SnTT - Methods to Resolve Manager ACL Issues06/25/2008
You have just inherited a Domino environment. The prior Admin was the Manager in all databases on the server and was explicitly named as the only Manager of a database (or all databases). Your Admin "friend" never thought to use Groups. Further, before he left, he didn't leave his password or his ID. You need to change the Manager in the ACLs of all of the databases to reflect your new Administration Group. What do you do?
First, if an Administration group isn't in your Domino Directory, create one. If you have the right to do so. Then add the appropriate people to it. You may also want to consider the creation of an ID for administration of the databases (at this point, I hope that you have access to the Cert.ID and the password).
Next, the use of one of these little applications may be of some use:
ACL Setter
ACL "Modificator" 1.0
AdminACL
Admin ACL 2
R5 Database Manager
PowerTools from HelpSoft
ServerAdmin Plus from Axceler
The latter two are not free, but they do have trial software. And they are excellent tools (I've used them both).
Add Your Name to the ACL
ACLHelp
DomainPatrol
If you are really in pain, you might want to see Hacking the ACL
If you are running Domino R6 and above, you might find some solace in the Full Access Administrator function. From Administrator Help:
Full access administrator is the highest level of administrative access to the server. The full access administrator feature replaces the need to run a Notes client locally on a server. It resolves access control problems -- for example, such as those caused when the only managers of a database ACL have left an organization.
Full access administrators have the following rights:
- All the rights as listed for all administrator access levels (see above).
- Manager access, with all access privileges enabled, to all databases on the server, regardless of the database ACL settings.
- Note ACL roles must still be enabled manually for full access administrators.
- Manager access, with all roles and access privileges enabled, to the Web Administrator database (WEBADMIN.NSF).
- Access to all documents in all databases, regardless of Reader names fields.
- The ability to create agents that run in unrestricted mode with full administration rights.
- Access to any unencrypted data on the server.
Unfortunately, if you aren't listed as Full Access Admin, and if you do not have the right to edit and change Server Documents, this won't work for you. Go back to the applications, above, and hope that one of them will crack an ACL for you.
If nothing else, I hope that this shows that you need to plan for this eventuality. No matter how large or small your organization, you need to prepare for an Admin to leave. Think of it as part of your "Disaster Recovery" plan. Think of it as good business.
Technorati tag: SnTT Show-n-Tell Thursday
Comment posted by Martin06/25/2008 03:48:05 AM
Homepage: http://www.martinhumpolec.cz
Maybe you can try to delete the old admin (just with Delete key) and create him again. There shouldn't be a check for public/private keys so it should work.
Comment posted by Nick Wall06/25/2008 06:07:53 AM
A collegue had a server, and he was completely locked out - the ids certificates had expired, but he had the cert.id and server.id. No ids available to him could access the server.
He knew the name of a user who had Manager access (Full Access in fact) e.g. Joe Bloggs/City/Domain. What I suggested was: on another machine quickly install a server using same cert.id, and when prompted to create Admin id, use exactly the same name as the Admin that was locked out.
Now he could connect to his old server using this ID.
Comment posted by Charles Robinson06/25/2008 02:10:28 PM
Homepage: http://www.cubert.net
@Nick - That only works if public key checking is turned off on the server you're locked out of. I found that out the hard way.
Comment posted by Keith Brooks06/25/2008 07:44:11 PM
Homepage: http://lotustech.blogspot.com
Recently had this happen. Lotus answer is to basically create a new cert(make sure everything is named the same) and then you can recert or update expired ids, eta l.
Fun.
Also greg, you can use Essential Tools from RPR Wyatt
http://www.rprwyatt.com/rprwweb05.nsf/frmsetETProducts?OpenFrameSet
You alos overlooked the fact that running nlnotes on your server will bring up the client in a "local" way.
You are now free to edit the NAb as you feel like, thereby adding yourself or somoene else to admin lists.
PS - Your site still pushes the right column over your text.
BlogSphere V1.3.1
Join The WebLog Revolution at BlogSphere.net
- 