Overview - Using Administrative Lists and Keytab Files

Most DFS server processes have an associated administrative list that defines the principals (users and server machines) and groups that can execute commands that affect the process. Server processes on different machines can have different lists, or each process can use a copy of the same list. Different types of processes can also share the same administrative list.

The management of an administrative domain is often shared by groups of administrative users. Each group is granted the privileges needed to execute specific commands on specific machines. By creating different groups, you can allow only certain people to perform specific tasks and access specific files. You can then simplify the administration of your domains by adding users to and removing them from groups rather than altering the administrative lists themselves.

You can use the dcecp group create command to create administrative groups. You can then use the bos addadmin command to place the groups on administrative lists. (See Using ACLs and Groups for more information about groups.)

Each DFS server machine also has a keytab file. The file contains server encryption keys, at least one of which is also stored in the cell's Registry Database. Keytab files are used to provide security between server machines and client machines. A server machine uses an encryption key from the keytab file to prove that it is a valid server, both to clients accessing data from it and to other server machines from which it accesses data.

This topic provides information about using and managing administrative lists and keytab files. Administrative lists, keytab files, and encryption keys are maintained with bos commands. (Note that commands from the DCE Security Service are also available to manipulate keytab files and keys.)