
Adding Space for More Accounts

If necessary, use this procedure to enlarge the access control database:

1. Switch to another MS OS/2 session or exit the LAN Manager screen.

2. Move to the Lanman\Accounts directory.

3. Use the GROWACC command with the following option at the OS/2 prompt:

growacc N

N is the number of accounts you want the access control database to be able to handle. The maximum is 1048.

Make room for more accounts than you expect to have; filling up the database can hurt performance. Ideally, you should fill 60% of the database.

The more accounts the database can handle, the larger the NET.ACC file is, so keep an eye on available disk space.

4. Return to the LAN Manager screen.

You can now continue with the procedure for adding a user account.

Example

A new user, John O'Clare, needs to be able to use the mis server. Mary Sullivan must set up an account for him.

Username list box and selects [NEW]. She then chooses the Add command button.

In the Add User Account dialog box, Mary begins filling in information. She types the user name johnoc in accordance with company policy on forming user names from people's real names. Moving to the Password text box, she types the password she gives to every new user: newuser. She will later tell John to change his password to something personal.

In the Directory text box, Mary types the name of a home directory for John to use on mis. By established convention, she gives home directories the same name as the user account, so she types johnoc, which creates the directory 3Open\Users\Johnoc.

The next text box is Script. Mary has created a logon script for new employees that establishes some basic connections to printers and central servers. The script is in the 3OPEN\USERS\SCRIPTS\NEWUSER.CMD file, so she types scripts\newuser.cmd in this text box.

In the Comment text box, Mary types a remark for this account. Following the pattern of other mis accounts, she types in John O'Clare's full name and telephone extension. Pressing the [Tab] key, she moves to the column of option buttons defining privilege level. Since John is a junior accounting clerk with a limited need to access resources, she marks the Guest option button. This bars johnoc from membership in the users group; in the list boxes below, the users group name moves from the Member of to the Not a member of list box.

Mary then moves to the Use script check box. Since mis is a central logon validator, she marks this check box. When John logs on, LAN Manager will run a logon script for him at his netstation.

The next check box is Disabled. Since this is to be an active account, Mary leaves this box unmarked.

Managing User-Level Security


Finally, Mary moves to the two list boxes at the bottom of the dialog box. Because of the guest privilege level, johnoc cannot be a member of the users group.

However, he should be a member of the accounting group so that he can reach the appropriate resources for his job. She moves the accounting group name from the Not a member of list box to the Member of list box.

The information in this dialog box is now complete; Mary chooses the OK command button, and a confirmation dialog box appears, asking if it is all right to create the home directory for johnoc in the lanman\accounts\userdirs directory.

Mary chooses the OK command button to create the directory.

Since LAN Manager is creating a new directory on mis, it brings up the Edit File Permissions dialog box. Mary sees that johnoc is in the Permitted list box and has full permission (RWCXDAP). This means that John can do whatever he wants in this directory, even change the permissions of other users to access this directory.

When Mary chooses the OK command button, she is done with adding this user account.

Mary has two responsibilities after this:

• To give John information about his user name, password, and home directory. She should also tell him about changing his password and about the connections that are automatically made for him by the newuser.cmd logon script.

• To assign access permissions for John to specific resources. Since johnoc is a member of the accounting group, John already has access to some resources. If he needs to use other resources, Mary must give him additional group memberships or modify the permissions on the relevant resources.

NET USER

/add /delete

/priv:privilege

/remark:text /scriptpath: \path

Figure 8-2. NET USER Command

username is the name of the new account.

password is the user's password. If you leave this out, the user can access the server without supplying a password.

/add is the option that tells LAN Manager to add this account.


/priv:privilege is the user's privilege level: type user, guest, or admin.

/home:homedir is the home directory for the user on this server. If you leave this out, it does not affect the user's ability to access other resources on this server. If you establish a home directory, remember that you must assign permissions for that directory with the NET ACCESS command. See the "Managing Resources" section later in this chapter.

remark is a descriptive comment about this user. If you leave this out, it does not affect the account in any way. Remember to enclose the remark in quotes.

NOTE: Figure 8-2 shows the NET USER command with all the command options. You may wish to refer back to this figure when the different options of the command are discussed in succeeding sections.
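The option rules above can be checked mechanically before a NET USER /add line is run from an administrator's command file. The following Python sketch is an added example, not part of the original manual or of LAN Manager; the finding names, the SHARED_DEFAULTS list and the sample command lines are constructed for illustration.

```python
import re

# Splits on whitespace but keeps "double-quoted text" inside one token.
TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')
VALID_PRIVS = {"user", "guest", "admin"}      # levels listed for /priv
SHARED_DEFAULTS = {"newuser"}                 # assumption: site-wide starter passwords


def audit_net_user(cmdline):
    """Return findings for one NET USER ... /add command line."""
    tokens = TOKEN.findall(cmdline)
    if [t.lower() for t in tokens[:2]] != ["net", "user"]:
        raise ValueError("not a NET USER command")
    args = tokens[2:]
    first_opt = next((i for i, t in enumerate(args) if t.startswith("/")), len(args))
    positional = args[:first_opt]             # username, then optional password
    options, stray = {}, []
    for t in args[first_opt:]:
        if t.startswith("/"):
            name, _, value = t[1:].partition(":")
            options[name.lower()] = value
        else:
            stray.append(t)                   # text left over from an unquoted remark
    findings = []
    if "add" not in options:
        return findings                       # only account creation is audited
    if len(positional) < 2:
        findings.append("no-password")        # account usable without a password
    elif positional[1].lower() in SHARED_DEFAULTS:
        findings.append("shared-default-password")
    if "priv" in options and options["priv"].lower() not in VALID_PRIVS:
        findings.append("bad-privilege")
    if "home" in options:
        findings.append("home-needs-net-access")  # permissions are a separate step
    if stray:
        findings.append("unquoted-remark")
    return findings


# Constructed sample command lines (the telephone extension is a placeholder).
SAMPLES = [
    'net user johnoc newuser /add /priv:guest /home:johnoc '
    '/remark:"John O\'Clare, ext. 000" /scriptpath:scripts\\newuser.cmd',
    "net user tempclerk /add /priv:guest",
    "net user maryk S3cret! /add /priv:superuser /remark:Mary Kay",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit_net_user(line), "<-", line)
```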
