this group in the Windows environment, however, the next time an update occurs from the iSeries server, the user will be replaced. This group is a useful place to check which i5/OS user profiles are enrolled to the Windows environment.
AS400_Permanent_Users Users in this group cannot be removed from the Windows environment by the iSeries server. It is provided as a way to prevent Windows users from being accidentally deleted by actions taken within i5/OS. Even if the user profile is deleted from i5/OS, the user will continue to exist in the Windows environment. Membership in this group is controlled from the Windows environment, unlike the AS400_Users group. If you delete a user from this group, it will not be replaced when an i5/OS update is performed.

Using the i5/OS user profile LCLPWDMGT attribute

There are two ways to manage user profile passwords.

Traditional user You may choose to have i5/OS passwords and Windows passwords be the same. Keeping the i5/OS and Windows passwords the same is done by specifying the i5/OS user profile attribute value to be LCLPWDMGT(*YES). With LCLPWDMGT(*YES), enrolled Windows users manage their passwords in i5/OS. The LCLPWDMGT attribute is specified using the i5/OS Create or Change user profile (CRTUSRPRF or CHGUSRPRF) commands.
Windows user You may choose to manage enrolled Windows profile passwords in Windows. Specifying LCLPWDMGT(*NO) sets the i5/OS user profile password to *NONE. This setting allows enrolled Windows users to manage their password in Windows without i5/OS overwriting their password.

See Types of user configurations.

Using i5/OS Enterprise Identity Mapping (EIM)

Start of change There are two ways to take advantage of the i5/OS EIM support. You can automatically create an EIM association using functions in the EIM Windows registry. Defining EIM associations allows i5/OS to support Windows single sign-on using an authentication method such as Kerberos. Auto-creation and deletion of Windows EIM source associations are done when the i5/OS Create, Change, or Delete user profile (CRTUSRPRF, CHGUSRPRF, or DLTUSRPRF) commands are used specifying the EIMASSOC parameter values of *TARGET, *TGTSRC, or *ALL. End of change

You may manually define EIM associations in the EIM Windows registry. When an EIM i5/OS target association and Windows source association is defined for an i5/OS user profile, the enrolled i5/OS user profile may be defined as a different user profile name in Windows.

Note:

SBMNWSCMD, QNTC, and File Level Backup operations only work with EIM Kerberos associations. i5/OS user profiles mapped to different windows user names using an EIM Windows registry are not recognized. Those operations still attempt to use equivalent names.

For more information see Enterprise Identity Mapping (EIM).

Enrolling existing Windows user profiles

You can also enroll a user who already exists in the Windows environment. The password for the user must be the same on i5/OS as for the already existing Windows user or group. See Password considerations.

User enrollment templates

You can customize the authorities and properties a user receives during enrollment through the use of user enrollment templates. See User enrollment templates. If you do not use a template when you enroll users, they receive the following default settings:

Users become members of the AS400_Users group and either the Users group on a local integrated Windows server or the Domain Users group on a Windows domain.
i5/OS keeps track of the user's i5/OS password, password expiration date, description, and enabled or disabled status.

Enrolling i5/OS groups

Start of change Up to this point, only the enrollment of individual i5/OS user profiles to the Windows environment has been discussed. You can also enroll entire i5/OS groups. Then, when you add users to those i5/OS groups that have been enrolled to the Windows environment, you automatically create and enroll those users in the Windows environment as well. End of change

Enrolling to multiple domains

You may enroll users and groups to multiple domains, but typically this is unnecessary. In most Windows environments, multiple domains set up trust relationships with each other. In such cases, you only need to enroll the user in one domain because trust relationships automatically give the user access to other domains. See your Windows documentation for additional information about trust relationships.

Saving and Restoring enrollment information

Once you have defined your user and group enrollments, you need to save the enrollment definitions. You may save the enrollment information using options 21 or 23 on the GO SAVE menu, by using the SAVSECDTA command, or by using the QSRSAVO API. Restoring the user profiles is done using the RSTUSRPRF command and specifying USRPRF(*ALL) or SECDTA(*PWDGRP) values.

Using the PRPDMNUSR parameter

If you have multiple servers which are members of the same domain, you may prevent duplicate domain enrollment from occuring on each member server. Use the Propagate Domain User (PRPDMNUSR) parameter in the Change Network Server Despcription (CHGNWD) or Create Network Server Description (CRTNWSD) commands. See The QAS400NT user for more information.