LAN Manager Networking Concepts

Retired KB Content Disclaimer

This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.


The following information is taken from the "Getting Started with Microsoft LAN Manager Version 2.1" video included with the LAN Manager version 2.1 package.

More Information



[For more information, see Chapter 1 of the "Microsoft LAN Manager's
Administrator's Guide" (AG) and Chapter 2 of the "Microsoft LAN
Manager Installation and Configuration Guide" (ICG).]

A PC local area network consists of two or more PCs that have network
adapter cards installed and are connected to each other by a system of
communication media such as twisted pair telephone wiring or optical fiber.

In addition to the base operating system, network software, such as
LAN Manager, must be installed to facilitate communication and shared
resource access among these networked PCs.


[For more information, see Chapter 2 of the AG and Chapter 2 of the
"Microsoft LAN Manager Administrator's Reference" (AR).]

LAN Manager is implemented as a series of services built around a core
network communications engine.

Standard Services

Each service performs a major network function. The standard LAN
Manager package includes all of the services listed here:

- Server
- Workstation
- Netlogon
- Replicator
- Timesource
- Alerter
- Messenger
- Netpopup
- Netrun
- Remoteboot
- Fault Tolerance
- NVAlert
- Netware Connectivity
- Tape Backup

Included among these are the Server service, which enables a PC to
make its resources available to users on other network PCs; and the
workstation service, which enables network users to access the
server's shared resources.

Optional Services and Utilities

In addition to the standard services, the LAN Manager product line
includes a number of optional services and utilities that may be
purchased separately:

- Services For Macintosh
- Remote Access Service
- TCP/IP Utility Suite with Socket API
- 3Com Migration Toolkit
- LAN Manager Programmer's Toolkit
- LAN Manager Visual Basic Programmer's Toolkit

The Remote Access Service (RAS), for example, supports dial-in network
access from remote workstations.

Custom Services and Applications

Because the LAN Manager architecture is based on standard operating
systems such as MS-DOS, Windows, and OS/2, you can use the LAN Manager
programmer's toolkits (LAN Manager Programmer's Toolkit and LAN
Manager Visual Basic Programmer's Toolkit) to quickly and easily
develop your own custom network services and applications:

- My Service
- Your Service
- His Network Application
- Her Network Application

In fact, Microsoft and its development partners have used the LAN
Manager Programmer's Toolkit to develop a couple of client-server
network applications that Microsoft is pretty proud of:

- Microsoft SQL Server
- DCA/Microsoft Comm Server


[For more information, see Chapters 1 and 2 of the AG.]

As you install LAN Manager on each PC, you'll select the services you
want to run on that computer. All network PCs will be configured to
run at least the Workstation service, which enables access to network

When the Workstation service is installed, a computer name (COMPUTERNAME)
must be provided that will uniquely identify the PC on the network.
Examples of computer names are WORK1, SERVER1, and WORK2.


[For more information, see Chapters 2 and 3 of the AG.]

At least one of the PCs on your network will be configured to run the
Server service. Although a PC running the Server service is often referred
to as a "server," it's important to note that with LAN Manager, when a PC
is running the Server service, it also continues to run the Workstation
service and thus retains full functionality as a network workstation.

The Server service enables the PC to make its resources, such as
disks, printers, and modems, available to users on other workstations.

An important feature of LAN Manager is the ability of the Server
service to make a very special resource available. This is the Inter-
Process Communication (IPC) resource, which enables networked Named

A Named Pipes connection between two network PCs allows applications
running on the two computers to exchange information directly, without
having to write to, or read from the file system. Named Pipes are the
foundation for LAN Manager's superior client server architecture.

In LAN Manager, setting up a server resource to make it available to
network users is called "sharing" the resource. A shared resource, or
"share," is assigned a name called the "share name." For example, the
WORDDATA directory on SERVER1's hard disk might be shared with the
share name WDOC.

Share List:

Share Name Resource
---------- --------

WDOC c:\worddata

Users connect to the share by specifying a local device identifier,
such as a drive letter or a printer port, along with the server name
and the name of the share to which they want to associate the specified
device identifier. This local device connection to a shared server
resource is called "using" the share, and the resulting connection is
referred to as a "USE." For example, to connect to the WDOC share on
SERVER1, a user on WORK2 specifies the unused local drive letter H, the
server name SERVER1, and the share name WDOC. The user on WORK2 can now
access the directories and files within SERVER1's WORDDATA directory just
as if they were being accessed from a locally installed H drive:

USE List:

Local Drive Letter Server Name Share Name
------------------ ----------- ----------



[For more information, see Chapters 3, 4, and 5 in the AG.]

Because connection to the network potentially allows any network user
to access the server's shared resources, the server must control this
access to ensure that only users who have the proper permission can
access these resources.

When you install LAN Manager, you will be able to choose between two
available security schemes to implement this access control. These two
schemes are share level and user level security.

Share Level Security

[For more information, see Chapter 5 in the AG.]

Share level security is a simple security scheme whereby the server
allows optional assignment of a password to each share. Any network
user that can supply the correct password can then access the share.

Owing to the minimal security offered by share level, this security
scheme is typically not recommended, and will not be covered in this
article. If you need more information on share level security, refer
to Chapter 5 of the AG.

User Level Security

[For more information, see Chapters 3 and 4 in the AG.]

User level security permits a much higher level of control over access
to server resources. With user security, you can control which users
have access to which resources.

A user security server maintains a user accounts database with an account
for each network user who may want to access the server's resources. The
user account contains the user name, password, and other information such
as privilege level, which is referred to later in this article. For
example, the SERVER1 user accounts database:

Name Password
---- --------

Jill jillpass
Ted tedpass

To make administration easier, group names can be established in the
user accounts database, with selected users with similar resource
access needs assigned as members of a specific group.

In addition to the user accounts database, an access control list is
maintained for each server resource. This list specifies what permissions
a user or group has been given for the resource.

For example, the SERVER1 user accounts database's access control list

User Account Access Permissions
------------ ------------------

Jill Read only
Ted Read, Write, Create, and Delete

When a user attempts to connect to or "use" a server share, the server
first checks to see if the user's name exists in the user accounts
database. If so, the user's password is checked. If both of these
security checks pass, the connection completes and the user is allowed
access to the shared resource according to the user's permissions in
the resource's access control list.

For example, users Jill and Ted could both successfully connect to the
WDOC share because their names and passwords passed the initial
security test. However, user account Jill has been assigned read-only
permissions to the WORDDATA directory, so Jill cannot make any changes
to files within that directory. User account Ted, on the other hand,
has been assigned read, write, create, and delete privileges to the
same directory.

Local Security

[For more information on local security, see Chapters 3 and 4 in the

An extension of user security is the LAN Manager local security feature.
Local security extends the control of user-level security to users working
directly on the server. Thus, user security with local security enabled
imposes the same resource access control on all users, even those who have
direct access to the server's keyboard.


[For more information, see Chapters 3 and 4 in the AG.]

In addition to controlling which users can access which resources, LAN
Manager must also control which users have rights to perform server
administration functions such as creating shares, adding users, and
assigning resource access permissions.

When user accounts are created, each user is assigned one of three
privilege levels: administrator, user, or guest.

Admin Privilege

The administrator, or admin privilege, is the highest privilege level
on a LAN Manager network. An admin can stop and start server services,
establish and modify user accounts and groups, create and delete resource
shares, and assign user and group permissions for accessing shared

By default, admins have full access permissions on all server resources.
For the admin's convenience, LAN Manager has been designed to allow server
administration procedures to be performed not only at the server itself,
but also remotely from any workstation on the network.

User Privilege

User privilege is the default privilege level and is the one that is
assigned to most users. This privilege allows a user to use shared server
resources (subject, of course, to the user's assigned access permissions)
view information about these resources, and send and receive messages.

Guest Privilege

The guest privilege is similar to user privilege, but is intended to
be assigned to infrequent or temporary users of the server. Each
server has a special user account called GUEST. An administrator may
explicitly assign resource access permissions for the special GUEST

When a user with guest privileges accesses a share, that user will
automatically inherit the resource access permissions that have been
assigned to the special GUEST account.

Article ID: 86899 - Last Review: Sep 30, 2003 - Revision: 1