ns700 windows adm tools

1 of 56

ContentsOverview of Windows Administrative Tools . . . . . . . . . . . . . . . . . . . . . . . .2

Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

EMC NAS Interoperability Matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4Windows Administration Tools Roadmap. . . . . . . . . . . . . . . . . . . . . . . . . .5Using Windows 2000 and Windows Server 2003 Administrative Tools . .6

Opening the Computer Management MMC . . . . . . . . . . . . . . . . . . . . .6Creating Local Groups on a Data Mover . . . . . . . . . . . . . . . . . . . . . . .8Assigning User Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10Creating Shares and Setting ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . .12Monitoring Data Mover Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . .15Auditing CIFS Users and Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

Using Windows NT Administrative Tools . . . . . . . . . . . . . . . . . . . . . . . . .27Accessing Windows NT Management Interfaces for a CIFS Server 27Creating Local Groups on a Data Mover . . . . . . . . . . . . . . . . . . . . . .31Assigning User Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33Creating Shares and Setting ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . .34Monitoring Data Mover Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . .36Auditing CIFS Users and Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

Related Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52Want to Know More? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

Using Windows AdministrativeTools with Celerra

P/N 300-001-255Rev A01

Version 5.2February 2004

Using Windows Administrative Tools with Celerra2 of 56 Version 5.2

Overview of Windows Administrative Tools

The Celerra® Network Server supports the CIFS protocol that allows Microsoft Windows clients to access files stored on the Celerra Network Server. After you have configured the Celerra Network Server to support Windows clients on the network, you can use Windows tools to perform a variety of administrative tasks on the Data Mover.

Note: For information on configuring Celerra for CIFS support, refer to the Configuring Celerra for the Windows Environment technical module.

This document is part of the Celerra Network Server documentation set and is intended for system administrators responsible for implementing the Celerra Network Server in their Windows network or for adding Windows clients to their existing UNIX network.

TerminologyThis section defines terms that are important to understanding the Celerra Network Server in the Windows environment. Refer to the Celerra Network Server User Information Glossary for a complete list of Celerra terminology.

CIFS (Common Internet File Service): A file-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets. The CIFS protocol is primarily used for file sharing by Windows platforms.

CIFS Server: A server that uses the CIFS protocol to transfer files. A Data Mover can host many instances of a CIFS server. Each instance is referred to as a CIFS server.

CIFS Service: A CIFS server process that runs on the Data Mover and presents shares on a network, as well as on Windows-based computers.

Data Mover: Celerra Network Server cabinet component running its own operating system that retrieves files from storage devices and makes the files available to a network client.

File system: A method of cataloging and managing the files and directories on a storage system.

NFS (Network File System): A distributed file system that provides transparent access to remote storage system. NFS allows all systems on the network to share a single copy of a directory.

NIS (Network Information Service): A network naming and administration system for smaller networks. NIS lets a user with a single user identification and password to gain access to files or applications on any host in the network. NIS is similar to the DNS in that it converts host names to IP addresses or IP addresses to host names but somewhat simpler and designed for a smaller network.

3 of 56Version 5.2Using Windows Administrative Tools with Celerra

Use of the Name Windows 2000The Celerra Network Server supports Windows 2000, Windows XP, and Windows Server 2003. Since the CIFS implementation on the Celerra Network Server is virtually identical for Windows 2000 and Windows XP, the term Windows 2000 in the rest of this technical module pertains to both operating systems. Windows Server 2003 is also similar to Windows 2000, and unless otherwise noted, functions the same as Windows 2000.


System RequirementsThis section describes the Celerra Network Server software, hardware, network, and storage configurations required for using Windows administrative tools as described in this technical module.

EMC NAS Interoperability MatrixRefer to the EMC NAS Interoperability Matrix for definitive information on supported software and hardware, such as backup software, Fibre Channel switches, and application support for Celerra network-attached storage (NAS) products.

To view the EMC NAS Interoperability Matrix:

1. Go to URL http://powerlink.emc.com.

2. Search for EMC NAS Interoperability Matrix, and select the latest version.

Table 1 System Requirements for Windows Administrative Tools

Software Celerra Network Server Version 5.2.

Hardware No specific hardware requirements.

Network No specific network requirements.

Storage No specific storage requirements.

https://powerlink.emc.com


Windows Administration Tools RoadmapTable 2 lists the tasks to manage Windows administration tools as described in this technical module.

Table 2 Windows Administration Tools Roadmap

Task Procedure

Performing Windows 2000 and Windows Server 2003 administrative tasks a CIFS server.

Using Windows 2000 and Windows Server 2003 Administrative Tools on page 6

Performing Windows NT administrative tasks on a CIFS server.

Using Windows NT Administrative Tools on page 27


Using Windows 2000 and Windows Server 2003 Administrative ToolsThe following sections provide information on performing typical Windows 2000 and Windows Server 2003 administrative tasks on the CIFS server on your Celerra Network Server. These tasks include the following:

◆ Opening the Computer Management MMC

◆ Creating Local Groups on a Data Mover

◆ Assigning User Rights

◆ Creating Shares and Setting ACLs

◆ Monitoring Data Mover Attributes

◆ Auditing CIFS Users and Objects

Note: For these tasks, Windows 2000 and Windows Server 2003 are virtually identical. Differences between the two are noted within the procedures themselves. The screens that are documented are Windows 2000 unless otherwise noted.

Opening the Computer Management MMCYou perform many of the Windows 2000 and Windows Server 2003 administrative tasks from the Computer Management Microsoft Management Console (MMC). Use this procedure to open the Computer Management MMC for a specific Data Mover.

Step Action

1. Log on to the Windows 2000 or Windows Server 2003 domain controller with administrator privileges for the Data Mover.


2. Select Programs, Administrative Tools, Active Directory Users and Computers from the Start menu. The Active Directory Users and Computers MMC opens.

3. Double-click EMC Celerra and click Computers.

Note: This is the default location. This may have changed when the CIFS server was joined to the domain.

4. In the Computer panel, right-click the Data Mover you want to manage and select Manage from the shortcut menu. The Computer Management window opens.

Step Action


Creating Local Groups on a Data MoverOnce you have created a CIFS service on a Data Mover and joined the Data Mover to the domain, you can use the MMC to create and manage local groups on the Data Mover with the CIFS service started.

About Local GroupsA local group is a group that is granted permissions and rights from its own computer to only those resources on its own computer on which the group resides. Local groups contain user accounts and other global groups that need to have access rights and permissions assigned to a resource on a local computer. Local groups can not contain other local groups.

Note: Celerra Network Server supports all types of Windows 2000 or Windows Server 2003 user groups, as well as nested groups. However, Celerra Network Server does not support local user accounts.

For more information about creating and managing local groups, refer to the Windows 2000 or Windows Server 2003 online help.

To Create a Local GroupFor Windows 2000 or Windows Server 2003, use this procedure to create a local group on a Data Mover.

Step Action

1. Open the Computer Management MMC for the Data Mover on which you want to create a local group. Refer to Opening the Computer Management MMC on page 6 for instructions.

2. Under System Tools, double-click Local Users and Groups.


3. Right-click Groups and select New Group from the shortcut menu. The New Group dialog box appears.

4. Enter a group name and description for the group.

5. Click Add. The Select Users or Groups dialog box appears.

Step Action


Assigning User RightsSetting user rights for individual users and global groups on a Data Mover should be performed through the Celerra Data Mover Security Management Console, which is an MMC snap-in to the Celerra Management Console.

Refer to the Installing Celerra Management Applications technical module for information on installing the Celerra Management Console. Refer to the Celerra Data Mover Security Management snap-in online help for information on setting user rights.

Note: You cannot use Microsoft’s Windows Local Policy Setting tools to manage user rights assignments on a Data Mover because in Windows 2000 and Windows Server 2003, the Windows Local Policy Setting tools do not allow you to manage user rights on remote computers.

To Assign User RightsOnce the Celerra Management Console is installed, use this procedure to access the Security Management snap-in.

6. • For Windows 2000, add users or groups to the new group by selecting user or group names and clicking Add.

• For Windows Server 2003, add users or groups to the new group by typing the name of the user or group and clicking Add. You can also search for users or groups by clicking Advanced and using the search fields.

7. When you are done adding group members, click OK. You return to the New Group dialog box.

8. Click Create. The group is created and added to the Groups list.

Step Action

1. Log in to a Windows 2000 or Windows Server 2003 server with administrator privileges for the Data Mover.

Step Action


2. Click Start and select Programs, Administrative Tools, Celerra Management. The Celerra Management window appears.

3. Do one of the following:• If a Data Mover is already selected (name appears after Data Mover Management),

go to step 4. • If a Data Mover is not selected:

a. Right-click Data Mover Management and select Connect to Data Mover from the shortcut menu.

b. In the Select Data Mover dialog box, select a Data Mover using one of the following methods:– In the Look in list, select the domain in which the Data Mover you want to manage is located, and then select the Data Mover from the list, or– In the Name box, type the computer name, IP address, or the NetBIOS name of the Data Mover.

4. Double-click Data Mover Management, and then double-click Data Mover Security Settings.

Step Action


Creating Shares and Setting ACLsOnce you have created a CIFS service on a Data Mover and added the Data Mover to the domain, you can use the Microsoft Management Console (MMC) to create shares and set ACLs on shares.

Note: Shares created through Windows administrative tools are only accessible from the NetBIOS name used by the Windows client. If you want the share to be globally accessible by all NetBIOS names, create a share with the Celerra server_export command and do not specify the netbios=<netbiosName> option.

PrerequisitesTo create a share with MMC, you must:

◆ Have assigned UNIX UIDs and GIDs to CIFS users. Refer to Configuring CIFS User Authentication in the Configuring Celerra for the Windows Environment technical module.

◆ Have mounted the file system and created directories you want to share.

◆ Be a member of the local Administrators group on a Data Mover.

5. Click User Rights Assignment. The assignable rights appear in the right panel.

6. Double-click a user right to assign it to a particular group or user. Refer to the Celerra Data Mover Security Management snap-in online help for more information on setting rights.

Step Action


To Create Shares and Set ACLs For Windows 2000 or Windows Server 2003, use this procedure to create a share on a Data Mover.

Step Action

1. Open the Computer Management MMC for the Data Mover on which you want to create the share. Refer to Opening the Computer Management MMC on page 6 for instructions.

2. Double-click Shared Folders.

3. Right-click Shares and select New File Share from the shortcut menu. • For Windows 2000, the Create Shared Folder dialog box appears. • For Windows Server 2003, the Share a Folder Wizard appears.

4. In the Create Shared Folder dialog box or Share a Folder Wizard, provide the following information:• The name of the folder to share. Enter the path of the folder or click Browse and

locate the folder.• The share name for the folder. You cannot create a NetBIOS share name with the

same name as a global share.

Note: The Celerra Network Server only supports ASCII share names. Share name length is limited to 12 bytes, unless Unicode is enabled, in which case the limit is 255 bytes.

• A share description.

5. Click Next. The Create Shared Folder dialog box or the Share a Folder Wizard prompts you for share permissions.


6. For both Windows 2000 and Windows Server 2003, set permissions by selecting one of the options. The Customize Share and Folder Permissions option lets you assign permissions to individual groups and users.

7. Click Finish.Result: The share is created on the Data Mover.

Step Action


Monitoring Data Mover AttributesYou can use Windows administrative tools to monitor the following Data Mover attributes:

◆ Users logged in to the Data Mover

◆ User accessing shares on the Data Mover

◆ Use of files on the Data Mover

Monitoring Users on the Data MoverFor Windows 2000 or Windows Server 2003, use this procedure to monitor the number of users connected to a CIFS server.

Step Action

1. Open the Computer Management MMC for the Data Mover that you want to monitor. Refer to Opening the Computer Management MMC on page 6 for instructions.

2. Under Shared Folders, click Sessions. The current users connected to the CIFS Server appear on the right.

3. Optional action:• To force disconnections from the CIFS server, right-click the username and select

Close Session from the shortcut menu.• To force all users to disconnect, right-click Sessions and select Disconnect All

Sessions from the shortcut menu.


Monitoring Access to Shares on the Data MoverFor Windows 2000 or Windows Server 2003, use this procedure to monitor access to shares on the CIFS server.

Monitoring Use of Files on the Data MoverFor Windows 2000 or Windows Server 2003, use this procedure to monitor open files on the CIFS server.

Step Action


2. Under Shared Folders, click Shares. The current shares in use appear on the right.

3. Optional action:To force disconnections from a share, right-click the share name and select Stop Sharing from the shortcut menu.

Step Action



2. Under Shared Folders, click Open Files. The current files that are in use appear on the right.

3. Optional action:• To close an open file, right-click the file and select Close Open File from the

shortcut menu.• To close all open files, right-click the Open Files folder and select Disconnect All

Open Files from the shortcut menu.

Step Action


Auditing CIFS Users and ObjectsAll auditing of CIFS servers on a Data Mover should be performed through the Celerra Data Mover Security Management Console, which is a Microsoft Management Console (MMC) snap-in to the Celerra Management Console.

By default, auditing is disabled for all Windows object classes. To enable auditing, you must explicitly turn it on for specific events on specific Data Movers. Once you have enabled auditing, auditing is initiated whenever the CIFS service on the relevant Data Mover is started, and terminated whenever the CIFS service is stopped.

Refer to the Installing Celerra Management Applications technical module for information on installing the Celerra Management Console. Refer to the Celerra Data Mover Security Management snap-in online help for information on setting audit policies.

The following topics are discussed in this section:

◆ Enabling User Auditing

• Specifying the Audit Policy

• Setting the Audit Log Parameters

• Changing Log File Size

• Viewing the Audit Events

◆ Disabling Auditing

Enabling User AuditingTo enable auditing on a Data Mover, you must complete the following steps:

Note: Check that the CIFS service is running on the Data Mover.

1. Specify the auditing policy from the Celerra Management Console.

2. Set the audit log parameters in Event Viewer.

3. (Optional) Change the log file size in the Windows Registry.

4. View the audit events in Event Viewer.

Each of these steps is described in the following sections.

Note: If the group policy object (GPO) is configured and enabled on the Data Mover, then the GPO configuration of the audit settings will be used. Refer to Managing Celerra for the Windows Environment for more information.


Specifying the Audit Policy

Once the Celerra Management Console is installed, use this procedure to access the Security Management snap-in and specify audit policies. Specifying the

Audit Policy

Setting the Audit Log Parameters

Viewing the Audit Events

Step Action

1. Log in to a Windows 2000 or Windows Server 2003 server using an account that is a member of the local Administrators group on the Data Mover.


3. Do one of the following:• If a Data Mover is already selected (name appears after Data Mover Management)



b. In the Select Data Mover box, select a Data Mover using one of the following methods:– In the Look in list, select the domain in which the Data Mover you want to manage is located, and then select the Data Mover from the list.– In the Name field, type the computer name, IP address, or the NetBIOS name of the Data Mover.




For Windows 2000 or Windows Server 2003, use this procedure to set the audit log parameters.

5. Click Audit Policy. The audit policies appear in the right panel.

6. Right-click Audit Policy and select Enable Auditing from the shortcut menu.

7. Double-click an audit object in the right panel to define the audit policy for that audit object. Refer to the Celerra Data Mover Security Management snap-in online help for more information on setting rights.

Step Action


Setting the Audit Log

Parameters


Step Action

1. Open the Computer Management MMC for the Data Mover you want to audit. Refer to Opening the Computer Management MMC on page 6 for instructions.

2. Double-click Event Viewer. The specific log files are displayed.


3. Right-click a log file and select Properties from the shortcut menu. The property sheet for the log appears.

4. Normally, the Maximum log size field is locked. You cannot modify the log file size unless you complete the procedure described next in Changing Log File Size on page 22.Once you have completed the procedure, return to the Application Properties dialog box for the log and click the arrows to increase or decrease the size of the logs.

5. In the Log size area of the dialog box, specify what happens when the maximum log size is reached:• Overwrite events as needed: Overwrites the earliest events in the event log once

the file size specified in Step 4 is reached.• Overwrite events older than (<n>) days: Overwrites events older than the number

of days specified. You can use the arrows to specify the limit, or click the field to enter a value.The file size specified in step 4 is not exceeded. If the number of events generated fills the file before the time limit you specify, the earliest events will be overwritten even if they are not older than the limit.

• Do not overwrite events: Fills the log up to the limit specified in step 4. Once the log is full, no new events are written to it until you clear the log.

6. Click OK to save the settings.

Step Action


Changing Log File Size

The security log file, C:\security.evt, is normally stored in the root file system, which has a maximum capacity of 128 MB. If you expect to retain large Event Viewer logs, you should change the directory in which this log resides. To do so, you must edit the Registry that resides on the Data Mover.

For Windows 2000 or Windows Server 2003, use this procedure to change the log file size.

Note: You must have auditing enabled on the Data Mover for these changes to take effect.

!! CAUTION

If you do not have experience editing the Registry, seek the assistance of someone who does before beginning this procedure.

Step Action

1. On the Windows 2000 or Windows Server 2003 system used to manage the Data Movers, start the Registry Editor as follows:

a. Select Start, Run.b. Enter regedit.exe in the Open field.c. Click OK.

The Registry Editor opens.

2. • For Windows 2000, from the Registry menu, select Connect Network Registry. The Connect Network Registry dialog box appears.

Note: Depending on how your CIFS account is setup, you might receive an error message stating, “Unable to connect to all roots in the computer’s registry.” Click OK to continue with the next step.

• For Windows Server 2003, from the File menu, select Connect Network Registry. The Select Computer dialog box appears.


3. • For Windows 2000, in the Computer name field, enter the name of the CIFS server and click OK.

• For Windows Server 2003, in the Enter the object name to select field, enter the name of the CIFS server or click Advanced to search by name. Click OK on the Select Computer dialog box.

The Registry Editor is updated to display the Registry information for the CIFS server.

4. Navigate to the following Registry key on the CIFS server:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security

The settings for the Registry key appear in the right panel.

5. Right-click the File icon in the right panel and select Modify. The Edit String dialog box appears.

6. In the Value data field, edit the path where you want to store the log file. For example, C:\<mtpnt>\<directory_name>\security.evt

Where:<mntpt> = mount point of the file system (must not be the root file system).Example: CIFS_FS_1<directory_name> = name of the directory.Example: Win2KLog

!! CAUTION

Do not change the name of the log file.

Step Action



For Windows 2000 or Windows Server 2003, use this procedure to view the audit events.

7. Click OK.

8. Close the Registry Editor. The changes you have made take effect immediately.

Step Action




Step Action

1. Click Start and select Programs, Administrative Tools, Event Viewer. The Event Viewer opens.

2. Right-click the Event Viewer icon in the right panel and select Connect to Another Computer from the shortcut menu. The Select Computer dialog box appears.

3. • For Windows 2000, click Browse, and select the name of the Data Mover to which you want to connect, and click OK.

• For Windows Server 2003, enter the name in the Enter the object name to select field or click Advanced to search for a computer.

Click OK again to close the Select Computer dialog box.

4. Click the log you want to view. The log entries appear in the right panel.


Disabling AuditingFor Windows 2000 or Windows Server 2003, use this procedure to disable auditing.

Note: If the group policy object (GPO) is configured and enabled on the Data Mover, then the GPO configuration of the audit settings will be used. Refer to Managing Celerra for the Windows Environment for more information.

5. Double-click the log entry to view the event detail. The Event Properties window opens.

Step Action

1. Log in to a Windows 2000 or Windows Server 2003 domain controller using an account that is a member of the local Administrators group on the Data Mover.

Step Action



3. Do one of the following:• If a Data Mover is already selected (name appears after Data Mover Management)



b. In the Select Data Mover dialog box, select a Data Mover using one of the following methods:– In the Look in list, select the Domain in which the Data Mover you want to manage is located, and then select the Data Mover from the list.– In the Name field, type the computer name, IP address, or the NetBIOS name of the Data Mover.


5. Right-click Audit Policy and select Disable Auditing from the shortcut menu.

Step Action


Using Windows NT Administrative ToolsThe following sections provide information on performing typical Windows administrative tasks on the CIFS server on your Celerra Network Server. These tasks include the following:

◆ Accessing Windows NT Management Interfaces for a CIFS Server

◆ Creating Local Groups on a Data Mover

◆ Assigning User Rights

◆ Creating Shares and Setting ACLs

◆ Monitoring Data Mover Attributes

◆ Auditing CIFS Users and Objects

Accessing Windows NT Management Interfaces for a CIFS ServerTo perform the procedures in the Using Windows NT Administrative Tools section, you need to open Windows NT interfaces and select the CIFS server that you want to manage. The following sections provide instructions on accessing the following interfaces for a specific CIFS server:

◆ User Manager for Domains

◆ Server Manager for Domains

◆ Event Viewer

Accessing User Manager for DomainsUse this procedure to open User Manager for Domains and select a CIFS server to manage.

Step Action

1. Log in to a Windows NT server from an account that is a member of the local Administrators group on the Data Mover.


Accessing Server Manager for DomainsUse this procedure to open Server Manager and select a CIFS server to manage.

2. Click Start and select Programs, Administrative Tools, User Manager for Domains. The User Manager window appears.

3. On the User menu, select Select Domain. The Select Domain window appears.

4. In the Domain field, enter the UNC name of the Data Mover’s CIFS server (for example, \\DM101) or the CIFS server’s IP address, and then click OK. The User Manager windows displays the default groups for the CIFS server.

Step Action

1. Log in to a Windows NT server from an account that is a member of the local Administrators group on the Data Mover.

Step Action


Accessing Event ViewerUse this procedure to open Event Viewer and select a CIFS server to view.

2. Click Start and select Programs, Administrative Tools, Server Manager. The Server Manager window appears, displaying a list of servers in the domain.

Note: If you want to access the server manager as someone else or from another domain, the username or group should be added to that Data Mover’s Administrator’s local group using User Manager for domains.

Step Action

1. Click Start and select Programs, Administrative Tools, Event Viewer. The Event Viewer window for the server you are using appears.

Step Action


2. Select the Select Computer option from the Log menu. The Select Computer window appears.

3. In the Computer field, enter the UNC name of the Data Mover’s CIFS server (for example, \\DM101) or the CIFS server’s IP address, and then click OK. The User Manager windows displays the default groups for this Data Mover.

Step Action


Creating Local Groups on a Data MoverOnce you have created a CIFS service on a Data Mover and added the Data Mover to the domain, you can use Windows NT User Manager to create and manage local groups on the Data Mover.

Note: You cannot use User Manager to create local users on the Celerra Network Server.

About Local GroupsA local group is a group that is granted permissions and rights from its own computer to only those resources on its own computer on which the group resides. Local groups contain user accounts and other global groups that need to have access rights and permissions assigned to a resource on a local computer. Local groups can not contain other local groups.

Note: Celerra Network Server supports all types of Windows NT users and groups.

For more information about creating and managing local groups, refer to the Windows NT online help.

To Create a Local GroupFor Windows NT, use the following procedure to add a local group to a Data Mover.

Step Action

1. Open User Manager for the CIFS server you want to manage. Refer to Accessing User Manager for Domains on page 27 for instructions on opening User Manager.

2. From the User menu, select New Local Group.... The New Local Group window appears.

3. Enter the name of the local group in the Name field. Optionally, enter a description in the Description field.


4. Click Add... to add the users to the local group. The Add Users and Groups window appears.

5. Click the down arrow in the List Names From field to display the list of domains.

6. Select a domain. The Names field displays the list of users and global groups in this domain.

7. Select the users or global groups you want to add to the local group and click Add. As you add names, they are displayed in the Add Names field.If you want to add only certain individuals from a global group do the following:

a. Select the global group.b. Click Members. The Global Group Membership window that lists all members of

this group appears.c. Select the users you want to add to the local group, and click Add. The users are

added to the local group, and their names are displayed in the Add Names field in the Add Users and Groups window.

8. When you have finished adding users and global groups to the local groups, click OK. The users and groups you have added appear in the Members field of the New Local Group window.

9. Click OK to create the local group.

Step Action


Assigning User RightsYou can use user rights assignments to manage which users and groups can log on to or execute tasks on a Data Mover. User rights assignments are local policies and apply only to the selected Data Mover.

Data Mover Usage NotesWhen a new CIFS service is created on a Data Mover and it becomes a domain member, there are no local groups resident on the Data Mover.

User RightsThe following privileges can be assigned to local groups, individual users, and global groups:

◆ Take ownership of files or object—All administrators have this capability.

◆ Back up files.

◆ Restore files.

◆ Bypass traverse checking—Bypassing traverse checking improves performance.

◆ Set security audit—Users with this privilege can manage audits on the server.

Note: This capability is not supported for Data Movers in the current release

To Assign User RightsFor Windows NT, use this procedure to set user rights on the Data Mover.

Step Action


2. From the Policies menu, select User Rights. The User Rights Policy window appears.


Creating Shares and Setting ACLsOnce you have created a CIFS service on a Data Mover and added the Data Mover to the domain, you can use the Windows NT Server Manager for Domains to create shares and set ACLs on shares.

Note: Shares created through Windows administrative tools are only accessible from the NetBIOS name used by the Windows client. If you want the share to be globally accessible by all NetBIOS names, create a share with the Celerra server_export command and do not specify the netbios=<netbiosName> option.

PrerequisitesTo create shares with Server Manager, you must:

◆ Have assigned UNIX UIDs and GIDs to CIFS users and groups. Refer to Configuring CIFS User Authentication in the Configuring Celerra for a Windows Environment technical module.

◆ Have mounted the file system and created directories you want to share.

◆ Be the Administrator—or another user that is a member of the Administrators local group on a Data Mover—for the domain to which the Data Mover belongs. If you want to use the NT Server Manager as someone else or from another domain, the username or group should be added to that Data Mover’s Administrator’s local group using User Manager for Domains.

3. Select the access right you want to assign to the local group by clicking the down arrow in the Right: field. For example, to assign the right to take ownership of files to the local group, click the down arrow to select Take ownership of files or other objects.

Note: Click Show Advanced User Rights to display all possible user rights.

4. Click Add. The Add Users and Groups window appears.

5. Click the down arrow in the List Names From: field and select the UNC name of the Data Mover’s CIFS service (for example, \\DM101). The list of groups with accounts on the Data Mover are displayed in the Names: field.

6. Select the local group name and click Add. The local group you selected appears in the Add Names field.

7. Click OK. The local group appears in the Grant To: field of the User Rights Policy window.

8. Repeat steps 3 through 7 for each access right you want to grant to the local group.

9. When you have assigned all desired rights to the local group, click OK in the User Rights Policy window.

Step Action


Note: You cannot use Windows NT administrative tools to manage server General Information and Password Relative Information for Data Movers.

To Create Shares and Set ACLsFor Windows NT, use this procedure to create a share on a Data Mover.

Step Action

1. Open Server Manager for the CIFS server you want to manage. Refer to Accessing Server Manager for Domains on page 28 for instructions on opening Server Manager.

2. Select a CIFS server and then select Shared Directories from the Computer menu. The Shared Directories window appears, displaying a list of shares on the Data Mover.

3. Click New Share. The New Share dialog box appears.

4. Enter the name of the share in the Share Name: field.

Note: The Celerra Network Server only supports ASCII share names. Share name length is limited to 12 bytes, unless Unicode is enabled, in which case the limit is 255 bytes.

5. Enter the local pathname of the share in the Path: field. The local pathname is the path on the local machine. For example, to create the share \News under the \Events directory on the C: drive, enter C:\Events\News.

Note: You must create and mount the \Events\News directory on the Data Mover prior to executing this step.


Monitoring Data Mover AttributesYou can use Server Manager for Domains to monitor the following Data Mover attributes:

◆ Users accessing the Data Mover

◆ User accessing shares on the Data Mover

◆ Use of Data Mover resources

6. Ensure the Maximum Allowed button in User Limit: is selected.

7. To set ACLs on the share, click Permissions. The Access Through Share Permissions window appears, displaying the default permissions for this share.

8. Do one of the following:• To modify the ACLs for a displayed group or user, select the group or user, select the

desired access in the Type of Access field, and click OK.• To add a group or user, click Add to display the Add Groups or Users window. Add

the group or user you want to have access to the share, click Add, and click OK. You can then modify the permissions.

• To delete a group or user, select the group or user and click Remove.

9. When you have completed the assignment of ACLs, click OK to return to the New Share window.

Note: For CIFS users, the ACLs you create override the base ACLs that may exist on the file system.

10. Click OK to complete the share creation.

Step Action


Monitoring Users on the Data MoverFor Windows NT, use this procedure to monitor the number of users connected to a CIFS server.

Step Action

1. Open Server Manager for the CIFS server you want to monitor. Refer to Accessing Server Manager for Domains on page 28 for instructions on opening Server Manager.

2. From the Computer menu, select Properties. The Properties for ... window appears, where the system name appears in the dialog box name.

3. Click Users. The Users Session on ... window appears, displaying the users with sessions on the Data Mover and the network resources (such as shares) that are available.

4. To force disconnections from the Data Mover, select the username and click Disconnect or Disconnect All.


Monitoring Access to Shares on the Data MoverFor Windows NT, use this procedure to monitor access to shares on the CIFS server.

Step Action


2. From the Computer menu, select Properties. The Properties for ... window appears, where the system name appears in the dialog box name.

3. Click Shares. The Shared Resources on ... window appears, displaying all active network resources (such as shares) available on the Data Mover, the number of users of the resource, and the path to the resource.

4. Click a resource to display the users connected to it.

5. To force disconnections from the resource, select the username and click Disconnect or Disconnect All.


Monitoring Use of Data Mover ResourcesFor Windows NT, use this procedure to monitor the use of Data Mover resources.

Auditing CIFS Users and ObjectsYou can use the Windows NT Event Viewer to audit Data Movers for certain events and activities. Many of the event types that are available for monitoring and auditing on a Windows NT server can be audited on a Data Mover.

By default, auditing is disabled for all Windows object classes. To enable auditing, you must explicitly turn it on for specific files and events on specific Data Movers. Auditing is only available on the specific object classes and events listed in Table 3 on page 41. Once you have enabled auditing, it is initiated whenever the CIFS service on the relevant Data Mover is started, and terminated whenever the CIFS service is stopped.

Note: Only members of the Administrators local group can set auditing on a server.

Step Action


2. From the Computer menu, select Properties.... The Properties for ... window appears, where the system name appears in the dialog box name.

3. Click In Use. The Open Resources on ... window appears, listing users who are accessing resources (such as shares) on the Data Mover.

4. To force disconnections from the resource, select the username and click Close Resource or Close All Resources.


The following topics are discussed in this section:

◆ Enabling User Auditing

• Specifying the Auditing Policy

• Setting the Audit Log Parameters

• Changing Log File Size

• Viewing the Audit Events

◆ Disabling Auditing

◆ Enabling Auditing on a Folder or File


Table 3 lists the types of events that can be audited.Table 3 Auditing Object Classes

Object class Event Audited for

Logon/logoff • CIFS user login• CIFS guest login

success

• Windows NT/UNIX mapping (user/domain combination not found)

• Password authentication error returned by domain controller (DC)

• DC returned a nonprocessed error code• No reply from DC (insufficient resources or bad protocol)

failure

File and object access

Object Open:• File and directory access (if system access control list

(SACL) set) for read, write, delete, execute, set permissions, take ownership

• Security Access Manager (SAM) local group modification

Close Handle:• File and directory access (if SACL set) for read, write,

delete, execute, set permissions, take ownership• SAM database closeObject Open for Delete:File and directory access (if SACL set)Delete Object:File and directory access (if SACL set)

success

SAM database access (lookup) success and failure

Process tracking Not supported N/A

System restart/shutdown

Restart:• CIFS service startup (includes DART release number)• CIFS service shutdown• Audit log cleared

success

Security policies Session Privileges: • Enumerate user privileges• User rights assigned• User rights deletedPolicy Change: List policy categories and associated audit state

success

Use of user rights Not supported N/A

User and group management

• Create local group• Delete local group• Add member to local group• Remove member from local group

success


When auditing is enabled, the Event Viewer creates a Security log with the following default settings:Table 4 Default Log Settings

Enabling User AuditingTo enable auditing on a Data Mover, you must complete the following steps:

Note: Check that the CIFS service is running on the Data Mover.

1. Specify the auditing policy in User Manager for Domains.

2. Set the audit log parameters in Event Viewer.

3. (Optional) Change the log file size in the Windows Registry.

4. View the audit events in Event Viewer.

Each of these steps is described in the following sections.

Specifying the Auditing Policy

For Windows NT, use this procedure to specify the auditing policy.

Note: To enable auditing on the Celerra Network Server, you must be an Administrator or a member of the Administrator local group on the Data Mover.

Log type Windows NT File name Maximum file size1

1. You must complete the procedure in Changing Log File Size on page 44 before you can modify this value.

Retention*

Security C:\security.evt 512 KB 10 days




Step Action

1. Open User Manager for the CIFS server you want to audit. Refer to Accessing User Manager for Domains on page 27 for instructions on opening User Manager.

2. In the User Manager for Domains window, select Audit... from the Policies menu. The Audit Policy window appears.



For Windows NT, use this procedure to set the audit log parameters.

3. By default, the Do Not Audit option is selected. To enable auditing, select Audit These Events. When you do so, the list of audited events becomes active.

4. For each supported object class that you want to audit, select Success or Failure. Refer to Table 3 on page 41 for a list of supported object classes.

5. Click OK.

6. Repeat steps 1 through 5 for each CIFS server that you want to audit.

7. Minimize or close User Manager for Domains.

Step Action


Setting the Audit Log

Parameters


Step Action

1. Open Event Viewer for the CIFS server that you want to audit. Refer to Accessing Event Viewer on page 29 for instructions on opening Event Viewer.

2. From the Log menu, select Log Settings.... The Event Log Settings dialog box appears. You can modify the Security, System, or Application log settings from this dialog box.

Note: Refer to Table 4 on page 42 for the default log settings.


Changing Log File Size

The security log file, C:\security.evt, is normally stored in the root file system, which has a maximum capacity of 128 MB. If you expect to retain large Event Viewer log files, you should change the directory in which this log resides. To do so, you must edit the Registry that resides on the Data Mover.

Note: If you receive an autorefresh warning message when updating the registry, click OK to continue.

!! CAUTION

If you do not have experience editing the Windows NT Registry, seek the assistance of someone who does before beginning this procedure.

3. In the Change Settings for field, click the down arrow to select the log you want to modify.

4. Normally, the Maximum Log Size field is locked. You cannot modify the log file size unless you complete the procedure described in Changing Log File Size, which follows.Once you have completed the procedure, return to the Event Log Settings dialog box and click the arrows to increase or decrease the size of the log.

5. In the Event Log Wrapping area of the dialog box, specify the log wrapping setting:• Overwrite Events as Needed: Overwrites the earliest events in the event log once

the file size specified in Step 4 is reached.• Overwrite Events Older than (<n>) Days: Overwrites events older than the

number of days specified. You can use the arrows to specify the limit, or click the field to enter a value.The file size specified in Step 4 is not exceeded. If the number of events generated fills the file before the time limit you specify, the earliest events will be overwritten even if they are not older than the limit.

• Do Not Overwrite Events: Fills the log up to the limit specified in step 4. Once the log is full, no new events are written to it until you clear the log.

6. Click OK. The Event Log Settings dialog box closes.

7. Repeat steps 2 through 6 for each log file you want to modify.

Step Action


For Windows NT, use this procedure to change the log file size.

Step Action

1. On the Windows NT system used to manage the Data Movers, select Run from the Start menu.

2. Type regedit32.exe and click OK. The Registry Editor appears.

3. From the Registry menu, select the Select Computer option. The Select Computer dialog box appears.

Note: If you receive an autorefresh warning message, click OK to continue.

4. In the Computer Name field, enter the NetBIOS name of the Data Mover and click OK. The Registry Editor is updated to display the Registry information for the Data Mover.

5. Navigate to the following Registry key:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\security\File

6. Right-click the File icon. The Edit File Value window displays the absolute path for the security log file (C:\security.evt by default) in the File field.



For Windows NT, use this procedure to view the audit events.

7. In the File field, edit the path where you want to store the log file. For example, C:\<mntpt>\<directory_name>\security.evt,Where:<mntpt> = mount point of the file system (must not be the root file system). Example: CIFS_FS_1<directory_name> = name of the directory.Example: WinNTlogs

!! CAUTION

Do not change the name of the log file.

8. Click OK.

9. Select Exit from the Registry menu to exit the editor. The changes you have made take effect immediately.

Step Action




Step Action

1. Open Event Viewer for the CIFS server that you want to view. Refer to Accessing Event Viewer on page 29 for instructions on opening Event Viewer.

2. Double-click an event to view the event detail. The Event Detail window opens.

3. Click Close to close the Event Detail window.

4. Repeat steps 2 and 3 for each event of interest.


Disabling AuditingAuditing can be suspended by modifying the audit policies in User Manager for Domains. Use this procedure to disable auditing.

Step Action


2. In the User Manager for Domains window, select Audit from the Policies menu. The Audit Policy window appears.

3. Do one of the following:• To suspend auditing on all object classes, select Do Not Audit. Click OK when

done.• To suspend auditing on individual object classes, clear Success or Failure for each

object class. Click OK when done.

4. Repeat steps 1 through 3 for each CIFS server that you want to audit.


Enabling Auditing on a Folder or FileAll Windows NT network users can establish auditing on directories or files to which they own or have read, write, and execute rights. The Celerra Network Server supports auditing on individual folders and files.

Use this procedure to enable auditing on a folder or file stored on the Celerra Network Server (alternatively, you can use the My Computer interface on the desktop).

Step Action

1. Ensure that auditing has been enabled on the share in which the file or folder you want to audit resides. Refer to Enabling User Auditing on page 42 for details on how to enable auditing on a Celerra-resident share.

2. Click Start and select Programs, Windows NT Explorer. The Windows NT Exploring window appears.

3. In the All Folders panel, navigate to the folder or file you want to audit.


4. Right-click the folder or file you want to audit and select Properties from the shortcut menu. The Properties window for this folder or file appears.

5. Click the Security tab. The Security window appears.

Step Action


6. Click Auditing. The File Auditing or Directory Auditing window appears.

7. Click Add. The Add Users and Groups window appears.

Step Action


8. You can audit activity on this directory or file by local group or by individual user, as follows:To audit activity by local group:1. Select the local group you want to audit.2. Click Add. The local group is added to the Add Names: box.3. Repeat steps 1 and 2 for each local group you want to audit.4. When you have added all local groups you want to audit, click OK to return to the

Directory Auditing window.

To audit activity by user:1. Select the local group containing the user you want to audit.2. Click Show Users. The users in the local group you selected appear at the bottom

of the Names: field. You may have to scroll down to view them.3. Select the user you want to audit.4. Click Add. The user is added to the Add Names: box.5. Repeat steps 1 through 5 for each user you want to audit.6. When you have added all the users you want to audit, click OK to return to the File

Auditing window.

Note: You can audit both local groups and users.

9. Once you have added the local groups and users you want to audit, you must select the events to audit.To select events to audit:1. Select the events for the folder or file that you want to audit in the File Auditing

window. You can select Read, Write, Execute, Delete, Change Permissions, or Take Ownership, and you can choose to audit Success or Failure for each.

2. Click OK. The File Auditing window closes.3. Click OK in the Properties window to apply the changes and close the window.

Step Action


Related InformationFor specific information related to the features and functionality described in this technical module, refer to:

◆ Managing Celerra for the Windows Environment technical module

◆ Configuring Celerra for the Windows Environment technical module

For general information on other EMC Celerra publications, refer to the Celerra Network Server User Information CD, which is supplied with your Celerra Network Server and also available at Powerlink™ at http://powerlink.emc.com.

Want to Know More?EMC Customer Education Courses are designed to help you learn how EMC storage products work together and integrate within your environment in order to maximize your entire infrastructure investment. EMC Customer Education features online, and hands-on training in state-of-the-art labs conveniently located throughout the world. EMC customer training courses are developed and delivered by EMC experts. For course information and registration, refer to EMC Powerlink, our customer and partner website on http://powerlink.emc.com.




Index

Aaccess rights

Windows 2000 10Windows NT 33

ACLs settingfor Windows 2000 groups 12for Windows NT groups 34

auditingWindows 2000

auditing 25changing log file size 22CIFS users on Data Mover 18–25enabling 18setting log parameters 20specifying policy 19viewing audit events 24

Windows NTCIFS users on Data Mover 39–46disabling 47enabling 42enabling for folder or file 48setting log parameters 43specifying policy 42viewing events 46

DData Mover

creating local groupsfor Windows 2000 8for Windows NT 31

editing Registryfor Windows 2000 22

editing registryfor Windows NT 44

Windows 2000monitoring files 16monitoring shares 16monitoring users 15

Windows NTmonitoring shares 38monitoring users 37

disablinguser auditing for Windows 2000 25user auditing for Windows NT 47

Eenabling

auditing for folder or file for Windows NT 48user auditing

for Windows 2000 18for Windows NT 42

Event ViewerWindows 2000 24Windows NT 29

Ffiles, monitoring on Data Mover for Windows 2000 16

Llimitations, Windows NT administrative tools 31local groups

Windows 2000creating on Data Mover 8setting user rights 10

Windows NTcreating on Data Mover 31setting user rights 33

log file, changing sizefor Windows 2000 22for Windows NT 44

MMMC, opening 6monitoring

Windows 2000files on Data Mover 16shares on Data Mover 16users on Data Mover 15

Windows NTshares on Data Mover 38users on Data Mover 37

RRegistry, editing

Windows 2000 22Windows NT 44

Ssecurity log file,changing size

for Windows 2000 22for Windows NT 44

Server Manager for Domains 28shares

Windows 2000creating 12monitoring on Data Mover 16setting ACLs 12

Windows NTcreating 34monitoring on Data Mover 38setting ACLs 34

Ttools

Event ViewerWindows 2000 24Windows NT 29

MMC 6Server Manager for Domains 28User Manager for Domains 27

54 of 56 Using Windows Administrative Tools with CelerraVersion 5.2

Uuser auditing

Windows 2000disabling 25enabling 18viewing events 24

Windows NTdisabling 47enabling 42viewing events 46

User Manager for Domains 27users

auditing from Windows 2000 18–25auditing from Windows NT 39–46monitoring on Data Mover for Windows 2000 15monitoring on Data Mover for Windows NT 37

WWindows 2000

changing log file size 22creating

local groups on the Data Mover 8shares 12

disabling user auditing 25enabling user auditing 18MMC 6monitoring

files on the Data Mover 16shares on the Data Mover 16users on the Data Mover 15

settingACLs on shares 12log parameters 20user rights 10

specifying audit policy 19Windows 2003 3, 6Windows NT

administrative tools, limitations 31auditing a file or folder 48changing log file size 44creating

local groups on the Data Mover 31shares 34

disabling user auditing 47enabling user auditing 42Event Viewer 29, 39monitoring

shares on the Data Mover 38users on the Data Mover 37

Server Manager for Domains 28setting

ACLs 34audit log parameters 43user rights 33

specifying audit policy 42User Manager for Domains 27viewing audit events 46

Windows XP 3


Notes

Copyright © 1998–2004 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

Using Windows Administrative Tools with Celerra 56 of 56

About This Technical ModuleAs part of its effort to continuously improve and enhance the performance and capabilities of the Celerra Network Server product line, EMC from time to time releases new revisions of Celerra hardware and software. Therefore, some functions described in this document may not be supported by all revisions of Celerra software or hardware presently in use. For the most up-to-date information on product features, see your product release notes. If your Celerra system does not offer a function described in this document, please contact your EMC representative for a hardware upgrade or software update.

Comments and Suggestions About the DocumentationYour suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Please send a message to [email protected] with your opinions of this document.

ns700 windows adm tools

Documents

windows network

windows server

windows tools

cifs server process

network naming

network client

windows platforms

nfs network file system