Microsoft KB Archive/62938

= Common Misconceptions About OS/2 LAN Manager =

Article ID: 62938

Article Last Modified on 9/30/2003

-

APPLIES TO


 * Microsoft LAN Manager 2.0 Standard Edition
 * Microsoft LAN Manager 2.1 Standard Edition
 * Microsoft LAN Manager 2.1a
 * Microsoft LAN Manager 2.2 Standard Edition

-



This article was previously published under Q62938



SUMMARY
Below is a list of some common misconceptions about OS/2 LAN Manager versions 2.x:

 The use of &quot;/passwordreq:no&quot; in LANMAN.INI does NOT mean that a password is not required!

The &quot;/passwordreq:no&quot; entry means that the password doesn't follow the UAS models (maxpwage, minpwage, uniquepw, minpwlen, and so on). This option is used for backward compatibility with version 1.x users In OS/2 LAN Manager 1.x, these settings didn't exist; therefore, the setting of &quot;/passwordreq:no&quot; informs the UAS not to check the password for expiration date, length, or uniqueness.

An account that has been set to &quot;/passwordreq:no&quot; and has set a password requires a password.

Note: A NULL password in version 2.0 or 2.1 can potentially be dangerous as well as advantageous. If an account has a NULL password such as:

net user joe &quot;&quot; /add

-or-

net user joe /add

Joe can use ANY password to access this account. This feature is useful for the GUESTACCOUNT. See item 2 for more information on this topic. The GUESTACCOUNT is NOT equivalent to a user with GUEST privileges.

The GUESTACCOUNT is a mechanism for specifying a generic account that anyone can log into. The initial GUESTACCOUNT is set at build time as GUEST (with a password of PASSWORD). A &quot;guestaccount=GUEST&quot; entry is made in the [server] section to specify the GUESTACCOUNT. On a user-level server, anyone who is not in the NET.ACC file and uses the password of &quot;PASSWORD&quot; is logged on as GUEST. Here is how this relates to item 1:

Add a user with admin privileges and no password. Change LANMAN.INI so that GUESTACCT equals the user you just added, and start the server in user-level security.

Once this is done, anyone who isn't in your NET.ACC file and supplies any password (including no password) is now an admin on your system. This is NOT a good idea. If, however, you lower &quot;/priv:&quot; to USER, this might be a handy tool for a user-level server, inasmuch as it makes it seem like a share-level server.

There are three privileges in OS/2 LAN Manager, and every account must be set to one of them: ADMIN, USER, GUEST. If you don't specify a privilege, an account defaults to USER.

ADMIN privilege level: ADMIN can do anything it wants to. The access control lists (ACLs) do not restrict the user of an account with ADMIN privilege: the user can execute any net command and any API call.

USER privilege level: The user of an account with USER privilege is limited by ACLs and limited to certain net commands: USER cannot add users, stop a server, change other people's passwords, and so on. This type of account can only execute API calls that USER account types are allowed to (usually this varies by the level that the API call is called at, rather than the API call itself).

GUEST privilege level: the user of an account with GUEST privilege is also limited by ACLs, and limited to certain net commands. A GUEST account can execute fewer (almost none) API calls than a USER account.

To summarize this information, a GUESTACCOUNT is not necessarily a user with GUEST privileges.

Final note: Just because you change the entry in LANMAN.INI for GUESTACCOUNT, this does not mean that the account has been created. The account must be created by someone logged in with ADMIN privileges. NETLOGON is not equivalent to NET LOGON.

Simply put, NETLOGON is a service and NET LOGON is a net command for logging on the network. This can be confusing when discussing this information on the phone, or in a normal conversation. When it is written down, it is very obvious. SWAPPATH=C:\OS2\SYSTEM ### does not mean SWAPPER.DAT can grow only to ###K in size.

The number (###K) refers to the amount of free space left on the disk before it stops swapping. If this number is too high or too low, you experience a substantial decrease in system performance. At this time, the only way to determine the optimum SWAPPATH size is by trial and error.

Additional query words: prodlm 2.00 2.10 2.10a 2.20

Keywords: KB62938

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.