
Industrial IT Quality Control 4.0
powered by 800xA extended automation

Administrator's Guide
System Version 4.0



NOTICE
The information in this document is subject to change without notice and should not be construed as a
commitment by ABB. ABB assumes no responsibility for any errors that may appear in this
document.
In no event shall ABB be liable for direct, indirect, special, incidental or consequential damages of
any nature or kind arising from the use of this document, nor shall ABB be liable for incidental or
consequential damages arising from use of any software or hardware described in this document.
This document and parts thereof must not be reproduced or copied without written permission from
ABB, and the contents thereof must not be imparted to a third party nor used for any unauthorized
purpose.
The software or hardware described in this document is furnished under a license and may be used,
copied, or disclosed only in accordance with the terms of such license.
This product meets the requirements specified in EMC Directive 89/336/EEC and in Low Voltage
Directive 72/23/EEC.

Copyright 2005 ABB
All rights reserved.
Release: January 2005
Document Number: 3BUS208217 R4001


TRADEMARKS
Registrations and trademarks used in this document include:
Windows is a registered trademark of Microsoft Corporation.
Acrobat Reader is a registered trademark of Adobe Systems Inc.
Industrial IT is a trademark of ABB.


About This Book
General
This book describes the configuration and maintenance of Industrial IT Quality Control 4.0 for the
Windows platform. This book is a supplement to the Industrial IT System 800xA Administrators
Guide. The Industrial IT System 800xA Administrators Guide contains information on configuring
and maintaining the base Industrial IT System 800xA software.
As a system administrator you should have a thorough knowledge of using and maintaining Windows
software and hardware. In addition, you must have Windows Administrator privileges to be able to
perform the tasks described in this book.
Intended User
This book is intended for people who administer networking and configuration of the PC-based
systems. Among the topics covered are:
Section 3, Configuration, offers guidelines for the Configuration Wizard, descriptions of the main
windows and step-by-step instructions for the procedures involved in system configuration. The
chapter also handles miscellaneous configurations that should not normally be performed.
Section 4, Operation, describes how to work with the Import and Export Tool, System Messages and
System Status and other system tools.
Section 5, Maintenance, describes fault finding & user repair and backup/restore procedures.
Use of Warning, Caution, Information, and Tip Icons
This publication includes Warning, Caution, and Information where appropriate to point out safety
related or other important information. It also includes Tip to point out useful hints to the reader. The
corresponding symbols should be interpreted as follows:
Electrical warning icon indicates the presence of a hazard, which could result in electrical shock.
Warning icon indicates the presence of a hazard, which could result in personal injury.
Caution icon indicates important information or warning related to the concept discussed in the text. It
might indicate the presence of a hazard, which could result in corruption of software or damage to
equipment/property.
Information icon alerts the reader to pertinent facts and conditions.
Tip icon indicates advice on, for example, how to design your project or how to use a certain function.
Although Warning hazards are related to personal injury, and Caution hazards are associated with
equipment or property damage, it should be understood that operation of damaged equipment could,
under certain operational conditions, result in degraded process performance leading to personal
injury or death. Therefore, comply fully with all Warning and Caution notices.


Document Conventions
The following conventions are used for the presentation of material:
The words in names of screen elements (for example, the title in the title bar of a window, the
label for a field of a dialog box) are initially capitalized.
Capital letters are used for the name of a keyboard key if it is labeled on the keyboard. For
example, press the ENTER key.
Lowercase letters are used for the name of a keyboard key that is not labeled on the keyboard. For
example, the space bar, comma key, and so on.
Press CTRL+C indicates that you must hold down the CTRL key while pressing the C key.
In this case, CTRL+C copies the selected object.
Press ESC E C indicates that you press and release each key in sequence. In this case, ESC E
C copies the selected object.
The names of push and toggle buttons are boldfaced. For example, click OK.
The names of menus and menu items are boldfaced. For example, the File Menu.
The following convention is used for menu operations: MenuName > MenuItem >
CascadedMenuItem. For example: select File > New > Type.
The Start menu name always refers to the Start menu on the Windows Task Bar.
System prompts or messages are shown in the Courier font. For example, if the user enters a value
out of range, the system might reply with the following message:
Entered value is not valid. The value must be 0 to 30.
User responses or inputs are shown in the boldfaced Courier font. For example, a user may be
required to enter the string TIC132 in a field. The string is shown as follows in the procedure:
TIC132
Variables are shown using lowercase letters.

sequence name
Terminology
The following is a list of terms associated with the Administrator's Guide that you should be familiar
with. The list contains terms and abbreviations that are unique to ABB or have a usage or definition
that is different from standard industry usage.

| Term | Description |
|---|---|
| ActiveX | Microsoft standard for integration of user interface components, based on definition of software interfaces. |
| Aspect | An aspect is a description of some properties of a real world entity. The properties described could be mechanical layout, how the object is controlled, a live video image, name of the object etc. In the Aspect Integrator Platform, an aspect resides in an Aspect Object. Some examples are circuit diagram, process display, and control logic. |
| Aspect Objects | A computer representation of a real world entity like a pump, a valve, an order or a virtual object like a service. This computer representation is implemented by the Aspect Integrator Platform. An Aspect Object works like an information container for its aspects. |
| Aspect Server | PC server that hosts the various QCS Object/Aspects and serves as the primary gateway to external aspects systems. |
| Connectivity Server | PC server that hosts Measure IT and Control IT applications and serves as the primary connection between the QCS LAN and the outside world. |
| Industrial IT | Industrial IT is ABB's solution that creates a business enterprise where your plant automation, asset optimization, and collaborative business systems are seamlessly linked in real time. |
| Industrial IT Quality Control 4.0 | ABB's Quality Control Solution consisting of Measure IT Scanners/Sensors, Control IT controllers (AC450, AC800M, and/or PC), Profile IT actuators, Operate IT Process Portal consoles, and Measure IT/Control IT software applications. Integrated with Pulp and Paper Making Suite 3.0. |
| Node | A computer communicating on a network, e.g. the Internet, Plant, Control or IO network. Each node typically has a unique node address with a format depending on the network it is connected to. |
| OPC | An application programming interface defined by the OPC Foundation. The standard defines how to access large amounts of real-time data between applications. The OPC standard interface is used between automation/control applications, field system/devices and business/office applications. |
| Operate IT | The name for the collection of products for daily operation and supervision of an automated process. |
| Plant Explorer | An application that is used to create, delete and organize Aspect Objects and Aspects within the Aspect Integrator Platform. The plant explorer organizes the Aspect Objects in structures of the plant. |
| Process Portal | A product containing functionality for efficient control and supervision of an automated process. Key functions are presentation of process graphics, process dialogs and presentation of alarms and trends. |
| Property | A data field on an aspect of an Aspect Object that can be accessed through OPC using the standard Aspect Object reference syntax. A data field on an ActiveX control accessible from the Visual Basic editor. |
| Structure | A hierarchical tree organization of Aspect Objects. Each structure is used to define a certain kind of relation between Aspect Objects. The functional structure, for example, defines how a function can be divided into sub functions, the location structure defines how different objects are executed by tasks, controllers etc. An Aspect Object can be located in several structures, for example both in a functional structure and in a location structure. |
| View | An Aspect can have several ways to be presented depending on the task performed, like viewing or configuration. Each presentation form is called a view. |


Abbreviations
| Term | Description |
|---|---|
| CD | Compact Disk |
| CPU | Central Processing Unit |
| DHCP | Dynamic Host Configuration Protocol |
| DNS | Domain Name Server |
| DPI | Dots per inch |
| GB | Gigabyte |
| IP address | Internet Protocol address |
| MB | Megabyte |
| Mbps | Megabits per second |
| MHz | Megahertz |
| NetBIOS | Network Basic Input Output System |
| NTFS | NT File System |
| OEM | Original Equipment Manufacturing |
| OPC | OLE for Process Control |
| OLE | Object Linking and Embedding |
| OS | Operating System |
| PC | Personal Computer |
| RAM | Random Access Memory |
| SCSI | Small Computer System Interface |
| SVGA | Super Video Graphics Adapter |
| TCP/IP | Transmission Control Protocol/Internet Protocol |
| WINS | Windows Internet Name Services |


Related Documentation
Categories: 800xA System Installation; 800xA System Administration; 800xA Software; Industrial IT Quality Control 4.0 Installation; Industrial IT Quality Control 4.0 Features.

| Title | Description |
|---|---|
| Industrial IT, 800xA System Version 4.0, Automated Installation | 3BSE034679R4001 |
| Industrial IT, 800xA System Version 4.0, Installation | 3BSE034678R4001 |
| Industrial IT, 800xA System Version 4.0, Upgrade and Installation | 3BSE036342R4001 |
| Industrial IT, 800xA System Version 4.0, Post Installation Setup | 3BUA000156R4001 |
| Industrial IT, 800xA System, Administration and Security | 3BSE037410R4001 |
| Industrial IT, 800xA System, Automation System Network Design and Configuration | 3BSE034463R4001 |
| Industrial IT, 800xA System, System Guide | 3BSE038018R4001 |
| Industrial IT, 800xA System, Release Notes | 3BSE038357R4001 |
| Industrial IT Quality Control 4.0, Installation Guide | 3BUS208220R4001 - This book describes how you install the Industrial IT Quality Control 4.0. |
| Industrial IT Quality Control 4.0, Upgrade Guide | 3BUS208226R4001 - This book describes how you upgrade from Industrial IT Quality Control 3.0 to Industrial IT Quality Control 4.0. |
| Industrial IT Quality Control 4.0, Administrators Guide | 3BUS208217R4001 - This book describes how you configure the Industrial IT Quality Control 4.0 application and how you then perform maintenance. |
| Industrial IT Quality Control 4.0, Operations User Guide | 3BUS208221R4001 - This book describes how an operator can control and operate Industrial IT Quality Control 4.0. |
| Industrial IT Quality Control 4.0, Engineering Methods Reference Manual | 3BUS208218R4001 - This book is a guide for plant engineering functions related to Industrial IT Quality Control 4.0. |
| Industrial IT Quality Control 4.0, Theory of Operation Guide | 3BUS208222R4001 - This book describes the theory of operation for Industrial IT Quality Control 4.0 and provides troubleshooting guidance. |
| Industrial IT Quality Control 4.0, CD Tuning Guide | 3BUS208224R4001 - This book describes how to setup and tune the Industrial IT Quality Control 4.0 CD Control feature. |
| Industrial IT Quality Control 4.0, MD Tuning Guide | 3BUS208223R4001 - This book describes how to setup and tune the Industrial IT Quality Control 4.0 MD Control features. |
| Industrial IT Quality Control 4.0, Service Workstation Getting Started Manual | 3BUS208230R4001 - This book describes how to install and configure the Industrial IT Quality Control 4.0 Smart Platform Service Workstation. |
| Industrial IT Quality Control 4.0, Coat Weight & Computed Sensors Manual | 3BUS208229R4001 - This book describes how to configure and verify coat weight, calculated measurements and synchronized scanning. |
| Industrial IT Quality Control 4.0, Color Control Guide | 3BUS208227R4001 - This book describes how to configure, verify and tune Color Controls. |
| Industrial IT Quality Control 4.0, Multi-Ply Controls Tuning Guide | 3BUS208228R4001 - This book describes how to configure, verify and tune Multi-Ply Controls. |
| Industrial IT Quality Control 4.0, Color Measurement Operations Use Guide | 3BUS208232R4001 - This book describes how to operate Color Measurement. |



Table of Contents
CHAPTER 1 INTRODUCTION
1.1 Product Overview
1.2 Prerequisites and Requirements
CHAPTER 2 INSTALLATION
CHAPTER 3 CONFIGURATION
3.1 Network Configuration
    3.1.1 Overview
    3.1.2 Connectivity Requirements
    3.1.3 Network Diagram
    3.1.4 IP Address Configuration
    3.1.5 Network Verification
        Performance
3.2 System Software User Settings
3.3 Active Directory Configuration
3.4 Security Policy Configuration
3.5 Industrial IT System 800xA System Configuration
3.6 License Management
    3.6.1 License Installation
    3.6.2 Viewing License Information
CHAPTER 4 OPERATION
CHAPTER 5 MAINTENANCE
5.1 Fault Finding and User Repair
5.2 Backup/Restore Procedures
    5.2.1 Industrial IT Quality Control 4.0 Backup / Restore
        SQL Database Backup / Restore
        File Backup / Restore
        Full Industrial IT Quality Control 4.0
        Partial Industrial IT Quality Control 4.0
        Grade Files
        Shade Files
5.3 Windows 2000 Server and Domain Installation
    5.3.1 Promoting a Windows 2000 Server to a Domain Controller
    5.3.2 Create Organizational Units (OU)
    5.3.3 Create Groups
    5.3.4 Create Users
    5.3.5 Create Computers
    5.3.6 Enable Local User to Logon to the PC in which the Domain Controller resides
5.4 Windows 2000 Operator Security Policy
    5.4.1 Creating and Configuring the Group Policies
    5.4.2 Configuring a Custom Console for a Group Policy
        Configuring a Custom Console
        Adding snap-in Active Directory Users and Computers
        Adding the snap-in Group Policies
    5.4.3 Linking a Group Policy Object to an Organizational Unit
    5.4.4 Managing Group Policy
    5.4.5 Editing a Group Policy Object
    5.4.6 Opening Group Policy from Active Directory Users and Computers
    5.4.7 Group Policies created for typical ABB Operator and Engineer functions



List of Figures
Figure 3-1 Normal System Configuration
Figure 3-2 Industrial IT Quality Control 4.0 License Utility to add, show and delete license
Figure 5-1 Use Windows Backup to make a normal backup of directory structure
Figure 5-2 Active Directory Users and Computers
Figure 5-3 Enabling local logon to the Domain Controller
Figure 5-4 Creating a group policy
Figure 5-5 Group Policy MMC Console
Figure 5-6 Operators Properties
Figure 5-7 Group Policy Snap-in
Figure 5-8 Desktop Group Policy locks down desktop
Figure 5-9 Control Panel Group Policy locks down control panel
Figure 5-10 Startup Group Policy locks down Startup Menu and Taskbar
Figure 5-11 System Group Policy locks down games, drives, and other PC auxiliary items
Figure 5-12 Windows Explorer Component Group Policy locks down Windows Explorer



List of Tables
Table 3-1 Table Network Connectivity



Chapter 1 Introduction
1.1 Product Overview
Industrial IT Quality Control 4.0 is a set of features for measurement and control of the paper
making process. Industrial IT Quality Control 4.0 is packaged as an Industrial IT extension.
1.2 Prerequisites and Requirements
For information on the prerequisites and requirements for Industrial IT Quality Control 4.0,
refer to the corresponding Installation Guide (3BUS208220R4001). This document assumes
that you have installed Industrial IT System 800xA Process Portal A following the
instructions in the Industrial IT System 800xA Installation Guide (3BSE034678R4001).



Chapter 2 Installation
Refer to the Industrial IT System 800xA Installation Guide (3BSE034678R4001 System
Installation).
Refer to the Industrial IT Quality Control 4.0 Installation Guide (3BUS208220R4001) for
installation information.



Chapter 3 Configuration
Refer to the Industrial IT System 800xA Administrators Guide (3BSE037410R4001) for
information on configuring and maintaining the base Industrial IT System 800xA system.
3.1 Network Configuration
3.1.1 Overview
The tested networking configuration for Industrial IT Quality Control 4.0 is illustrated in the
diagram below. A network switch is used to isolate network traffic. The Industrial IT Quality
Control 4.0 Aspect Server and each Connectivity Server (if more than one) are connected to a
separate switch port. The AC800M Controller is also connected to a separate switch port.
Scanning Platforms and ABB Actuators can share a switch port through a hub. Industrial IT
System 800xA PPA Clients may share switch ports. It may be possible to improve
performance by limiting the number of clients on each switch port. The diagram shows up to
four clients sharing one switch port.
To separate the AC800M Controller, Scanners and Actuators more completely from the client
workstations and the mill network, it may be desirable to use VLANs (Virtual LANs) or separate
network segments isolated by routers or dual-homed PCs.
3.1.2 Connectivity Requirements
Consult the table below for the connectivity requirements between the PC nodes and devices.
Use the table as a guide if you decide to isolate the AC800M Controller, Scanners, Actuators,
etc. using VLANs or separate network segments.




Table 3-1 Table Network Connectivity

Columns: AC800M Controller | Scanners and Actuators | Process Portal Aspect Server | QC Connectivity Server | AC800M Connectivity Server | Process Portal Clients

AC800M Controller: X X
Scanners and Actuators: X
Process Portal Aspect Server: X X X
QC Connectivity Server: X X X X
AC800M Connectivity Server: X X X
Process Portal Clients: X X
3.1.3 Network Diagram
The following diagram illustrates one possible network configuration for the Industrial IT
Quality Control 4.0.



[Network diagram. Labels: Plant Network (connection via router or bridge); 24-port 10/100 switch; PPA Aspect Server; PPA Clients connected through hubs; combined Quality Control Connectivity Server and AC800M Connectivity Server; Smart Platform and Smart Actuator (10MB); AC800M (10MB). Link speeds shown: 100/1000MB, 100MB, 10MB.]

Notes on the diagram:
Up to 4 PPA Clients per switch port.
Each server on separate port. Large configurations may require a separate AC800M connectivity server. Very large configurations may require a secondary Quality Control Connectivity Server for CD Control.
ASI Devices may share single switch port.
AC800M controller on separate switch port.

Figure 3-1 Normal System Configuration
3.1.4 IP Address Configuration
Each PC and device on Industrial IT Quality Control 4.0 must be assigned a unique IP
address.
3.1.5 Network Verification
Take time to verify the network connectivity before beginning system software configuration.
Use the ping command from a command prompt to verify the connectivity in both
directions between the PC application nodes and devices marked with an X in the
connectivity table in the preceding section. Ping using the computer name rather than the IP
address to verify correct DNS (Domain Name Server) operation.
The AC800M Connectivity Server and Industrial IT Quality Control 4.0 Connectivity Server
usually run in the same PC node.
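
The check described above can be scripted so that it is repeated identically on every node. This is an added example, not ABB code: the computer names are hypothetical placeholders for the peers marked with an X in Table 3-1, and the function names are illustrative. It resolves each name before pinging it, so a DNS failure is reported separately from an unreachable host, and it flags any address that more than one name resolves to (see 3.1.4).

```powershell
# Added example, not ABB code. Save as a script and run it on each PC node in
# turn so that every link marked in Table 3-1 is checked in both directions.

# ASSUMPTION: hypothetical computer names. Replace them with the peers marked
# with an X for the node this script runs on.
$Peers = @('QCS-ASPECT01', 'QCS-CONN01', 'QCS-CLIENT01')

function Test-QcsPeer {
    param([Parameter(Mandatory)][string]$Name)

    $result = [pscustomobject]@{
        Name = $Name; Addresses = @(); Resolved = $false; Reachable = $false
    }
    try {
        # Resolve by name first: a failure here points at DNS,
        # not at cabling or the switch.
        $result.Addresses = @(
            [System.Net.Dns]::GetHostAddresses($Name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString }
        )
    } catch {
        return $result   # name did not resolve, so there is nothing to ping
    }
    $result.Resolved = $result.Addresses.Count -gt 0
    if ($result.Resolved) {
        # Ping the name, as the guide directs, rather than the address.
        $result.Reachable = [bool](Test-Connection -ComputerName $Name -Count 2 -Quiet)
    }
    return $result
}

function Get-SharedAddress {
    # Returns one group per IP address that more than one name resolves to.
    param([Parameter(Mandatory)][object[]]$Results)

    $pairs = foreach ($r in $Results) {
        foreach ($a in $r.Addresses) {
            [pscustomobject]@{ Name = $r.Name; Address = $a }
        }
    }
    if (-not $pairs) { return }
    $pairs | Group-Object Address | Where-Object { $_.Count -gt 1 }
}

$results = @($Peers | ForEach-Object { Test-QcsPeer -Name $_ })

foreach ($r in $results) {
    Write-Host ("{0,-16} resolved={1,-5} reachable={2,-5} {3}" -f `
        $r.Name, $r.Resolved, $r.Reachable, ($r.Addresses -join ', '))
}

foreach ($g in (Get-SharedAddress -Results $results)) {
    Write-Warning ("{0} is shared by: {1}" -f $g.Name, ($g.Group.Name -join ', '))
}

# A non-zero exit code lets a scheduled task or wrapper script notice failures.
if ($results | Where-Object { -not $_.Reachable }) { exit 1 }
```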
Performance
Verify that all PC Network Interface Cards are set for 100MB. This assumes that the devices
that operate only at 10MB (Scanning Platforms, ABB Actuators, AC800M Controllers) are
connected by way of auto-sensing switches or hubs as described in Appendix A of this
document.



3.2 System Software User Settings
Add users to the Industrial IT groups as documented in the Industrial IT System 800xA
Installation Guide (3BSE034678R4001 System Installation).
3.3 Active Directory Configuration
Active Directory is used to manage computer and user accounts. Industrial IT System 800xA
requires Active Directory except for the case where there is a single PC solution (Aspect
Server, Connectivity Server and Client on one PC). Refer to the Industrial IT System 800xA
Installation Guide for general information on Active Directory setup requirements and refer
to Appendix A for detailed examples.
If ABB is providing the Active Directory functionality it can reside in the same PC as the
Aspect Server. Windows Server 2003 is required.
3.4 Security Policy Configuration
To lock down the PC so that the Operator can only access the Operator Workplace, a
Group Policy must be created. This Group Policy defines access controls such as what the user
sees on the Desktop and which items he/she has access to on the Start Button and Task Bar.
There can be multiple Group Policies, and each User can be assigned to all or some of these
Policies. Refer to Windows 2003 Operator Security Policy, Appendix A for detailed
examples on how to create a Group Policy.
3.5 Industrial IT System 800xA System Configuration
Refer to the Industrial IT Quality Control 4.0 Installation Guide (3BUS208220R4001) for
information on creating a System, adding the System Extensions and adding the AC800M /
Quality Control Connectivity node.
3.6 License Management
3.6.1 License Installation
Install the Industrial IT Quality Control 4.0 licenses on the Quality Control Connectivity
Server using the License Manager Utility. To run the utility, select the following command
from the Start menu:
ABB Industrial IT 800x -> Quality Control Solutions -> License Manager -> Add Show Licenses
To add new licenses, select the Add New Licenses command from the Edit menu,
browse to the location of the license files (normally a floppy diskette) and add the licenses. This
can take some time to process, depending on the number of features.




Figure 3-2 Industrial IT Quality Control 4.0 License Utility to add, show and delete license
3.6.2 Viewing License Information
The License Manager Utility will display all licenses currently installed on the system.





Chapter 4 Operation
A complete guide to operating the system is located in the Industrial IT Quality Control 4.0
Operation Users Guide (3BUS208221R4001).



Chapter 5 Maintenance
Refer to the Industrial IT System 800xA Administrators Guide (3BSE037410R4001) for
maintenance procedures for the base Industrial IT System 800xA system.
5.1 Fault Finding and User Repair
Refer to the Industrial IT Quality Control 4.0, Theory of Operation Guide
(3BUS208222R4001) for information on Fault Finding and User Repair.
5.2 Backup/Restore Procedures
Refer to the Industrial IT System 800xA Administrators Guide (3BSE037410R4001) for
general backup and restore information, including complete system backup and Industrial IT
System 800xA backup strategies. The following section contains the backup and restore
procedures related to the Industrial IT Quality Control 4.0.
5.2.1 Industrial IT Quality Control 4.0 Backup / Restore
Refer to the Industrial IT Quality Control 4.0, Engineering Methods Reference Manual
(3BUS208218R4001) for guidelines on navigating the Industrial IT Quality Control 4.0 file
system structure and the location of key configuration files.
SQL Database Backup / Restore
Refer to the Industrial IT Quality Control 4.0, Engineering Methods Reference Manual
(3BUS208218R4001) for information on SQL database Backup/Restore procedures.
File Backup / Restore
The Industrial IT Quality Control 4.0 configuration files, including the grade, shade, coldstart,
OPC Transport configuration and Tag Lookup configuration files, should be backed up on a
regular basis. The Windows Backup tool can be used for this purpose. The Windows Backup
tool can back up files to a tape or to a file. A common method is to back up the files to a folder
on a separate physical disk drive and then to periodically copy the backup files to a CD-R.
The backup tool is normally started from the Start menu as follows:
Start->Programs->Accessories->System Tools->Backup
Windows Backup has options for performing full, incremental or differential backups and for
scheduling the backups. Refer to the Windows Backup help and to Microsoft documentation
for more information on using Windows Backup.
Full Industrial IT Quality Control 4.0
The following figure illustrates using Windows Backup to make a normal (full) backup of the
entire Quality Control directory structure:
Figure 5-1 Use Windows Backup to make a normal backup of directory structure
1. Choose all applicable files to be backed up from the Windows Backup pop-up above.
2. After choosing the files, browse for the backup media or file name desired.
3. Choose Start Backup to begin backing up the software.
Partial Industrial IT Quality Control 4.0
Grade Files
Routine maintenance of the grade code files is possible in an offline environment or on PCs
other than the Quality Control server. The mechanism for doing this is to copy the grade code
files to a removable medium (diskette or CD-R) and subsequently to the target PC where the
offline maintenance utility has been installed (refer to the Engineering Methods Reference
Manual). Restoring newly modified grade code files is the reverse of this procedure.
Copy all of the following files as a complete set, as the maintenance utility requires each of
them to reside in a common directory.
All grade code .xml files (minimum of 3 consisting of one grade file, one model file,
and one directory file)
QCSGradeCodeDirectory.xsd
QCSGradeCodeModel.xsd
QCSGradeCode.xsd

Shade Files
Routine maintenance of the color shade files is possible in an offline environment or on PCs
other than the Quality Control server. The mechanism for doing this is to copy the shade files
to a removable medium (diskette or CD-R) and subsequently to the target PC where the
offline maintenance utility has been installed (refer to the Engineering Methods Reference
Manual). Restoring newly modified shade files is the reverse of this procedure.
Copy all of the following files as a complete set, as the maintenance utility requires each of
them to reside in a common directory.
All color shade .xml files (minimum of 4 consisting of one shade file, one shade help
file, one model file, and one directory file)
QCSGradeCodeDirectory.xsd
QCSGradeCodeModel.xsd
QCSGradeCode.xsd
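One way to check that a grade or shade file set is complete before it goes to removable media, and to see which files differ when the set comes back. This is an added example, not ABB's code: the function names and the SHA-256 manifest are assumptions, while the three .xsd names and the minimum .xml counts come from the lists above.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Schema files the guide lists for both the grade and the shade file sets.
REQUIRED_XSD = ("QCSGradeCodeDirectory.xsd", "QCSGradeCodeModel.xsd", "QCSGradeCode.xsd")
# Minimum number of .xml files per set, as stated in the guide.
MIN_XML = {"grade": 3, "shade": 4}


def check_file_set(directory, kind):
    """Return a list of problems; an empty list means the set is complete."""
    names = {p.name.lower() for p in Path(directory).iterdir() if p.is_file()}
    problems = [f"missing schema file {x}" for x in REQUIRED_XSD if x.lower() not in names]
    xml_count = sum(1 for n in names if n.endswith(".xml"))
    if xml_count < MIN_XML[kind]:
        problems.append(f"only {xml_count} .xml files, {kind} set needs at least {MIN_XML[kind]}")
    return problems


def build_manifest(directory):
    """Map each file name in the folder to the SHA-256 of its contents."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(directory).iterdir()) if p.is_file()}


def compare_manifests(source, copy):
    """Report files that were lost, added or altered between two manifests."""
    shared = set(source) & set(copy)
    return {
        "missing": sorted(set(source) - set(copy)),
        "added": sorted(set(copy) - set(source)),
        "changed": sorted(n for n in shared if source[n] != copy[n]),
    }


if __name__ == "__main__":
    # Constructed sample set standing in for the server's grade code directory.
    server = Path(tempfile.mkdtemp())
    media = Path(tempfile.mkdtemp())
    for name in REQUIRED_XSD + ("grade1.xml", "model.xml", "directory.xml"):
        (server / name).write_text("constructed sample: " + name)
    print("server set problems:", check_file_set(server, "grade"))
    for path in server.iterdir():
        shutil.copy(path, media / path.name)
    (media / "grade1.xml").write_text("edited offline")
    print(compare_manifests(build_manifest(server), build_manifest(media)))
```

Files reported as changed after offline maintenance should match the edits that were actually made; anything missing means the set no longer satisfies the common-directory requirement.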
Identifying Software Versions
Appendix A Active Directory and Security Policy Examples
5.3 Windows 2000 Server and Domain Installation
This chapter walks you through the setup of a Domain Controller and the generation of Group
Policies. It is these Group Policies that define what access to the PC a given User has.
NOTES
1. The System Volume (C Drive) MUST be an NTFS Partition BEFORE a Windows 2000
Server system can be promoted to a Domain Controller. To convert to NTFS, at the
Command Prompt type:
CONVERT C: /FS:NTFS /V
2. DO NOT UPGRADE THE PARTITIONS TO A DYNAMIC DISK. This procedure
cannot be reversed and imposes restrictions: for example, you cannot resize the partition
with Partition Magic or use Ghost to back up the partition. If the PC has a second drive,
use this drive as a backup of the active drive.
3. The Server MUST be connected to a Hub/Switch and have a static TCP/IP address set up
for the Mill LAN Network Interface Card (NIC) BEFORE it can be promoted to a Domain
Controller.
5.3.1 Promoting a Windows 2000 Server to a Domain Controller
To convert a Windows 2000 Server machine to a Domain Controller, walk through the
Configure Your Server Wizard. Invoke this wizard from Start Button, Programs,
Administrative Tools, Configure Your Server. Now navigate this wizard as follows:
1. Select This is the only Server on My Network.
2. Answer Next,
3. Answer Next,
4. Enter the Domain Name ABB-QCS-PM1
5. Enter Internal Domain Name local
6. Answer Next
7. Answer Next.
8. Setup Active Directory
To set up and administer accounts on a Domain Controller you must install and configure
Active Directory. Configure Active Directory by invoking:
Start Button->Programs->Administrative Tools->Active Directory Users and Computers

5.3.2 Create Organizational Units (OU)
To create organizational units (OUs), use the following procedure:
1. Right Click On ABB-QCS-PM1.local
2. Select New
3. Select Organizational Unit
4. Enter Name Accounts
5. Right Click On Accounts
6. Select New
7. Select Organizational Unit
8. Enter Name Customer Name Paper Machine One.
Repeat the above to create the following OUs under Customer Name Paper Machine One:
Engineering
Operator
Service
These OUs will later be associated with the corresponding Group Policies.
5.3.3 Create Groups
To create groups, use the following procedure:
1. Right Click on Users,
2. Select New
3. Select Group.
4. Enter the Group Name IndustrialITUser.
Repeat for IndustrialITAdmin.
5.3.4 Create Users
1. Right Click on the OU Operator,
2. Select New
3. Select User.
4. Enter Full Name Operator1,
5. Enter User Logon Name Operator1.
6. Enter the password.
7. Select Password Never Expires
8. Select User Cannot Change Password.
Repeat for the User Engineer1 in the OU Engineering. These Users now need to be added
to Groups. Right Click on the OU Operator, click Add Members to a Group. Select the group
IndustrialITUser, OK, Yes. Repeat by adding Engineering to the group IndustrialITAdmin.

Figure 5-2 Active Directory Users and Computers
5.3.5 Create Computers
Drill down to ABB-QCS-PM1, Computers. Right click on Computers and select New
Computer. Enter the computer name to be added to the domain (e.g. PM1SVR21).

5.3.6 Enable Local User to Logon to the PC in which the Domain Controller resides
When the Domain Controller PC doubles as an Engineering Station, it is necessary to enable
the PC so that local users (not the Domain Administrator) can log on. The use of the Domain
Controller PC as an Operator Station is NOT recommended (see figure 3.3).
Open the Domain Controller Security Policy MMC by clicking on:
1. Start Button
2. Programs
3. Administrative Tools
4. Domain Controller Security Policy
5. Next, drill down to Security Settings->Local Policies->User Rights Assignment
6. Double click on Log On locally
7. Drill down to Add->Browse
8. Select Engineer1.
9. Close PopUps.
10. At the Command Line Prompt enter the command:
Secedit /refreshpolicy user_policy /enforce
11. Test the local logon by logging on to the Domain Controller PC as Engineer1.

Figure 5-3 Enabling local logon to the Domain Controller
5.4 Windows 2000 Operator Security Policy
To lock down the PC so that the Operator can only access the Operator Workplace, a
Group Policy must be created. This Group Policy defines access controls such as what the
user sees on the Desktop and which items he/she has access to on the Start Button and Task
Bar. There can be multiple Group Policies, and each User can be assigned to all or some of
these Policies. Use the Group Policy snap-in to the Microsoft Management Console (MMC)
to create these Group Policies.
5.4.1 Creating and Configuring the Group Policies
Group Policy is tied to the Active Directory service. The Group Policy snap-in extends the
Active Directory management tools using the Microsoft Management Console (MMC)
snap-in extension mechanism.
The Active Directory snap-ins set the scope of management for Group Policy. The most
common way to access Group Policy is by using the Active Directory Users and Computers
snap-in, for setting the scope of management to domain and organizational units (OUs). You
can also use the Active Directory Sites and Services snap-in to set the scope of management
to a site. These two tools can be accessed from the Administrative Tools program group; the
Group Policy snap-in extension is enabled in both tools. Alternatively, you can create a
custom MMC console, as described in the next section. These Policies will be created on the
Domain Controller. These policies are invoked by each PC on the Domain when a user
belonging to the Group IndustrialITUser logs on.

5.4.2 Configuring a Custom Console for a Group Policy
The examples in this document use the custom MMC console that you can create by
following the procedure in this section. You need to create this custom console before
attempting the remaining procedures in this document.
Configuring a Custom Console
1. Log on to the ABB-QCS-PMX.local domain controller server as an administrator.
2. Click Start,
3. Click Run,
4. Type mmc, and
5. Then click OK.
Adding snap-in Active Directory Users and Computers
1. On the Console menu, click Add/Remove Snap-in
2. Click Add.
3. In the Available standalone snap-ins list box, click Add,
4. Click Active Directory Users and Computers, and
5. Then click Add followed by Close.
Adding the snap-in Group Policies
1. On the Console menu, click Add/Remove Snap-in,
2. Click Add.
3. In the Available standalone snap-ins list box, click Group Policy, and then click Add.
4. In the Select Group Policy object dialog box, Local computer is selected under Group
Policy object. Click Browse,
5. Select the domain that you want in the Look in box.
6. Click the New Group Policy Button or right Click in the list box and select New.
7. Name the Policy (e.g. Desktop Group Policy Object).
Repeat this until you have created the following policies:
Desktop Group Policy Object
Windows Components Group Policy Object
Startup Group Policy Object
Control Panel Group Policy Object
System Group Policy Object
Now, while in the Browse for a Group Policy Object Window, you will have your five
GPOs plus the Default Domain Policy. Select the first GPO and click on Ok, Finish. Repeat
this sequence (Add, Browse, Select, Ok and Finish) until you have all GPOs in the Add /
Remove Snap-in Window. Click on Close followed by Ok.

Figure 5-4 Creating a group policy
Saving console changes
In the MMC console, on the Console menu, click Save As. In the Save As dialog box, drill
down to C:\Winnt\System32\Group Policy and in the File name text box, type Multiple
Group Policies, and then click Save. Create a Desktop Shortcut to this file.
The console should appear similar to Figure 3.4.1.1b below:

Figure 5-5 Group Policy MMC Console
5.4.3 Linking a Group Policy Object to an Organizational Unit
The Group Policy settings you create are contained in a Group Policy Object (GPO) that is in
turn associated with selected Active Directory objects, such as sites, domains, or
organizational units (OUs).
To link a GPO to an Organizational Unit, open the Multiple Group Policies MMC console.
1. Drill down to Active Directory Users and Computers->ABB-QCS-PMX.local->
Accounts->Customer Paper Machine One.
2. Next Right-click Operators
3. Select Properties from the context menu.
4. In the Operators Properties page, click the Group Policy tab.
5. Click Add,
6. Select Customer Paper Machine One in the Look in drop down box.
7. Select Desktop Group Policy Object from the list box, then Ok. Repeat for each GPO.
The Operators Properties page should appear as in Figure 3.4.2 below:
Figure 5-6 Operators Properties
If you have more than one GPO associated with an Active Directory folder, verify the GPO
order; a GPO that is higher in the list has the highest precedence. Note that GPOs higher in
the list are processed last (this is what gives them a higher precedence). GPOs in the list are
objects; they have context menus that you use to view the properties of each GPO. You can
use the context menus to obtain and modify general information about a GPO. This
information includes Discretionary Access Control Lists (DACLs, which are covered in the
Security Group Filtering section of this document), and lists the other site, domain, or OUs to
which this GPO is linked.
Do the same for the Engineer OU, but do not include the Control Panel and Desktop GPOs.
Best Practice: You can further refine a GPO by using user or computer membership in
security groups and then setting DACLs based on that membership. This is covered in
the Security Group Filtering section below.
5.4.4 Managing Group Policy
To manage Group Policy, you need to access the context menu of a site, domain, or OU,
select Properties, and then select the Group Policy tab. This displays the Group Policy
Properties page. Please note the following:
This page displays any GPOs that have been associated with the currently selected site,
domain, or OU. The links are objects; they have a context menu that you can access by
right-clicking the object. (Right-clicking the white space displays a context menu for
creating a new link, adding a link, or refreshing the list.)
This page also shows an ordered GPO list, with the highest priority GPO at the top of the
list. You can change the list order by selecting a GPO and then using the Up or Down
buttons.
To associate (link) a new GPO, click the Add button.

To edit an existing GPO in the list, select the GPO and click the Edit button, or just
double-click the GPO. This starts the Group Policy snap-in, which is how the GPO is
modified. This is described in more detail later in this document.
To permanently delete a GPO from the list, select it from the list and click the Delete
button. Then, when prompted, select Remove the link and delete the Group Policy
object permanently. Be careful when deleting an object, because the GPO may be
associated with another site, domain, or OU. If you want to remove a GPO from the list,
select the GPO from the links list, click Delete, and then when prompted, select Remove
the link from the list.
To determine what other sites, domains, or OUs are associated with a given GPO, right-
click the GPO, select Properties from the context menu, and then click the Links tab in
the GPO Properties page.
The No override check column marks the selected GPO as one whose policies cannot be
overridden by another GPO.
Note: You can enable the No Override property on more than one GPO. All GPOs that are
marked as No override will take precedence over all other GPOs not marked. Of those
GPOs marked as No override, the GPO with the highest priority will be applied after all the
other similarly marked GPOs.
The Disabled check box simply disables (deactivates) the GPO without removing it from
the list. To remove a GPO from the list, select the GPO from the links list, click Delete,
and then select Remove the link from the list in the Delete dialog box.
It is also possible to disable only the User or Computer portion of the GPO. To do this,
right-click the GPO, click Properties, click either Disable computer configuration
settings or Disable user configuration settings, and then click OK. These options are
available on the GPO Properties page, on the General tab.
The Block policy inheritance check box has the effect of negating all GPOs that exist
higher in the hierarchy. However, it cannot block any GPOs that are enforced by using
the No override check box; those GPOs are always applied.
Note: Policy settings contained within the local GPO that are not specifically overridden by
domain-based policy settings are also always applied. Block Policy Inheritance at any level
will not remove local policy.
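The precedence rules from sections 5.4.3 and 5.4.4 (list order, No override, Block policy inheritance, local GPO), modelled as an added example that is not ABB or Microsoft code. The GPO and domain names are the guide's; the setting keys and values are constructed, and the rule that a No override link on a higher container beats one on a lower container is an assumption of the model.

```python
from dataclasses import dataclass, field


@dataclass
class Link:                       # one row on a container's Group Policy tab
    name: str
    settings: dict
    no_override: bool = False
    disabled: bool = False


@dataclass
class Container:                  # site, domain or OU
    name: str
    links: list = field(default_factory=list)   # index 0 = top of the list
    block_inheritance: bool = False


def resolve(local_settings, chain):
    """chain runs from the top of the hierarchy down to the target OU.
    Returns {setting: (value, name of the GPO that supplied it)}."""
    # Lowest container with Block policy inheritance: normal links above it are dropped.
    first_kept = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        for link in reversed(container.links):    # bottom of the list first, top last
            if link.disabled:
                continue
            if link.no_override:
                enforced.append((depth, link))    # never blocked
            elif depth >= first_kept:
                normal.append(link)
    # Assumption: among No override links the highest container wins, so it goes last.
    enforced.sort(key=lambda pair: -pair[0])      # stable: keeps list order per container
    result = {k: (v, "Local GPO") for k, v in local_settings.items()}
    for link in normal + [l for _, l in enforced]:
        for key, value in link.settings.items():  # later GPOs overwrite earlier ones
            result[key] = (value, link.name)
    return result


def sample_chain(domain_no_override=False, ou_blocks=False):
    """Constructed hierarchy using the guide's names; setting keys are made up."""
    domain = Container("ABB-QCS-PMX.local", [
        Link("Default Domain Policy", {"control_panel": "allowed", "min_password_length": 8},
             no_override=domain_no_override)])
    operators = Container("Operators", [
        Link("Desktop Group Policy Object", {"desktop_icons": "hidden", "run_menu": "hidden"}),
        Link("Control Panel Group Policy Object", {"control_panel": "blocked"}),
        Link("Startup Group Policy Object", {"run_menu": "shown"}),
    ], block_inheritance=ou_blocks)
    return [domain, operators]


if __name__ == "__main__":
    local = {"screensaver": "on"}                 # constructed local GPO setting
    for label, chain in [("default", sample_chain()),
                         ("domain link No override", sample_chain(domain_no_override=True)),
                         ("OU blocks inheritance", sample_chain(ou_blocks=True))]:
        print(label)
        for key, (value, source) in sorted(resolve(local, chain).items()):
            print(f"  {key} = {value}  ({source})")
```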
5.4.5 Editing a Group Policy Object
To edit a Group Policy Object (GPO)
Click Start, point to Programs, click Administrative Tools, and then select Multiply
GPs.
Click the + next to Active Directory Users and Computers, click the
ABB-QCS-PMX.NET domain, and then click the Accounts OU.
Right-click Operators, select Properties, and then click the Group Policy tab. Desktop
GP in the Group Policy object links list box should be highlighted.
Double-click the Desktop GP GPO (or click Edit).
This opens the Group Policy snap-in focused on a GPO named desktop GP, which is linked to
the OU named Operators. It should appear as in Figure 5 below:

Figure 5-7 Group Policy Snap-in
You can use the appropriate Active Directory tools to access Group Policy while focused on
any site, domain, or OU.
5.4.6 Opening Group Policy from Active Directory Users and Computers
In the console tree in the MMC console, click the + next to Active Directory Users and
Computers.
In the console tree, right-click either the ABB-QCS-PMX.local domain or the OU for
which to access Group Policy.
Click Properties, and click Group Policy.
To access Group Policy scoped to a specific computer (or the local computer), you must load
the Group Policy snap-in into the MMC console namespace targeted at the specific computer
(or local computer). There are two major reasons for these differences:
Sites, domains, and OUs can have multiple GPOs linked to them; these GPOs require
an intermediate property page to manage them.
A GPO for a specific computer is stored on that computer and not in the Active Directory.
5.4.7 Group Policies created for typical ABB Operator and Engineer functions
The following policies can be applied to all or can be disabled so that only certain policies
apply to certain OUs.

In fig 4 above, for the Operator Policy, you will notice that I have these policies all enabled
and I have the Operator GP disabled. The reason here is that the operator GP had all of these
policies rolled up into one before I decided to split it up. For an Engineer policy you may
decide to disable the System GP so that you can access the games. Otherwise, if you keep
the same settings as the Operator, the engineer will have the same authority as the operator.

Figure 5-8 Desktop Group Policy locks down desktop

Figure 5-9 Control Panel Group Policy locks down control panel

Figure 5-10 Startup Group Policy locks down Startup Menu and Taskbar

Figure 5-11 System Group Policy locks down games, drives, and other PC auxiliary items


Figure 5-12 Windows Explorer Component Group Policy locks down Windows Explorer
