<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>User and group concepts</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahqusrmgmtcpts"></a>
<h2 id="rzahqusrmgmtcpts">User and group concepts</h2>
<p>One of the main advantages of using the Windows environment on iSeries&trade; is the user
administration function for i5/OS&trade; and Windows user profiles. The user administration
function allows administrators to enroll existing i5/OS user and group profiles in Microsoft&reg; Windows.
This section explains the function in more detail.</p>
<p><span class="bold">Enrollment</span></p>
<p>Enrollment is the process by which an i5/OS user or group profile is registered with
the integration software.</p>
<p>The enrollment process happens automatically when triggered by an event
such as running the CHGNWSUSRA command to enroll a user or group, an enrolled
Windows user updating their i5/OS user profile password or user attributes,
or restarting the integrated server. If the integrated Windows server is active,
the changes are made immediately. If the integrated server is varied off,
the changes occur the next time the server is started.</p>
<p><span class="bold">Windows domains and local servers</span></p>
<p>Enrollment can be made to either a Windows domain or a local server. A
Windows domain is a set of resources (applications, computers, printers) which
are networked together. A user has one account across the domain and needs
only to log onto the domain to gain access to all the resources. An integrated
server can be a member server of a Windows domain and integrate i5/OS user accounts
into the Windows domain.</p>
<p>On the other hand, if you enroll i5/OS users to an integrated server which is
not part of a domain, it is called a <span class="bold">local server</span>, and
user accounts will only be created on that integrated server.</p>
<p><span class="bold">Note:</span> In Windows networking, groups of local servers
can be loosely affiliated by using Windows workgroups. For example, if you
open My Network Places and click Computers Near Me, you will see a list of
the computers in the same workgroup as you.</p>
<p><span class="bold">Microsoft Windows i5/OS groups</span></p>
<p>Two groups of users are created in Microsoft Windows as part of the installation
to an integrated server.</p>
<ul>
<li><span class="bold">AS400_Users</span> Every i5/OS user, when first enrolled to the Windows
environment, is placed in the AS400_Users group. You can remove a user from
this group in the Windows environment; however, the next time an update occurs
from the iSeries server, the user is placed back in the group. This group is a useful place
to check which i5/OS user profiles are enrolled to the Windows environment.</li>
<li><span class="bold">AS400_Permanent_Users</span> Users in this group cannot
be removed from the Windows environment by the iSeries server. It is provided as a way to
prevent Windows users from being accidentally deleted by actions taken within i5/OS. Even if the user profile is deleted from i5/OS, the user will continue to exist in the
Windows environment. Membership in this group is controlled from the Windows
environment, unlike the AS400_Users group. If you delete a user from this
group, it will not be replaced when an i5/OS update is performed.</li></ul>
<p><span class="bold">Using the i5/OS user profile LCLPWDMGT attribute</span></p>
<p>There are two ways to manage user profile passwords. </p>
<ul>
<li><span class="bold">Traditional user</span> You may choose to keep the i5/OS and
Windows passwords the same by specifying LCLPWDMGT(*YES) on the i5/OS user profile.
With LCLPWDMGT(*YES), enrolled Windows users manage their passwords in i5/OS. The LCLPWDMGT attribute is set with the i5/OS Create User Profile
(CRTUSRPRF) or Change User Profile (CHGUSRPRF) command.</li>
<li><span class="bold">Windows user</span> You may choose to manage enrolled Windows
profile passwords in Windows. Specifying LCLPWDMGT(*NO) sets the i5/OS user profile
password to *NONE. This setting allows enrolled Windows users to manage their
password in Windows without i5/OS overwriting it.</li></ul>
<p class="indatacontent">See <a href="rzahqencco.htm#rzahqencco">Types of user configurations</a>.</p>
<p><span class="bold">Using i5/OS Enterprise Identity Mapping (EIM)</span></p>
<p><img src="delta.gif" alt="Start of change" />There are two ways to take advantage of the i5/OS EIM support.
You can automatically create an EIM association using functions in the EIM
Windows registry. Defining EIM associations allows i5/OS to support Windows single sign-on using
an authentication method such as Kerberos. Windows EIM source associations are
automatically created and deleted when the i5/OS Create, Change, or Delete User Profile
(CRTUSRPRF, CHGUSRPRF, or DLTUSRPRF) commands are used with EIMASSOC
parameter values of *TARGET, *TGTSRC, or *ALL.<img src="deltaend.gif" alt="End of change" /></p>
<p>You may manually define EIM associations in the EIM Windows registry. When
an EIM i5/OS target association and Windows source association is defined for
an i5/OS user profile, the enrolled i5/OS user profile may be defined as a different
user profile name in Windows. </p>
<a name="wq31"></a>
<div class="notetitle" id="wq31">Note:</div><img src="delta.gif" alt="Start of change" />
<div class="notebody">SBMNWSCMD, QNTC,
and File Level Backup operations only work with EIM Kerberos associations. i5/OS user profiles mapped to different Windows user names using an EIM Windows
registry are not recognized; those operations still attempt to use equivalent
names.</div><img src="deltaend.gif" alt="End of change" /><p class="indatacontent">For more information see <a href="rzahqeim.htm#rzahqeim">Enterprise Identity Mapping (EIM)</a>.</p>
<p><span class="bold">Enrolling existing Windows user profiles</span></p>
<p>You can also enroll a user who already exists in the Windows environment.
The password for the user must be the same on i5/OS as for the already existing Windows user
or group. See <a href="rzahqpasswdconsids.htm#rzahqpasswdconsids">Password considerations</a>.</p>
<p><span class="bold">User enrollment templates</span></p>
<p>You can customize the authorities and properties a user receives during
enrollment through the use of user enrollment templates. See <a href="rzahqtmcco.htm#rzahqtmcco">User enrollment templates</a>.
If you do not use a template when you enroll users, they receive the following
default settings:</p>
<ul>
<li>Users become members of the AS400_Users group and either the Users group
on a local integrated Windows server or the Domain Users group on a Windows
domain.</li>
<li>i5/OS keeps track of the user's i5/OS password, password expiration date, description,
and enabled or disabled status.</li></ul>
<p><span class="bold">Enrolling i5/OS groups</span></p>
<p><img src="delta.gif" alt="Start of change" />Up to this point, only the enrollment of individual i5/OS user profiles
to the Windows environment has been discussed. You can also enroll entire i5/OS groups. Then, when you add users to those i5/OS groups that have been enrolled to the
Windows environment, you automatically create and enroll those users in the
Windows environment as well.<img src="deltaend.gif" alt="End of change" /></p>
<p><span class="bold">Enrolling to multiple domains</span></p>
<p>You may enroll users and groups to multiple domains, but typically this
is unnecessary. In most Windows environments, multiple domains set up trust
relationships with each other. In such cases, you only need to enroll the
user in one domain because trust relationships automatically give the user
access to other domains. See your Windows documentation for additional information
about trust relationships.</p>
<p><span class="bold">Saving and restoring enrollment information</span></p>
<p>Once you have defined your user and group enrollments, you need to save
the enrollment definitions. You may save the enrollment information using
options 21 or 23 on the GO SAVE menu, by using the SAVSECDTA command, or by
using the QSRSAVO API. Restoring the user profiles is done using the RSTUSRPRF
command and specifying USRPRF(*ALL) or SECDTA(*PWDGRP) values.</p>
<p><span class="bold">Using the PRPDMNUSR parameter</span></p>
<p>If you have multiple servers which are members of the same domain, you
may prevent duplicate domain enrollment from occurring on each member server.
Use the Propagate Domain User (PRPDMNUSR) parameter of the Change Network
Server Description (CHGNWSD) or Create Network Server Description (CRTNWSD)
command. See <a href="rzahqsuepi.htm#rzahqsuepi">The QAS400NT user</a> for more information.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>