Chapter 18 - Logon, Browsing, and Resource Sharing
| Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
This chapter describes how to configure and use the logon, network browsing, and peer resource sharing capabilities of Microsoft Windows 98. It is intended for advanced users and network administrators who need to know how to configure and use logon, browsing, and resource sharing.
See Also
For more information about installing and using Client for Microsoft Networks, see Chapter 16, "Windows 98 on Microsoft Networks."
For more information about other networking clients, see Chapter 17, "Windows 98 on Third-Party Networks."
For more information about system policies, see Chapter 8, "System Policies."
For more information about security, see Chapter 9, "Security."
Overview of Logon, Browsing, and Peer Resource Sharing
.gif "Cc768188.spacer(en-us,TechNet.10).gif")
This section summarizes key Windows 98 features that you can use to make network logon, resource browsing, and peer resource sharing easier and more secure for computers running Windows 98 on your network.
Unified System Logon Overview
Windows 98 offers a consistent user interface for logging on to and validating access to network resources. The first time the user logs on to Windows 98, logon dialog boxes appear for each network client on that computer and for Windows 98. For a Windows 95 upgrade, your Primary Network Logon setting and all Windows 95 password caching settings remain the same; therefore, you might not see a logon box for each client and for Windows 98 depending on how you have configured your computer.
Windows 98 includes the following features that enable you to see only one logon prompt (or no logon prompts) when you log on:
Unified system logon
Password caching
For more information about these features, see "Understanding System Logon," later in this chapter.
For Novell NetWare networks, Windows 98 provides graphical logon to Novell NetWare version 3.x, or version 4.x if the network is configured for bindery emulation or if your computer is running Microsoft Service for NetWare Directory Services. Windows 98 also provides a NetWare-compatible Login Script Processor. This means that if you are using Microsoft Client for NetWare Networks, Windows 98 can process NetWare login scripts.
For Microsoft networks, Windows 98 supports network logon using domain user accounts and logon script processing (as supported by Windows NT and LAN Manager version 2.x).
The Windows 98 logon processor can parse most statements in the NetWare login scripts. However, any statements loading terminate-and-stay-resident (TSR) programs must be removed from the scripts and loaded from Autoexec.bat. Because the Windows 98 logon processor operates in protected mode, it is not possible to load TSRs for global use from the login script. These TSRs should be loaded from Autoexec.bat before protected-mode operation begins, or you can use other methods described in "Using Logon Scripts" later in this chapter.
In some cases, logon scripts load backup agents as TSRs. In such cases, you can use protected-mode equivalents compatible with Windows 98, making it unnecessary to load these TSRs.
Network Browsing Overview
Network Neighborhood is the central point for browsing in Windows 98. It offers the following benefits:
Users can browse the network as easily as browsing the local hard disk.
Users can create shortcuts to network resources on the desktop and hard disk.
Users can easily connect to network resources by using the Map Network Drive dialog box.
Users can easily connect to network resources using universal naming convention (UNC) connections, which are described later in this section.
Users can open files and complete other actions by using new common dialog boxes in applications. This standard provides a consistent way to open or save files on both network and local drives.
The network administrator can customize Network Neighborhood by using system policies, as described in Chapter 8, "System Policies." A custom Network Neighborhood can include shortcuts to commonly used resources, including Dial-Up Networking resources.
In any situation in which you can type a path for connecting to a server—such as in the Map Network Drive dialog box or at the command prompt—you can specify the server name with two backslashes (\\) if your network uses UNC path names. For example, to connect to the server CORP, volume DOCS, directory WORD, and subdirectory Q1, type the UNC name \\corp\docs\word\q1.
Network browsing issues include the following:
You can plan ahead to configure workgroups for effective browsing by using Wrkgrp.ini to control the workgroups that people can choose. For more information about configuring Wrkgrp.ini, see Chapter 3, "Custom Installations."
If your enterprise network is based on Microsoft networking, is connected by a slow-link wide area network (WAN), and includes satellite offices running only Windows 98, users in the satellites cannot browse the central corporate network. Consequently, they can connect to computers outside their workgroups only by typing the computer name in a Map Network Drive dialog box. To provide full browsing capabilities, the satellite office must have a Windows NT Server.
Note There is one exception: if one computer in the satellite office has a workgroup name that corresponds to the corporate network's domain name, users will be able to browse the central corporate network. For more information, see Knowledge Base article 149941, "Windows Clients Not Able to Browse Remote Workgroups."
You can use system policies, such as Hide Drives In My Computer or Hide Network Neighborhood, to limit or prevent browsing by users. For more information, see Chapter 8, "System Policies."
Peer Resource Sharing Overview
The two peer resource sharing services in Windows 98 — Microsoft File and Printer Sharing for NetWare Networks and File and Printer Sharing for Microsoft Networks — are 32-bit, protected-mode networking components that allow users to share directories, printers, and CD-ROM drives on computers running Windows 98. File and printer sharing services work with existing servers to add complementary peer resource sharing services. These components are required for any computer whose name will appear in a browse list.
For example, using File and Printer Sharing for NetWare Networks produces the following benefits:
Users can share files, printers, and CD-ROM drives without running two network clients. This saves memory, improves performance, and reduces the number of protocols running on your network.
Security is user-based, not share-based. You can administer user accounts, passwords, and group lists from the NetWare server, because File and Printer Sharing for NetWare Networks uses the NetWare server's authentication database.
Note In the Windows 98 Resource Kit, NETX is used to refer to the Novell NetWare workstation shell for NetWare version 3.x; VLM (Virtual Loadable Module) is used to refer to the workstation shell for version 4.x.
Users running VLM or NETX clients can access shared resources on computers running Windows 98. The computer running Windows 98 looks as if it were just another NetWare server if it uses Service Advertising Protocol (SAP) Advertising, as described in "Using File and Printer Sharing for NetWare Networks" later in this chapter. The computer providing file and printer sharing services can handle up to 250 concurrent connections.
You can add secure storage space and printing to the network inexpensively, while using familiar NetWare tools to manage these resources. You can reduce the load and improve the performance of NetWare servers by moving selected shared resources to one or more computers running file and printer sharing services. This allows you to manage load balancing for users without adding a new NetWare server.
You get a scalable, high-performance 32-bit peer server that uses multiple 32-bit threads, the Windows 98 Virtual File Allocation Table (VFAT) 32-bit file system, 32-bit network driver interface specification (NDIS) drivers, a 32-bit Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX) – compatible protocol, and the Packet Burst protocol.
Similar benefits are available when you use File and Printer Sharing for Microsoft Networks. You can also use either share-level security or, on a Windows NT network, user-level security to protect access to peer resources.
Resource sharing issues include the following:
You can install only one file and printer sharing service at a time.
If you want to configure a computer to share its files or printers, the choice of which file and printer sharing service you install depends on whether users who will be browsing for shared resources are running Microsoft or NetWare network clients.
If you want to use File and Printer Sharing for NetWare Networks, a NetWare server must be available on the network. This peer resource sharing service uses only user-level security, not share-level security, so a NetWare server must be available to validate user accounts. Also, the NetWare server must include a Windows_Passthru account (with no password) in its user accounts database.
If you plan to use File and Printer Sharing for Microsoft Networks with user-level security, a Windows NT Server or domain must be available to validate user accounts.
If you are configuring a user's workstation to act as a peer server, you might also want to specify that this computer cannot run MS-DOS-based applications that take exclusive control of the operating system, shutting down file and printer sharing services. To do this, you can set the system policy named Disable Single-Mode MS-DOS Applications.
Logging on to Windows 98
This section discusses how to configure logon for Windows 98 computers.
Understanding System Logon
There are two levels of system logon on Windows 98 computers:
Log on to Windows 98 by using a user name and password.
With Windows 95, you logged on to the computer using the Windows Logon. Windows 98 provides a new option called Microsoft Family Logon. If user profiles are enabled and Microsoft Family Logon has been configured, Microsoft Family Logon lists all users for that computer. For more information about the Microsoft Family Logon, see "Configuring Microsoft Family Logon" later in this chapter. For more information about user profiles, see Chapter 7, "User Profiles.
Log on to a Windows NT domain, NetWare network, or another network for which you are using a 32-bit, protected-mode networking client.
Windows 98 provides a single unified logon prompt that allows the user to log on to all networks and Windows 98 at the same time. The first time a user starts Windows 98, there are separate logon prompts for each network, as well as one for Windows 98. If these passwords are made identical, the system logon prompt for Windows 98 is not displayed again.
Note The Passwords option in Control Panel provides a way to synchronize logon passwords for different networks so they can be made the same if one is changed. For more information, see Chapter 9, "Security."
Windows 98 also includes a related feature, called password caching. With password caching, when a user logs on to other networks with different passwords and chooses to save them, the passwords are stored in a password cache. Thereafter, the user sees only the Windows 98 logon prompt, or no prompt, even if the Windows 98 password is different from the password for the primary network client. You can enable password caching for a network client simply by selecting the check box for the Save this password in your password list option on the logon prompt for your network client (if the check box appears). You can also enable password caching later, by using the following procedure:
To set up password caching of network passwords
In Control Panel, double-click Network.
In Primary Network Logon, select Windows Logon, and then click OK.
In Control Panel, double-click Passwords, click Change Windows Password, and then click OK.
Make your Windows password blank, and then click OK two times.
Restart your computer.
When asked for a password to log on to Windows 98, enter a password, and then press OK.
For each network prompt, enter your network password and make sure the check box for Save this password in your password list is selected.
Note This check box does not appear for Client for NetWare Networks unless you are using Service for NetWare Directory Services. Therefore, to use password caching with Client for NetWare Networks, you must install Service for NetWare Directory Services.
The next time you log on to Windows 98 using that password, Windows 98 uses the passwords stored in this cache to log the user on to other networks, you do not need to type any additional passwords.
You can also configure Windows 98 to perform an automatic or "silent" logon, by opening the user's password file with a blank password. To do so, follow the procedure above, but instead of entering a password in Step 5, simply click OK. On subsequent boots, you will not need to log on either to Windows 98 or to the network.
You might choose this configuration, for example, for peer servers that are physically secure from user access and that must be able to automatically recover from power outages or other failures without user intervention.
If you are concerned about users compromising network security by using automatic logon, you can disable this feature by using system policies. For more information, see Chapter 9, "Security."
The following procedures describe how to log on to Windows 98 and to Microsoft and NetWare networks.
To log on to Windows 98 when no network logon has been configured
- When the Welcome to Windows dialog box appears, type the user name and password.
The following screen appears.
.gif "Cc768188.wrk0z54(en-us,TechNet.10).gif")
Windows 98 uses this logon information to identify the user and to find any user profile information. User profiles define user preferences, such as the fonts and colors used on the desktop, and access information. For more information on user profiles, see Chapter 7, "User Profiles."
To log on to Windows 98 on a Microsoft network for the first time
When the Enter Network Password dialog box appears after starting Windows 98 for the first time, type the user name and password.
Note This dialog box appears without the Domain box unless your computer is configured to log on to a Windows NT domain. For information, see Chapter 16, "Windows 98 on Microsoft Networks."
.gif "Cc768188.wrk0z50(en-us,TechNet.10).gif")
For network logon on a Microsoft network, type the name of the Windows NT domain, LAN Manager domain, or Windows NT computer that contains the related user account.
After the user name and password pair are validated by the network server, the user is allowed to use resources on the network. If the user is not validated, the user cannot gain access to network resources.
If you do not already have a Windows password for this computer or if your Windows password and network password are different the first time Windows 98 starts, the Set Windows Password dialog box appears, prompting you to type the user name and password defined for Windows 98.
To log on to Windows 98 on a NetWare network for the first time using Client for NetWare Networks
The following dialog box appears if you are running Service for NetWare Directory Services (Microsoft's service for accessing Novell Directory Services):
.gif "Cc768188.wrk0z53(en-us,TechNet.10).gif")
To log on, type your user name and password.
– Or –
If you are not running Service for NetWare Directory Services, the following dialog box appears instead:
.gif "Cc768188.wrk0z52(en-us,TechNet.10).gif")
To log on to a NetWare network using Client for NetWare Networks, type your user name, password, and the name of the NetWare server, which is the preferred server where the related user account is stored.
If you are running Service for NetWare Directory Services, click the Advanced button and verify that the correct context and tree are selected.
After the user name and password pair are validated by the NetWare server, the user can use resources on the network. If the user is not validated, the user will be prompted to type a password when connecting to a NetWare server during this work session.
If you do not already have a Windows password for this computer or if your Windows password and network password are different the first time Windows 98 starts, the Set Windows Password dialog box appears, prompting you to type the user name and password defined for Windows 98.
To log on to Microsoft or NetWare networks after the first time
- The next time this computer is started, Windows 98 displays the name of the last user who logged on and the name of the domain or preferred server used for validation. If the same user is logging on again, only the password for the network server or domain needs to be entered. If a different user is logging on, that user's unique user name and password must be entered. If the passwords are the same for the network and Windows 98, the second dialog box for logging on to Windows 98 does not appear again.
Configuring MS Family Logon
Microsoft Family Logon is a new feature that works in combination with user profiles to prevent any user from gaining access to your computer unless you have configured a user profile for that user. Before you can use or configure Microsoft Family Logon, you must enable user profiles. (For more information about enabling user profiles, see "User Profiles and Windows 98 Logon" later in this chapter.) Windows 98 includes a new way to enable user profiles: the Users option in Control Panel. If you enable user profiles with this option, Microsoft Family Logon will be automatically enabled. If you already have user profiles enabled on your computer, however, you can configure Microsoft Family Logon by using the Network option in Control Panel. This section describes both methods of configuring Microsoft Family Logon.
To enable user profiles with the Users option in Control Panel
In Control Panel, double-click Users.
A wizard appears and asks you to enter a user name and password. After you do so, it automatically enables user profiles and installs the Microsoft Family Logon Client.
To configure Microsoft Family Logon if you have already enabled user profiles
In Control Panel, double-click Network, and then click Add.
In the Select Network Component Type dialog box, select Client, and then click Add.
In the Manufacturers box, select Microsoft.
In the Network Clients box, select Microsoft Family Logon, and then click OK.
You must restart the computer for the changes to take effect. If you have selected a network logon as your primary logon, you will see only the Enter Network Password dialog box when you restart.
If you have selected the Microsoft Family Logon as your primary logon, and if user profiles have been enabled, the Enter Password dialog box appears:
.gif "Cc768188.wrk0z51(en-us,TechNet.10).gif")
If your Windows password and your network logon password have not been synchronized, you will also see the Enter Network Password dialog box.
Just as with Windows logon, if your user name and password for Microsoft Family Logon are the same as your user name and password for your network, you will not need to perform both a system logon and a network logon.
Configuring Network Logon
If you install either Client for Microsoft Networks or Client for NetWare Networks, you can configure a computer running Windows 98 to participate on a Windows NT or NetWare network.
Before you can access domain resources on a computer running Windows 98, however, you must have a Windows NT domain controller or NetWare server on the network that contains user account information for the Windows 98 user. (A Windows NT or NetWare server is not necessary for a peer-to-peer network.) For more information about setting up permissions on a Windows NT or NetWare server, see the administrator's documentation for the server. For related information, see Chapter 16, "Windows 98 on Microsoft Networks" and Chapter 17, "Windows 98 on Third-Party Networks."
The validation of a user's network password at system startup might not be required for accessing network resources later during that work session. However, the logon script can run only in one of two circumstances:
During system startup.
If your computer is configured to use Dial-Up Networking only, and there is no active network adapter installed that forces network components to load on system startup, a logon script can run after you connect to a network using Dial-Up Networking.
Because those are the only two cases in which logon scripts can be run if you are using a Microsoft-provided network client, they are the only times at which user profiles and system policies can be downloaded on the local computer. (However, profiles and policies are disabled by default over Dial-Up Networking connections and require special configuration to be enabled.) Therefore, proper network logon is extremely important.
The following sections provide information about configuring network logon for computers on Windows NT and NetWare networks when using a 32-bit, protected-mode network client. You can also use system policies to control network logon options, as summarized at the end of this section. For more information about enforcing logon password requirements, see Chapter 9, "Security."
Tip Logon validation controls only user access to network resources, not access to running Windows 98. To require validation by a network logon server before allowing access to Windows 98, you must use system policies. For information, see "Setting Network Logon Options with System Policies" later in this chapter.
Notice, however, that Windows 98 security cannot prevent a user from starting the computer by using Safe Mode or a floppy disk. If you require complete user validation before starting the computer in any way, use Windows NT as the sole operating system.
Configuring Logon for Client for MS Networks
When the computer is configured to use Client for Microsoft Networks as the Primary Network Logon, you can specify Microsoft Windows NT logon options in the Network option in Control Panel. This section discusses these options.
If your network includes a Windows NT domain, you can configure your computer to automatically validate you on the specified domain during the logon process. If this option is not configured, you cannot access most network resources. If this option is configured and you do not provide a correct password, you will not have access to most network resources.
You can also specify whether you want to automatically establish a connection for each persistent connection to a network resource or verify whether to reestablish connections at system startup. You can also specify basic network logon options in custom setup scripts used to install Windows 98.
For complete procedures for configuring network logon and persistent connections for Client for Microsoft Networks, see Chapter 16, "Windows 98 on Microsoft Networks." For more information about defining network logon options in custom setup scripts, see Chapter 3, "Custom Installations." For more information about controlling network logon by using system policies, see Chapter 8, "System Policies."
Configuring Logon for NetWare Networks
Each Windows 98 user must have an account on the NetWare server before being able to use its files, applications, or print queues. The NetWare server account contains user credentials (a user name and password).
With Client for NetWare Networks, there is no real-mode logon before Windows 98 starts, just the single, unified logon prompt for Windows 98 that allows users to log on to the system and to all networks at the same time. The first time a user starts Windows 98, there are two separate logon prompts: one for Windows 98 and one for the NetWare preferred server. If the two passwords are the same, the second logon prompt for Windows 98 is not displayed again. If you are using password caching, only the Windows 98 dialog box is displayed.
Like Client for NetWare Networks, Novell Client for Windows 95/98 uses a protected-mode logon instead of a real-mode logon. However, unlike Client for NetWare Networks, Novell Client for Windows 95/98 does not cache passwords in a PWL file. Thus, you will see separate logon prompts unless you set Novell Client for Windows 95/98 as the Primary Network Logon.
If the computer uses a Novell-supplied real-mode network client, network logon occurs in real mode and uses all the NetWare configuration settings that were in place before Windows 98 was installed. There are no required changes. However, the logon prompt for Windows 98 always appears when these clients are used because the unified logon process is not available.
Passwords on Windows 98 and NetWare Servers
If you are using a protected-mode network client, maintaining the same user name and password for both Windows 98 and the NetWare network makes it easier for network administrators to coordinate user accounts. For more information about passwords, including brief information on changing passwords on a NetWare server, see Chapter 9, "Security."
To configure Client for NetWare Networks for network logon, you need to specify whether Client for NetWare Networks is the Primary Network Logon. If Client for NetWare Networks is the primary network logon, the following happens:
System policies and user profiles are downloaded from NetWare servers, if you use these features.
Users are prompted first to log on to a NetWare server for validation when Windows 98 starts (before being prompted to log on to any other networks).
The last login script runs from a NetWare server.
Tip When you start Windows 98 with Client for NetWare Networks configured as the Primary Network Logon, Windows 98 automatically prompts you to provide logon information, such as your password on the NetWare server.
Therefore, you should never run the Novell-supplied Login.exe utility from a batch file or at the command prompt when you are using Client for NetWare Networks.
When you designate Client for NetWare Networks as the Primary Network Logon, you can also specify a preferred NetWare server. Windows 98 uses the preferred server to validate user logon credentials and to find user profiles and system policy files. You can change the preferred NetWare server at any time.
With Client for NetWare Networks, you can log on only to specific servers, not to the NDS tree. However, with Service for NetWare Directory Services, you can log on to either the NDS tree or to specific bindery-based servers. The following sections explain how to use Client for NetWare Networks and Service for NetWare Directory Services to log on to NetWare servers and to the NDS tree.
Configuring Client for NetWare Networks to Log on to a NetWare Network
The following procedure describes how to configure Client for NetWare Networks to log on to a NetWare network. If you use a NETX or VLM client, you can configure the setting for the preferred server using Net.cfg or using the /ps option (/ps=server) in Startnet.bat, Autoexec.bat, or wherever you start NETX or VLM. For more information, consult your Novell-supplied documentation.
Note In the Windows 98 Resource Kit, NETX is used to refer to the Novell NetWare workstation shell for NetWare version 3.x; VLM (Virtual Loadable Module) is used to refer to the workstation shell for version 4.x.
To use a NetWare server for network logon
In Control Panel, double-click Network.
Select Client for NetWare Networks in the Primary Network Logon dialog box.
Double-click Client for NetWare Networks in the list of installed components.
In the General tab set values for the configuration options, as described in Table 18.1.
Table 18.1 Client for NetWare configuration options
Property
Meaning
Preferred Server
Designates the name of the NetWare server that appears automatically in the Network Logon dialog box. Windows 98 obtains the NetWare login script from this server, unless you specify a different NetWare server in the Enter Network Password dialog box. This is also the server used to store user profiles and system policies, if these are used on your network. The Preferred Server setting applies to the computer, not for individual users.
If you are running Service for NetWare Directory Services, this setting will be used only if the preferred server is a 4.x server in the same NDS tree that you are logging on to. If you want to log on to a bindery-based server when running Service for NetWare Directory Services, follow the procedures outlined in "Configuring Microsoft Service for NetWare Directory Services to Log on to a NetWare Bindery Server" to log on to a NetWare bindery server.
First network drive
Specifies the first drive letter that you want assigned to the first NetWare network connection.
Enable login script processing
Specifies that this computer will process NetWare login scripts when a user logs on to the network.
If the preferred server has been specified, Client for NetWare Networks attempts to connect to the preferred server rather than the first server that responds to the Get Nearest Server broadcast. Client for NetWare Networks also attempts a number of server connections in case the client computer cannot establish a connection with the preferred server.
Configuring Microsoft Service for NetWare Directory Services to Log on to the NDS Tree
This section describes how to configure Service for NetWare Directory Services to log on to the NDS tree. For more information about Service for NetWare Directory Services and how to install it, see Chapter 17, "Windows 98 on Third-Party Networks."
To log on to an NDS tree, you must select a default context and a preferred NDS tree. The default context determines what the user will be able to see and use in Network Neighborhood. You can also configure a preferred server by following the procedure in "Configuring Client for NetWare Networks to Log on to a NetWare Network," earlier in this chapter. For more information about configuring the default context and directory tree, see Help.
The logon context is the context where your user object is located. In many cases, a user's default context and logon context will be the same, so he or she can log on without using a full or partial distinguished name.
Depending on how your directory tree is set up, a user who travels to other locations in your organization (such as other people's offices or other sites) may need to log on from a different context from the one that contains his or her user object. You may want to encourage such users to type their full distinguished name when they log on. They may also need to change the context they are logging on to. For information on changing the logon context, see Chapter 17, "Windows 98 on Third-Party Networks."
Note When a user logs on using a different logon context than the computer's default context, the current context does not switch to the user's logon context, but the container script from the user's logon context is run. For example, suppose Ann has a user object in the APPS container object. She logs on to a machine whose default context is set to MARKETING, using the full distinguished name .CN=ANN.O=APPS. Even though her logon context is APPS, the current context stays in MARKETING, but the APPS container login script is run.
Logging on to a NetWare Bindery Server using Microsoft Service for NetWare Directory Services
If you want to log on to a bindery server instead of to an NDS directory tree, you can do so at system startup.
To log on to a bindery server
Restart your computer
In the Enter Network Password dialog box, enter your name and password and then click the Advanced tab.
Click Log in to a bindery server.
Select a bindery server, and then click OK, and then click OK again.
Configuring Novell Client for Windows 95/98 to Authenticate to NDS Trees and Servers
You are first prompted to authenticate to an NDS tree when you log on to Windows 98. However, you can also authenticate to other NDS trees or NetWare servers during the same session, so you can be authenticated to more than one NDS tree at once.
To authenticate to NDS Trees and NetWare servers
Right-click the server or tree you want to attach to.
In the context-sensitive menu, click Authenticate.
If prompted, specify your user name and password for the tree or server you are authenticating to.
To view the trees and servers you are authenticated to
- Right-click Network Neighborhood, and then click NetWare Connections.
To view a specific connection
From Network Neighborhood, right-click a server or tree.
In the context-sensitive menu, click WhoAmI.
Setting Network Logon Options with System Policies
The network administrator can define system policies to enforce requirements for network logon. For example, you may want to make sure that users cannot access the local computer without network validation, or you may want to disable password caching.
Note System policies are not installed on Windows 98 by default. For more information, see Chapter 8, "System Policies."
For network logon in general, use the following policies:
Logon Banner, to specify a caption and other text, such as a legal notice, to be displayed before the logon dialog box appears.
Require Validation By Network For Windows Access, to specify that each logon must be validated by a server before access to Windows is allowed.
For Client for Microsoft Networks, use the following policies:
Log On To Windows NT, to specify that this computer can participate in a Windows NT domain.
Display Domain Logon Validation, to display a message when the domain controller has validated user logon.
Disable Caching of Domain Password, to specify that no caching is used for the network password. However, do not enable the Quick Logon features when password caching has been disabled using system policies. The Quick Logon feature requires password caching to function properly.
For Microsoft Client for NetWare Networks, use the following policy:
- Disable Automatic NetWare Logon, to specify that when Windows 98 attempts to connect to a NetWare server, it does not automatically try to use the user's network logon name and password and the Windows logon password to make the connection.
For Microsoft Service for NetWare Directory Services, use the following policies:
Preferred Tree, to specify the preferred NDS tree.
Default Name Context, to specify the default context.
For more information about these policies and others that enforce password requirements, see Chapter 8, "System Policies."
If a computer has the Microsoft Remote Registry agent installed, you can use System Policy Editor to remotely set network logon options on individual computers without using system policies. This is useful in cases in which you have not previously enforced logon requirements using system policies but you want to make sure that network logon is configured properly on a specific computer.
Using Logon Scripts
This section summarizes some information about using logon scripts on Windows NT and NetWare networks. For details about using logon scripts for a push installation of Windows 98, see Chapter 4, "Automated Installations."
Using Logon Scripts with MS Networking
This section summarizes how to use logon scripts for Windows 98 on Windows NT networks.
Logon scripts are batch files or executable files that run automatically when a user logs on to a computer running either Windows NT, Windows 98, or MS-DOS. Logon scripts are often used to configure users' working environments by making network connections and starting applications.
There are several reasons that you might want to use logon scripts:
You want to manage part of the user environment (such as network connections) without managing or dictating the entire environment.
You want to create common network connections for multiple users.
To assign a user a logon script, designate the path name of the logon script file in the user's account on the server. Then, whenever that user logs on, the logon script is downloaded and run. You can assign a different logon script to each user or create logon scripts for multiple users.
To create a batch-file logon script, create an MS-DOS batch file. (For more information about creating batch files, see your MS-DOS documentation.)
A logon script is always downloaded from the server that validates a user's logon request. For users with accounts on Windows NT server domains that have one or more backup domain controllers and a primary domain controller, any one of the domain controllers can authorize a user's logon attempt. To ensure that logon scripts always work for users, you should be sure that logon scripts for all user accounts in a domain exist on every primary and backup domain controller in the domain. You can do this by using the Windows NT Replicator service.
Home directories on Windows NT networks are used to store user profiles and can also serve as private storage spaces for users. To ensure access to user profiles, you should assign each user a home directory on a server. You can also assign users home directories on their own workstations (although this means that users will not have access to their user profiles from other computers).
Using the Windows Script Host to Run Logon Scripts
The Windows Script Host is a tool that allows you to run scripts natively on Windows 95, Windows 98, or Windows NT version 4.0 or later. If you are a network administrator and you want to run a logon script on Windows NT Server 4.0 or later, you can write that script using the Microsoft Visual Basic Scripting Edition or the Microsoft JScript scripting engine, then run it using the Windows Script Host. The Windows Script Host supports several features commonly used in logon scripts, such as mapping drives and printers and managing your users' environments, so it can help you automate routine logon tasks.
For more information about the Windows Script Host, see Chapter 23, "System and Remote Administration Tools."
Using Login Scripts on NetWare Networks
NetWare clients that support NDS use the NDS login script when connecting to NDS. When connecting in bindery mode, they use the bindery login script. Bindery clients always use the bindery script.
Login scripts are stored differently on NetWare 3.x servers using bindery services than on NetWare 4.x servers using NDS. On a bindery server, the system login script is stored in the Net$log.dat file in the \Public directory, and individual user login scripts are stored in the Login file in Mail subdirectories that correspond to the users' internal IDs. On an NDS server, the Container, Profile, and User login scripts are stored in the NDS database as properties of those objects.
The network administrator can use SYSCON for NetWare 3.x bindery-based servers or NETADMIN or NWADMIN for 4.x servers to edit login scripts for any NetWare-compatible client running under Windows 98.
The issues related to running login scripts depend on whether the computer is configured with Client for NetWare Networks or uses a Novell-supplied network client.
Running Login Scripts with Client for NetWare Networks
If the computer is running Client for NetWare Networks, the special Windows 98 Login Script Processor runs the login script after the user completes entries in the network logon dialog box during system startup. If you are also running Service for NetWare Directory Services, your computer can make NDS-based connections and can use the NDS login script if you log on as an NDS user. If you are not running Service for NetWare Directory Services, Client for NetWare Networks makes only bindery connections.
When a computer running Client for NetWare Networks but not Service for NetWare Directory Services connects to a NetWare 4.x server, the server must be running bindery emulation, so that the login scripts can be accessed in the same way as on a bindery server. If bindery-type login script files are not available, you can create login scripts by enabling bindery emulation on the server, then using NETADMIN to create accounts.
The Windows 98 Login Script Processor runs NetWare system and user login scripts, using commands in these scripts, such as MAP and CAPTURE, to make global changes to the system environment. For example, a script might include SET statements or PATH statements to specify search drives.
The login script appears in a window if the user's login script contains the WRITE, DISPLAY, FDISPLAY, PAUSE, or WAIT commands.
You can use any NetWare or MS-DOS command (in conjunction with NetWare login script commands) in a login script, except those that load TSRs. The Windows 98 Login Script Processor operates in protected-mode, so loading real-mode TSRs from a login script is not possible because login scripts are run after all real-mode actions are completed at system startup. Any TSR that is run from a login script is loaded in a single virtual machine, which is subsequently shut down when login script processing is completed. In these cases, the Login Script Processor displays an error message.
For loading components, such as backup agents, you can use protected-mode equivalents in Windows 98 instead of running TSRs. If you need to run a TSR to support an application, use one of the options described in the Table 18.2.
Table 18.2 Loading TSRs with Client for NetWare Networks
What the TSR must support |
Where to load the TSR |
|---|---|
With NDIS 3.1 drivers: |
|
All applications created for MS-DOS or Windows, without IPX/SPX support |
Autoexec.bat |
All Windows-based applications that require IPX/SPX support1 |
Winstart.bat in the \Windows directory |
All MS-DOS- based applications that require IPX/SPX support2 |
At the command prompt before running the application |
With ODI drivers: |
|
All applications created for MS-DOS or Windows with IPX/SPX support |
After the entry that loads IPXODI in Autoexec.bat or Winstart.bat |
1 The IPX/SPX-compatible protocol (NWLINK) is loaded after real mode is complete but before login scripts are processed, so this protocol is available for TSRs loaded from Winstart.bat.
2 The TSR must be loaded in each separate virtual machine for each application that requires that TSR before the application is loaded. This can be done in a batch file used to run the application.
The network administrator might want to warn users that, in the following circumstances, the Login Script Processor can display special windows and messages, and that this is not an error condition:
When the login script runs, a message announces that the operating system is processing login scripts. The user can click a button to see details. However, if any statement in the script writes to the screen or if there is a PAUSE statement, the Login Script Processor window appears and displays all subsequent statements as they run.
If a #DOS_command statement is included in the script, a special virtual machine is used to process the command. An MS-DOS Prompt window appears while the command is running and then closes automatically when the command is complete.
The following list presents some tips for testing and running login scripts with Client for NetWare Networks:
Insert PAUSE statements frequently in the scripts you are testing so that you can study each screen of information as it appears in the Login Script Processor window.
While testing scripts, check carefully for script errors that appear in the Login Script Processor window.
Insert PAUSE statements following any text that you want the user to read during system logon.
Note The Windows 98 Login Script Processor can handle any documented NetWare login script commands. Any undocumented variations on NetWare commands might not be processed as legal statements.
You can make persistent connections (using the same drive letter each time) to NetWare volumes and directories by using the Windows 98 user interface. Using persistent connections eliminates the need for some NetWare MAP commands in login scripts. However, if persistent connections are made to a server, you should avoid using the ATTACH command in login scripts.
Running Login Scripts with Novell-Supplied Clients
If a computer is running the Novell-supplied Novell Client for Windows 95/98, login scripts are processed when you log on to a NetWare network. (Logging on is different from authenticating to either a NetWare server or an NDS tree, which you can also do after logging on to the network.)
If you are running Novell Client for Windows 95/98, if you run an external command in your login script, such as "send /a=n" the MS-DOS box does not automatically close when the program terminates.
If a computer is running the Novell-supplied NETX or VLM networking client, login scripts are processed as they were before Windows 98 was installed.
With NETX or VLM, login scripts are run in real mode during system startup. Therefore, all statements and TSRs will run as expected and be available globally for all applications created for Windows or MS-DOS.
Important Users running a Novell-supplied real-mode client should always log on to the NetWare server before running Windows 98. Otherwise, many operational problems will occur. For example, if a user instead logs on at the command prompt while already running Windows 98, then all the drive mappings created by the login scripts will be local only to that virtual machine.
User Profiles and Windows 98 Logon
The notes in this section provide a brief overview of the logon process in Windows 98. User profiles can be enabled in three ways:
From the Users option in Control Panel.
From the Passwords option in Control Panel.
From the System Policy Editor.
If user profiles are enabled, then a network or Windows logon dialog box will always appear at system startup (even if the user's password is blank) because the user must be identified so the operating system can load the correct profile.
If user profiles are not enabled, what happens in the logon process depends on the setting specified in the Primary Network Logon box in the Network option in Control Panel. If the Primary Network Logon setting is for a network provider, such as Client for NetWare Networks or Client for Microsoft Networks, then an Enter Network Password dialog box will always appear at system startup if the network is active. These network providers cannot allow automatic logon without the user entering a password because the provider does not know which network account the user wants to use.
If the user selects Windows Logon as the value in the Primary Network Logon box in the Network option in Control Panel, then the Windows Logon dialog box will appear first, followed by logon dialog boxes for any other network providers. In this case, if the user has entered a Windows password but has cached the network passwords, the user needs to enter only the Windows password. If the user has configured the computer to perform an automatic logon by using password caching, the user will not need to enter a password to gain access to Windows 98 or the network. (For more information about password caching, see "Understanding System Logon," earlier in this chapter.)
If the user selects Microsoft Family Logon from the value in the Primary Network Logon box in the Network option in Control Panel, and user profiles are enabled, then the Microsoft Family Logon dialog box appears.
Note The administrator can use system policies to restrict users' access to the Passwords option in Control Panel or to require a minimum password length to prevent automatic logon using blank passwords.
Browsing
This section describes how to configure browsing.
For more information about browsing, see the Microsoft Windows NT Server Resource Kit (for Windows NT Server version 4.0).
Understanding Browsing
Browsing in Windows 98 is the same for all network providers, whether the network is based on Windows NT Server, Novell NetWare, another network, or Windows 98 itself.
Users can browse network resources to connect to them. For example, users on NetWare networks can see NetWare servers and printers, plus computers running File and Printer Sharing for NetWare Networks. Users on Microsoft networks can find network resources by scrolling through a list of available workgroups, a list of available computers in a given workgroup, and a list of available resources on a given computer.
For technical details about network computing with Windows 98 on Microsoft and NetWare networks, see "Browsing on Microsoft Networks" and "Browsing on NetWare Networks" later in this chapter.
Using Network Neighborhood
When you use Network Neighborhood, you can access shared resources on a server without having to map a network drive. Browsing and connecting to the resource consists of a single step: clicking an icon.
For more information about what happens internally when Network Neighborhood is used to browse multiple networks, see the description of the multiple provider router in Chapter 29, "Windows 98 Network Architecture."
Using Workgroups in Windows 98
On Microsoft networks, computers are logically grouped in workgroups for convenient browsing of network resources. If share-level security is used, each computer in the workgroup maintains its own security system for validating local user log on and access to local resources.
NetWare networks do not use the workgroup concept, so computers running Windows 98 with only VLM or NETX clients cannot be members of workgroups. However, computers running File and Printer Sharing for NetWare Networks with Workgroup Advertising enabled can appear in workgroups.
To set the workgroup for a computer, click the Identification tab in the Network option in Control Panel and type a name.
For more information about using Network Neighborhood, see online Help.
To browse a server quickly without mapping a drive
From the Start menu, click Run, and then type the server name. For example:
\\nwsrv1
To browse any shared directory in the window that appears, double-click its icon.
To browse this server's workgroup, press BACKSPACE. This is the equivalent of clicking the Up One Level button on the toolbar.
To create a shortcut on the desktop to a network resource
In Network Neighborhood, find the network resource for which you want to create a shortcut.
Click the right mouse button and drag the icon for that resource onto the desktop.
In the context-sensitive menu, click Create Shortcut.
Double-click the shortcut icon to view the contents of the network directory in a new window. This shortcut is available every time you start Windows 98.
As the network administrator, you can use system policies to create a custom Network Neighborhood for individuals or multiple users. As part of the custom Network Neighborhood, you can create shortcuts using UNC names for any network connections, including Dial-Up Networking connections. However, do not place directories in the custom Network Neighborhood. Neither the Up One Level icon nor the BACKSPACE key will return the user to the Network Neighborhood from a directory. In System Policy Editor, enable the policy named Custom Network Neighborhood:
Use Registry mode to enable this option on a local or a remote computer.
Use Policy mode to create or modify a policy file for one or more users.
You can also set system policies to control users' access to built-in Windows 98 browsing features. For more information, see "Restricting Access to Shell Settings" in Chapter 8, "System Policies."
Connecting to Drive and Printer Resources
You can connect to network drives from the Map Network Drive dialog box, which you can display in one of two ways.
To connect to network drives
Right-click Network Neighborhood, and then select Map Network Drive from the context-sensitive menu.
– Or –
In Windows Explorer, select the Tools menu and then click Map Network Drive.
In this dialog box, you can type the name of a network server and shared directory using the UNC name. For example, the UNC name for the server CORP and the shared directory DOCS is \\CORP\DOCS. On NetWare networks, you can also type any remote computer name understood by the network (for example, TRIKE/SYS:public). However, you cannot type a remote computer name understood by a NetWare network from other places in the operating system, such as the Run dialog box or a common control.
.gif "Cc768188.ch18_01(en-us,TechNet.10).gif")
You can make a persistent connection to any drive (that is, you can store its name and automatically reconnect to it at startup) by clicking the Reconnect at logon check box in the Map Network Drive dialog box. Persistent connections are restored to the same drive letters each time Windows 98 is started.
When installing a new printer, you can specify a shared printer resource by using the UNC name or the Point and Print method. For example, for the shared printer named HP_III on the server CORP, the UNC name is \\CORP\HP_III. For more information about Point and Print, see Chapter 11, "Printing, Imaging, and Fonts."
You can also map drives and printers by using the Windows Script Host to execute scripts to map drives and printers. For more information about Windows Script Host, see Chapter 23, "System and Remote Administration Tools."
Browsing with the Net Commands
Browsing network resources at the command prompt is handled by the real-mode networking components. You can use the net view command to perform most of the same browsing actions as Network Neighborhood or Windows Explorer, except that it cannot provide a list of workgroups.
To get help for the net view command
- At the command prompt, type net view /?.
You can use the net use command to connect and disconnect from shared resources, such as shares and printers. Additionally, you can see all the servers that you are connected to.
To get help for the net use command
At the command prompt, type net use /? | more.
For specific notes about using the net commands on NetWare networks, see "Using Commands to Connect to NetWare Servers" later in this chapter.
Browsing on MS Networks
The Windows 98 browsing scheme for Microsoft networks is based on the scheme currently used for Windows NT and Windows for Workgroups. The Windows 98 browse service attempts to minimize the network traffic related to browsing activity, while also providing an implementation that scales well to support both small and large networks.
This section describes how the browse service designates browse servers and maintains the browse list. It also provides information about connecting to network resources on Microsoft networks.
For more information about how browsing works on Windows 98 networks, see the Microsoft Windows NT Resource Kit for Windows NT Server Version 4.0.
Designating a Browse Master for MS Networks
The Windows 98 browse service maintains a list of all the available servers in a given workgroup. This list is called the browse list. One server, called a master browse server, maintains the browse list for the workgroup and responds to queries from client computers. To minimize network traffic to the master browse server, one or more backup browse servers can also be designated to resolve some query requests. The master browse server periodically sends copies of the browse list to the backup browse servers.
When Windows 98 starts on a computer, the computer first checks to see if a master browse server is already present for the given workgroup. If a master browse server does not exist, an election creates a master browse server for the workgroup. To determine which computer in a workgroup will become the master browse server, if a computer boots up and either does not find a master browse server or has the Browse Master option enabled, then an election occurs in which the highest ranked server version becomes the browse master. For example, Windows NT is a higher version than Windows 98, so a Windows NT computer will be chosen before a Windows 98 computer.
If a master browse server already exists, Windows 98 checks the number of computers in the workgroup, and the number of browse servers present. If the number of computers in the workgroup exceeds the defined ratio of browse servers to computers in a workgroup (usually one browse server for every 15 computers), an additional computer in the workgroup might become a backup browse server.
The Browse Master parameter provides a mechanism for controlling which computers can become browse servers in a workgroup. If this parameter is set to Automatic, the master browse server can designate that computer as a backup browse server when needed, or that computer can be elected as master browse server.
Tip It is a good idea to set the Browse Master parameter to Disabled on computers that are frequently powered off or removed from the network, such as laptop. This helps you ensure that a browse server is always available.
For information about configuring the Browse Master parameter, see "Using File and Printer Sharing for Microsoft Networks" later in this chapter.
Using the Net View Command to Check the Browse Server
The net view command is a valuable troubleshooting tool if you suspect the browse list maintained by a browse server is incomplete or inaccurate. You can use net view /workgroup: workgroupname at the command prompt to get the list of known computers directly from the master browse server. The request is not handled by a backup browse server.
If the list of computers returned by a master browse server is inaccurate, you can reset the master browse server by shutting it down. Another computer will then be promoted to master browse server for the workgroup.
Building the Browse List for MS Networks
In Windows 98, the browse service maintains an up-to-date list of domains, workgroups, and computers, and provides this list to applications when requested. The user sees the list in the following types of circumstances:
If a user requests a list of computers in a workgroup, the browse service on the local computer randomly chooses one of the browse servers it is aware of and sends the request.
If a user selects a workgroup to which the computer does not belong, Windows 98 requests a list of computers defined in the selected workgroup from a browse server in the selected workgroup.
The selected browse server also sends a list of the other workgroups it knows about that are defined on the network, along with a list of computers in the workgroup to which the user belongs. The browse list is displayed anywhere that Windows 98 presents lists of browsable resources. The browse list can also be displayed by using the net view command. The list can contain the names of domains, workgroups, and computers running the file and printer sharing service, including the following:
Computers running Windows 98, Windows 95, Windows for Workgroups, and Windows NT Workstation.
Windows NT domains and servers.
Workgroups defined in Windows 98, Windows 95, Windows for Workgroups, Windows NT Server, and Windows NT Workstation.
Workgroup Add-on for MS-DOS peer servers.
LAN Manager 2.x domains and servers.
Adding New Computers to the Browse List
When a computer running Windows 98 is started on the network, it announces itself to the master browse server for its workgroup, and the master browse server adds that computer to the list of available computers in the workgroup. The master browse server then notifies backup browse servers that a change to the browse list is available. The backup browse servers then request the new information to update their local browse lists. It might take as long as 15 minutes before a backup browse server receives an updated browse list, and new computers on the network do not show up in a user's request for a browse list until then.
Removing Computers from the Browse List
When a user shuts down a computer properly, the operating system informs the master browse server that it is shutting down. The master browse server then notifies backup browse servers that a change to the browse list is available. The backup browse servers then request the changes to the browse list.
If a user turns off the computer without shutting down, the computer does not get a chance to send the message to the master browse server. In this case, the computer name might continue to appear in the browse list until the name entry times out, which can take up to 45 minutes.
Technical Notes on Browsing on MS Networks
This section includes a table of NetBIOS special names and presents some brief notes related to browsing on Microsoft networks.
NetBIOS Special Names
When a computer connects to the network, it receives a NetBIOS special name that indicates what role it will play in browsing for the network. For example, a computer might have a special name to indicate that it is a master browse server. Table 18.3 shows those names. You can use the utility nbtstat to find your computer's special names, and you can use Network Monitor to find special names for other computers on the network.
For more information about nbtstat, see "Technical Notes on TCP/IP" in Chapter 15, "Network Adapters and Protocols." For more information about Network Monitor, see Chapter 23, "System and Remote Administration Tools."
Table 18.3 NetBIOS special names
Special name |
Description |
|---|---|
computer\0x00 |
Used by Microsoft networking workstations to receive second class mailslot requests. All workstations must add this name in order to receive mailslot requests. This is the computer name registered for workstation services by a WINS client. |
computer\0x03 |
Used as the computer name that is registered for the messenger service on a computer that is a WINS client. |
computer\0x20 |
Used as the name that is registered for the peer server service on a Windows 98 computer (or the server service on a Windows NT computer) that is a WINS client. |
computer\0xBe |
Used as the unique name that is registered when the Network Monitor agent is started on the computer. |
computer\0x1f |
Used as the unique name that is registered for Network dynamic data exchange (DDE) when the NetDDE service is started on the computer. |
Registered group names: |
|
.._MSBROWSE_. |
Used by master browser servers to periodically announce their domain on a local subnet. This announcement contains the domain name and the name of the master browser server for the domain. In addition, master browser servers receive these domain announcements to this name and maintain them in their internal browse list along with the announcer's computer name. |
domain\0x00 |
Used by workstations and servers to process server announcements to support Microsoft LAN Manager. Servers running Windows 98, Windows NT, Windows NT Server, and Windows for Workgroups do not broadcast this name unless the LMAnnounce option is enabled in the server's properties. |
domain\0x1b |
Used to identify the domain master browser name, which is a unique name that only the primary domain controller (PDC) can add. The PDC processes GetBrowserServerList requests on this name. WINS assumes that the computer that registers a domain name with the \0x1b character is the PDC. |
domain\0x1c |
Used for the Internet group name, which the domain controllers register. The Internet group name is a dynamic list of up to 25 computers that have registered the name. This is the name used to find a Windows NT computer for pass-through authentication. |
domain\0x1d |
Used to identify a master browser (not a domain master browser). The master browser adds this name as a unique NetBIOS name when it starts. Workstations announce their presence to this name so that master browsers can build their browse list. For peer servers, this name has the form workgroup\0x1d. |
domain\0x1e |
Used for all workgroup or domain-wide announcements by browser servers in a Windows network workgroup or Windows NT Server domain. (Notice, however, that workstations use the domain\0x1d form, not \0x1e.) This name is added by all browser servers and potential servers in the workgroup or domain. All browser election packets are sent to this name. |
computer\0xBf |
Used as the group name that is registered when the Network Monitor agent is started on the computer. If this name is not 15 characters in length, it is padded with plus (+) symbols. |
username\0x03 |
Used to register the name of the currently logged on user in the WINS database, so that users can receive net send commands sent to their user names. |
Other Notes
Microsoft LAN Manager – compatible networks, such as IBM LAN Server and Microsoft LAN Manager for UNIX support browsing of servers, and shared directories using the Windows 98 user interface or net view.
Digital PATHWORKS is an example of a Microsoft LAN Manager – compatible network that does not support browsing. AT&T StarLAN is an example of a Microsoft Network – compatible network that is not based on Microsoft LAN Manager and that does not support remote browsing of servers and shared directories. These servers do not appear in Network Neighborhood; with Windows 98, however, users can still access the servers and shared directories through a network connection dialog box.
When a known slow network connection is used (for example, the remote access driver), Windows 98 is automatically configured not to designate that computer to be a browse server for the network connection. The SlowLanas parameter in the registry identifies the network LANA numbers for which the local computer will not serve as a master browse server. However, the user can still request a list of available workgroups and computers on the network across the slow network connection.
Browsing on NetWare Networks
The Windows 98 user interface includes support for browsing and connecting to network resources on Novell NetWare and other networks. Except for workgroups, this support is the same whether you use Client for NetWare Networks or a Novell-supplied client. After you connect to a NetWare volume or a computer running File and Printer Sharing for NetWare Networks, you can drag and drop directories and files to move and copy them between your computer and the NetWare server.
For more information about printer connections, see Chapter 11, "Printing, Imaging, and Fonts."
Using Network Neighborhood on NetWare Networks
Network Neighborhood is the primary way you can browse the network. What you see using Network Neighborhood depends on which network client you are using.
If you are using Microsoft Client for NetWare Networks without Service for NetWare Directory Services, or if you are using a real-mode Novell NetWare Client, you can see all the NetWare bindery-based servers your computer is connected to. You will also see all computers running File and Printer Sharing for NetWare Networks that use Workgroup Advertising.
If you have installed Service for NetWare Directory Services, you will also see all the NDS objects in the current context. For more information, see "Browsing the NDS Tree Using Service for NetWare Directory Services" later in this chapter.
If you have installed Novell Client for Windows 95/98, you will see bindery-based servers and computers running File and Printer Sharing for NetWare Networks, but you will also see a separate folder for the NDS tree and workstation context. You can click this icon to browse the network as usual.
Clicking the Entire Network icon displays a list of all NetWare servers on the network. This list also contains a list of workgroups that include computers running File and Printer Sharing for NetWare Networks. You can view the contents of any server without having to map a network drive.
If you are running Service for NetWare Directory Services and you are logged on to the NDS tree, clicking the Entire Network icon will also display the NDS tree. If you are running Novell Client for Windows 95/98, you will see NetWare servers and NDS trees in separate folders.
If your computer has both Client for Microsoft Networks and Client for NetWare Networks installed, then you will also see a list of computers running Windows for Workgroups, Windows 98, and Windows NT. The list of NetWare servers is along with the list of workgroups or domains in the Entire Network window.
In both the Network Neighborhood and Entire Network views, you can open a server to access its contents without having to map a network drive. If you are running Service for NetWare Directory Services or Novell Client for Windows 95/98 and you are authenticated to the NDS tree, you will not need to enter a password if you are connecting to a NetWare 4.x server. However, if you are not running Service for NetWare Directory Services, you are not authenticated to the NDS tree, or you are connecting to a NetWare 3.x server, you may be asked to enter a password. If you are running Client for NetWare Networks, you can choose to save your password in the password cache so that you will not have to type it again.
If the computer is running Client for NetWare Networks, drive mappings are limited to the available drive letters. However, Windows 98 supports unlimited UNC connections. (If the computer is running NETX or VLM, it is limited to only eight server connections.)
Connecting to Resources Using Client for NetWare Networks
This section describes how to connect to resources using Client for NetWare Networks. The procedures in this section assume that you are logged on using Client for NetWare Networks.
To connect to a bindery-based NetWare server in Network Neighborhood
In Network Neighborhood, right-click a bindery-based NetWare server.
In the context-sensitive menu, click Attach As. Then type a user name and password, and click OK.
If you want to map a directory on this server, double-click the server icon. Right-click the volume you want to map, and click Map Network Drive in the context-sensitive menu. Select a drive, and click OK.
Tip You can also create a shortcut to frequently used resources. For information, see "Using Network Neighborhood" earlier in this chapter. When you double-click a shortcut, you have to supply only a password to connect to it.
You can also use the Map Network Drive dialog box to specify the name of a NetWare server and volume (or directory) that you want to map to a drive letter.
To connect to a directory as the root of the drive
In Network Neighborhood, right-click a directory on a NetWare server.
In the context-sensitive menu, click Map Network Drive.
If you are connecting to a bindery-based server and if you see the option Connect as Root of the drive, select that option.
Click OK.
With this option enabled, if you switch to this mapped directory in a command prompt window, you will see the prompt as drive:\> not drive:\directory>. You cannot go further up the directory tree from the command prompt.
The context-sensitive menu for a NetWare server shows everything you can do with the related server, volume, or directory. To view the context-sensitive menu, in Network Neighborhood, right-click a NetWare server.
Table 18.4 describes the commands available on the context-sensitive menu.
Table 18.4 Shortcut commands for NetWare servers
Command |
Description |
|---|---|
Open |
Connects to that server. |
Explore |
Shows the resources available on that server without making a connection. |
Who Am I |
Specifies whether the user is logged on or attached to the server; if a user is logged on and the computer is attached, specifies that user's name. |
Detach |
Logs the user off a bindery-based server. |
Attach As |
Presents a dialog box for typing a password to log on to a bindery-based server. This dialog box allows the user to connect to the server by using a different user name from the one used to log on to the network. |
Map Network Drive |
Presents a dialog box for mapping a network drive to a drive letter. |
Create Shortcut |
Creates a shortcut on the desktop for the selected server. |
Properties |
Shows the properties for the server. Listing the properties of a NetWare server creates an attachment without logging on, thereby using up one of the allowable connections. |
If a computer running File and Printer Sharing for NetWare Networks has been configured to allow remote administration, and if you have the authority to administer that server, you can use the administration options in the computer's properties. To do this, in Network Neighborhood, right-click the computer's icon. In the context-sensitive menu, click Properties, and then click the Tools tab. Use the buttons to run Net Watcher or System Monitor, or to administer the file system.
.gif "Cc768188.wrk0z55(en-us,TechNet.10).gif")
For more information about preparing computers for remote administration under Windows 98, and about using Net Watcher and other tools, see Chapter 23, "System and Remote Administration Tools."
Browsing the NDS Tree Using Service for NetWare Directory Services
If your computer is running Service for NetWare Directory Services and you are logged on to the NDS tree, you will be able to see NDS objects. The following NDS objects are visible in Network Neighborhood:
Organizations
Organizational unit
Servers
Volume objects
Directory maps
Printers
Print queues
Aliases for NDS objects
If you are logged on to the NDS tree, you are automatically logged on to all servers in that tree. Therefore, you do not need to use the ATTACH command to connect to those servers.
Service for NetWare Directory Services also enables you to change your preferred logon server and your current context.
To change contexts
In Network Neighborhood, click the Organization or Organizational Unit you want to change your current context to.
Click File.
Click Set Current Context.
To specify a preferred server
In Control Panel, double-click Network.
Click Client for NetWare Networks.
Click Properties.
In Preferred Server, type the name of the server.
Note You can change your preferred server only if it is a 4.x server in the same NDS tree you are logging on to.
Browsing the NDS Tree Using Novell Client for Windows 95/98
If your computer is running Novell Client for Windows 95/98, you can see the same NDS objects that are listed in "Browsing the NDS Tree Using Service for NetWare Directory Services" earlier in this chapter. From within Network Neighborhood you will see bindery-based servers and computers running File and Printer Sharing for NetWare Networks, as well as a separate folder for the NDS tree and workstation context.
If you are logged on to the NDS tree, you are automatically logged on to all servers in that tree. Therefore, you do not need to use the ATTACH command to connect to those servers.
With Novell Client for Windows 95/98, you can be authenticated to multiple NDS trees. However, not all applications can use multiple trees. To support those applications, Novell Client for Windows 95/98 enables you to specify a "current tree," that is, the tree that applications will use if they cannot use multiple trees.
Novell Client for Windows 95/98 also enables you to change your current server and your current context.
To view the current tree and current server
From the Windows 98 desktop, right-click Network Neighborhood.
Click NetWare Connections.
To change the current tree
From Network Neighborhood, right-click the tree you want to change to.
In the context-sensitive menu, click Set Current Tree.
To change the current server
From the Windows 98 desktop, right-click Network Neighborhood.
In the context-sensitive menu, click NetWare Connections.
Click the server you want to change to.
Click Set Current.
To change the current context
From Network Neighborhood, right-click the tree you want to change to.
In the context-sensitive menu, click Change Context.
Enter the context under Enter New Default Context.
Click Change.
To see the new context, refresh Network Neighborhood by pressing F5.
Managing Connections with Client for NetWare Networks
With Client for NetWare Networks, you can manage connections to the NetWare network by using Network Neighborhood and common network-connection dialog boxes, such as Open and Save. (These are the same techniques used for Microsoft networks.)
With Client for NetWare Networks, you can define persistent connections (which use the same drive letter each time the computer starts) to NetWare volumes and directories. Using persistent connections eliminates the need for NetWare MAP commands in login scripts; however, you can still use MAP, ATTACH, and other commands at the command prompt or in login scripts, as described in the following section.
Using Commands to Connect to NetWare Servers
If you are running Client for NetWare Networks, all NetWare commands run in the same way as they do for a Novell-supplied networking client.
Note the following about certain Novell-supplied commands:
If you are running Service for NetWare Directory Services and you are logged on to the NDS tree, you do not need to use the ATTACH command to connect to servers in the NDS tree.
For the ATTACH command, configure the networking client to use SAP browsing. You can configure SAP browsing from the Properties window for File and printer sharing for NetWare Networks.
It is recommended that you do not use the LOGIN utility to create an attachment to a computer running File and Printer Sharing for NetWare Networks. Use the ATTACH command instead.
For the MAP command, drive mappings in Windows 98 are global to all sessions.
You can also use the Microsoft networking net commands at the command prompt or in login scripts to manage connections on NetWare networks.
For Client for NetWare Networks or Novell real-mode clients, you can use the Windows 98 net view command to perform the same function as the NETX SLIST or VLM NLIST SERVER commands.
The net view command creates an attachment without logging on. Viewing a NetWare server or a computer running File and Printer Sharing for NetWare Networks does not show print queues. However, viewing a computer running File and Printer Sharing for Microsoft Networks shows both shared directories and shared printers.
To get help for the net view command
- At the command prompt, type net view /?.
You can use the net use command to do the following:
Perform the same functions as the NetWare ATTACH and MAP commands. The net use command maps only to the root of a volume.
Supply similar functionality to the CAPTURE utility for printing when programs require printing to a specific port, and the ENDCAP utility for deleting a print connection.
To get help for the net use command
- At the command prompt, type net use /? | more.
The following brief procedures show built-in Windows 98 commands that can be used at the command prompt or in scripts to manage resource connections.
The net command in Windows 98 does not support the following:
The functionality of the NetWare MAP ROOT command or search drive mappings.
Any of the command-line options of the CAPTURE command, except the equivalents for specifying port, server name, and queue name. To use specific CAPTURE options, use the Novell CAPTURE command.
The functionality of the Novell NetWare print job designations (the J=jobname parameter for the CAPTURE command).
Note You can still use the NetWare commands SLIST and NLIST instead of net view, MAP instead of net use, or CAPTURE instead of net use to connect to a printer. With Service for NetWare Directory Services, you can map drive letters to NDS objects, such as directory map objects and volume objects.
Using Windows NT to Connect to NetWare Servers
If your site includes both a Novell NetWare network and a Windows NT Server network, computers using Microsoft networking will need to communicate and share resources with the NetWare network. This section summarizes several options using Windows NT.
For more information about these features, contact your Microsoft sales representative.
NWLink. With NWLink, Microsoft's IPX/SPX-compatible protocol, you can give NetWare-compatible clients access to Windows NT Server – based applications, such as Microsoft SQL Server™ and Internet Information Server. You can also give Windows 98 clients access to databases running as NetWare Loadable Modules on NetWare servers.
Windows NT Gateway Service for NetWare. For Microsoft networking clients that cannot use multiple protocols, you can configure a computer running Windows NT Server 3.5 or later as a file or print gateway using Windows NT Gateway Service for NetWare to connect to and share NetWare resources. Windows NT Gateway Service for NetWare acts as a translator between the server message block (SMB) protocol used by Microsoft networks and the NetWare Core Protocol (NCP), used on NetWare networks. With Windows NT Server 4.0, Gateway Service for NetWare also supports Novell Directory Services (NDS) and login scripts.
Because access over the gateway is slower than direct access from the client for computers running Windows 98 that require frequent access to NetWare resources, Client for NetWare Networks is a better solution.
Notice that a Microsoft Windows NT Client Access License is required if the computer will be connecting to servers running Windows NT Server. For information, contact your Microsoft reseller. For more information about setting up a Windows NT Server computer with Gateway Service for NetWare, see the Microsoft Windows NT Server Networking Guide in the Microsoft Windows NT Server Resource Kit (for Windows NT Server version 4.0).
Microsoft File and Print Services for NetWare. This utility for Windows NT Server provides users running a NetWare-compatible client with access to basic NetWare file and print services and to powerful server applications on the same Windows NT Server – based computer, without changing users' network client software.
Microsoft Directory Service Manager for NetWare. This utility for Windows NT Server allows you to maintain a single directory for mixed Windows NT Server, NetWare 2.x and 3.x servers, and bindery-based NetWare 4.x servers .
Peer Resource Sharing
This section describes how to configure and use peer resource sharing.
Understanding Peer Resource Sharing
When a computer is running file and printer sharing services, other users running a compatible network client can connect to shared printers, volumes, CD-ROM drives, and directories on that computer by using the standard techniques for connecting the network resources, as described in "Browsing on Microsoft Networks" and "Browsing on NetWare Networks" earlier in this chapter.
Using computers running Windows 98 as peer servers allows you to add secure storage space and printing to the network at a low cost. The peer service is based on a 32-bit, protected-mode architecture, which means all the Windows 98 benefits for robust, high performance are available. In addition, administrators can take advantage of tools, such as system policies (included in the Windows 98 Resource Kit) and Net Watcher (included in Windows 98) to centrally administer peer servers. In addition, user-level security is available as an additional enhancement beyond the peer server capabilities built into Windows for Workgroups.
Tip Using Net Watcher, a network administrator can remotely monitor and manage files on any computer running file and printer sharing services if remote administration has been enabled for that computer.*** Net Watcher allows an administrator to disconnect users, change access rights, and administer the file system on remote computers. ***For more information, see Chapter 23, "System and Remote Administration Tools."
Installing Peer Resource Sharing
If you use custom setup scripts, you can specify that file and printer sharing services be installed with Windows 98. Otherwise, you can add the service later by using the Network option in Control Panel.
Tip For a computer that will share resources with other users on the network, choose which file and printer sharing service to install based on what other users require:
If most users who need to share these resources are running NETX, VLM, or Client for NetWare Networks, then install File and Printer Sharing for NetWare Networks.
If most users who need to share these resources are running Client for Microsoft Networks, Windows NT, Windows for Workgroups, or Workgroup Add-on for MS-DOS, then install File and Printer Sharing for Microsoft Networks.
To install file and printer sharing after setup
In Control Panel, double-click Network, and then click Add.
In the Select Network Component Type dialog box, double-click Service, and then click Add.
If you are installing File and Printer Sharing for Microsoft Networks, select File and printer sharing for Microsoft Networks, and then click OK.
– Or –
If you are installing File and Printer Sharing for NetWare Networks, select File and printer sharing for NetWare Networks, and then click OK.
For information about enabling file and printer sharing in custom setup scripts, see Chapter 3, "Custom Installations." For information about controlling peer resource sharing capabilities using system policies, see Chapter 8, "System Policies."
Implementing Security for Peer Resource Sharing
Figure 18.1 shows how Windows 98 supports share-level and user-level security for File and Printer Sharing for Microsoft Networks. Windows 98 supports share-level security similar to the security provided with Windows for Workgroups.*** This level of security associates a password with a shared disk directory or printer. ***Share-level security for peer resource sharing can be implemented in a Windows 98 – only peer-to-peer network or on a network supported by Windows NT or other Microsoft Windows network-compatible servers.
.gif "Cc768188.wrk0z02(en-us,TechNet.10).gif")
Figure 18.1 Security for peer resource sharing under Windows 98
For file and printer sharing services on both Windows NT and NetWare networks, Windows 98 supports user-level security by linking a peer server directly to another server for user account validation.*** For network administrators, the user account list is centrally controlled at the Windows NT domain controller or NetWare server; on a Windows NT network, the user account list on a single server can also be used for validation. The resources on the Windows 98 peer server can be accessed only by users with accounts in the central database. Users can also be assigned specified access rights in Windows 98 for particular resources. ***For more information about using and managing security, see Chapter 9, "Security."
The 32-bit, protected mode-network client and the file and printer sharing service are separate network processes, but they share connection information and pass requests to each other when validating a user-level security request.
For user-level security on a computer running either version of file and printer sharing service, you specify the server that contains the database of user accounts that are allowed to connect to this peer resource sharing server. You can do the following to customize access to a shared resource:
You can use the Windows 98 user interface to specify which users can access the shared resources and which rights they have. For details, see "Controlling Access to Peer Server Resources on NetWare Networks" later in this chapter.
For File and Printer Sharing on NetWare Networks, you can set up user rights remotely on the computer running Windows 98 by using NetWare utilities.
For File and Printer Sharing on Microsoft Networks, you can set up user rights remotely with User Manager for Windows NT.
You can use Net Watcher to monitor, add, and remove shared resources, as described in Chapter 23, "System and Remote Administration Tools."
When a user requests access to a shared resource under user-level security, Windows 98 checks for the user's logon name against the list of user accounts maintained on the server.*** If this is a valid user logon name, Windows 98 then checks whether this user has access privileges for this resource. ***If the user has access privileges, then the requested operation is allowed.
For an example of how pass-through validation works with peer resource sharing, see Chapter 9, "Security."
Using File and Printer Sharing for MS Networks
File and Printer Sharing for Microsoft Networks is the 32-bit, protected-mode Windows 98 SMB server (Vserver.vxd) that supports all networking products that use the SMB file-sharing protocol, including Windows for Workgroups, Windows NT, LAN Manager, Samba, IBM LAN Server, IBM OS/2 Warp Server, and DIGITAL PATHWORKS 32. Windows 98 enhances the features of Windows for Workgroups peer services by providing administrative control over whether peer sharing services are enabled, by adding user-based security capabilities, and by supporting long file names.
The following summarizes some requirements for File and Printer Sharing for Microsoft Networks:
The computer must use Client for Microsoft Networks.
File and Printer Sharing for Microsoft Networks cannot run at the same time as NCP-based File and Printer Sharing for NetWare Networks.
If user-level security is used, a Windows NT domain controller must be used for authentication.
The default settings for File and Printer Sharing are correct for most installations. You should need to change these settings only in the following circumstances:
You need to set Browse Master properties, as described in "Browsing on Microsoft Networks" earlier in this chapter.
You want LAN Manager 2.x clients on your network to use resources on a computer running File and Printer Sharing for Microsoft Networks.
Use the Network option in Control Panel to configure the Browse Master and LM Announce parameters for the file and printer sharing service. For information about configuring security in the Access Control tab of the Network dialog box, see Chapter 9, "Security."
To specify Browse Master settings
In Control Panel, double-click Network, and then examine the list of installed components to see if File and printer sharing for Microsoft Networks is installed. If not, click the File and Print Sharing button and follow the instructions on the screen.
On the Configuration tab, double-click File and printer sharing for Microsoft Networks in the list of installed components.
In the File and printer sharing for Microsoft Networks dialog box, select Browse Master in the Property list.
Select an option in the Value list, as described in Table 18.5.
Table 18.5 Browse Master settings for Microsoft networks
Option
Description
Automatic
Specifies that this computer will maintain the browse list if Windows 98 determines that it is necessary. This is the default.
Disabled
Specifies that this computer is never used to maintain the browse list. Use this setting if the computer has little free memory, if it is connected by a slow link (such as a dial-up connection), if it is frequently disconnected from the network, or if other conditions create special performance problems.
Enabled
Specifies that this computer is to be used to maintain the browse list for computers in this workgroup.
At least one computer in the workgroup must have the value of Automatic or Enabled for this parameter to ensure the browse list is available to network computers. This parameter is equivalent to the MaintainServerList= entry in the [network] section of System.ini in Windows for Workgroups 3.11.
The LM Announce property controls whether a computer running File and Printer Sharing for Microsoft Networks can be seen by LAN Manager 2.x clients.
To specify LM Announce settings
In Control Panel, double-click Network, and then double-click File and printer sharing for Microsoft Networks in the list of installed components.
In the File and printer sharing for Microsoft Networks dialog box, select LM Announce in the Property list.
Select an option in the Value list, as described in Table 18.6.
Table 18.6 LM Announce settings for Microsoft networks
Option
Description
No
Specifies that you do not want this computer to broadcast its presence to other computers by using LAN Manager broadcast announcements. Setting this value to No minimizes the level of network traffic. The Browse Master ensures that this computer appears in its browse list.
Yes
Specifies that you want this computer to announce its presence to other Microsoft networking computers in the workgroup multiple times, because there is a LAN Manager 2.x domain on the network. This value should be set to Yes if other computers in your workgroup need to see this computer when browsing the network.
This parameter is the equivalent of the LMAnnounce= entry in the [Network] section of System.ini in Windows for Workgroups 3.11. This value should be No unless there is a LAN Manager 2.x domain on your network.
A LAN Manager 2.x domain is known by browse servers in a workgroup only if at least one computer running Windows 98 (or Windows NT in the domain) is a member of that LAN Manager 2.x domain.
To make a computer running Windows 98 a member of a LAN Manager 2.x domain
- Set the workgroup name for the computer to be the same as the LAN Manager 2.x domain name.
You can share a folder (or other resource) by selecting it in Windows Explorer or in My Computer and then configuring the related options. The following procedure describes how to share a directory on a computer where user-level security has been specified in the Network option in Control Panel. The steps for sharing resources with share-level security are similar to those for user-level security except that you do not select specific users. Rather, you specify the type of access and define a password for the shared resource.
To share a directory (folder) with user-level security
In Windows Explorer, right-click the icon for the directory you want to share. In the context-sensitive menu that appears, click Sharing.
On the Sharing tab, click the Shared As button, and then type a share name for the directory.
Tip If you add a dollar sign ($) to the end of the share name, the resource will not appear in Network Neighborhood or elsewhere when people browse network resources.
Click the Add button, and use the Add Users dialog box to specify which users can access the directory.
For more information about sharing folders on a Microsoft network, see Help.
Using File and Printer Sharing for NetWare Networks
If you want to use File and Printer Sharing for NetWare Networks:
The computer must use Client for NetWare Networks, rather than Novell-supplied client software.
Only user-level security (not share-level security) is available.
The service cannot run on the same computer as SMB-based File and Printer Sharing for Microsoft Networks.
For pass-through validation when user-level security is enabled, there must be a Windows_Passthru account (with no password) on the NetWare server that is used as the security provider.
A computer configured with File and Printer Sharing for NetWare Networks uses the NCP file-sharing protocol to share resources with MS-DOS- based Novell NetWare computers, computers running Windows NT, and computers that have Client for NetWare Networks installed.
File and Printer Sharing for NetWare Networks supports long file names and is Plug and Play – aware. This implementation differs from peer resource sharing in Windows for Workgroups in two fundamental ways:
File and Printer Sharing for NetWare Networks uses the NCP protocol instead of the SMB protocol. This means that any NetWare-compatible client (Client for NetWare Networks, Novell Client for Windows 95/98, NETX, or VLM) can connect to a computer running File and Printer Sharing for NetWare Networks.
File and Printer Sharing for NetWare Networks uses user-level security. Access to a shared resource is based on the user's identity instead of on a password associated with that resource. The user database for verifying user identity is the bindery on a specified NetWare server.
This feature means that hundreds of NetWare users can, for example, access a shared CD-ROM using a single NetWare server connection. Also, trustee or other access rights can be defined per directory for a shared CD-ROM.
When File and Printer Sharing for NetWare Networks is running on a computer, how that peer server appears to users browsing the network depends on how the peer server advertises itself:
For another computer running Microsoft Client for NetWare Networks, the resources on the peer server appear exactly as any shared resources on the network. If the peer server is using Workgroup Advertising, it appears in a workgroup. A peer server using SAP (the NetWare broadcasting protocol) will not appear in a workgroup, but it will appear in the Entire Network list.
For a computer running NETX or VLM, any shared directory on a peer server that uses SAP Advertising appear the same as volumes on any server. Any shared printers appear as print queues. Most NetWare administrative commands work as expected, including RIGHTS, FILER, SYSCON, MAP, SLIST, VOLINFO, PCONSOLE, and CAPTURE. If the peer server is not using SAP Advertising, then users running NETX or VLM cannot see or connect to the peer server when browsing the network.
You cannot access resources on a peer server if you are running Novell Client for Windows 95/98.
Sharing Resources on a NetWare Network
To allow NETX and VLM clients on the network to access resources on the peer server, you must enable SAP Browsing in the properties for File and Print Sharing for NetWare Networks. The computer then appears as a server in SLIST or NLIST, and users can map drives to connect to this computer. To see a list of volumes, users can use the VOLINFO command.
Note Administrative control over File and Printer Sharing for NetWare Networks is coupled with the printer sharing control — the option controlling the user's ability to share a local printer. If these sharing options are not selected in the Network option in Control Panel, then the file and printer sharing service is not loaded. However, if the administrator disables printer sharing or file sharing by setting the related option in a system policy file, the file and printer sharing service still runs on the computer, but the related sharing options are not available.
Configuring Browsing for Resource Sharing on NetWare Networks
After you install File and Printer Sharing for NetWare Networks, you must choose the method that computers browsing on the network will use to find this computer. You can browse by using either of two options:
Workgroup Advertising, which uses the same broadcast method as used by workgroups on Microsoft networks.
SAP Advertising, which is used by Novell NetWare 2.15 and later servers to advertise their presence on the network. You must enable this option if you want the shared resources to be available to computers running NETX or VLM.
Note SAP Browsing has a theoretical limit of 7000 systems for browsing, and a practical limit of about 1500 systems. For a large peer network, use Workgroup Advertising.
For a general discussion of browsing when using NetWare-compatible clients, see "Browsing on NetWare Networks" earlier in this chapter.
To specify the browsing preference
In Control Panel, double-click Network, and then double-click File and printer sharing for NetWare Networks in the list of installed components.
In the File and printer sharing for NetWare Networks dialog box, select Workgroup Advertising in the Property list, and then choose a value from the options listed in Table 18.7.
– Or –
If you want NETX and VLM clients to be able to connect to this peer server Select SAP Advertising and set the Value box to Enabled.
Table 18.7 Workgroup Advertising settings for NetWare networks
Option
Description
Disabled
This computer will not be added to the browse list, and it cannot be seen by other members of the workgroup using any method for browsing network resources.
Enabled: May Be Master
This computer is added to the browse list and can be promoted to master browse server if the preferred master is not available.
Enabled: Preferred Master
This computer is the master browse server for the workgroup.
Enabled: Will Not Be Master
This computer is added to the browse list by the master browse server, but it cannot be promoted to master browse server.
For more information about master browse server options, see "Building the Browse List for Microsoft Networks" earlier in this chapter.
Note If Workgroup Advertising is used, each workgroup must have a master browse server at all times to track names and addresses for computers in the workgroup.
If you select SAP Advertising, you can set the options shown in Table 18.8.
Table 18.8 SAP Advertising settings for NetWare networks
Option
Description
Disabled
This computer will not advertise its presence, and NETX or VLM clients cannot see it by using SLIST or other browsing options, and cannot connect to it. Users running Client for NetWare Networks can see it if Workgroup Advertising is enabled on the peer server.
Enabled
This computer will advertise its presence. It will appear in the Entire Network list. Users running VLM, NETX, and Client for NetWare Networks can see it by using any browsing methods, and they can connect to it as they do for any server.
By default, computers running File and Printer Sharing for NetWare Networks are placed in and browsed by workgroups. To specify the workgroup and computer name for the computer, in Control Panel, double-click Network, and then click the Identification tab.
Although computers that use SAP Advertising appear in the list of NetWare servers, you cannot use them in all the same ways that you use NetWare servers.
When using NETX, you cannot log on to a computer running Windows 98 at the command line, although you can attach to one and map drives to its directories.
When using VLM, you cannot log on to a computer running Windows 98 at the command line, but you can run a login /ns command and use the Login button in the NWUSER utility.
If you run SYSCON on a NetWare server, you can change the server to one of the computers running Windows 98. However, the computer running Windows 98 does not have a bindery, so when you display all the users (or groups) in SYSCON, you will see the user list (or group list) from the NetWare server that was selected as the user-level security provider.
If you run VOLINFO on a NetWare server, you can select one of the computers running Windows 98 and display its volume information (if you are attached to it). This shows all the available shared disk resources for the computer running Windows 98.
In Windows 98, you can do the same things to resources on computers running File and Printer Sharing for NetWare Networks as you can to any other network resource.
Note Each computer configured with File and Printer Sharing for NetWare Networks logs on to the NetWare server that provides security, to get access to the bindery, using the Windows_Passthru account. This logon process takes place in the background, without user intervention.
If a connection to the server already exists, Windows 98 uses that connection and makes a new connection only when required.
Controlling Access to Peer Server Resources on NetWare Networks
You can add to the list of users who can access the resources on the peer server. To do this, add the users to the NetWare pass-through server that provides security. You can then give these users access to the peer server by adding them to the Sharing properties associated with the shared resource.
Passwords for users' resources on the peer server are the same as those for the NetWare pass-through server. Passwords must be changed at that server, as described in "Unified System Logon Overview" earlier in this chapter.
To make sure all users have the required server access
- Make sure that one NetWare server on the network has the accounts for all users or all servers, and then set that server as the security provider for every computer configured with File and Printer Sharing for NetWare Networks.
To share a directory and specify users on a NetWare network
In Windows Explorer, right-click the directory you want to share. In the context-sensitive menu, click Sharing.
In the Sharing tab of the Properties dialog box, type a share name for the directory.
Click the Add button. In the Add Users dialog box, select the user name in the list on the left, and then click the related button to specify the kind of access that user is allowed.
.gif "Cc768188.wrk0z56(en-us,TechNet.10).gif")
Notice in the illustration that the list of users shown in the Add Users dialog box is from the SHRIKE server's bindery. This means two things:
All user management is done in the name space of the existing NetWare server. The NetWare server is administered by using all the same tools that are currently in place; Windows 98 has not added another name space to administer.
Only valid user accounts and groups on SHRIKE can be specified for shared resources on the peer server.
For more information about using the Add Users dialog box, see Help. For more information about specifying directory access rights, see Chapter 9, "Security."
When the computer running Windows 98 receives a request from a user attempting to access a shared device, Windows 98 uses the NetWare server to validate the user name or group membership. If the name or group membership is validated, Windows 98 then checks to see if this validated name or group has been granted access rights to the shared resource, and then it grants or denies the connection request.
Share Names Versus NetWare Volume Names
When you share resources on a local hard disk drive using File and Printer Sharing for NetWare Networks, the share name associated with the shared directory structure becomes a volume name in the Novell designation server/volume: or the UNC designation \\server\volume.
You can use the UNC designation with net commands to connect to and disconnect from \\server\sharename shares.
Windows 98 does not make the distinction between shares and volumes because all shares and volumes appear as directories (also called folders). This distinction becomes important when you use NETX or VLM and NetWare utilities. NetWare does not use or understand the concept of share names. NetWare uses volumes for drive resources and print queue names for print resources.
Therefore, for a shared drive or printer resource to be available to all the different types of clients, when a computer configured with File and Printer Sharing for NetWare Networks shares a drive resource, the share name becomes equivalent to a NetWare volume. When this same computer shares a printer resource, the share name becomes equivalent to the NetWare print queue.
DIRECTORY SHARE NAME ----> VOLUME PRINTER SHARE NAME ------> PRINT QUEUE
Using Bindery Emulation for Pass-through Security
File and Printer Sharing for NetWare Networks grants access to printers and directories on a per-user basis, which requires the name of the server to retrieve the names of users on a network. For NetWare versions 2.15 and 3.x servers, all the information for users, groups, passwords, and rights is stored in a database on the server called the bindery. NetWare version 4.x servers can appear to have a bindery using bindery emulation, which is enabled by default. Windows 98 can use the bindery of one NetWare server.
Usually, companies have multiple NetWare servers for different departments, and individual users log on to a different server by department. Problems can occur when the list of accounts differs between NetWare servers. For example, assume that Pat and Yoshi log on to the SALES server, and Hanna is on the R&D server. Pat can select only one server for pass-through validation, so she must select the SALES server, because that is where this account is located for log on. She can grant access to Yoshi, but not to Hanna.
Troubleshooting Logon, Browsing, and Resource Sharing
This section provides some general troubleshooting steps and explains how to solve common problems that might occur with logon, browsing, and resource sharing.
Troubleshooting Logon
This section describes common problems that might occur with system and network logon.
Setup does not run the logon script.
If the network logon server or domain controller is not validating the user account, the logon script will not run. Check the following:
The network connection
The user name
The user password
The basic network functionality
The domain or server logon validation
If the network logon server or domain controller is validating the user account, do the following:
Check the network connection.
Verify that the login script is present in the home directory (on a Windows NT network) or in the user's mail directory (on a NetWare network).
Check for enough memory on the client computer.
Check for and remove unnecessary drivers and TSRs, and then try to log on again.
Logon script net use command does not work.
If your Windows NT domain is organized into a multiple master domain and a user's logon script net use command does not work, verify that you do not have two user accounts with the same user name and different passwords.
Logon fails with Novell Client for Windows 95/98.
After installing Novell Client for Windows 95/98, if you do not see a NetWare logon screen and NetWare servers do not appear in Network Neighborhood, check the following:
Make sure the frame type conforms to your particular network.
In the Novell Client Properties pages, make sure the Preferred Server and Preferred Tree settings are correct.
Make sure the GUI logon utility Loginw95.exe is located on the local drive on the client workstation, not on a network server.
Troubleshooting Browsing
This section describes common problems that might occur with network browsing. As a general troubleshooting step, before performing the steps listed in this section, verify that you have a browsing problem rather than a problem with network connectivity.
To verify that you have a browsing problem
On the Start menu, point to Find, and then click Computer.
In the Named box, type the computer name for the network server you want to browse.
Click Find Now.
If you can find the computer, you have a browsing problem. If not, you have a problem with your network connection.
As another general troubleshooting step, verify that the master browse server is functioning correctly. At the command prompt, type
net view /workgroup:workgroup_name
If your workgroup name contains spaces, enclose the workgroup name in quotation marks.
This command retrieves a browse list from the master browse server. If you can retrieve a browse list, a backup browse server might not be functioning correctly or might not have an updated browse list. (It can take up to 15 minutes to retrieve an updated browse list.)
You can also test browse master functionality with the net use command. At the command prompt, type
net use \\server\share
If you can connect but not browse, you might have a problem with your master browse server.
For more information about troubleshooting browsing, see the Microsoft Windows NT Server Resource Kit (for Windows NT Server version 4.0).
You cannot browse to find SMB-based servers in the workgroup while using Client for Microsoft Networks.
There might be no SMB-based servers in the workgroup (computers running Windows NT, LAN Manager, or File and Printer Sharing for Microsoft Networks). Windows 98 does not support browsing in a workgroup that does not contain an SMB-based server if the computer is running Client for Microsoft Networks. The following presents a solution.
To make sure there is an SMB-based server in the workgroup
On a computer running File and Printer Sharing for Microsoft Networks, make sure the service is configured as the master browser server.
– Or –
Make sure that a Windows NT server computer is a member of the workgroup (or domain).
Samba server does not accept your password.
For security reasons, Windows 98 no longer allows you to send plain text passwords. It sends only encrypted passwords. However, Samba servers require plain text passwords, so you will not be able to connect to Samba servers unless you change a registry entry to enable plain text passwords.
Caution Enabling plain text passwords will decrease your computer's security.
To enable plain-text passwords, add the registry entry EnablePlainTextPassword (as a DWORD) and set the value to 1 in the following registry location:
HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \VxD \Vnetsup
Access to an NCP-based server changes if SAP Advertising is defined.
Where you access an NCP-based peer resource server in Network Neighborhood can change, depending on whether the server is configured for Workgroup Advertising or SAP Advertising.
If the computer running File and Printer Sharing for NetWare Networks is configured for Workgroup Advertising, that peer server appears as a computer in its workgroup.
If the file and printer sharing server is configured for SAP Advertising, it appears with the other Novell NetWare servers at the beginning of the list of workgroups in the Entire Network window of Network Neighborhood.
To set SAP Advertising or Workgroup Advertising, follow the procedures in "Configuring Browsing for Resource Sharing on NetWare Networks" earlier in this chapter.
A user cannot connect to any network resource.
Verify that the user is connected to the network.
Check the network cable termination.
Verify that the correct network client is loaded.
Verify that a common NetBIOS protocol is installed. NetBIOS-compliant protocols include NetBEUI, TCP/IP, and IPX/SPX.
Check the workgroup assignment.
Check the domain or preferred server assignment for the protected-mode network client.
Check the rights for the user as defined on the domain or preferred server.
Use net view \\computer name to view shared resources.
Others cannot connect to my shared resources.
In Control Panel, double-click Network, and verify that the file and printer sharing service appears in the list of installed components.
Make sure other users are running a common protocol.
Network Neighborhood does not show servers.
Verify that at least one active server is on the local network.
Verify that the proper network clients are installed and, if necessary, reinstall them.
Verify that the user is logged on to the particular network.
Check the network protocol settings.
Check that the IPX Frame Type is set to Auto or to the same type as the server.
Check the network cable termination.
Verify that you are connected to the correct workgroup. If you do not know what the correct workgroup is, contact your network administrator.
You cannot connect to a specific server.
Check error message details, if available.
Verify that you can connect to any server.
Verify that you can connect to a specific server from other computers. If you cannot connect to the specific server from other systems, it probably indicates a problem with that server or the cabling or routing to it. Also verify termination of the local network cable.
The network redirector or server is not responding.
If the computer running Windows 98 is not responding properly as a client or server, use System Monitor to view statistics about the activity of the installed network servers and redirectors. If there is no activity, remove the client or server on the Network option in Control Panel, and then reinstall and try again.
You cannot see computers running Windows 98 on the other side of a router on a NetWare network.
This might be related to the IPX network number. An IPX client (such as a computer running Client for NetWare Networks) determines its network number by sending Routing Information Protocol (RIP) requests to the nearest IPX router. If the router is configured incorrectly, all IPX clients on that network can be adversely affected. Network numbers are assigned in the server's Autoexec.ncf file when the network adapter drivers are loaded and IPX is bound to the logical adapter.
Troubleshooting Resource Sharing
This section describes common problems that might occur with resource sharing.
Access is denied for Windows for Workgroups users trying to connect to shared resources on a computer running File and Printer Sharing for Microsoft Networks.
If the user with the Windows for Workgroups client computer is logging on to a different domain than the computer running file and printer sharing services (the peer server), then Windows 98 cannot confirm logon validation for access to shared resources. To solve this problem, do one of the following:
Upgrade the Windows for Workgroups clients to Windows 98 (recommended).
Switch to share-level security on the peer server.
Change the logon domain for the Windows for Workgroups clients.
This problem will not occur in these cases: if the client computers are running Windows 98 or Windows NT; if the peer server uses share-level security; or if the same domains are used for the client computer's logon domain and the domain specified for pass-through validation in the peer server's Access Control properties.
A user is incorrectly denied access to resources on a peer server on a Windows NT network.
If a user is denied access to resources on a computer running File and Printer Sharing for Microsoft Networks with user-level security, you should first determine which security provider is specified for the peer server. Then, see if the client can be validated by that security provider directly without going through the peer server.
If this is successful, verify that the user is on the access control list for the shared resource on the peer server.*** ***Remove that user from the list of users and then add the name back. If this is unsuccessful, reconfigure the peer server to use another security provider that you know can validate the user.
File and Printer Sharing for Microsoft Networks does not work.
If the Sharing command does not appear on the context-sensitive menu when you use the right mouse button to click a drive, folder, or printer, check the following items:
Verify that File and Printer Sharing for Microsoft Networks is installed.
Verify that File and Printer Sharing for NetWare Networks is not installed.
You need to manage SAP Advertising on computers running File and Printer Sharing for NetWare Networks.
The SAP Advertising option is disabled by default for File and Printer Sharing on NetWare Networks. If you need to enforce the configuration of the file and printer sharing service, you can set the Disable SAP Advertising policy under the Default Computer policies.
In general, you will want to enable SAP Advertising only on computers with resources, such as CD-ROM drives that you want to share with NETX and VLM clients. SAP Advertising is not required for sharing resources only among computers running Windows 98. Notice the following:
SAP Advertising is not required if you want to use Net Watcher to administer the file system on a computer running File and Printer Sharing for NetWare Networks.
Neither SAP Advertising nor File and Printer Sharing for NetWare Networks is required for remote registry administration. The only requirement is user-level security with a pass-through server specified.
Windows 98 peer servers with SAP Advertising enabled will respond to GetNearestServer broadcasts. If this causes a NETX or VLM client to attempt to log on to a peer server, Windows 98 makes sure these NETX and VLM clients connect to a real NetWare server by using a stub file named Login.exe in the \Windows\Nwsysvol\login directory. This directory is created automatically when File and Printer Sharing for NetWare Networks is installed, and it is automatically shared with read-only privileges whenever SAP Advertising is enabled on the peer server.
Additional Resources
For more information about |
See this resource |
|---|---|
Windows NT |
Microsoft Windows NT Server System Guide |
NetWare |