Please use caution with your Windows Domain account by doing the following:
This section will leave the scope of Windows 2000 and talk about passwords in general.
Every NCAR/UCAR employee probably has a half dozen passwords. This section will help you to manage all those passwords. For an MMM employee, you may have passwords for:
We are participating on the CIT Windows Domain. Your password on the Domain is separate from other passwords.
Your password can be changed from any Windows 2000/XP system that is on the CIT Domain. To change your password, you need to issue the Ctrl-Alt-Del command. Then select Change password from the menu. Your password must conform to the CIT Windows Domain password policy.
For more information on the CIT Windows Domain password and the policy, see Chapter 1.
In order to facilitate the process of changing passwords on the Unix desktop systems, a new utility mmmpasswd is now available. From any Unix desktop you can execute the command mmmpasswd.
Syntax: mmmpasswd
You will be prompted for your old password, new password, and verification of the new password. Password information will not be displayed to the screen as it is entered. The password information will then be propagated to all other desktop systems within a half hour. This information is also available in Chapter 3 of the Unix Computing Guide.
The Gatekeeper and Timecard system share the same password. The Gatekeeper system (gate.ucar.edu) is used to remotely log into UCAR. Many of you may be familiar with using ssh to connect to gate.ucar.edu. The Timecard system is used to submit your bi-weekly timecard.
To change this password, telnet to gate.ucar.edu and type the command password. Follow the on-screen instructions.
More detailed information can be found on the CSAC web pages.
If you use a POP (Post Office Protocol) email client like Eudora or Netscape Messanger to read your email, then you have yet another password called your POP account password. This password should be the same as your MMM UNIX password. If it is not, please submit an assist request. Both Eudora and Netscape Messenger have features that allows the email program to save your password so you do not need to enter it each time it checks for email.
If you use the NCAR Remote Access Server (RAS), please read the Usage Policy. Your RAS or dialup account has yet another password. To change this password, you need to send email to dialup@ucar.edu.
You will be contacted by SCD Staff and will need to tell someone what you want your password to be. For this reason, it is highly recommended that you use a RAS password that is different from all your other passwords.
To obtain a RAS account, you can access the form on the RAS web site located at http://www.scd.ucar.edu/cpg/ras/new.htm
Many of you have accounts on systems that reside in other divisions. The SCD supercomputers, the Bi-Tech system, and Meeting Maker are great examples. Contact Sudie Kelly (kellys@ucar.edu) if you want an account on the SCD computers.
For the Bi-Tech systems, refer to the following web page for contact information http://www.fin.ucar.edu/it/bitech/btbasics/btcontacts.htm
For the Meeting Maker software, you can change your password within the Meeting Maker application. Open Meeting Maker and log onto the application. Under the Edit menu, select Preferences. The screen that is displayed will allow you to reset your password. If you cannot log into Meeting Maker or have forgotten your password, you can either submit an assist request or send email to calendar@ucar.edu.
For other systems in other divisions, contact the system administrator in that division.
The MMM web server and the compute servers do not get the password file propagated to them. When you request an account your entry in the password file is copied over to the systems, but they are not maintained by the propagation scheme. In order to keep these systems consistent with your other passwords, you must log into the system and change your password using the passwd command.
On the MMM web server, there are some web pages that we only want internal staff and visitors to access. These pages are protected by yet another username and password. If you will be accessing these pages from outside the MMM network, contact a member of the Systems Management group to obtain the username and password.
It is a good idea to apply a screen saver and you can set it to be password protected. If this is set you will need to enter your password to turn off the screen saver. To set the Screen Saver and Screen Saver Password, right-click on the Desktop and select Properties. Click on the ScreenSaver tab. Select a screen saver from the pull down menu and click on the box next to Password Protected (on Windows XP, this is labeled On resume, password protect). This password will be the same as your Windows Domain password.
Windows 2000/XP offers a nice security feature that allows you to lock your screen. It is a good practice to do this when you leave your office. To lock the screen, issue the Ctrl-Alt-Del command. The upper left button is the lock screen button. It is usually highlighted, so you can just press the enter key to lock the screen.
When you wish to unlock it, you will need to issue the Ctrl-Alt-Del command and enter your password. This password will be the same as your Windows Domain password.
The information presented in this section is valid for Windows 2000/XP systems that have NTFS formatted disks, which is the default in MMM.
You can set File and Folder permissions when you want to share files with others. You can allow others to view your files, modify your files, create new files, and even delete files. You can even restrict access to your files. For more information about where to place files for sharing see Chapter 4.
Permissions can be set on folders and files. If permissions are set on folders, then by default all subfolders and files inherit those permissions. More information about inherited permissions is located below. Permissions can be given to users or groups. The groups can exist throughout UCAR, not just MMM. If you need a group created for you, please enter an assist request and include the names of the users who need to be in that group. The naming convention for groups, must begin with MMM.
The permissions that can be set include:
Full Control
Be careful granting someone full control permissions. Do this only if you do not want to own the files anymore because someone with Full Control permissions can deny permissions to you. Granted Full Control for a folder, users can delete files and subfolders within that folder regardless of the permissions protecting them. If you select this permission, the other permissions are also selected. The other permissions are listed below.Modify
If you select Modify, then Read & Execute, Read, Write, and List Folder Contents (if the permission is set on a folder) are also selected. This permission gives others the rights to read, write, create and also delete files.Read & Execute
If you select Read & Execute, then Read and List Folder Content (for folders) are also selected. Read & Execute permissions on folders will allow someone to traverse a folder. Executable files are programs that you run such as Word and Excel. For the most part, you will not own any executable files. But if you do, then you'll need to give people the Read & Execute permissions.List Folder Contents
These permissions are only valid for folders not files. These permissions allow people to see the files listed in a directory. It does not give permissions to open files, just to see what files are in the directory. To allow others to view the files, use the Read & Execute permission.Read
Read permissions will give users permission to open files and view contents within a folder.Write
If you wish to give someone Write permissions, you must also select Read permissions. Write permissions will allow others to modify files, and create new files.Special Permissions
When viewing permissions on a Windows XP system, you will also see a permission labeled Special Permissions. For the scope of this document, this feature will not be described.
It was mentioned earlier that permissions are inherited. This means that if permissions are set on folders, then by default all subfolders and files inherit those permissions. This is the default setting, and you can tell if it is in effect if the check boxes under the permissions are shaded (or greyed-out). The example below shows that Everyone has inherited permissions, because the boxes are shaded and the check marks cannot be removed by clicking on them.
If you wish to remove the inheritance and modify the permissions, view the Security properties of a folder or file and simply remove the check mark in the box labeled "Allow inheritable permissions from parent to propagate to this object" . You will be prompted to Copy or Remove the current permissions. Always select Copy.
Now you are allowed to modify the permissions.
To set permissions on a folder or file, right-click on it and select Properties. Click on the Security Tab. This displays the security properties of a folder or file. From this screen you can set or view permissions.
Removing Permissions
To remove permissions, highlight the person or group for whom you wish to restrict permissions, and remove the checkmark in the Allow column. Avoid using the Deny option. You can also select the user or group and click on the remove button.
Granting Permissions
To grant a user or group permissions, they must appear in the top half of the security properties. If they do, you can highlight the user or group and select the permissions that you wish to grant them.
To get someone listed in the top, click on the Add button. The following window will be displayed:
Make sure that in the Look In field cit.ucar.edu is listed. If it is not, select it from the pull-down menu.
This will bring up a very long list of users, groups, computers and more that reside in the domain. The easiest way to sort the long list is to click on the In Folder heading. Then you can scroll down to the cit.ucar.edu\Divisions\MMM\users or cit.ucar.edu\Divisions\MMM\groups to locate the users or group that you want to grant permissions. Keep in mind that you can grant permissions to others not in MMM. Once you locate who you want to grant permissions, highlight that user and click on Add.
Instead of selecting the users or groups, you can also type in names of the people or groups in the bottom and select Check Names to verify that you have entered them correctly.
When you are finished selecting the users or groups, click on OK. This will put you back in the Security Tab window. From here, highlight each user or group and select the permissions that you want to grant to them.
To select permissions, click on the check boxes under the Allow column.
Warning: Avoid using the Deny option. If you do not want someone to
access a file, simply remove their permissions.
Copyright © UCAR 2002 - Disclaimer - mmminfo@ucar.edu
Last Modified: 23-Jan-2003