This category includes the following APIs:

User - NetLogonEnum
User - NetUserAdd
User - NetUserDCDBInit
User - NetUserDel
User - NetUserEnum
User - NetUserGetAppSel
User - NetUserGetGroups
User - NetUserGetInfo
User - NetUserGetLogonAsn
User - NetUserModalsGet
User - NetUserModalsSet
User - NetUserPasswordSet
User - NetUserSetAppSel
User - NetUserSetGroups
User - NetUserSetInfo
User - NetUserSetLogonAsn
User - NetUserValidate2

User APIs control a user's account in the user accounts subsystem (UAS) database for LAN Server and OS/2 Warp Server. The following APIs are used with the DCDB.H and NETCONS.H header files:

• NetUserDCDBInit 
  NetUserGetAppSel
  
  NetUserGetLogonAsn
  
  NetUserSetAppSel
  
  NetUserSetLogonAsn

  Each user or application that accesses the resources must have a user account in the system. The system uses this account to verify that the user or application has permission to connect to any shared resource. A user's account is set up by calling the NetUserAdd API.

  There are three types of information in a user's account:

  • That which can be set only by the administrator 
    That which can be set by the owner of the account
    
    That which can be set only by the system

    The following user account information can be set only by Administrator authority:

    Account name

    The name used to log on (for example, JSMITH).
    Full name field
    The full name of the user (for example, John Smith, Jr.). This field can be up to MAXCOMMENTSZ + 1 bytes long. A null pointer is treated as a null string.
    Comment
    The comment associated with an account (for example, Vice President). It can contain any text and can be up to MAXCOMMENTSZ + 1 bytes.
    Home directory
    The network directory (absolute, UNC, or local path) for the user's files. The field length can be up to PATHLEN bytes.
    Account disabled
    When set, no one can log on using this account.
    Privilege level
    Affects the default rights of an account to access resources and to call APIs remotely. An account can have one of three levels of privilege: GUEST, USER, or ADMIN. GUEST is not valid in DSS
    Logon script flag
    Must be TRUE for OS/2 LAN Server and DSS.
    Logon script path
    The path name of the user's logon script. The logon script must be a path relative to the NETLOGON service SCRIPTS path. This field can contain up to PATHLEN bytes, and a null pointer is treated as a null string. The extension can be PRO, CMD (or BAT), EXE, or COM. If no extension is specified, CMD (or BAT) is used by default.
    Account expiration date
    The date after which logon is disabled.
    List of authorized requesters
    The workstations from which the account can log on. The list may include 0-8 workstations. Zero workstations means ALL.
    Logon hours
    One hour granularity, hours specified for each day of the week. A null pointer means ALL for NetUserAdd calls and means DONT_CHANGE for NetUserSetInfo calls.
    Home directory required
    Indicates that the Home Directory field must not be NULL.
    Password not required
    Permits the account to have a null password, even if the minimum password length for the system is greater than 0. This option is not supported in DSS.
    Maximum storage allotment
    Specifies the limit in KB on the home directory.
    User cannot change password
    Restricts users from changing the password on their accounts. This option is not supported in DSS.
    Logon server
    Points to an ASCIIZ string containing the name of the preferred server, which validates user logon requests for this user. The server name should be preceded by a double backslash (\\) and should be the name of a domain controller or backup server on the domain. A server name of an asterisk (\\*) indicates that the logon request can be handled by any domain controller or backup server on the domain. A null string indicates that the domain controller is the preferred logon server.
    DCE Primary Group
    Allows you to specify the distributed computing environment primary group. The default is "none".
    DCE Policy Group
    Allows you to specify the distributed computing environment policy group or organization. The default is "none".
    Password Strength Server
    Ensures that newly created or modified passwords follow specified rules of password composition. The DSS password strength server (PSS) is "lspwsd".
    The following fields can be set by a user (or by an administrator) only for the user's own account:

    Encrypted password

    When you create a password, it automatically becomes encrypted.
    User comment
    Can contain up to MAXCOMMENTSZ + 1 bytes long. A null pointer is treated as a null string.
    Parms
    Points to an ASCIIZ string that is set aside for use by applications. It can have as many as MAXCOMMENTSZ+1 characters.
    Country code
    The OS/2 country code for the language choice of the user. This is used by the OS/2 LAN Server software to generate messages in the appropriate language whenever possible.
    Code page
    The code page of the OS/2 program for national language support.
    Default resource domain
    An ASCIIZ string containing the name of the user's default resource domain.
    The following fields are set automatically by the accounts system and are not set directly by an administrator or user:

    Last logon

    The time and date when the last logon occurred. A value of 0 means unknown.
    Last logoff
    The time and date the last logoff occurred. A value of 0 means unknown.
    Bad password count
    The number of attempts to validate a bad password. A value of -1 means unknown.
    Number of logons
    The number of instances of logons to the account. A value of -1 means unknown.

    These fields are not used by DSS.

    When a user or application requests access to any shared resource, LAN Server checks to see whether there is a UAS account granting the proper access authority to that user or application. To make this easy, first call the NetUserGetInfo API with a specified user ID and password. If an account is found, the API returns whatever information is available at that level of data structure. If an account is not found, you can examine the returned flags to determine what must be done to establish an account. *

    The OS/2 LAN Server software then checks the user's privilege level. Depending on the parameter, the request to access a resource is accepted immediately, if the user has been given administrative privileges. Otherwise, processing continues. *

    Administrative privileges grant the broadest access to the domain, giving permission to run all administrative functions and complete access to the shared and nonshared resources of a server.

    If the user does not have administrative privileges, the LAN Server software checks the resource's access permission record to see whether the user has the proper permissions to use that particular resource. (See Access Permission Category.)

    Each time an account that has either administrative or user privileges is established with the NetUserAdd API, LAN Server automatically adds the new account to either the group ADMINS or the group USERS. At this time, the user inherits all permissions assigned to that special group.

    An application has two ways to change a user's current privileges: (1) by calling the NetUserSetInfo API, or (2) by changing that user's group accounts (see Group Category). Individually assigned user permissions take precedence over group permission assignments. An application can verify to which groups a user belongs by calling the NetUserGetGroups API. This API returns a list of group names.

    To find out how to change individual permission settings for members of one of the special groups, see Access Permission Category.

    When a user account is no longer needed, call the NetUserDel API to eliminate the account from the system. Once the account is removed, the user no longer can access the system.

    If an account does not have a password, any password (or none) is treated as a match for account validation. *

    To set password policy globally within the account system database, you can use user accounts subsystem (UAS) modals. None of the system-wide password characteristics are enforced for accounts that do not require passwords. *

    Enter passwords in uppercase characters. The password of a user account is case-sensitive at the API level, and lowercase characters in a password make the user ID unavailable at the command-line interface and through the User Profile Management (UPM) interface.

    The user's password is confidential and is not returned when the NetUserEnum or NetUserGetInfo API is called; a string of spaces is substituted for any password that is requested. The password is assigned initially when NetUserAdd is called. Any user or application can use NetUserPasswordSet to change a password, if the current password can be supplied. To verify an existing user account with a specified password, call NetUserValidate2. To set the password and other components of a user account, use the NetUserSetInfo API.

    To give a user access to network resources at logon, call the NetUserSetLogonAsn API. You can get information about a user's logon assignments by calling the NetUserGetLogonAsn API.

    To add network applications to their desktop applications folders, users can call the NetUserSetAppSel API. Users can get lists of the applications that appear in their desktop applications folders by calling the NetUserGetAppSel API.

    * This information does not apply to DSS. This specific information is part of LAN Server and OS/2 Warp Server.

    ---

    [Back] [Next]