
The function of the OS400_Permanent_Users and AS400_Permanent_Users groups is the same.

In certain environments it may be important to prevent an OS/400 administrator from deleting a Windows account without realizing the potential consequences. To address this situation there is a special Windows group called the OS400_Permanent_Users group (in the case of a domain controller), or the AS400_Permanent_Users group (in the case of a member server or local server). Users in these groups cannot be deleted from the Windows environment by commands initiated from OS/400. You can manually add a user account to these groups or, alternatively, you can specify the OS400_Permanent_Users group or the AS400_Permanent_Users group in a template account so that OS/400 user profiles are automatically added to these groups when they are enrolled. Refer to 6.2, “Creating user enrollment templates” on page 135 for a description of templates.

The Windows Administrator must delete users manually from these groups; they cannot be deleted using OS/400 commands. However, if you delete an OS/400 user profile or end enrollment for it, synchronization of the user profile to Windows does stop, even though the user has not been completely removed from Windows.

In contrast to members of the OS400_Users and AS400_Users groups, if you remove a user from the OS400_Permanent_Users or AS400_Permanent_Users groups on Windows, the user is not automatically replaced in the groups by the OS/400 integration software. This applies even if you use the WRKNWSENR command and select option 6 (retry enrollment) against the user. (This operation would reinstate a user in the OS400_Users or AS400_Users groups.)

6.2 Creating user enrollment templates

When you create a user profile in OS/400, you designate a security level (*SECOFR, *USER, *PGMR, and so on). When the user is enrolled in the Windows environment, these OS/400 security attributes are not carried across. The reason is that there is no direct mapping between the implementation of security on OS/400 and Windows. To work around this problem you can use a template, which is a normal Windows user account that has the characteristics that you want given to an OS/400 user profile when the profile is propagated to Windows. Each template is a Windows user account that defines user privileges such as group membership, folder or directory paths, and organizational unit containers. You can set up multiple templates, each of which corresponds to a different class of user under Windows.

You can use any Windows user account as a template, even an existing user. Templates save you the trouble of having to set up group memberships individually for each enrolled user. They also keep the attributes of multiple enrolled users consistent.

Template accounts must be set up before you start enrollment. You can have as many templates as you want, although it is recommended that you keep the number within manageable proportions. Typically, you need a template for each major type of Windows user.

If you do not use a template when you enroll OS/400 users, by default each user becomes a member of the Windows AS400_Users group and Users group if you enroll on a Windows member server or local server. They become members of the OS400_Users group and Domain Users group if you enroll on a Windows domain.

If you want Windows security to be part of the template that is used to create the Windows user account, you must make sure that the template account is a member of groups that have the appropriate level of authority assigned to them for the users you want to enroll. Note that the template account does not pass on its rights and permissions to propagated users. The assignment of rights and permissions to users and groups is handled in the normal way on Windows by an administrator.

You can make a template account a member of any Windows group, whether or not the group has been enrolled from OS/400. When you enroll OS/400 user profiles using this template, the users also become members of any non-enrolled groups in the template. OS/400 does not know about Windows groups that were not enrolled from OS/400. Therefore, you must manually remove users from non-enrolled groups on the Windows domain or local server.

An Active Directory organizational unit provides a method to grant users access to resources. If the template account is a user object in a Windows Active Directory organizational unit container, the newly created Windows user object is in the same organizational unit container.

The enrollment of a user on a domain or on a local server results in a user account that is created with the characteristics of the template, in addition to some of the settings in the OS/400 user profile. The following attributes of an OS/400 user profile are propagated to the corresponding Windows user account in real time, either at or following enrollment:

• User or group profile name: USRPRF
  Group profile of which the user profile is a member (if the group is enrolled).

• Supplemental groups: SUPGRPPRF
  Other groups of which the user profile is a member (if the groups are enrolled).

Templates are really only used when OS/400 user profiles are initially enrolled. Therefore, it is most important to ensure that the templates you use are an accurate reflection of the way you want the users who are enrolled in the Windows environment to be set up. Any subsequent changes to user profiles (except where noted above) must be made manually within the Windows environment, because after enrollment the template is not used again for that user.

Therefore, any changes to the template only affect users enrolled after the change. Changing an OS/400 user profile to use a different template after enrollment also has no effect. Note, however, that if you add an enrolled user profile to a different OS/400 group (also enrolled), the Windows user account is also added to the corresponding Windows group.

Following enrollment, the user should be treated as a normal Windows account for allocation to additional groups, setting of logon restrictions, and so on. These changes should be administered in the normal way using the Active Directory Users and Computers function on a domain controller or the Local Users and Groups function on a local server.

The OS400_Users and AS400_Users groups are maintained automatically and should not be changed. It is recommended that you do not remove users from these groups, although there is no harm in doing so. Remember that enrolled user accounts should not be deleted from the Windows environment unless you are really sure. Deleting an account results in the loss of ownership of files in Windows because of the Security ID (SID) change. To be safe, you can add the OS400_Permanent_Users or AS400_Permanent_Users group to your template accounts to ensure that every OS/400 user is a member of one of these groups and, therefore, cannot be deleted accidentally from Windows by an OS/400 user.
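The following PowerShell script is an added audit example, not code from the Redbook or from the OS/400 integration software. It uses the WinNT ADSI provider to check two things this section describes: that each template account you name is a member of the OS400_Permanent_Users or AS400_Permanent_Users group, and that no already-enrolled user (a member of OS400_Users or AS400_Users) is missing from the permanent group. It assumes the integration groups exist on the target and that the caller can read their membership; the -Target, -Domain and -Templates parameters are this example's own.

```powershell
# Added audit example (not from the Redbook). Assumptions: the integration
# groups already exist on the target, and the caller can read their membership.
# The WinNT ADSI provider is used so the same code works for a local server,
# a member server, or a domain (pass the NetBIOS domain name as -Target with -Domain).
param(
    [string]   $Target    = $env:COMPUTERNAME,  # computer name, or NetBIOS domain name
    [switch]   $Domain,                          # use the OS400_* groups instead of AS400_*
    [string[]] $Templates = @()                  # template accounts to check, e.g. TEMPUSER
)

$enrolledGroup  = if ($Domain) { 'OS400_Users' }           else { 'AS400_Users' }
$permanentGroup = if ($Domain) { 'OS400_Permanent_Users' } else { 'AS400_Permanent_Users' }

# Return the account names that are direct members of a Windows group.
function Get-GroupMemberNames([string]$Target, [string]$Group) {
    $g = [ADSI]"WinNT://$Target/$Group,group"
    @($g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

$enrolled  = Get-GroupMemberNames $Target $enrolledGroup
$protected = Get-GroupMemberNames $Target $permanentGroup

# 1. Templates that would not pass permanent-group membership on to new enrollments.
foreach ($t in $Templates) {
    if ($protected -contains $t) {
        Write-Output "OK      template $t is a member of $permanentGroup"
    } else {
        Write-Warning "template $t is NOT in $permanentGroup; users enrolled with it can be deleted from OS/400"
    }
}

# 2. Already-enrolled users that a command initiated from OS/400 could still delete.
$unprotected = @($enrolled | Where-Object { $protected -notcontains $_ })
if ($unprotected.Count -eq 0) {
    Write-Output "All $($enrolled.Count) members of $enrolledGroup are also in $permanentGroup"
} else {
    Write-Warning "$($unprotected.Count) enrolled user(s) not in ${permanentGroup}:"
    $unprotected | ForEach-Object { Write-Output "  $_" }
}
```

Run it on a member or local server as .\Check-PermanentUsers.ps1 -Templates TEMPUSER,TEMPADMN, or against a domain as .\Check-PermanentUsers.ps1 -Target MYDOMAIN -Domain -Templates TEMPUSER; users it lists can be added to the permanent group manually before they are needed.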

Generally speaking, you can make any changes you want to a Windows account that has been enrolled through OS/400, except for those settings that are propagated across from the corresponding OS/400 user profile. Any changes in Windows to these propagated settings are simply overwritten the next time propagation occurs.

Note: OS/400 parameter names are shown in uppercase letters.

Windows provides a Microsoft Management Console (MMC) snap-in utility called Security Templates and sample templates to use when you create your own template accounts.

Consult the Windows documentation for more information about Security Templates.

6.2.1 Example of template use

Table 6-1 shows examples of OS/400 group profiles and the templates used by them when enrolling users on a Windows domain. These are used to describe what happens when you modify a user from OS/400.

Table 6-1 Example of template use

The user profile STAGG is created on OS/400 and made a member of the OS/400 group USERGRP, which is enrolled on the Windows domain. Therefore, STAGG is automatically enrolled on the domain and becomes a member of the Windows groups USERGRP, OS400_Users, and Domain Users. STAGG becomes a member of OS400_Users because all enrolled users become members of that group on the integrated Windows server. STAGG is included in the Domain Users group because this group is specified in the template account TEMPUSER.

If you add STAGG to the OS/400 group ADMNGRP (which is also enrolled on the domain), the only change you would see in Windows is that STAGG is added to the Windows group ADMNGRP, in addition to the other groups of which user STAGG is already a member.

STAGG does not become a member of the Administrators group because the template TEMPADMN was not selected when user STAGG was first enrolled.

If user STAGG is re-enrolled using the template TEMPHOUR, there are no changes made to the corresponding Windows account. Again, the only time a template can be used is when a profile is enrolled for the first time.

6.2.2 Password considerations in an integrated Windows environment

There are a number of considerations that you need to be aware of when planning for password security in an integrated Windows environment:

• OS/400 Retain server security data (QRETSVRSEC) system value
  Refer to “OS/400 Retain server security data system value” on page 138.

• Windows Server 2003 password rules
  Refer to “Windows Server 2003 password rules” on page 138 for more information.

• Password expiry considerations
  Refer to “Password expiry considerations” on page 140 for more information.

• Password recommendations
  Refer to “Password recommendations for Windows templates” on page 141.
