CHGNWSUSRA (Change Network Server User Attributes)


Purpose

The Change Network Server User Attributes (CHGNWSUSRA) command is used to change network server attributes for an OS/400 user or group profile that operates in a networking environment. This command can be used to do the following:

  1. Set network server attributes for a specific OS/400 user or group profile. For example, the default NetWare Directory Services (NDS) tree name could be set for a specific user profile.
  2. For NetWare networks, the network server attributes can be set so that this user or group profile will be enrolled into the NetWare network. Where the profile is enrolled depends on the values specified by the NDSTREELST and NTW3SVRLST parameters.
  3. For Windows networks, the network server attributes can be set so that a user or group profile will be enrolled into one or more Windows domains or local servers. When enrolling into a Windows local server, the server must be associated with a locally attached integrated Netfinity server. Where the profile is enrolled depends on the values specified by the WNTDMNLST and WNTLCLSVRL parameters.

    When an OS/400 user is enrolled, a matching Windows user identity is created in the Windows domain or on the Windows local server.

    When an OS/400 group profile is enrolled into a Windows domain or local server, a matching Windows group is created in the domain or local server. All OS/400 user profiles that are defined in the group are enrolled into the domain or local server and added to the Windows groups that are currently defined by the user account template.

Network server user attributes are saved by the Save System (SAVSYS) and Save Security Data (SAVSECDTA) commands. Network server user attributes are restored to the system when the user profile is restored. The Restore User Profile (RSTUSRPRF) command can be used to restore user profiles and the network server user attributes associated with them.

 

Restrictions

  1. Only a user with *OBJMGT and *USE authorities to the user profile being changed can specify this command.
  2. To make changes to the NDSTREELST, NTW3SVRLST, WNTDMNLST, or WNTLCLSVRL parameters, a user must have *SECADM special authority.
  3. The Windows domain and server names specified in the WNTDMNLST and WNTLCLSVRL parameters must follow the naming conventions of Windows.

 

Optional Parameters

USRPRF
Specifies the name of an OS/400 user or group profile whose network server attributes are to be set.

The following IBM-supplied profile names are not valid on this parameter:

QAUTPRF         QNFSANON
QCOLSRV         QRJE
QDBSHR          QSNADS
QDBSHRDO        QSPL
QDFTOWN         QSPLJOB
QDOC            QSYS
QDSNX           QTCP
QEJB            QTFTP
QFNC            QTSTRQS
QGATE
QLPAUTO
QLPINSTALL
QMSF
QNETSPLF
QNETWARE

Note: QNETWARE is valid when enrolling a profile to a NetWare tree or server. Any other use of QNETWARE is not supported.

The following profile names are not valid on this parameter when enrolling to a Windows domain or server.

GUEST                                                             
GUESTS                                                            
REPLICATOR                                                        
USERS                                                             

Note that QAUTPRF and QNFSANON were not disallowed in versions earlier than V4R1. Also, profiles QPRJOWN, QSRV, QSRVBAS, QSVSM, QTMPLPD, and QUMB were disallowed in pre-V4R1 versions, but are now legal to enroll. The change was made in order to keep in sync with the list OS/400 security uses for some of its commands.

*CURRENT: The user profile attributes for the current user profile are changed.

user-name: Specify the name of an OS/400 user or group profile.

PRFTYPE
Specifies whether the user or group attributes for a profile are to be changed.

*USER: The user profile attributes are changed.

*GROUP: The group profile attributes are changed.

PMTCTL
Specifies which network server attributes should be prompted for on the command.

*ALL: All parameters are prompted.

*NETWARE: Only those parameters that apply to *NETWARE servers are prompted.

*WINDOWSNT: Only those parameters that apply to *WINDOWSNT domains and servers are prompted.

PRPGRPMBR
Specifies how an OS/400 group and its users are to be enrolled. There are two different ways that an OS/400 group and its users can be enrolled.

  1. The OS/400 group is enrolled in the network. All of the members of the group are also enrolled in the network and added to the newly created group.
  2. Only the members of the OS/400 group are enrolled in the network. The group itself is not enrolled in the network.

The possible values are:

*SAME: The PRPGRPMBR value does not change. If the PRPGRPMBR parameter has never been set, it is defaulted to *ALL.

*ALL: The OS/400 group and all members of the group are enrolled. Any user profiles added to this group at a later time are also enrolled into the network.

*MBRONLY: Only the members of the group are enrolled. The group itself is not enrolled. Any user profiles added to this group at a later time are also enrolled into the network.

DFTSVRTYPE
Specifies the default server type for this user. This attribute is used primarily as a default for those OS/400 commands that support multiple network server types.

*SAME: The default server type does not change. If the DFTSVRTYPE parameter has never been set, it is defaulted to *NWSA.

*NWSA: The default server type from the system network server attributes is used.

*NETWARE: The default server type for the user is set to *NETWARE.

*WINDOWSNT: The default server type for the user is set to *WINDOWSNT.

NDSTREE
Specifies the name of the default NetWare Directory Services tree used by this user. The tree specified should be the one most often used by this OS/400 user when accessing the network.

*SAME: The NetWare Directory Services tree name does not change. If the NDSTREE parameter has never been set, it is defaulted to *NWSA.

*NWSA: The NetWare Directory Services tree specified in the system network server attributes is used.

*NONE: No default NetWare Directory Services tree is specified.

'NDS-tree-name': Specify the name of the default NetWare Directory Services tree.

NDSCTX
Specifies the distinguished name of a default NetWare Directory Services context to be used when this user issues OS/400 commands that use NDS objects. This becomes the current context when the OS/400 user signs on.

*SAME: The default NDS context name does not change. If the NDSCTX parameter has never been set, it is defaulted to *NWSA.

*NWSA: The NetWare Directory Services context specified in the system network server attributes is used.

*ROOT: The NetWare Directory Services default context is the root of the NDS tree.

'NDS-context': Specify the complete path name of the default NDS context name to be used.

NDSTREELST
Specifies a list of NetWare Directory Services (NDS) trees that will be used by the OS/400 user enrollment support when enrolling this OS/400 user or group. Each entry in the list will contain an NDS tree name and a list of attributes associated with that tree.

Up to 10 entries can be specified for this parameter. An entry consists of a value from each of the following elements. A value must be specified for each of the 4 elements for each entry.

*SAME: The NDS tree list entries do not change. If the NDSTREELST parameter has never been set, it is defaulted to *NONE.

*NWSA: When *NWSA is specified, the NDS tree list from the system network server attributes is used.

*NONE: When *NONE is specified, this profile will not be enrolled to any NDS trees.

NDS Tree List Entry

Element 1: NDS Tree Name

'NDS-tree-name': Specify the name of the NetWare Directory Services tree where the OS/400 user enrollment support will enroll this OS/400 profile. The remaining elements describe the attributes associated with this NDS tree.

Element 2: Default NDS User Object Context

Specifies the location in the NDS tree where NDS user and group objects are created when enrolling this OS/400 user or group profile into the NDS tree. Changing the default user object context will cause the user or group NDS object to be moved from the old context to the new one specified. The NetWare distinguished name must be specified for this element.

'user-object-context': Specify the NDS context where this OS/400 user will be enrolled into the NDS tree.

Element 3: Default NDS Server Name

Specifies the default NetWare server to be used by the system when enrolling this OS/400 user into the NDS tree.

*ANY: The system selects any active server to use when accessing the NDS tree.

'default-server-name': Specify the name of the default NDS server to be used by the system when enrolling this OS/400 user into the NDS tree. If this server is unavailable at the time the request is handled, the system will attempt to find an active server that is available to handle the request.

Element 4: Default NDS Profile Object Name

Specifies a default NetWare Directory Services profile object that contains the profile login script to be used by the user when logging into the network. The NetWare distinguished name must be specified for this element.

*NONE: No profile login script is used by the NetWare user.

'profile-object-name': Specify the distinguished name of the default NDS profile object containing the profile login script to be used by this user when logging into the network.

NTW3SVRLST
Specifies a list of up to 100 NetWare 3.12 servers into which this OS/400 user profile is enrolled.

*SAME: The list of NetWare 3.12 servers does not change. If the NTW3SVRLST parameter has never been set, it is defaulted to *NONE.

*NWSA: The NetWare 3.12 server list specified in the system network server attributes is used.

*NONE: When *NONE is specified, the profile will not be enrolled to any NetWare 3.12 servers.

'NetWare 3.12-server-name': Specify the name of a NetWare 3.12 server into which the OS/400 profile will be enrolled.

WNTDMNLST
Specifies a list of Windows domains that will be used by the OS/400 user enrollment support to determine into which Windows domains this OS/400 profile is enrolled.

Each entry in the list will contain a domain, a user account template name, and a group type. The user account template name is the name of a Windows user identity that is to be used when creating new Windows users.

Up to 64 entries can be specified for this parameter. An entry consists of a value from each of the following elements. A domain name must be entered for each entry and must be unique within the list.

*SAME: The Windows domain list entries do not change. If the WNTDMNLST parameter has never been set, it is defaulted to *NONE.

*NWSA: When *NWSA is specified, the Windows domain list from the system network server attributes is used.

*NONE: When *NONE is specified, this profile will not be enrolled into any Windows domains.

Windows Domain List Entry

Element 1: Domain Name

'domain-name': Specify the name of the Windows domain where the OS/400 user enrollment support will enroll this OS/400 profile.

Element 2: Windows User Account Template Name

Specifies the name of a Windows user that can be used as a template when creating new Windows users in the Windows domain.

Note: Changing this value will not affect Windows users that are already enrolled in the domain.

*NONE: No Windows user account template is used when creating a new user identity in the Windows domain.

'User-account-template-name': Specifies the name of a Windows user account to be used when creating new Windows user identities in the domain.

Element 3: Windows Group Type

Specifies the type of group to be created in the Windows domain. This element is ignored when PRFTYPE(*USER) is specified.

*GLOBAL: A global group is created in the Windows NT domain.

*LOCAL: A local group is created in the Windows NT domain.

WNTLCLSVRL
Specifies a list of Windows local servers that will be used by the OS/400 user enrollment support to determine into which Windows local server the OS/400 profile is enrolled. Only those server names associated with locally configured integrated Netfinity servers can be specified in this list.

Each entry in the list will contain a server name and associated user account template name. The user account template name is the Windows user account to be used when creating new Windows user identities on the server.

Up to 64 entries can be specified for this parameter. An entry consists of a value from each of the following elements. A server name must be entered for each entry and must be unique within the list.

*SAME: The Windows local server list entries do not change. If the WNTLCLSVRL parameter has never been set, it is defaulted to *NONE.

*NWSA: When *NWSA is specified, the Windows local server list from the system network server attributes is used.

*NONE: When *NONE is specified, this profile will not be enrolled into any Windows local servers.

Windows Local Server List Entry

Element 1: Server Name

'server-name': Specify the name of a Windows local server where the OS/400 user enrollment support will enroll this OS/400 profile. This server must be a locally configured integrated Netfinity server.

Element 2: Windows User Account Template Name

Specifies the name of a Windows user that can be used as a template when creating new Windows users on the local server.

Note: Changing this value will not affect Windows users that are already enrolled on the server.

*NONE: No Windows user account template is used when creating a new user identity on the Windows local server.

'User-account-template-name': Specifies the name of a Windows user account to be used when creating new Windows user identities on the local server.

Examples for CHGNWSUSRA

Example 1: Enrolling a user into a NetWare network

CHGNWSUSRA   USRPRF(DENNIS)  NDSTREE(NWTREE1)
  NDSCTX(.MARKETING.HDQTRS.IBM)
  NDSTREELST(*NWSA)
  NTW3SVRLST(NTW3SVR2 NTW3SVR3)

The above command will change the network server user attributes for user profile DENNIS. The default NDS tree will be set to NWTREE1 and the default context to MARKETING.HDQTRS.IBM.

The NDS tree list from the system network server attributes is used. The OS/400 user enrollment support will enroll user DENNIS into each tree specified in the tree list. The NetWare 3.12 server list is set to include servers NTW3SVR2 and NTW3SVR3. User DENNIS will also be enrolled into both of these servers.

Example 2: Enrolling a user into a Windows network

CHGNWSUSRA   USRPRF(BOB)   DFTSVRTYPE(*WINDOWSNT)
  WNTDMNLST((DMN01 USRTMP1) (DMN02  *NONE))
  WNTLCLSVRL((LCLSVR1 TMPL1) (LCLSRV2  *NONE))

The above command will change the network server user attributes for user profile BOB. BOB's default server type is set to *WINDOWSNT.

The OS/400 user enrollment support will enroll user BOB into domain DMN01 using user account template USRTMP1 and also into domain DMN02.

The OS/400 user enrollment support will also enroll user BOB into local server LCLSVR1 using user account template TMPL1 and also into local server LCLSRV2.
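
The restrictions and parameter rules above (the *SECADM requirement, the profile names not valid on USRPRF, the per-list entry limits, and unique domain and server names) can be checked before an enrollment change is submitted. The following Python sketch is an added example, not IBM code or part of the original reference; the function check_request and the shape of its arguments are hypothetical, and only the names and limits are taken from this page.

```python
# Added example (not IBM code): names below are copied from this page;
# check_request and its argument shapes are hypothetical.
IBM_RESERVED = frozenset("""
    QAUTPRF QCOLSRV QDBSHR QDBSHRDO QDFTOWN QDOC QDSNX QEJB QFNC QGATE
    QLPAUTO QLPINSTALL QMSF QNETSPLF QNETWARE QNFSANON QRJE QSNADS QSPL
    QSPLJOB QSYS QTCP QTFTP QTSTRQS""".split())
WINDOWS_RESERVED = frozenset({"GUEST", "GUESTS", "REPLICATOR", "USERS"})
# Documented maximum number of entries per enrollment list parameter.
LIST_LIMITS = {"NDSTREELST": 10, "NTW3SVRLST": 100, "WNTDMNLST": 64, "WNTLCLSVRL": 64}


def check_request(usrprf, params, has_secadm):
    """Return rule violations for a proposed CHGNWSUSRA call.

    params maps a parameter name to "*SAME", "*NWSA", "*NONE" or a list of
    entries; an entry is a name string or a tuple starting with the name.
    """
    problems = []
    name = usrprf.upper()
    changed = {k: v for k, v in params.items()
               if k in LIST_LIMITS and v != "*SAME"}
    enrolling = {k for k, v in changed.items() if v != "*NONE"}
    netware = bool(enrolling & {"NDSTREELST", "NTW3SVRLST"})
    windows = bool(enrolling & {"WNTDMNLST", "WNTLCLSVRL"})

    if changed and not has_secadm:
        problems.append("*SECADM required to change " + ", ".join(sorted(changed)))
    # QNETWARE is accepted only when the request enrolls to NetWare.
    if name in IBM_RESERVED and not (name == "QNETWARE" and netware):
        problems.append(f"{name} is an IBM-supplied profile not valid on USRPRF")
    if windows and name in WINDOWS_RESERVED:
        problems.append(f"{name} is not valid for Windows enrollment")
    for key, value in changed.items():
        if isinstance(value, str):
            continue  # *NWSA or *NONE: nothing to inspect
        if len(value) > LIST_LIMITS[key]:
            problems.append(f"{key} has {len(value)} entries, limit is {LIST_LIMITS[key]}")
        firsts = [(e if isinstance(e, str) else e[0]).upper() for e in value]
        # Assumption: Windows names compare case-insensitively.
        if key.startswith("WNT") and len(set(firsts)) != len(firsts):
            problems.append(f"{key} contains a duplicate name")
        if key == "NDSTREELST" and any(isinstance(e, str) or len(e) != 4 for e in value):
            problems.append("NDSTREELST entries need all 4 elements")
    return problems

# Constructed input mirroring Example 2 on this page.
EXAMPLE_2 = {"DFTSVRTYPE": "*WINDOWSNT",
             "WNTDMNLST": [("DMN01", "USRTMP1"), ("DMN02", "*NONE")],
             "WNTLCLSVRL": [("LCLSVR1", "TMPL1"), ("LCLSRV2", "*NONE")]}
```

An empty list means the request passes these checks; it does not verify the *OBJMGT and *USE authorities or the Windows naming conventions, which have to be confirmed on the system itself.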

Error messages for CHGNWSUSRA

*ESCAPE Messages

CPFA450
Network server user attributes for user profile &1 not changed. See previous messages.