|Document revision date: 30 March 2001|
You can monitor the activities of users by auditing their actions and resources on your server. Auditing an action or resource causes an entry to be written to the security event log whenever that activity is performed or a resource is accessed. This helps to ensure that users are accountable for their actions.
Auditing in the Advanced Server is configured on the domain level. Every server in a domain is covered by the domain's audit policy.
You can specify that an audit entry is written to the security event log when certain actions are performed or files are accessed. An audit entry shows the action, the user, and the date and time of the action. Both successful and failed logon attempts can be audited. The audit trail shows who performed which actions on a network, and who tried to perform actions that are not permitted.
Table 3-3 lists the categories of events that you can choose to audit and which events are covered by each category. For each of the categories listed, you can choose whether to audit only successful actions in that category, failed attempts to perform actions in that category, both, or neither.
|Logon and Logoff||Logon attempts, logoff attempts, and the creating and breaking of network connections to servers.|
|Object Access||Accesses of a directory or a file that is set for auditing in File Manager; uses of a printer managed by the computer.|
|Privilege Use||Successful uses of user or group rights, and failed attempts to use rights not assigned to users or groups.|
|Account Management||Creation, deletion, and modification of user and group accounts.|
|Security Policy Changes||Granting or revoking user rights to users and groups; changing the Audit policy; establishing and breaking trust relationships with other domains.|
|Restart 1, Shutdown 1, and System||Shutdowns and restarts of the computer, the filling up of the audit log, and the discarding of audit entries if the audit log is already full.|
|Process Tracking 1||Starts and stops of processes on the computer.|
Using ADMINISTER commands, you specify which types of security events are audited; designate which files are audited and how; set the size of the event log files; and save or clear the event logs when they become full.
Table 3-4 shows the types of directory and file accesses you can audit.
|Directory access||File access|
|Displaying names of files in the directory||Displaying the file's data|
|Displaying directory attributes||Displaying file attributes|
|Changing directory attributes||Displaying the file's owner and permissions|
|Creating subdirectories and files||Changing the file|
|Going to the directory's subdirectories||Changing file attributes|
|Displaying the directory's owner and permissions||Running the file|
|Deleting the directory||Deleting the file|
|Changing directory permissions||Changing the file's permissions|
|Changing directory ownership||Changing the file's ownership|
For more information, see your Server Administrator's Guide.
By organizing users into domains and setting up trust relationships, you can manage and track the actions of users while allowing them access to the resources they need.
In addition, you can arrange users into groups. Using groups makes it easier and faster to grant multiple users access to resources. You perform only one task to grant rights or permissions to a group; those rights and permissions are then active for all current and future group members.
Another advantage to using groups is evident when a new user joins the network. For example, a new accountant is hired and a group called Accountants has permissions to all of the network resources needed by accountants. Adding the new user to the Accountants group gives the new accountant all of the permissions that are needed.
Advanced Server groups do not map in any way to OpenVMS groups.
This chapter describes the types of groups and identifies some
strategies you can use to make your network simpler to administer and
easier to maintain.
4.1 What Is a Group?
A group is an account containing other accounts called members. The permissions granted to a group are also granted to its members. Groups are a convenient means of granting common access and user rights to collections of user accounts.
You can use the ADMINISTER commands to create and manage user and group accounts, to grant permissions for files and directories to users and groups, and to give users and groups access to printers.
On Advanced Servers, rights are granted and restricted on the domain
level; if a group has a right within a domain, its members have the
right on all servers in the domain (but not on Windows NT workstation
computers participating in the domain).
4.2 Types of Groups
You can group users who have similar jobs or resource needs into the following types of groups:
Table 4-1 shows the contents of both local and global groups.
|A global group contains . . .||A local group contains . . .|
|Name (up to 20 characters)||Name (up to 20 characters)|
|Members' user names||Members' user names or global group names; names of users and global groups from trusted domains|
4.3 Global Groups
A global group is a collection of user accounts from one domain that
are assembled under a single group name. A global group
can contain user accounts from only one domain --- the domain in which
the global group was created. After a global group is created, it is
available globally; that is, it can be granted permissions and rights
in its own domain as well as in any domain that trusts that domain. A
global group can contain only user accounts; it cannot contain other
global groups or local groups.
Figure 4-1 shows the global group Accounting, which can contain only users from the Finance domain, but which can appear in permissions lists in any domain that trusts Finance. In this example, the Accounting group can be granted permissions in the Sales domain. Likewise, the global group Planners can contain users only from the Sales domain, but the Planners group can appear in permissions lists in the Production domain.
Figure 4-1 Understanding Global Groups
4.4 Local Groups
A local group
is a collection of users and global groups from one or more domains
that have been assembled under a single group name. Although a local
group in a domain can contain users and global groups from that domain
and any domain trusted by that domain, you can grant rights and
permissions to a local group only for resources located in the domain
in which the local group is defined.
Local groups also can be used to classify users and give them predefined sets of rights and permissions. For example, to make an account for a print operator in a domain, you would add the account to the Print Operators local group in the domain. The account then would have all the rights and abilities required for a print operator. The use of that group is local to the servers in that domain. A local group can contain users and global groups, but it cannot contain any other local groups.
In Figure 4-2, a local group, Accounting, has been added to the Sales domain. Although Accounting can contain users and global groups from Finance (and any other domains that Sales trusts), Accounting can be assigned permissions and rights only in Sales.
Local groups also exist on Windows NT workstation computers. A local group on a workstation can contain user accounts from the workstation itself, and users and global groups from the workstation's domain and domains trusted by the workstation's domain.
Figure 4-2 Understanding Local Groups
The terms global group and local group indicate the scope of a group, not the contents of the group; they refer to the rights and permissions that a group can be granted. Local groups can contain global groups, but global groups cannot contain either local groups or other global groups. Although global and local groups serve similar functions, different rules apply to their creation and use.
As shown in Figure 4-2, a global group, Accounting, created in the Finance domain can:
A local group created in the Sales domain can:
This section discusses strategies for using global and local groups that can make your network easier to administer and maintain.
If you organize your domains so that each represents a division or department of your company, you can think of a global group as being a group of users from the same department. This group of users can be assigned permissions and rights in other domains. In this way, the global group becomes a means of exporting a group of users as a single unit to other domains in the company.
When administering an Advanced Server, you may see that a global group name is preceded by the domain name in which the global group is located. You see both the types of users that the group represents (by the group name) and the origin or location of that group (by the domain name). For example, when you view file permissions on a server in the Sales domain, if the Accounting global group in the Finance domain has permissions, they are shown as Finance\Accounting. In this way, you can positively identify a global group when it is referred to in a domain other than its own. (A global group viewed in its own domain has no domain name prefix. For example, when you view file permissions on a server in the Sales domain, global groups located in the Sales domain, such as Planners in Figure 4-2, are shown by their group names only.)
A local group can include users and global groups from other trusted domains. Therefore, it is a way to import users and global groups from other domains into a single unit for use in the local domain.
For example, suppose that a domain called Engineering has a server with a shared directory containing documents that explain the new technologies that the company is investigating. If managers in other departments (domains) are interested in seeing these documents, network administrators can provide this ability by performing the following procedure:
In this example, you could give permission to read the files to all the Managers global groups from the other domains and thus bypass the step of creating the local group. However, in many cases, creating the local group saves time later. For example, imagine that later on you add two new directories containing files of interest to managers. If you have not created the All Managers local group, you need to grant access for the new directories separately to all the Managers global groups, instead of to the single local group. If the All Managers local group contains many global groups rather than just the two in this example, creating it could represent a significant savings of effort.
As this example illustrates, a local group is a way of assembling global groups and assigning them permissions in one step. If another global group needs the same permissions as an existing global group, you can add the new global group to the appropriate local group to give it all the permissions it needs.
Table 4-2 summarizes the uses of global and local groups.
|Group users of a domain into a single unit for use in other domains||Global group||The global group can be put into local groups, or given permissions and rights directly, in other domains.|
|Need permissions and rights only in one domain||Local group||The local group can contain users and global groups from other domains.|
|Need permissions to access resources on Windows NT workstation computers||Global group||A domain's global groups can be given permissions on Windows NT workstation computers, but a domain's local groups cannot.|
|Contain other groups||Local group||The local group can contain global groups and individual users; no group of any type can contain other local groups.|
|Include users from multiple domains||Local group||The local group can contain users and global groups. The local group can be used only in the domain in which it is created.|
The actions that a user can perform depend on the group memberships of the user's account. The Advanced Server provides several default groups that have established collections of rights and abilities. Built-in groups are Advanced Server default groups that have established rights and abilities. The Advanced Server provides both global and local types of built-in groups:
The built-in groups are explained in the sections that follow.
4.7.1 Built-In Local Groups
When the Advanced Server is installed on any computer, several default built-in local groups are created. Table 4-3 lists the built-in local groups, their initial contents, and who can modify them.
|Local Group+||Initial Contents||Who Can Modify|
|Administrators||Domain Admins (global group) Administrator (user account)||Administrators|
|Users||Domain Users (global group)||Administrators, Account Operators|
|Guests||Domain Guests (global group)||Administrators, Account Operators|
In addition to these built-in local groups, an identity called Everyone represents all known people on the network, including administrators, all types of operators, users, users from other domains, and guests. You cannot change the membership of Everyone; it always contains all users. Everyone is not actually a local group and does not appear when groups are displayed, but you can assign file permissions and rights to Everyone.
Membership in built-in local groups gives a user certain privileges.
Table 4-4 shows the rights and abilities held by each built-in local group on an Advanced Server domain. The built-in global groups of a domain are not shown in this table because built-in global groups receive their rights and abilities indirectly through their memberships in built-in local groups.
|Right or Ability||Admin-
|Server Operators||Account Operators||Print Operators||Backup Operators||Every-
|Log on locally 1||X||X||X||X||X|
|Access this computer from network||X||X||X||X|
|Take ownership of files||X|
|Manage auditing and security log||X|
|Change system time 1||X||X|
|Shut down system 1||X||X||X||X||X|
|Force shutdown from a remote system 1||X||X|
|Back up files and directories 1||X||X||X|
|Restore files and directories 1||X||X||X|
|Create and manage user accounts||X||X 2|
|Create and manage global groups||X||X 2|
|Share and stop sharing directories||X||X|
|Share and stop sharing printers||X||X||X|
The following sections describe the built-in local groups in the Advanced Server. For information about built-in local groups on a Windows NT Server, see the Microsoft Windows NT Server Concepts and Planning Guide.
|privacy and legal statement|