Steve,

Our IXA used to do a lot more, such as WINS, DNS, DHCP, file serving and a couple of other odd jobs. At the time it was the only Windows Server in the company. Our IXA is in an older 720, and is an Intel Pentium Pro 333 (if memory serves) so it is getting a bit long in the tooth. We moved most of the functions off of the IXA, and onto a newer xSeries server.

As far as the integration between the OS/400 user profiles and the AD user profiles, the method we use to manage it is still manual. After the OS/400 user profile is created, we use the CHGNWSUSRA USRPRF(profile) WNTDMNLST((YourDomainNameHere *NONE *GLOBAL)) to initiate the synchronization and create the Windows user profile. You could use a user profile as a template on which to base all of your new profiles (to assign them to user groups and such), but we don't.

From that point on the OS/400 user profile is the "master" but as far as I can tell, it is a one-way link. If the OS/400 user profile is disabled, the corresponding AD profile will be disabled. Also, when the user needs to change their password, they need to change it in OS/400; we have not found a way to have it propagate password changes from Windows up to the AS/400 yet. If the OS/400 user profile is deleted, the AD profile is also deleted, but it takes a little while for the changes to propagate across other AD servers, so the profile may remain behind for a short period of time.

If you are considering implementing this in a large organization, I would look into it further to see if there are some important elements that we missed when we originally set this up in v4r4. We are in the process of re-evaluating this methodology as I've seen a couple of possibilities in v5r2 that may allow a different setup. Ultimately, it's very simple, it does work, and it could be automated through either some CL or other scripting programming to reduce the number of manual steps.

Good luck, and I hope that helps,

Keith Blazek
MIS Coordinator

security400-bounces@xxxxxxxxxxxx wrote on 04/06/2004 11:58:49 AM:

>> <keith@xxxxxxxxx> wrote in message
>> news:OF552344ED.B291AB9E-ON85256E6E.0009BA2D-85256E6E.0009F5B0@xxxxxxxxxxxx
>>
>> "Not sure if you ever got your answer, but we do that here. We have a
>> Windows 2000 Server setup as a (backward compatible) PDC and it runs active
>> directory. When we disable an AS/400 account it is disabled network
>> wide. Works pretty well, but your windows admins won't like it."
>>
>> Keith -
>
> Does your IXS/IXA do anything other than synchronize security between AD and
> OS/400?
>
> If you delete an account on your 400, does it also delete the corresponding
> AD account?
>
> If a user changes their AD password, does it also change the OS/400
> password?
>
> Why won't the Windows admins like it?
>
> Curious,
>
> Steve
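
The one-way behaviour described in the message above (OS/400 as master, disables and deletes flowing down to AD, deleted accounts possibly lingering for a while) can be checked with a periodic comparison of the two sides. This is an added example, not part of the original post; the input shapes, finding labels and sample accounts are assumptions constructed for illustration.

```python
# Added example: reconcile OS/400 profiles (the master) against AD accounts.
# All names and data below are constructed; the export format is an assumption.

def reconcile(os400, ad, previously_enrolled):
    """Return sorted (finding, user) pairs where AD disagrees with OS/400.

    os400: {profile: "*ENABLED" | "*DISABLED"} for currently enrolled profiles
    ad: {account: True if the AD account is enabled}
    previously_enrolled: profiles that were enrolled at the last check
    """
    # OS/400 profile names are upper case; AD account names are case-insensitive.
    os400 = {name.upper(): status for name, status in os400.items()}
    ad = {name.upper(): enabled for name, enabled in ad.items()}
    earlier = {name.upper() for name in previously_enrolled}
    findings = []

    for user, status in os400.items():
        if user not in ad:
            # Enrollment was requested but no Windows account exists.
            findings.append(("MISSING_IN_AD", user))
        elif status == "*DISABLED" and ad[user]:
            # The disable on the master has not reached AD.
            findings.append(("AD_STILL_ENABLED", user))
        elif status == "*ENABLED" and not ad[user]:
            # Changed on the Windows side only; the link does not carry it up.
            findings.append(("DISABLED_ON_WINDOWS_ONLY", user))

    # Profiles deleted on OS/400 since the last check that still exist in AD.
    for user in earlier - set(os400):
        if user in ad:
            findings.append(("ORPHAN_IN_AD", user))

    return sorted(findings)


# Constructed sample data. "Administrator" was never enrolled, so it is ignored.
OS400 = {"JSMITH": "*ENABLED", "MJONES": "*DISABLED",
         "NEWHIRE": "*ENABLED", "TEMP01": "*ENABLED"}
AD = {"jsmith": True, "mjones": True, "temp01": False,
      "oldtemp": True, "Administrator": True}
LAST_RUN = {"JSMITH", "MJONES", "OLDTEMP", "TEMP01"}

if __name__ == "__main__":
    for finding, user in reconcile(OS400, AD, LAST_RUN):
        print(f"{finding:26} {user}")
```

An ORPHAN_IN_AD finding that persists across several runs is the one to follow up, since a single occurrence may only reflect the propagation delay mentioned in the message.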