Suppose, while under immense pressure from your boss to promptly prune user and group accounts on a NetWare 5 server, you accidentally delete the administrator account. Upon doing so, the system kicks you out because you were logged on as the administrator. Sure, you can still log on as another user, but not with administrator rights. Even those accounts with administrator equivalence no longer exist. Further, suppose that you're a security-conscious administrator and you would never have users with supervisor rights in the root of the tree, so there's no way to administer the tree and add the administrator account. What would someone do in a strictly hypothetical situation like this?
(sgnd) DS (desperate and shameless)
Wonnacott: My first advice, Dan, would be for you to start looking for your next job. It's lucky you're working at the InfoWorld Test Center, and we get paid to make these sorts of mistakes. If this were a production environment, though, you'd really feel "immense pressure" just now.
Every diligent administrator has a backup of the server and a thoroughly tested restore operation, right? That was a trick question; unfortunately, a restore operation is not going to work because your tape backup account will not have the rights to write to the root of the NetWare tree. You could reinstall and reconfigure the server and then perform a restore. This is a lengthy chore and is bound to bust your downtime limits. You could also call Novell's technical support, as I hear they have a way to get around this unfortunate event. But Novell will charge you for this support.
The best method is to find a utility that rebuilds the administrator account and places it back onto the root of the tree. Try out MakeSU, which is available at www.dreamlan.com. There's a free demo version that allows you to create a user, even at the root of the tree, but with only browser rights. You can verify that it created the user, but you can't log in with this user because the password is not known. If you want the complete tool, you'll need to pay $US99.
MakeSU is a NetWare Loadable Module (NLM) that allows you to create a new directory services user with supervisor rights to the root object. In addition to the root object, MakeSU can grant a new user full rights to any other object in the tree. It allows you to get around any Inherited Rights Filter placed on a container or object. You can run MakeSU from the load command with the required parameters, or you can use a menu screen to enter such information as your organisational unit name, new user name, and target object name. This is a powerful utility; to help prevent misuse, the NLM can be loaded only from the disk. When you purchase MakeSU, it is keyed to the name of your Novell Directory Services tree -- another nice security precaution.
Best of all, Dan, you'll get to keep your job. Incidentally, this is a true story and the names have not been changed to protect the guilty. MakeSU works in a matter of minutes, which is much better than having to rebuild the server and perform a restore. If you operate under intense pressure, stash this little treasure nearby as insurance; it will place you back in control in no time flat.
(Laura Wonnacott is technical director at the US test centre of InfoWorld, a sister publication of Computerworld, and has been working with computers for 15 years. Send her your questions at firstname.lastname@example.org.)