OPC Server and Trend Server
(October 2005)
2 Important Basic Settings on all Workstations
This section details the basic settings you have to make on all workstations in order to run a
Freelance OPC Server or Trend Server.
Under Start -> Control Panel -> Windows Firewall select the “OFF” radio button.
2.1.2 Required Local Security Setting
Make the local security settings detailed below on each PC accessing the OPC/Trend Server
and on the OPC/Trend Server itself. For this purpose, start the Local Security Policy
application with:
Start -> Control Panel -> Administrative Tools -> Local Security Policy
Under
Security Settings -> Local Policies -> Security Options -> Network access: Sharing and
security model for local accounts
select “Classic – local users authenticate as themselves”:
2.1.3 Simple File Sharing
“Simple File Sharing” is a Windows XP feature controlling not only the file sharing
dialog boxes, but also the user authentication behavior of the entire operating system.
Therefore, it must be switched off on all systems as follows:
Under Windows Explorer -> Tools -> Folder Options -> View unselect the Use simple file
sharing check box (last item in the list box seen below).
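The three settings of section 2 can be verified from the registry instead of clicking through the dialogs. The following audit script is an added example and not part of the ABB document; it assumes Windows PowerShell 5.1 and read access to HKLM, and the registry paths it reads are the standard Windows locations for these settings.

```powershell
# Added audit script, not part of the ABB document: reports whether this station has the
# basic settings of section 2 (Windows Firewall off, Classic sharing model, simple file
# sharing off). Assumes Windows PowerShell 5.1 and read access to HKLM; it only reads.
$basicSettings = @(
    @{ Name  = 'Windows Firewall (standard profile) switched off'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Value = 'EnableFirewall'; Expected = 0 },
    @{ Name  = 'Windows Firewall (domain profile) switched off'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
       Value = 'EnableFirewall'; Expected = 0 },
    # "Classic - local users authenticate as themselves" (2.1.2) and "Use simple file
    # sharing" (2.1.3) are one switch underneath: ForceGuest = 0 is Classic / simple sharing off.
    @{ Name  = 'Sharing and security model = Classic (simple file sharing off)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'ForceGuest'; Expected = 0 }
)

function Test-FreelanceBasicSettings {
    foreach ($s in $basicSettings) {
        # A missing value is reported as not set rather than as OK: Windows then uses its
        # own default (firewall on, for example), so the required setting is not confirmed.
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
        $shown  = $actual
        if ($null -eq $actual) { $shown = '<not set>' }
        [pscustomobject]@{
            Setting  = $s.Name
            Expected = $s.Expected
            Actual   = $shown
            Ok       = ($actual -eq $s.Expected)
        }
    }
}

Test-FreelanceBasicSettings | Format-Table -AutoSize
```

A row that fails the firewall check means the host firewall is still active on that station; the script only records the deviation and leaves the change itself to the engineer.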
2.1.4 User Configuration in a Workgroup Environment
As there is no central user administration in a workgroup (unlike a domain, which has a
domain controller), it is important to define all user accounts with identical user names and
passwords on all workgroup computers sharing client/server services. This means: A user
account requiring access permissions in the workgroup network must be defined on all
computers that provide services in that workgroup. Such services can be, for example, file and
print services, but also the DCOM permissions (see the DCOM configuration chapter).
Important:
The user account name and the corresponding password must be identical on all computers of
the workgroup. Also, it is mandatory that the passwords are not empty.
Recommendation:
Use passwords of at least 8 characters containing both numbers and special characters.
2.1.4.1 Required Local Windows User Accounts and Groups
Read from the following table which user accounts and groups should be created on the
individual workgroup computers:
* Special measures must be taken if you do not want the Operator type users (DigiVis) to join the local
Administrators group, in order to ensure reliable DigiVis operation. For details also refer to section
“DigiVis Operator operation without local administrator rights”.
** It suffices to create only those Operator user accounts on the DigiVis PC that are needed on the
corresponding DigiVis station.
*** It suffices to create only those Engineer user accounts on the CBF PC that are needed on the
corresponding CBF station.
“Operators” Group
If at least 2 operators with 2 different user accounts (e.g. operator1, operator2) are to work on a
DigiVis station without having local administrator rights, the “Operators” group should be
created. Since a number of system settings have to be made on the DigiVis system in order to
bring DigiVis into a runnable state *, it is useful to assign these rights to the entire
“Operators” group rather than to individual operators.
“OPCUsers” Group
The OPCUsers group is used to assign the corresponding DCOM communication rights on an
OPC and Trend Server. It is useful to create this group, because it is assumed that users with
different user accounts access the OPC or Trend Servers. As a result, the DCOM permission
assignment on the OPC/Trend Server can be controlled using this group.
The OPC Server or Trend Server process is started under the “OPCService” user account.
Since the OPC Server or Trend Server process needs local administrator rights on the system,
this user account must become a member of the local Administrators group. Basically, the
following can be stated for the DCOM configuration on the OPC/Trend Server described
later in this document: All users in the “OPCUsers” group are authorized to start the DCOM
Trend Server process, which, as a rule, runs under the “OPCService” user account (no matter
whether a user has logged on to the OPC Server/Trend Server or not).
Example: One Trend Server (TRNSRV) and three DigiVis stations (VIS1, VIS2, VIS3) are
commissioned using Control Builder F (CBF). All DigiVis stations access the Trend Server.
Two operators (Operator1, Operator2) and one commissioning engineer (Engineer1) are
authorized to log on to the following computers:
VIS2:
Local group: Operators, member of Users
Local user: Operator1, member of Users (and Administrators, if required *) and Operators
Local user: Operator2, member of Users (and Administrators, if required *) and Operators
Local user: Engineer1, member of Administrators
Local user: OPCService, member of Users
VIS3:
Local group: Operators
Local user: Operator1, member of Users (and Administrators, if required *) and Operators
Local user: Operator2, member of Users (and Administrators, if required *) and Operators
Local user: Engineer1, member of Administrators
Local user: OPCService, member of Users
CBF:
Local user: Engineer1, member of Administrators
TRNSRV:
Local group: OPCUsers
Local user: Operator1, member of OPCUsers
Local user: Operator2, member of OPCUsers
Local user: Engineer1, member of OPCUsers, Administrators
Local user: OPCService, member of OPCUsers, Administrators
2.1.4.2 Creating Local Users and Groups in the Workgroup Environment
The users and groups mentioned above can be created on each workstation under:
Start -> Settings -> Control Panel -> Administrative Tools -> Computer Management ->
Local Users and Groups
To create a new user account, select: Users -> Right-click with the mouse -> New User:
Make the following important settings as seen in the above dialog window:
- User cannot change password -> Yes (if a user is authorized to change the password locally
on his machine, it is no longer ensured that all passwords on all machines are identical)
- Password never expires -> Yes
- Account is disabled -> No
Create a new group under: Groups -> Right-click with the mouse -> New Group:
By selecting Add… you can add the users created earlier (here: operator1 and operator2) when
creating the group (here: Operators).
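The same accounts and groups can be created from a script, which makes it easier to keep user names, passwords and the settings of section 2.1.4.2 identical on every workgroup computer. The following script is an added example, not part of the ABB document; it assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module, is run as a local administrator, and the $plan table and the $operatorsNeedAdmin switch are assumptions that mirror the VIS2/VIS3/CBF/TRNSRV example above.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the ABB document: creates the local users and groups of the
# worked example in section 2.1.4.1 on the station whose name matches $env:COMPUTERNAME.
# Assumes Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts). The $plan table and
# the $operatorsNeedAdmin switch are assumptions mirroring the VIS2/VIS3/CBF/TRNSRV example.
$operatorsNeedAdmin = $false   # set to $true only if operators must be local Administrators (*)

$plan = @{
  VIS2   = @{ Groups = @('Operators'); Users = @{
              Operator1 = @('Users', 'Operators'); Operator2 = @('Users', 'Operators')
              Engineer1 = @('Administrators');     OPCService = @('Users') } }
  VIS3   = @{ Groups = @('Operators'); Users = @{
              Operator1 = @('Users', 'Operators'); Operator2 = @('Users', 'Operators')
              Engineer1 = @('Administrators');     OPCService = @('Users') } }
  CBF    = @{ Groups = @();           Users = @{ Engineer1 = @('Administrators') } }
  TRNSRV = @{ Groups = @('OPCUsers'); Users = @{
              Operator1 = @('OPCUsers'); Operator2 = @('OPCUsers')
              Engineer1 = @('OPCUsers', 'Administrators'); OPCService = @('OPCUsers', 'Administrators') } }
}

$station = $plan[$env:COMPUTERNAME]
if (-not $station) { throw "No entry in the plan for station $env:COMPUTERNAME" }

foreach ($g in $station.Groups) {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) { New-LocalGroup -Name $g | Out-Null }
}

foreach ($entry in $station.Users.GetEnumerator()) {
    $name = $entry.Key; $groups = @($entry.Value)
    if ($operatorsNeedAdmin -and $groups -contains 'Operators') { $groups += 'Administrators' }

    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        # Section 2.1.4 requires one identical, non-empty password per account on every
        # workgroup computer; New-LocalUser refuses an empty password unless -NoPassword is given.
        $pw = Read-Host -Prompt "Password for $name (must be identical on every workgroup PC)" -AsSecureString
        # Section 2.1.4.2 settings: cannot change password = Yes, never expires = Yes, enabled.
        New-LocalUser -Name $name -Password $pw -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    }
    foreach ($g in $groups) {
        if (-not (Get-LocalGroupMember -Group $g -Member $name -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group $g -Member $name
        }
    }
}
```

The script is idempotent: existing users and memberships are left untouched, so it can be re-run on a station after the plan has been extended with a new instance or operator.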
2.1.5 User Configuration in a Pure Domain Environment
Using a domain-based network environment considerably simplifies the user and group
administration in larger networks, as the user accounts and groups are stored centrally on the
so-called domain controller and only have to be administered in one place. The following
table shows the groups and user accounts required for pure domain operation:
* Special measures must be taken if you do not want the Operator type users (DigiVis) to join the local
Administrators group, in order to ensure reliable DigiVis operation. For details also refer to section
“DigiVis Operator operation without local administrator rights”.
Proceed as described below to create users and groups on Windows 2000 or Windows 2003
Server domain controllers.
3a) Create a user
On the OU (or Users) -> Right-click with the mouse -> New -> User
Next >
Important: The “Password never expires” option must be selected for the OPCService user
account. In mixed environments (domain and workgroup) it is recommended to set the
“Password never expires” option for all domain user accounts. The other user accounts can be
set as seen above.
After creating the OPCUsers and Operators groups, add the corresponding domain user
accounts to them as members, as listed in the table above.
2.1.6 User Configuration in a Mixed Domain and Workgroup Environment
Various scenarios are conceivable in a mixed domain and workgroup environment. What is
important for the mixed configuration is that “Password never expires” is set on the domain
controller for all user accounts and groups. Also refer to section Creating User Accounts and
Groups on the Domain Controller. From the network security point of view, the pure
domain model should be preferred to the mixed model. If, however, this is not possible, the
following two main scenarios are possible:
Scenario 1: The OPC Server or Trend Server workstation is a member of a domain, whereas
some (maybe all) DigiVis stations or CBF stations are not.
It is important in this scenario that, besides the OPCUsers domain group needed in the pure
domain model, a new local OPCUsers group must be created on the OPC Server or
Trend Server itself. The OPCUsers domain group must be a member of the local OPCUsers group
on the OPC Server or Trend Server. Additionally, all user accounts in the workgroup must be
created on the OPC Server/Trend Server following the same pattern, with identical user names
and passwords, and must be members of this new local OPCUsers group. With this procedure it
is possible to group all workgroup users, similar to the domain users that are grouped in the
OPCUsers domain group. Refer to section DCOM Configuration later in this document; it
describes how the necessary DCOM permissions are assigned using this local group.
* Special measures must be taken if you do not want the Operator type users (DigiVis) to join the local
Administrators group, in order to ensure reliable DigiVis operation. For details also refer to section
“DigiVis Operator operation without local administrator rights”.
Scenario 2: The OPC Server or Trend Server workstation is not a member of a domain, whereas
the DigiVis stations and the CBF station are members.
In this case, all necessary domain user accounts must also be created locally on the OPC
Server or Trend Server. Additionally, a local OPCUsers group is needed on the OPC or Trend
Server, as described for Scenario 1. The locally defined user accounts must be added to this
group as new members. However, the “OPCUsers” group defined on the domain level and the
“OPCService” domain user account are not needed in this case.
3 Setting Up CBF and DigiVis Stations
3.1 Required Basic Windows XP Settings
Make sure that all required settings stated in section Important Basic Settings on all
Workstations have been made:
- Windows Firewall switched off
- Local Security Settings made as specified
- Simple File Sharing switched off
- All required user accounts and groups created locally and, if necessary, on the domain
controller
3.3 Running DigiVis in Operator Mode without Local Administrator Rights
If you do not want to assign Windows Administrator rights to the DigiVis operator on any of
the DigiVis stations, additional measures must be taken after having installed DigiVis. The
dialog windows seen in the following sections show how you can assign access rights to a
local “Operators” group. If, however, the corresponding DigiVis station is a domain
member, you must enter the “Operators” domain group instead.
System Permissions: Setting the System Time
In order to enable a DigiVis station’s time synchronization, adapt the following local security
settings:
Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights
Assignment -> Change the system time:
- Double-click to add the “Operators” group. Under “Object Types”, select “Groups”
for this purpose
Setting Necessary Registry Permissions
3.4 Standard DCOM Settings for CBF and DigiVis Stations
Usually, the standard DCOM settings under Windows XP Service Pack 2 after a Windows XP
reinstallation are sufficient for DigiVis and CBF operation. All you have to do is check and, if
required, redo the following settings in case they differ from the standard settings.
Select
Start -> Run… -> dcomcnfg to start the dcomcnfg application.
Then select
Component Services -> Computers -> My Computer -> Right-click with the mouse -> Properties
Check that the settings in the following dialog windows are as seen below:
Check all four settings. Only the set permissions are shown here. The other check boxes must
be empty:
3.5 Setting Up the OPCEnum DCOM Component
Besides making the standard DCOM settings you can also configure a special DCOM
component called OPCEnum using the “dcomcnfg” application.
If you encounter any OPC or Trend Server access problems, you can use this
application to restore the standard settings. First select the component:
Caution: After having set up the OPC or Trend Server on the DigiVis or CBF station, the
permissions are not set to “Use Default” as seen above. However, you should select the
setting seen above once you have made/checked the general DCOM settings according to
section “General DCOM Settings for CBF and DigiVis Stations”. Advantage: You can
centrally control all DCOM permissions by setting the “My Computer” properties. This kind
of central configuration and access permission assignment is very useful for DCOM
configurations of an OPC or Trend Server with many DCOM components.
4 Setting Up OPC or Trend Servers
4.1 Required Basic Windows XP Settings
Make sure that all required settings stated in section Important Basic Settings on all
Workstations have been made:
- Windows Firewall switched off
- Local Security Settings made as specified
- Simple File Sharing switched off
- All required user accounts and groups created locally and, if necessary, on the domain
controller
Check all four settings. Only the set permissions are shown here. The other check boxes must
be empty (all non-standard Windows XP SP2 permissions are marked with a frame).
Important: Enter the “OPCUsers” domain group exclusively in a pure domain configuration.
Else, the “OPCUsers” group locally defined on the OPC or Trend Server must be entered!
1) Access Permissions -> Edit Limits…:
ANONYMOUS LOGON -> Local Access ->Allow
Everyone -> Local Access -> Allow
Everyone -> Remote Access -> Allow
4.3 Setting Up the OPC/Trend Server DCOM Components
Besides making the standard DCOM settings you can also configure special DCOM
components for the OPC/Trend Server using the “dcomcnfg” application. Additional DCOM
components are registered in the system for each instance of an OPC/Trend Server created
using the Configure Tool (identified by its Resource ID).
The following DCOM components are installed when the OPC/Standard Trend Server
instances have been created:
All DCOM components listed above must have the same configuration. The DCOM
configuration for this instance must be repeated for each OPC or Trend Server instance added
later! As on the DigiVis station or CBF station, it is useful to configure standard settings.
However, there is one important difference from the DCOM component configuration on a
DigiVis or CBF station: In the Identity window you must enter the OPCService user
under “This User”.
Then select the following for all above-listed components, one after the other:
My Computer -> DCOM Config -> <Component Name> -> Right-click with the mouse ->
Properties:
Caution: After having set up the OPC or Trend Server, the permissions are not set to “Use
Default” as seen above. However, you should select the setting seen above once you have
made/checked the general DCOM settings according to section “General DCOM Settings on
the OPC and Trend Server”. You can centrally control all DCOM permissions by setting the
“My Computer” properties. This simplifies the access permission configuration, as the basic
settings only have to be made under “My Computer”.
Important: Enter the “OPCUsers” domain group exclusively in a pure domain configuration.
Else, the “OPCUsers” group locally defined on the OPC or Trend Server must be entered!
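Because the machine-wide limits (Access Permissions -> Edit Limits…) and the per-component Identity and “Use Default” settings above are spread over several dcomcnfg dialogs, a read-only audit of the OPC/Trend Server is useful after configuration and after each new instance. The following script is an added example, not part of the ABB document; it assumes Windows PowerShell 5.1, reads the standard DCOM registry locations and the Win32_DCOMApplication WMI classes, and uses the document's account name OPCService.

```powershell
# Added audit script, not from the ABB document: decodes the machine-wide DCOM limits that
# "Edit Limits..." writes to HKLM\SOFTWARE\Microsoft\Ole and lists the DCOM components that
# run under the OPCService identity (section 4.3), showing whether their own permissions are
# still "Use Default". Read-only; assumes Windows PowerShell 5.1. 'OPCService' is the
# document's account name; adjust it if the site uses another.
$comRights = @{ 1 = 'Execute'; 2 = 'LocalAccess'; 4 = 'RemoteAccess'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

function Get-DcomLimit([string]$ValueName) {
    # MachineAccessRestriction / MachineLaunchRestriction are binary security descriptors;
    # when the value is absent, Windows applies its built-in default limits instead.
    $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        $rights = $comRights.Keys | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $comRights[$_] }
        [pscustomobject]@{ Limit = $ValueName; Ace = $ace.AceType; Principal = $who; Rights = ($rights -join ', ') }
    }
}

# Compare these rows with the Edit Limits entries given above (ANONYMOUS LOGON, Everyone, OPCUsers).
Get-DcomLimit 'MachineAccessRestriction'
Get-DcomLimit 'MachineLaunchRestriction'

# Components whose Identity is "This user: OPCService". Their AppID key carries the
# AccessPermission / LaunchPermission values only when dcomcnfg is NOT on "Use Default".
$names = @{}
Get-CimInstance Win32_DCOMApplication | ForEach-Object { $names[$_.AppID] = $_.Name }
Get-CimInstance Win32_DCOMApplicationSetting -Filter "RunAsUser LIKE '%OPCService'" | ForEach-Object {
    $props = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$($_.AppID)" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Component         = $names[$_.AppID]
        AppID             = $_.AppID
        RunAs             = $_.RunAsUser
        AccessUsesDefault = ($null -eq $props.AccessPermission)
        LaunchUsesDefault = ($null -eq $props.LaunchPermission)
    }
} | Format-Table -AutoSize
```

An OPC/Trend Server instance that does not appear in the second table has not been given the OPCService identity, and a row with a False in the last two columns has component-level permissions that override the central “My Computer” settings.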