Chapter 6. User enrollment
One of the key benefits of installing Windows on the Integrated xSeries Server (IXS) and Integrated xSeries Adapter (IXA) is the ability to integrate the administration of both OS/400 and Windows users. This integration permits you to administer one unified set of users and groups instead of separate OS/400 and Windows user registries.
In this chapter we show you how to set up and administer user integration, and we cover these user enrollment topics:
Creating user enrollment templates
Enrolling OS/400 users and groups on Windows
Working with enrollment status
Ending enrollment
Terminology:
In this chapter, all references to Windows apply equally to Windows Server 2003 and Windows 2000 Server, except where noted.
An OS/400 user has a user profile whereas a Windows user has a user account.
An integrated Windows server is an instance of Windows running on an IXS or IXA.
Each integrated Windows server has its own corresponding network server description (NWSD).
6.1 Overview
The user enrollment function of iSeries Windows integration reduces the maintenance of Windows user accounts by replicating OS/400 user profile and password information to integrated Windows servers. This synchronization provides benefits to both administrators and users that include:
Centralized control of both OS/400 and Windows user administration through the iSeries Navigator GUI or an OS/400 green screen.
The ability to automatically assign OS/400 users to be members of Windows groups.
Single-password user access to OS/400 or Windows.
There are two key processes involved in the user enrollment function: enrollment and propagation. Here is a description of each:
Enrollment
The process by which an OS/400 user or group profile is registered with the integration software by using iSeries Navigator or the Change Network Server User Attributes command (CHGNWSUSRA).
Propagation
The process by which an enrolled OS/400 user or group profile, or updates to profiles, are sent to either a Windows domain or local server:
– Windows domain
The integrated Windows server, running on an IXS or IXA in the iSeries, is a member of a domain. A member of a domain can either be a:
• Domain controller
• Member server (any member of the domain that is not a domain controller)
– Windows local server
The integrated Windows server, running on an IXS or IXA in the iSeries, is a member of a workgroup. It is not part of a domain.
The enrollment and propagation processes happen automatically when they are triggered by an event such as running the CHGNWSUSRA command to enroll a user or group, a user updating their password on OS/400, or restarting the integrated Windows server.
Modifications to enrolled OS/400 user profiles, especially passwords, are propagated to the Windows domain or local server in real time. Password synchronization is a key benefit of running Windows on the IXS or IXA because it greatly reduces the administration of user accounts and passwords.
Because OS/400 is the source of record, control carefully who has authority to create and change user profiles, and from where profiles are modified. Apply the same discipline to managing control of users. It is usually more appropriate to perform user administration on OS/400 whenever possible, so that the OS/400 profile and the Windows account do not drift apart.
Important: In this chapter we refer to domains and local servers together as the Windows environment.
Important: Be aware that propagation of user profile information and passwords is one-way only: from OS/400 to Windows, but not vice versa. A password or attribute changed directly on the Windows side is not reflected back to the OS/400 user profile.
6.1.1 Management of users in a Windows integration environment
Users in a Windows integration environment can be managed through iSeries Navigator or green screen:
iSeries Navigator
Most user enrollment tasks can be performed using the iSeries Navigator graphical interface, and this is the recommended method. You do not need to know OS/400 CL commands to use iSeries Navigator.
Green screen
Green screen is the traditional text-based interface. It gives you more flexibility in the way you manage users in a Windows integration environment, but it is not recommended for new users unless a task cannot be performed using iSeries Navigator.
6.1.2 Saving and restoring enrollment information
After you have set up your user and group enrollments, be sure to save them. You can save the enrollment information using options 21 or 23 on the GO SAVE menu, by using the SAVSECDTA command, or by using the QSRSAVO API. For more information, refer to 7.3.5, “Disaster recovery backup and user enrollment information” on page 192.
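The green-screen enrollment step described in 6.1 (CHGNWSUSRA) and the save step described in 6.1.2 (SAVSECDTA), put together as a short CL program. This is an added example, not code from the Redbook. The user profile JSMITH, the group profile SALESGRP, the domain name IXSDOMAIN, the NWSD name IXSLOCAL, the *NONE template values and the tape device TAP01 are assumed values chosen for the illustration.

```cl
/* Added example: enroll an OS/400 user and group on Windows, check  */
/* enrollment status, then save the security data. All names below   */
/* (JSMITH, SALESGRP, IXSDOMAIN, IXSLOCAL, TAP01) are assumed.       */
PGM

/* Enroll a user profile on a Windows domain. Each WNTDMNLIST entry  */
/* is a domain name followed by the enrollment template to apply;    */
/* *NONE (assumed here) means no template is used.                   */
CHGNWSUSRA USRPRF(JSMITH) PRFTYPE(*USER) +
           WNTDMNLIST((IXSDOMAIN *NONE))

/* Enroll a group profile on a local (workgroup) server. The server  */
/* is identified by its network server description (NWSD) name.      */
CHGNWSUSRA USRPRF(SALESGRP) PRFTYPE(*GROUP) +
           WNTLCLLIST((IXSLOCAL *NONE))

/* Review the enrollment status of enrolled profiles before saving.  */
/* WRKNWSENR is the green-screen counterpart of the iSeries          */
/* Navigator status view; it is interactive, so run this program     */
/* from a command line rather than in batch.                         */
WRKNWSENR

/* Save the security data (user profiles and their enrollment        */
/* attributes) to tape, as 6.1.2 recommends.                         */
SAVSECDTA DEV(TAP01)

ENDPGM
```

Once the CHGNWSUSRA commands complete, propagation to the domain or local server happens automatically; no separate "push" command is needed. Remember that the propagation is one-way, so the save captures the OS/400 side only, which is the side you will restore from.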
6.1.3 OS/400 groups in Windows
Two OS/400-specific groups are created automatically on each integrated Windows server as part of the installation of Windows on the IXS or IXA. They perform functions specifically related to user enrollment. The two types of groups are:
Groups that are created on a domain controller:
– OS400_Users
– OS400_Permanent_Users
An example is shown in Figure 6-1.
Figure 6-1 Windows OS400_Users and OS400_Permanent_Users groups on a domain controller
Groups that are created on a member server or on a local server:
– AS400_Users
– AS400_Permanent_Users
The AS400_Users and AS400_Permanent_Users terminology was used with previous OS/400 releases, and these legacy groups are still used for reasons of compatibility with, and migration from, integrated Windows NT and 2000 Servers. An example is shown in Figure 6-2.
Figure 6-2 Windows AS400_Users & AS400_Permanent_Users groups on a member or local server