Manuales ECS Version 7

Reference Manual

ECS Document Map

FLS Automation A/S Hffdingsvej 34 DK-2500 Valby

Copenhagen Denmark

+45 36 18 27 00 Fax: +45 36 18 27 99

Printing History: Version SdrV7 $Revision:: 5 $Last modified $Modtime:: 12/05/01 3:29p $Author gfLast modified by $Author:: Ngb $Name of Word File $Workfile:: SDRDocumentMap30_English.doc $Index Range 0-1000

Disclaimer: Information in this document is subject to change without notice and does not represent a commitment on the part of FLS Automation A/S. The present documentation from FLS Automation A/S is subject to the content of the ordered, confirmed and supplied system configuration. Options specified and described in the FLS Automation A/S documentation as part of the general description but initially neither ordered by the customer nor confirmed by the seller - will not commit the supplier to any further and future supply and/or installation. FLS Automation A/S assumes no responsibility for any errors that may appear in this document. Copyright FLS Automation A/S. All rights reserved.

Reference Manual ECS Document Map ECS Document Map i

Contents

ECS Document Map................................................................................... 1 Introduction ................................................................................................................................... 1

ECS System Installation & Setup.......................................................................................... 1 Control System Configuration............................................................................................... 1 Operator Interface.................................................................................................................. 2

ECS System Installation & Setup................................................................................................. 2 Control System Configuration...................................................................................................... 4 Operator Interface ......................................................................................................................... 5

Index............................................................................................................ 7

Reference Manual ECS Document Map ECS Document Map 1

ECS Document Map

Introduction The ECS Document Map provides an overview of the manuals available to the ECS NTech user and a description of each. The document is used to identify the manuals required to install, configure and operate the system.

The ECS documentation is divided into three volumes: ECS System Installation & Setup, Control System Configuration, and Operator Interface. These volumes have been organized into two separate manuals: the SDR Reference Manual grouping the volumes: ECS System Installation & Setup and Control System Configuration, and the ECS User Manual holding the Operator Interface volume.

The information in each volume is presented in a format that is compatible with OnLine Help and paper copy. In most cases, the OnLine Help and paper copy present the same information. The major difference between the two formats is that OnLine Help minimizes the use of screen captures since the screens are normally available at the time OnLine Help is used.

ECS System Installation & Setup The manuals included in the SDR System Installation & Setup volume are used for the installation of the Microsoft Windows 2000 operating system and the FLSA ECS system. The system configuration assignments that are typically done only at installation time are also described in this section.

These manuals are intended for engineers who are experienced with the Microsoft Windows 2000 operating system, the ECS NTech system and the process application. Personnel responsible for workstation installation, system parameter modifications, and user account maintenance would refer to this volume set.

Control System Configuration The Control System Configuration volume defines the procedures used to configure the process system. This includes point database creation, point algorithm assignments, report configuration, graphic generation, etc.

These manuals are intended for system engineers responsible for the interface to the process application.

2 ECS Document Map Reference Manual ECS Document Map

Operator Interface The Operator Interface volume set describes the procedures used to access and manipulate the ECS displays. These manuals are used by anyone responsible for monitoring and controlling the plant operation.

ECS System Installation & Setup This volume set is used to prepare and configure a personal computer to be used in an FLSA process application. The manuals provide an introduction to the system, and a step by step description of the installation and setup procedure. During the installation and setup process, the manuals are used in the following sequence.

1. Before starting the installation and setup process, review the SDR Concepts manual for an introduction to the ECS system. The manual describes the point database, point-treatment, alarm handling, data archiving, and the report system. The manual also defines the terminology used in subsequent manuals.

2. The Installation & setup process assumes that the user is starting with a personal computer and no operating system. The process begins with the installation of the Microsoft Windows 2000 operating system described in the Windows 2000 Installation manual. The manual describes the installation procedure and addresses the specifics that apply to the ECS system.

3. The Windows 2000 operating system is now installed and the Windows 2000 security can be changed according to desired needs. This is described in the ECS Windows 2000 Security manual.

4. After Windows 2000 is installed on the PC, the FLSA ECS system CD-ROM is installed using the procedure described in the ECS W2K Installation manual.

5. After the installation of Windows 2000 and ECS systems, the user must log into the ECS system as described in the Starting the SDR System manual. The manual also describes the maintenance and run modes, startup and shutdown procedures, and login and logout procedures.

6. At this point in the installation and setup process, the SDR licenses installed during the ECS installation can be modified, if desired. The procedure is described in the SDR Maintenance manual. The manual also describes, SDR subsystem synchronization, and database backup / restore procedures.

7. While in the maintenance mode, Server partners (for dual systems only), Client/Server relationships, and subsystem assignments are made. These assignments are described in the SDR Partner Configuration manual.

8. While in the maintenance mode, other system parameters such as system and factory names, the database backup period, the number of database points, and the languages used for ECS displays are assigned.


These parameters are described in the Point System Configuration manual.

9. The system parameter assignments are now complete. The system is booted to the ECS Run Mode as described in the Starting the SDR System manual.

10. The control system can now be configured using the procedures described in the Control System Configuration volume set.

4 ECS Document Map Reference Manual ECS Document Map

Control System Configuration This volume set includes the manuals used to configure the ECS control system. The control system configuration parameters can be assigned or modified in any order. Therefore, the following manuals can be referenced as needed.

The SDR User Access Control Configuration manual describes how to grant access rights to new and existing users for the ECS system. System administrators can control access to the point, I/O, log, event, etc systems for an individual user or a group of users.

The Point System Configuration manual describes the configuration parameters associated with the point system. The point system is configured by assigning the following:

number of points and point treatment period

shift definitions and report hour assignment

control actions to be logged and contol action definitions

point state definitions

alarm reset scope

engineering units for the local and default language

department names

The procedures used to create, modify, copy and delete database points are described in the SDR Point Configuration manual. The manual also provides a description of the point configuration parameters, event algorithms, and report algorithms. The conversion algorithms that are assigned to A-points are identified and described in the A-Point Algorithms manual. The conversion algorithms assigned to B-points are created, modified, or reviewed using the editor described in the B-Point Algorithms Editor manual. The Point System Configuration manual describes the configuration parameters associated with the alarm system. These parameters include:

general alarm parameters such as alarm silence scope, alarm reset scope, alarm philosophy, etc.

department horn assignments

alarm log/department allocation

alarm entry in alarm list color

alarm entry in alarm header color

alarm header department button colors

The SDR Report Configuration describes the procedures used to configure plant reports and create and schedule report collections.

The ECS OpStation Editor manual describes the OpStation Editor details specific to FLSA. The standard functions are described in the SL-GMSDraw Users Guide (SL Corporation Part Number: DRAW-300519) which comes as a .PDF file located on the ECS Ntech Cdrom.

I/O Interface Manuals are specific to the DCS or PLC system used with the ECS system. Each manual describes the required configuration assignments to interface the I/O system with the SDR system.

After the control system is configured, the user can access the SDR applications and utilities to monitor and control the plant operation. The applications are described in the manuals contained in the Operator Interface volume set.


Operator Interface This volume set includes the manuals that describe the applications, utilities and displays used to monitor and control the process application.

The first time user may want to review the information presented in the SDR User Interface manual. This document provides an introduction to the ECS workstation and describes the workstation environment and the details associated with display windows and mouse operation. The manual includes the procedures to log into the SDR system and start and stop applications. The manual also provides a description of the operations and functions common to all SDR application windows and dialog boxes.

After logging into the SDR system, the operator may wish to see what languages are available. One of two languages (local or default) can be selected. The selected language is then used to present information in the display windows and dialog boxes. The language selection is described in the SDR Language Selection manual. The SDR Point List manual describes the procedure used to access and interface with the Point List display.

The SDR Point Parameters manual describes the procedure used to access and interface with the Point Parameters and Statistics display.

The SDR Alarm Header manual describes the details associated with alarm notification and response. The alarm header toolbar commands and department buttons are also described.

The Alarm List manual describes the procedure used to access and interface with the Alarm List display.

The SDR Trend manual describes the procedure used to access the Trend display and review and analyze historical data.

The SDR Plant Reports manual describes the procedure used to generate plant reports and report collections.

The ECS OpStation manual describes the procedures used to access process graphics and navigate the display hierarchy. The manual also describes the details associated with graphic elements (sliders, thermometers, faceplates, etc.). The manual includes a description of the display hierarchy and how the displays are accessed.

The ECS Opstation manual provides a description of the device group display and the procedures used to start and stop plant equipment using the display and the alarm header Start, Stop, Qstop, and Mstop commands.

The ECS Note Pad manual describes the functionallity of ECS Note Pad display.

6 Glossary of Terms Reference Manual ECS Document Map

Glossary of Terms

Reference Manual ECS Document Map Index 7

Index

A alarm header............................................................ 45 alarm list ................................................................. 4, 5 alarm philosophy ........................................................ 4 alarm reset scope ........................................................ 4 alarm silence scope..................................................... 4 A-Point Algorithms .................................................... 4

B B-Point Algorithms .................................................... 4

C Control System Configuration ...........1, 34, 34, 34

D default ..................................................................... 4, 5 department button colors ............................................ 4 department names ....................................................... 4

E ECS Note Pad ............................................................. 5 engineering units......................................................... 4

I I/O 4 I/O Interface Manuals................................................. 4 Installation & Setup........................................ 12, 1, 2

L language selection....................................................... 5 local 4, 5

M Mstop .......................................................................... 5

O Operator Interface .......... 12, 12, 12, 45, 45, 45 OpStation Editor .........................................................4

P Partner Configuration .................................................2 Plant Reports...................................................45, 4, 5 Point Configuration.....................................................4 point state definitions..................................................4 Point System Configuration........................................4

Q Qstop ...........................................................................5

S SDR Alarm Header.....................................................5 SDR Concepts.............................................................2 SDR Language Selection............................................5 SDR Partner Configuration ........................................2 SDR Point List ............................................................5 SDR Point Parameters ................................................5 SDR Reference Manual ..............................................1 SDR Report Configuration .........................................4 SDR System Configuration ........................................3 SDR System Installation & Setup ..............................1 Security .......................................................................2 shift definitions ...........................................................4 SL-GMSDraw Users Guide ......................................4 Start 5 Starting..................................................................23 Stop 5

T Trend Display..............................................................5

W W2K ............................................................................2 Windows 2000 Installation.........................................2

Reference Manual

ECS/SDR Concepts


Copenhagen Denmark

+45 36 18 27 00 Fax: +45 36 18 27 99

Printing History: Version SdrV7 $Revision:: 3 $Last modified $Modtime:: 7/11/01 9:36a $Author gfLast modified by $Author:: Ngb $Name of Word File $Workfile:: SDRConcepts30_English.doc $Index Range 0-1000


Reference Manual for SDR Concepts Contents i

Contents

ECS/SDR Concepts ................................................................................... 3 System Overview .......................................................................................................................... 3

Runtime Environment............................................................................................................ 3 PLC Interface......................................................................................................................... 3

Hierarchy Objects ......................................................................................................................... 4 Departments ........................................................................................................................... 4 Groups.................................................................................................................................... 4 Routes .................................................................................................................................... 4 Master points.......................................................................................................................... 4

Point Processing............................................................................................................................ 5 Database Point ....................................................................................................................... 5 Point Configuration Parameters ............................................................................................ 5 Point Algorithms.................................................................................................................... 5 Point Types ............................................................................................................................ 5 Point Values........................................................................................................................... 6 Point Status ............................................................................................................................ 6

A Point Status ..................................................................................................... 6 B Point Status...................................................................................................... 6

Point Processing Sequence.................................................................................................... 6 Alarm and Report Suppression.............................................................................................. 8

Point Alarm Suppression................................................................................... 8 Report Suppression ............................................................................................ 8 Hierarchical Alarm Suppression....................................................................... 8

Alarm System................................................................................................................................ 9 Alarm Types .......................................................................................................................... 9 Process Alarm Handling........................................................................................................ 9 System Alarm Handling ........................................................................................................ 9 Event Algorithm .................................................................................................................... 9 Alarm Notification................................................................................................................. 9 Alarm Response................................................................................................................... 11 Alarm Philosophy ................................................................................................................ 11 Alarm Priorities ................................................................................................................... 11

Event System............................................................................................................................... 11 Control Action ..................................................................................................................... 11

Data Log System......................................................................................................................... 12 Trend Value Logs ................................................................................................................ 12 Statistical Logs..................................................................................................................... 12 Log Data Access .................................................................................................................. 12

Glossary of Terms ................................................................................... 13

Index.......................................................................................................... 15

Reference Manual for SDR Concepts ECS/SDR Concepts 3

ECS/SDR Concepts

System Overview The ECS/SDR system is a software environment developed to support monitoring and control of industrial plants. It realises a set of basic facilities like data processing, alarm and event management, as well as data logging and report generation that are required to complement the services provided by a typical PLC control level. In that way the ECS/SDR system will act as a kind of interface between the PLC control level and the MMI (Man Machine Interface). Further, the ECS/SDR system will support the operation of some of the specialised control packages belonging to the ECS (Expert Control and Supervision) and QCX (Quality control by Computer and X-ray) product families.

Runtime Environment The ECS/SDR system is designed for running on a personal computer under the Microsoft Windows 2000 operating system. This computer can be part of a network environment where each node is assigned the role of Server computer (previously termed MOP computer) or Client computer (previously termed DOP computer). Here, a Server can establish and maintain communication with the PLC control level while a Client needs an associated Server through which it can receive data and excert its control actions. A special facility will enable a computer to be configured both as a Server and a Client whereby it can serve several purposes at the same time.

Normally, a network only requires one Server, however two may be used in a redundant configuration. In redundant applications, both Servers maintain communication with the PLC control level. When changes are made to common data administrated by one of the Servers, the database in the redundant Server is automatically updated.

PLC Interface The PLC interface enables the ECS/SDR system to interact with the plant. This is done by communicating data to and from the PLC's. The ECS/SDR system facilitates communication with the most common PLC families.

4 ECS/SDR Concepts Reference Manual for SDR Concepts

Hierarchy Objects The hierarchy objects in the system are Departments, Groups, Routes, Master points and Points. These are detailed below.

Departments Departments are plant divisions usually defined by operational boundaries. For example, in a cement plant, the kiln would be one department and clinker handling would be another. A single PLC can control several departments, but in typical applications, one PLC controls one department. Points do not belong directly to a department, they belong to a group. A PLC horn point can be associated with a department. Points are indirectly, through groups, members of departments.

Groups A department is further divided into groups. Groups are used to increase department granularity. Points are members of one and only one group. A group consists of equipment that controls a specific function within a department. A group can include motors and gates and different types of each. Devices that interact during the process operation and have common interlocks are often assigned to the same group. A B-point can be associated with a group. This point is called the "Group Point". The Group Point can be used to suppress the alarms of group member points, if the Group Point is in a "suppressing" state, eg stopped. The point value for the Group Point are normally read from the PLC, and reflects the state of the group. It is normally the operator who controls the Group Point. The Group Point must be a member of the group it controls.

Routes A route is a transport path. The route hierarchyobject is expedient because often there are multiple routes to deliver a material. Most often only one of these routes is used at a time. A group can have zero or more routes. A point can be a member of zero or more of these routes. Similar to groups, a B-point can be associated with a route. This point is called the "Route Point". The Route Point can be used to suppress the alarms of route member points, if the Route Point is in a "suppressing" state, eg stopped. The Route Point must be a member of the route it controls. The point value for the Route Point are normally read from the PLC, and reflects the state of the route. It is normally the operator who controls the Route Point.

Master points A Master Point is a parent point to one or more child points. A child point cannot be a Master Point. Master Points also provide increased point granularity. The Master Point can be used to suppress the alarms of master member points, if the Master Point is in a "suppressing" state, eg stopped.


Point Processing

Database Point A point is a record within the ECS/SDR database that represents an analog measurement point (A-point), digital measurement point (B-point), and internally calculated A-point or B-point. A point is identified by a unique pointcode also referred to as a point name or tag name.

Point Configuration Parameters The database point record includes information that enables the ECS/SDR system to locate the point, evaluate alarm conditions, log data, and post the current value and status on process graphics and other displays. The database record also includes processing details for value conversions and calculations. This information is referred to as the point configuration parameters.

Point Algorithms Point algorithms are used to convert raw input values (Conversion Algorithms), process point alarms (Event Algorithms), and perform statistical calculations (Report Algorithms). The user selects the algorithms to perform the desired functions when the database point is created.

When a point is processed, the values from the associated device or the value of another point is applied to the algorithm along with the point configuration parameters. The algorithm that is used depends on the point type (A or B) and the desired result.

Point Types A-points are used to interface with analog input and output devices, perform calculations, or connect to an analog controller located in a PLC. B-points are used to interface with digital input and output devices connected to the PLC.

Points can also be configured to accept a value from the operator. These points are called operator-inserted points. The algorithm in this case obtains the input value from the operator instead of the PLC or another point.


Point Values A point value is the result of the A or B-point conversion algorithm. After points are processed, their values are maintained in the memory resident database and posted in display lists, process graphics, and saved to disk for data archiving purposes. The result of an A-point algorithm is presented as a numeric value to represent temperatures, pressures, setpoints, etc.

B-point values are represented as a text string (Run, Stop, Open, etc.). These values are derived from a 16 bit Machine Status Word (MSW) received from the PLC and applied to the B-point conversion algorithm.

Point Status Point status defines the condition of a point value when it is processed. The status is determined by the point value, point configuration parameters, parent point status, and various suppression conditions.

A Point Status Normal Point value is within defined limits Alarm High Point value has reached or exceeded the assigned Alarm High limit

Alarm Low Point value has reached or exceeded the assigned Alarm Low limit PalmSu Point alarms are suppressed by parent point OalmSu Point alarms are suppressed by operator PrepSu Point report algorithm is suppressed by parent point HAlmSu Hierarchical alarm suppressed. The point is alarm suppressed by a Group Point, Route Point, and/or Master Point

B Point Status Normal Current MSW value has been defined as a normal condition. Alarm Current MSW value has been defined as an alarm condition. Error MSW value not defined Local MSW local bit is set PalmSu Point alarms are suppressed by parent point OalmSu Point alarms are suppressed by operator PrepSu Point report algorithm is suppressed by parent point HAlmSu Hierarchical alarm suppressed. The point is alarm suppressed by a Group Point, Route Point, and/or Master Point

Point Processing Sequence 1. Database point values are obtained from the PLCs or internal variables on a

periodic basis. The frequency is determined by system configuration parameters.


2. The value obtained from the PLC is then applied to the conversion algorithm assigned to the point.

3. The value of the point and the current parameter assignments are reviewed to determine the point status.

4. If the point is in an alarm state, the scan sequence must then determine if alarms for this point are suppressed.

5. If alarms are not suppressed, the points event algorithm is executed. Otherwise, the alarm state is ignored.

6. If a report algorithm is assigned and reports are not suppressed, the report algorithm is executed to obtain statistical information.


Alarm and Report Suppression During system operation, a specific process condition may cause nuisance alarms or cause invalid data to be calculated and logged. For example, a motor stop condition may cause another point to report an alarm condition. During normal operation, alarms must be processed for this point. For this motor stop condition however the alarms are expected and notification is not necessary. In addition, the motor stop condition may also cause invalid data to be used in the points report algorithm. In this case, it would be desirable to disable the points event and report algorithms. There are two types of alarm suppression techniques, (1) Point Alarm and Report suppression and (2) Hierarchical Alarm suppression. Both are point based.

The ECS system enables Point Alarm and Report suppression for individual points by assigning a parent point. Whenever the parent point status is not normal, alarms or reports for the child point are disabled. A parent point can be specified for alarm suppression and/or report suppression.

Reports and alarms for individual points can also be permanently suppressed.

Point Alarm Suppression During processing, if a parent point is specified for alarm suppression, alarms for the child point are not processed if any of the following are true:

The status of the parent point is not Normal

The parent point is point alarm suppressed (PAlmSu)

The parent point is operator alarm suppressed (OAlmSu)

Report Suppression During processing, if a parent point is specified for report suppression, The report algorithm is not executed for the child point if any of the following are true:

The status of the parent point is not Normal

The parent point report algorithm is suppressed (PRepSu)

Hierarchical Alarm Suppression Hierarchical Alarm Suppression is associated with Group, Route and Master point objects as mentioned earlier. A group and route can be assigned a B-point, the so-called Group Point and Route Point respectively. These points can then be used to suppress alarms from a group or route if the value of the group or route is "alarm suppressing", as defined by the B-point algorithm used by the Group or Route point. Group or route member points are thus alarm suppressed if their parent point is "alarm suppressing". The degree of hierarchical alarm suppression is configurable. For each of the object types (groups, routes and master points) you can choose three hierarchical suppression modes: 0 - no logging and no annunciation, 1 logging and no annunciation, and 2 logging and annunciation. For example is (0) is chosen then a point which goes into an alarm state, but which is hierarchical suppressed, then this will not be logged and not annunciated. If (1) is chosen it will be logged, but not annunctiated, and if (2) is chosen it will we logged and annunciated (another words hierarchical suppression is turned off).


Alarm System The ECS/SDR system encompasses an enhanced alarm system which decouples point state, event logging and alarm annunciation. The decoupling is configurable. A point value is the foundation to determine the point state. If the state is an alarm state this can lead to annunciation and event logging. Alarm annunciation consists of the Alarm Header, workstation acoustics, mimic color/blink, PLC horn, and standing alarm list. Eventing consists of logging the alarm/event in the event data base, viewing alarms/events in the alarm list, output on the alarm printer, and third party notification. Many aspects of annunciation and eventing are configurable. The ECS/SDR alarm system handles process and system alarms. When an alarm occurs, the date and time of the alarm is logged and the operator is notified of the condition.

Alarm Types Process alarms are generated when A-points exceed assigned limits or B-points report a value that has been defined as an alarm state. Alarm can be suppressed using a number of techniques as mentioned above.

System alarms are reported when problems such as communication errors, disk full, file not found, etc. occur within the ECS/SDR system.

Process Alarm Handling 1. If a point value has changed since the last poll, the current value is

compared to the defined alarm state or alarm limits. If an alarm condition exists, alarm suppression is verified.

2. If the point is alarm suppressed, alarm annunciation and event logging can end depending on how this is configured.

3. The alarm system records the occurrence into the alarm log. The log entry includes the point tag, the point text, the type of alarm, the value exceeded, and the time of the alarm (alarm on time).

4. When the point returns to a normal state, or another alarm state is entered, the alarm off time is written to the alarm entry.

System Alarm Handling 1. If a system type alarm condition exists, the alarm system records the

occurrence into the alarm log. The log entry includes the type of alarm and the time of the alarm.

2. The operator is notified of the system alarm.

Event Algorithm An Event algorithm is assigned to a point when it is created. The algorithm assigned determines if the alarm/event condition is logged and/or annunciated. For B-points the associated B-point algorithm also determines what B-point value changes are annunciated and whether or not these changes are information, warning or error events.

Alarm Notification When an alarm is reported, the operator is notified if alarms are enabled and an Event algorithm is assigned to the point. Several alarm annunciation techniques


are available. The system can be configured to audibly notify the user with display beeps and/or PLC horns. Different horns can be associated with each alarm priority in each department.

Visual indications can also be utilized. Different colors and flashing colors can be used to annunciate alarms and indicate the alarm in graphic displays, department buttons, and alarm lists.

The notification method used by the system can be configured by the user.


Alarm Response The operator responds to the alarm condition using the workstation Alarm Silence and Alarm Reset commands. The effect these commands have on display elements and audible alarms can be defined by the user to meet the specific needs of the process application.

Alarm Philosophy The alarm philosophy defines the details associated with alarm notification and response. This determines colors used to indicate alarms and the effect the Alarm Silence and Reset commands have on:

PLC Horns

Display Colors

PLC Messages

The scope of the effect can also be configured. These commands can affect the entire process (global) or individual departments (local).

Alarm Priorities Each point in the alarm system is assigned an alarm priority (1 5), where 1 is the highest priority and 5 is the lowest. The priority assignment is used to filter alarms in alarm list displays.

Event System A system event is generated when a user performs a control action. When a system event is reported, the occurrence is logged into the event log. The log can be reviewed from the ECS alarm list display. An event log report can also be generated on demand or scheduled on a periodic basis.

Control Action A control action is an action initiated by a user such as changing point parameters, resetting an alarm, or starting and stopping plant equipment. The actions to be logged are defined by the user during system configuration.


Data Log System The ECS/SDR Data Log system periodically saves point values and statistical information to historical data files. The historical data files are organized into two groups Trend Value Logs and Statistical Logs. The log files are accessed by other ECS/SDR utilities to generate point value trend displays, and plant, shift, and production reports.

Trend Value Logs The Trend Value Logs contain A-point values for a time period configured by the user. A log entry consist of the point name, the point value, and the date and time of the entry.

Statistical Logs The Statistical Logs include a Hourly Log, a Shift Log, and a Daily Log. These logs are used to save statistical data for each A and B-point at the end of the respective interval. A log entry consists of the point name, the date and time of the entry, and the following information for the specified point type:

A & B-Points

Alarm Count The number of alarms reported by the point for the hour, shift, or day.

Alarm Time The amount of time the point was in alarm for the hour, shift, or day.

Error Count The number of errors reported by the point for the hour, shift, or day.

A-Points only

Maximum Value The maximum value recorded for the hour, shift, or day. Minimum Value The minimum value recorded for the hour, shift, or day. Average Value The average of all point values recorded for the hour, shift, or day.

Calc. by Report Alg. The result of the report algorithm. Samples the number of samples for the hour, shift, or day.

B-Points only

Operating Hours The accumulated amount of time the point has been "ON" for the hour, shift, or day.

Log Data Access The ECS/SDR log data can be reviewed and analyzed from the ECS/SDR trend displays or by generating plant reports.

Reference Manual for SDR Concepts Glossary of Terms 13

Glossary of Terms

Client Client computer. A Microsoft Windows 2000 computer configured as an ECS/SDR client.

ECS Expert Control and Supervision. A suite of software packages providing advanced MMI and other process control facilities.

Server Server computer. A Microsoft Windows 2000 computer configured as an ECS/SDR server. A Server maintains the ECS point database and the link to the PLC control level.

Server partners Server pair configured for redundancy.

MSW Machine Status Word. 16-Bit word transferred between the ECS/SDR system and PLC to process digital values.

operator-inserted point A point whose value is supplied by an operator.

parent point A point used for alarm and report suppression of another point.

PLC Programmable Logic Controller. A computer developed particularly to interface and control industrial plants. Makes up a key item in the interface between the ECS/SDR system and the plant instrumentation.

ECS/SDR Expert Control System/System Development and Runtime. A software package providing a set of basic facilities for control of industrial plants like, for example data processing, alarm and event management, data logging and report generation. No process MMI has been included.

14 Glossary of Terms Reference Manual for SDR Concepts

Reference Manual for SDR Concepts Index 15

Index

A Accumulated Value, 11 Alarm Annunciation, 9 Alarm Count, 11 alarm on time, 9 alarm philosophy, 10 alarm priority, 910 Alarm Priority, 10 Alarm Processing, 9 Alarm Suppression, 89 Alarm System, 910 Alarm Time, 11 Alarm Types, 9 Average Value, 11

B B-points, 5, 9, 11

C child point, 8 Control Action, 10 Conversion Algorithms, 5

D Daily Log, 11 Data Log System, 11 Departments, 10 DOP, 3

E ECS Database Point, 5 ECS Workstation, 3 Error Count, 11 Event Algorithm, 6, 9 Event Algorithms, 5 event log report, 10

H Hourly Log, 11

L Log Data Access, 11

M Machine Status Word, 6 Maximum Value, 11 Minimum Value, 11 MOP, 3 MSW, 6

O OalmSu, 6, 8

P PalmSu, 6, 8 Point Algorithms, 5 Point Configuration Parameters, 56 point name, 5 Point Processing, 56 Point Status, 6, 8 Point Types, 5 Point Values, 6, 11 pointcode, 5, 11 PrepSu, 6, 8 Process alarm, 9

R Report Algorithms, 5, 8 Report Suppression, 8

S SDR, 34, 5, 9 SDR/PLC Interface, 4 Shift Log, 11 Spot Value Log, 11 statistical data, 11 Statistical Logs, 11 Status, 56, 8 System alarm, 9 System Overview, 3

T tag name, 5

Reference Manual

Windows 2000 Installation


Copenhagen Denmark

+45 36 18 27 00 Fax: +45 36 18 27 99

Printing History: Version SdrV7 $Revision:: 6 $Last modified $Modtime:: 19-07-01 13:04 $Author MBHLast modified by $Author:: Mbh $Name of Word File $Workfile:: W2KInstallation30_English.doc $Index Range 0-1000


Reference Manual Windows 2000 Installation Contents i

Contents

Windows 2000 Installation........................................................................ 1 Introduction ................................................................................................................................... 1 Preparation .................................................................................................................................... 1

Hardware................................................................................................................................ 1 Software Media...................................................................................................................... 2 Configuration Information..................................................................................................... 2

Windows 2000 Installation Procedure.......................................................................................... 3 How to create a Windows 2000 Domain...................................................................................... 3

Introduction............................................................................................................................ 3 Creating a Domain................................................................................................................. 3

Making a computer member of a Domain.................................................................................... 3 Adding an additional Domain Controller ..................................................................................... 3

Introduction............................................................................................................................ 3 Adding a Domain Controller................................................................................................. 3

Service Pack Installation............................................................................................................... 3 Printer Installation......................................................................................................................... 3

Installing a Local Printer ....................................................................................................... 3 Installing a Network Printer .................................................................................................. 3

Glossary of Terms ..................................................................................... 3

Index............................................................................................................ 3

Reference Manual Windows 2000 Installation Windows 2000 Installation 1

Windows 2000 Installation

Introduction The procedures used to install the Microsoft Windows 2000 operating system on a personal computer are described in the following sections:

Preparation

Windows 2000 Installation Procedure

How to create a Windows 2000 Domain

Adding an additional Domain Controller

Service Pack Installation

Printer Installation

Preparation

Hardware Verify the following before starting the Windows 2000 installation.

1. The personal computer is in the Microsoft Windows 2000 HW Compatibility List

2. The computer includes:

- A minimum of 128/256 Mbytes of RAM (Professional/Server)

- A minimum of 4/8 Bytes of system disk space (Professional/Server)

- A bootable CDROM drive

- A floppy drive

3. The computer is properly connected to the network (10/100 Mbit twisted pair).

2 Windows 2000 Installation Reference Manual Windows 2000 Installation

Software Media Locate the following before starting the Windows 2000 installation.

For Windows 2000 Professional installation: 1. The following compact disks:

- Microsoft Windows 2000 professional

- Microsoft Windows 2000 Service Pack

Refer to the ECS SW product for the required level of Windows 2000 Service Pack

For Windows 2000 Server installation: 2. The following compact disks:

- Microsoft Windows 2000 Server

- Microsoft Windows 2000 Service Pack

Refer to the ECS SW product for the required level of Windows 2000 Service Pack

Configuration Information Obtain the following information from your network administrator:

Computer name

Workgroup or Domain name

TCP/IP address

TCP/IP subnet mask

In order to browse network resources the following information is also required:

TCP/IP address for DNS server


Windows 2000 Installation Procedure The following describes the Microsoft Windows 2000 installation procedure used by FLS Automation.

The installation procedure depends on the recommendation suggested by FLS Automation for your specific site.

During the installation procedure, the user is prompted for specific information. Enter the default response unless instructed to do otherwise in the following steps.

1. Insert the Windows 2000 CD and reboot the system. (Make sure the BIOS of the computer are set to boot from the CD-rom.)

2. If your computer is equipped with a special hard disk controller e.g. a special SCSI or RAID controller, press the key when the Windows 2000 Setup screen appears. You will be prompted for a support disk from the hardware supplier. Refer to the documentation for the computer.

3. When the Welcome to Setup screen appears, press the key. (To setup Windows 2000 now, press Enter.)

4. To accept the licensing terms, press the key.

5. Delete any old partitions and create a new one of a least 4 GB for a Windows 2000 professional and 8 GB for Windows 2000 Server.

6. Select Format the partition using the NTFS file system.

The file system must be formatted using NTFS to take advantage of all NT security features.

7. Enter the following directory for the installation.

\\WINNT

8. After the partition is formatted and the setup has copied files to the hard disk, the computer restarts by itself.

9. At the Regional Settings prompt, select Customize for the keyboard layout. Select Add and choose your current Input locale: e.g. French. Click Set as default for your new Keyboard layout.

10. Enter a friendly name of the administrator and a friendly company or plant name.

Name: For example: Administrator

Organization: For example: FLS Automation

11. For Windows 2000 Server Setup only.

Set licensing Mode to: Per Server. Number of concurrent connections:

Enter the number of connections that your license allows.

12. Enter Your Product Key.

The Product Key is included in the Windows 2000 kit, either on the CD cover or a label on the computer.

13. Enter the computer name, e.g. ECS755SVR1

14. Enter the Administrator account password

15. For Windows 2000 Server Set-up only.

Windows 2000 Components choose default and Next.

16. Adjust Date & Time and Time Zone.


The Time Zone must be the same on all computers, and there must be a checkmark in Automatically adjust clock for daylight saving changes.

17. Networking Settings choose Custom Settings.

18. In Networking Components the following components must be installed and there must be a checkmark with each component:

Client for Microsoft Networks

File and Printer Sharing for Microsoft Networks

Internet Protocol (TCP/IP)

19. Mark Internet Protocol (TCP/IP) and click Properties

Click Use the following IP address: and enter an appropriate IP address, Subnet mask and Default gateway. If there is a DNS server on your network enter the IP address in Preferred DNS server.

20. If the computer is member of a workgroup click No, this computer is not on a network, or is on a network without a domain. Type a workgroup name in the following box.

Workgroup or computer domain: For example: ECS755

If the computer is member of a Domain click Yes, make this computer a member of the following domain:

Workgroup or computer domain: For example: ECS755

Enter the User Name and Password, for a user that has the ability to add computers to the domain.

User Name For example: Administrator

Password For example: password

21. Click Finish to reboot the computer

22. The Network Identification Wizard starts.

Click Next

Choose Users must enter a user name and password to use this computer.

Click Next

Click Finish.

23. Login to Windows 2000 as Administrator and install additional device drivers not recognised by Windows 2000 setup, e.g. Video adapters, Sound Cards, ATA-100 IDE controllers etc.

Refer to the documentation for the computer.


How to create a Windows 2000 Domain

Introduction Due to the complexity of installing, configuring and maintaining a Windows

2000 Domain we highly recommend to use a Workgroup installation for a ECS system instead of a Domain installation.

When you install a Window 2000 server you install it as a stand-alone server in a workgroup or as Member server in a domain. After the installation you promote the server to a Domain Controller (DC) and create the domain if it does not exist. If there is no other domain on the network, or the Domain will not be a child to an existing domain, the domain you create is called a Root Domain. The DNS (Domain Name System) name of a Root Domain must contain a . (dot), e.g. ecs755.flsa . Furthermore there must be at least one DNS Server on the network.

To create a Domain and Domain Controller you must:

Set the computer to use itself as the DNS server

Set the primary suffix to the DNS

Install and configure a DNS server

Run dcpromo.exe to create the domain and promote the computer to a Domain Controller

Creating a Domain Set the computer to use itself as the DNS server

1. Right click My Network Places and select Properties.

2. Right click Local Area Connection and select Properties

3. Select Internet Protocol (TCP/IP) and click Properties

4. Under Preferred DNS server: type the IP address of the computer


5. Click Advanced and DNS

6. In DNS suffix for this connection: type the name of the domain you are about to create, e.g. ecs755.flsa


Set the primary suffix to the DNS

7. Right click My Computer and select Properties

8. Under Network Identification click Properties and More

9. In Primary DNS suffix of this computer: type the name of the domain you are about to create, e.g. ecs755.flsa

10. Reboot the computer when asked


11. Start Add/Remove Programs and click Add/Remove Windows Components

12. Select Networking Services and click Details


13. Set a checkmark in Domain Name System and click OK

14. Select Start/Programs/Administrative Tools/DNS

15. Right click the computer and select Configure the server

16. Select This is the first DNS server on the network

17. Select Yes, create a forward lookup zone

18. Select Standard Primary

19. In Zone Name type the name of the domain, e.g. ecs755.flsa

20. Check Create a new file and click Next

21. Check Yes, create a reverse lookup zone, and click Next

22. Check Standard primary and click Next

23. In Network ID: type the first part of the subnet and click Next.

If your subnet mask is 255.0.0.0 you type the first number e.g. 10, if your subnet mask is 255.255.0.0 you type the first 2 numbers e.g. 10.26 etc.


24. Check Create a new file with this file name: and click Next

25. A summary will be displayed and click Finish to complete the installation.

26. In the DNS MMC expand the Forward Lookup Zones, right click the domain and select Properties

27. Under General set Allow dynamic updates? to Yes and click OK

28. Expand Reverse Lookup Zones and right click the subnet and select Properties

29. Under General set Allow dynamic updates? to Yes and click OK

Run dcpromo.exe to create the domain and promote the computer to a Domain Controller

30. Select Start/Run, type dcpromo and click OK

31. Click Next to start the wizard and check Domain controller for a new

domain. Click Next

32. Check Create a new domain tree, and click Next

33. Check Create a new forest of domain trees, and click Next

34. In New Domain Name type the full name for the domain, e.g. ecs755.flsa, and click Next


35. In NetBIOS Domain Name choose default and click Next

The NetBIOS name is used later when you add a computer to the domain. In this example the NetBIOS name of domain ecs755.flsa is ECS755.

36. In Database and Log Locations click Next

37. In Shared System Volume click Next

38. Check Permissions compatible only with Windows 2000 servers and click Next

39. In Directory Services Restore Mode Administrator Password type the password of the administrator account

Password: For example: password

40. Click Finish to the summary window to complete the creation of the domain and promotion of the computer to a Domain Controller

41. Click Restart Now

42. You are now ready to make other computers member of the newly created domain.

Making a computer member of a Domain If you did not make the computer a member of an existing domain during installation you can join the computer to a domain after the installation of Windows 2000 is complete.

1. Right My Network Places on the desktop and click Properties

2. Double click Local Area Connection and click Properties

3. Mark Internet Protocol(TCP/IP) and click Properties

4. Ensure that the correct DNS server(s) are listed


5. Right click My computer on the desktop and click Properties

6. Choose Network Identification and Properties

7. In Member of click Domain and type the NetBIOS name of the domain.

The NetBios name of a domain is the default name you choose during creation of the domain, e.g. the NetBIOS name of domain ecs755.flsa is ECS755.

8. Click OK

9. Enter the User Name and Password, for a user that has the ability to add computers to the domain



10. Click OK and OK to reboot the computer.

11. At the Log on to Windows expand Options

12. In Log on to: choose the domain e.g. ECS755, type the password for the account and click OK

Adding an additional Domain Controller

Introduction In a Windows 2000 Domain there is no Backup Domain Controllers, all Domain

Controllers are Primary. To install an additional Domain Controller you join the computer to the Domain and then promote the computer to a Domain Controller. In order to gain full redundancy you have to install a DNS server on the second Domain Controller as well.


To add an additional Domain Controller to a Domain you must:

Join the computer to the domain.

Set the computer itself as Alternate DNS server


Run dcpromo.exe to promote the computer to a Domain Controller

Adding a Domain Controller Join the computer to the Domain

1. If the computer was not joined the Domain during installation do it now. See earlier chapter

2. Right click My Network Places and select Properties.

3. Right click Local Area Connection and select Properties

4. Select Internet Protocol (TCP/IP) and click Properties

5. Under Alternate DNS server: type the IP address of the computer


6. Start Add/Remove Programs and click Add/Remove Windows Components

7. Select Networking Services and click Details

8. Set a checkmark in Domain Name System and click OK

9. Select Start/Programs/Administrative Tools/DNS

10. Right click the computer and select Configure the server

11. Select Yes, create a forward lookup zone



13. In Zone Name, type the name of the Domain, e.g. ecs755.flsa

14. In Zone File click Next

15. In Reverse Lookup Zone select Yes, create a reverse lookup zone


17. In Network ID: type the first part of the subnet and click Next.

If your subnet mask is 255.0.0.0 you type the first number e.g. 10, if your subnet mask is 255.255.0.0 you type the first 2 numbers e.g. 10.26 etc.

Run dcpromo.exe to promote the computer to a Domain Controller

18. Select Start/Run, type dcpromo and click OK

19. Click Next to start the wizard and check Additional domain controller for an existing domain. Click Next

20. In Network Credentials type the user name and password of the administrator



21. In Additional Domain Controller click Next

22. In Database and Log Locations click Next

23. In Shared System Volume click Next

24. In Directory Services Restore Mode Administrator Password type the administrator password, e.g.

25. In the Summary window click Next

26. Click Reboot to complete the installation of an additional domain controller.


Service Pack Installation After installation of Windows 2000 you have to apply the current service pack. If you after the installation install additional Windows 2000 components you also have to apply the service pack.

1. Locate the service pack, either on a CD-Rom, on your local hard disk or on the network

2. Open Windows Explorer and browse to locate the service pack directory \i386\update

3. Double click update.exe

4. Select Accept the License Agreement and click Install

5. Click Restart when asked

Printer Installation A printer can be installer either as a Local printer or as a Network printer. A Local printer is connected directly to a port on the computer (LPT or COM) or to a Standard TCP/IP Port you create. A Network Printer is connected to a shared printer on another computer.

Installing a Local Printer Installing a Plug and Play printer only works if the printer is connected directly to a LPT or COM port on the computer.

1. Run Start/Settings/Printers

2. Double click Add Printer

3. Select Local Printer and Next

4. If no Plug and Play printers found click Next

5. Choose the port the printer is connected to and click Next

a) If the printer is connected to a print server on the network select Create a new port:

b) In the dropdown select Standard TCP/IP Port and click Next

c) Type the IP address of the print server and a port name.


d) Click Next and Finish

6. Choose a printer from the list. If the printer is not listed you must have a driver from the printer manufacturer and click Have DiskClick Next

7. Type a friendly name for the printer. Click Next

8. Select Do not share this printer and Click Next

9. Click yes to Do you want to print a test page? Click Next

10. Click Finish to the summary window.

Installing a Network Printer Before you can connect to a network printer, you must have an account on the computer sharing the printer and have the proper privileges to use the printer. Furthermore you must be logged in with that account on your computer to access the printer.

1. Run Start/Settings/Printers

2. Double click Add Printer

3. Select Network Printer and Next

4. Select Type the printer name, or click Next to browse for a printer

5. Browse for the printer you want to install and click Next.

6. Click Finish to the summary window

Reference Manual Windows 2000 Installation Glossary of Terms 17

Glossary of Terms

Reference Manual Windows 2000 Installation Index 19

Index

Error! No index entries found.

Reference Manual

SDR W2K Security


Copenhagen Denmark

+45 36 18 27 00 Fax: +45 36 18 27 99

Printing History: Version SdrV7 $Revision:: 2 $Last modified $Modtime:: 20-09-01 16:19 $Author Last modified by $Author:: Mbh $Name of Word File $Workfile:: SdrNtSecurity30_English.doc $Index Range 0-1000


Reference Manual SDR W2K Security Contents i

Contents

SDR W2K Security ..................................................................................... 1 Introduction ................................................................................................................................... 1 SDR W2K groups and user accounts ........................................................................................... 1

SDR W2K user account creation .......................................................................................... 4 W2K policy editor......................................................................................................................... 5

Setting up user policies.......................................................................................................... 5 Control panel, Display........................................................................................................... 6 Desktop .................................................................................................................................. 6 Shell, Restrictions.................................................................................................................. 7 System, Restrictions .............................................................................................................. 8 Windows NT Shell, user interface ........................................................................................ 8 Windows NT Shell, Custom folders ..................................................................................... 8 Windows NT Shell, Restrictions........................................................................................... 9 Windows NT System........................................................................................................... 10

Special user restrictions .............................................................................................................. 11 Change the system time....................................................................................................... 11 Program groups.................................................................................................................... 11

Active Directory.......................................................................................................................... 11 Introduction.......................................................................................................................... 11 Example 1. ........................................................................................................................... 12 Example 2. ........................................................................................................................... 13

Appendix A ............................................................................................... 15 Set up locally-based system policies .......................................................................................... 15

Glossary of Terms .........................................Error! Bookmark not defined.

Index................................................................Error! Bookmark not defined.

Reference Manual SDR W2K Security SDR W2K Security 1

SDR W2K Security

Introduction SDR W2K security is based on the following:

Windows 2000 security, including Users and Passwords, Local Security Policy DCOM security.

Windows 2000 Active Directory, including Active Directory Users and Computers

Windows 2000 policy editor.

SDR User Access Control (UAC).

In a workgroup installation you use the Local Security Settings mmc snap-in to control the settings for the computer e.g. who can change the system time. With Local Security Settings you can only set security settings for one user. To control security for different user on one computer you use the policy editor (poledit.exe), e.g. restrict access to the desktop

In a Windows 2000 Domain you use the Active Directory Users and Computers to control the security settings for the computer and different users.

The SDR user access control (SDR-UAC) system is used to edit access rights to SDR control functions. Procedures for performing these operations are given below.

SDR W2K groups and user accounts When SDR is installed user groups and default user accounts are created.

The W2K groups and default user accounts are explained below. Please note that the settings described below are accurate at the time of this writing. However, the settings made by the installation program are the most up to date, and should not be tampered with.

Local Groups The following local groups are defined, "Flsa Users" and "Flsa Administrators". The "Flsa Users" group allows access to SDR-NT COM servers, shares, registry, etc. The "Flsa Administrators" is used for grouping Flsa administrator accounts.

The attributes of the "Flsa Users" group are:

Rights: No special rights.

The attributes of the "Flsa Administrators" group are:


2 SDR W2K Security Reference Manual SDR W2K Security

Global Groups Two global groups are defined when installing the ECS/SDR system in a domain.

Global groups can only be created in a domain. The groups are added to Active Directory Users and Computers.

Domain members that need access to ECS/SDR product are added to the global groups. The global groups gain access to the secure objects through their membership of the local groups.

Do not directly add the global groups to any secure objects ACL. Route their access through the local group. No special rights are set for global groups.

"Flsa Domain Admins"

This global group is used for grouping Flsa administrator accounts. A user does not get administrator rights by being added to this group.

The attributes of the Flsa Domain Admins global group are:

Member of: Local group "Flsa Administrators".

"Flsa Domain Users"

This global group is used for grouping Flsa user accounts

The attributes of the Flsa Domain Users global group are:

Member of: Local group "Flsa Users" and local group Server Operators. Server Operators is needed to allow access to shares.

User accounts The following default user accounts are created when SDR-NT is installed:

FlsaServer The FlsaServer account is used for SDR COM servers, which run in the FlsaServer security context. The attributes of the FlsaServer account are:

W2K workgroup: Member of: "Flsa Users", Power Users and Users. Power Users is needed to allow access to shares.

W2K domain: Member of: "Flsa Domain Users" and Domain Users.

Password: Hard coded by SDR-NT installation program to 918273645".

Rights: Log on as batch job. Log on as service.

Flags: UF_SCRIPT,UF_PASSWD_NOTREQD, UF_PASSWD_CANT_CHANGE, UF_DONT_EXPIRE_PASSWD, UF_NORMAL_ACCOUNT.

FlsaMain The FlsaMain account (main for maintenance) is used by the SDR-NT manager to perform

SDR maintenance functions.

The attributes of the FlsaMain account are:

W2K workgroup: Member of: "Flsa Users", "Flsa Administrators" and "Administrators".


W2K domain: Member of: "Flsa Domain Users", Flsa Domain Admins, "Domain Users" and Domain Admins.

Password: User given at SDR W2K installation, but defaulted to password.


Flags: UF_SCRIPT, UF_DONT_EXPIRE_PASSWD, UF_NORMAL_ACCOUNT.

Profile type: Can be roaming if domain account. Profile path = "%LOGONSERVER%\NETLOGON\FlsaMain".

Flsa The Flsa account is the default user account created during SDR W2K installation, and the

template to create other user accounts.

The attributes of the Flsa account are:

W2K workgroup: Member of: "Flsa Users", Power Users and Users.. Power Users is needed to allow access to shares.

W2K domain: Member of: "Flsa Domain Users" and Domain Users.

Password: SDR installation sets to blank.

Rights: Domain member accounts needs the right "Log on locally" to log on at the Active Directory.

Flags: UF_SCRIPT,UF_PASSWD_NOTREQD, UF_PASSWD_CANT_CHANGE, UF_DONT_EXPIRE_PASSWD, UF_NORMAL_ACCOUNT.

Profile type: Can be roaming if domain account. Profile path = "%LOGONSERVER%\NETLOGON\Flsa".


SDR W2K user account creation The steps for creating a SDR W2K user account are described in detail below. There are two scenarios when creating user accounts, one for a domain environment and one for a workgroup environment.

Creating a new workgroup account. Normally the procedure must be repeated for each client PC (DOP) that the user must access, as well as each server PC (MOP).

With the Users and Passwords do the following:

The Users and Passwords can be found in Start menu, Settings Control Panel.

Login as Administrator.

Invoke the User Manager.

Add a new user. (In W2K workgroup you cant copy a user)

Include the new user in the following groups: FlsaUsers, Power Users and Users.

Do not change the default rights.

Repeat this procedure for each client PC (DOPs) that the user must access, as well as each server PC (MOP).

Creating a new domain account. With the Active Directory Users and Computers do the following:

The Active Directory Users and Computers can be found in Start menu, Programs, Administrative Tools.

Login as Administrator.

Invoke the Active Directory Users and Computers.

Right click User and select New/User.

Or expand Users and right-click a user and select Copy.

Include the new user in the following groups: Flsa Domain Users and Domain Users.

Do not change the default rights.

Tailoring the new account's ECS Start Menu..

The administrator should log into the new account.

The ECS NTech start menu is automatically created at first login. If not, or if it has been deleted, a copy of the start menu is found in flsadev\profiles\Start menu.

Use Start/Settings/Taskbar to customise the default ECS NTech start menu.

Logoff.

Using the Policy editor (described in next section) to customise the new accounts desktop.

Login as administrator.

Invoke the Policy Editor. The Policy Editor is described latter.

Logoff

The new account is now ready for use. Remember to repeat the procedures for each client PC (DOP) that the user need to access, as well as each server PC (MOP).


W2K policy editor

The W2K Policy editor can be used to tailor the W2K desktop in a workgroup installation. For example it can be configured so that a user account is denied access to the Run dialog in the Start menu, or to the Control Panel. This section will describe the procedures setting users policies, and setting locally based system policies.

Setting up user policies To enable Locally Based system policies on a Windows 2000 professional or standalone server refer to Appendix A.

Start the Policy Editor by typing poledit.exe at Run

Use the Windows 2000 policy editor to create user policies.

If poledit is not installed, run the ADMINPAK.MSI found in \FLSADev\ToolsNT\SvrTools

If first time select, New policy.

Note! Be careful when editing Default Computer or Default Users. You might get a situation where you cannot enter with administrative rights.

To enter a policy for a user, click on add user and add the user in question. Note! Group policies do not work for local groups. After the user has been added, the properties for the user can be set. Double click on the user to get the Properties window.

Figure 1. Windows 2000 Policy Editor, Poledit.exe, here shown is Default Computer and Default Users.

Once the properties window appears, the Policies tab with an expandable list becomes available. This list contains different desktop control mechanisms. By expanding the structure, desktop control restriction selection boxes will appear. For example, by expanding Control Panel, Display, there is a Restrict display box, selecting this box will prevent the Control Panel from displaying.

Some policies have detailed restrictions; these policies can have specific restrictions, which the administrator can choose from in the lower list. For example, the Control Panel, Display, Restrict display can have selective restrictions concern the display of different tabs.

After you have edited the policies, save your policy to: Winnt\sysvol\Scripts\Ntconfig.pol.

The following pictures show an example of an flsa user setup.


Control panel, Display Do not display the control panel.

Figure 2. Properties window for the flsa user, in this figure we have configured the policy such that the flsa user will have no access to the Control Panel.

Desktop The user can select wallpaper and Color scheme.

Figure 3. Properties window for user flsa, controlling desktop properties such as Wallpaper and Color scheme.


Shell, Restrictions Remove Run command from Start menu, prevents the user from running programs directly.

Remove folders from Settings on Start menu, prevents the user from access to printer configuration.

Remove Taskbar from settings menu, prevents the user from changing the taskbar layout and from changing the Start Menu Programs setting.

Remove Find command from Start menu, prevent the user from finding and running programs.

Hide drives in My computer, prevents the user from accessing drives.

Hide Network Neighbourhood, prevents the user from accessing the network neighbourhood.

No entire Network in Network neighbourhood prevents the user from browsing the network neighbourhood.

No workgroup contents in Network Neighbourhood, prevents the user from browsing the workgroup.

Hide all items on the desktop, prevents the user access to desktop icons.

Disable Shut Down command, prevents the user from shutting down the computer.

Don't save settings at exit, changes made by the user will not be saved at exit.

Figure 4. In this figure, more restrictions can be applied to the Start menu, and etc


System, Restrictions Disable Registry editing tools, prevents the user from altering the contents of the registry.

Run only allowed Windows applications, prevents the user from running any programs other than allowed. Note if this entry is selected the program Systray.exe must be included or the user will get an error at logon.

Figure 5. Access to applications can also be controlled as seen in this figure. Use the Show button to see a list of allowed applications as seen in the figure 6.

Windows NT Shell, user interface The user interface can be defined.

Windows NT Shell, Custom folders The user access to folders and content of folders can be defined here.


Windows NT Shell, Restrictions Only use approved shell extensions, prevents user from use of other shell extensions than defined.

Remove File menu from explorer, prevents the user from use of the file menu in the explorer.

Remove common program groups from Start menu, prevents the user from access to the common program group in the Start menu.

Disable context menus from the taskbar, prevents the user from access to the taskbar context menu.

Disable Explorer's default context menu, prevents the user from access to explorer's default context menu.

Remove the "Map Network Drive" and "Disconnect Network Drive", prevents the user from mapping and disconnecting network drives.

Disable link files tracking, prevents links to files from being tracked.

Figure 7. Windows NT Shell, Restrictions for flsa user, some restriction selection boxes are filled, e.g. Only use approved shell extensions, this indicate that there is partial restriction, select the restriction to see more details in the lower list.


Windows NT System Parse Autoexec.bat, environments parameters from autoexec.bat to be included.

Run logon scripts synchronously, wait for logon script to complete before starting the shell.

Disable Task Manager prevents the user from access to the task manager.

Show welcome tips at logon, the user will get welcome tips at logon.

Figure 8. Restrictions of the Windows NT System for the flsa user.


Special user restrictions

Change the system time To restrict users from changing the system time open the Local Security Settings /Local Policies/ User Rights Assignment and remove the right "Change the system time" from the group where the user is member.

For restricting "Flsa" users remove the right "Change the system time" from the group "Power Users" where "Flsa" users are members.

Program groups To remove programs from the users programs folder, edit the "Programs" folder for the user in question. Use the explorer and in the folder "Document and settings\flsa\Start Menu\Programs\" remove unwanted programs, substitute "flsa" with the user in question.

Active Directory

Introduction

In a domain installation all user rights and security settings are managed through the Active Directory Users and Computers. During installation several groups and users are added to the active directory. These users and groups are default located at Users in Active Directory Users and Computers. If you want to assign special rights or restrictions to a user or a group you create an Organizational Unit (OU) and assign it a specific Group policy. Then you move the user to the new OU and the user will inherit the group policy from the OU.

1. Open the Active Directory Users and Computers

2. Right click the domain and select new/Organizational Unit

3. Type a name for the new OU, e.g. Operators

4. Right click the new OU and select Properties

5. Click the Group Policy tab.


6. Click New and type a name for the new group policy, e.g. Operator

7. Select the new policy and click Edit

8. Make the changes to the policy you want and close the Group Policy and the

Properties window.

9. In Users right click the user you want to assign the new policy and click Move

10. Select the newly created OU and click Ok.

11. The user will now inherit the Group Policy from the OU.

Example 1. How to remove all icons from a users desktop.


1. Select Properties/Group Policy/Edit for the OU, which contains the user for who you want to remove all the icons on the desktop.

2. Expand User Configuration/Administrative Templates and select Desktop.

3. Right click Hide all icons on Desktop and click Properties.

4. Click Enabled and Ok.

Example 2. How to remove the Run command from a users start menu.

1. Select Properties/Group Policy/Edit for the OU, which contains the user for who you want to remove all programs in the start menu.

2. Expand User Configuration/Administrative Templates and select Start Menu & Taskbar.

3. Right click Remove Run menu from Start menu.

4. Click Enabled and Ok.

Reference Manual SDR W2K Security Appendix A 15

Appendix A

Set up locally-based system policies To enable Locally Based system policies on a Windows 2000 professional or standalone server (not a domain controller), follow the following procedure:

1. Create a folder winnt\sysvol\script and share it as NETLOGON with permissions everyone read and administrator full access.

2. Open System Policy Editor (poledit.exe)

3. On the File menu click New Policy

4. On the Edit me

Documents

Manuales ECS Version 7