LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

Table 9 Global security attributes
| Attribute | Description |
|---|---|
| lockoutDuration | This integer attribute defines the amount of time that an account is locked due to the Lockout-Threshold being exceeded. This value is stored as a large integer that represents the negative of the number of 100 nanosecond intervals from the time the Lockout-Threshold is exceeded that must elapse before the account is unlocked. |
| maxPwdAge | This integer attribute specifies the maximum amount of time a password is valid. This value is stored as a large integer that represents the number of 100 nanosecond intervals from the time the password was set before the password expires. |
Security Policy Status Attributes
PAM_AUTHZ supports the attributes shown in Table 10, which hold the general security policy status
information for a particular user in the Active Directory Server.
Table 10 Security policy status attributes
| Attribute | Description |
|---|---|
| userAccountControl | This attribute controls the behavior of the user account. |
| userWorkStations | This string attribute contains the NetBIOS or DNS names of the computers running Windows NT Workstation or Windows Client Professional from which the user can log on. Each NetBIOS name is separated by a comma. |
| pwdLastSet | This integer attribute defines the date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the userAccountControl attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon. |
| accountExpires | This integer attribute specifies the time when the account expires. This value represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires. |
| lockoutTime | This integer attribute specifies the date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out. |
| logonHours | This integer attribute defines the number of hours that the user is allowed to log on to the domain. |
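The large-integer encodings in Table 9 and Table 10 can be evaluated as follows. This Python code is an added example, not part of the HP guide or of LDAP-UX; the function names and sample values are constructed, and the flag bit value 0x10000 and the handling of a zero maxPwdAge or lockoutDuration are assumptions not stated on this page.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF          # accountExpires "never" sentinel from Table 10
UF_DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl flag bit (assumed value)

def filetime_to_dt(ticks):
    """100 ns intervals since 1601-01-01 UTC -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt (microsecond precision)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def interval_to_td(ticks):
    """Policy interval in 100 ns units; abs() accepts the negative encoding."""
    return timedelta(microseconds=abs(ticks) // 10)

def account_status(user, policy, now):
    """Return the set of policy conditions that apply to `user` at `now`."""
    status = set()
    if not user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        if user["pwdLastSet"] == 0:
            status.add("must_change_password")
        # Assumption (not stated on the page): maxPwdAge 0 means no maximum age.
        elif policy["maxPwdAge"] and now >= (
                filetime_to_dt(user["pwdLastSet"]) + interval_to_td(policy["maxPwdAge"])):
            status.add("password_expired")
    # Compare against the sentinels before converting: NEVER overflows datetime.
    if user["accountExpires"] not in (0, NEVER) and now >= filetime_to_dt(user["accountExpires"]):
        status.add("account_expired")
    if user["lockoutTime"] != 0:
        # Assumption (not on the page): lockoutDuration 0 = locked until an admin unlocks.
        until = filetime_to_dt(user["lockoutTime"]) + interval_to_td(policy["lockoutDuration"])
        if policy["lockoutDuration"] == 0 or now < until:
            status.add("locked_out")
    return status

# Constructed sample values, not taken from a real directory.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
POLICY = {"maxPwdAge": -36288000000000, "lockoutDuration": -18000000000}  # 42 days, 30 min
USER = {
    "userAccountControl": 0x200,  # constructed: UF_DONT_EXPIRE_PASSWD not set
    "pwdLastSet": dt_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc)),
    "accountExpires": NEVER,
    "lockoutTime": dt_to_filetime(NOW - timedelta(minutes=10)),
}

if __name__ == "__main__":
    print(sorted(account_status(USER, POLICY, NOW)))
```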
6.5 Adding additional domain controllers
Your Active Directory contains configuration profiles downloaded by each client system and name
service data accessed by each client system. As your environment grows, you may need to add
additional domain controllers to your environment. Follow these steps:
1. Use the dcpromo.exe tool to install and configure a new Active Directory domain controller.
For more information, refer to the respective literature on Active Directory or check Microsoft's
library at:
http://msdn.microsoft.com/library/default.asp