20 pts.
Q:
Lotus Administrator
I work for a mom & pop business and the IT manager left and now I'm suddenly responsible for an old Lotus r5 Domino server.

I do not have ACL access to 95% of NSF files in the directory. He erased himself from all ACLs, so I cannot even ask him for the password and log on as him to give myself access to anything.

Now, I have the certifier ID and password. I can get into the Administrator panel. But on some NSF files, I get a message saying I'm not authorized to get in, and on others, when I click to manage ACL, it just doesn't do anything.

I kind of need to be able to add/deny users.

I can't seem to find a generic administrator.ID file.

Is there a way to create a new administrator.ID file since I have the certifier ID/password?

Thanks
ASKED: Jun 19 2008  5:39 PM GMT
150 pts.
A:
You can create a generic ID, certainly. But that ID will still need to have access to the various databases. You can start the process by launching the Notes client on the server machine (after taking the server down) -- if you're using a Windows box, launch the nlnotes.exe app. You will then have effectively unrestricted (Manager) access to all databases on the server and can change ACLs at will.

I wouldn't suggest using any single user, even your "admin" id, directly in the ACL -- at least not by itself. Instead, create an admin Group in the public address book and add that group to the ACLs.

Unfortunately, there is no tool in R5 to allow you to play with ACLs en masse when running the local Notes client (nlnotes). If you were on Domino 6 or higher, all you'd need to do is modify the Domino Directory to give yourself sufficient access to the directory, then grant yourself Full Access Administration privileges on the server, then you could use the modify ACLs tool in Administrator to fix 'em all at one shot.
Last Answered: Jun 20 2008  2:17 PM GMT by StanRogers   150 pts.
Discuss This Answer:
Labnuke99   27980 pts.  |   Jun 19 2008  6:07PM GMT

You poor guy! I wonder if your organization should consider going after this previous employee under some kind of disgruntled employee lawsuit. There is a lot of case law out there to support this. Try this Google search to support the issue: http://www.google.com/search?hl=en&q=disgruntled+employee+sabotage&btnG=Search

This is going to cost the organization time and money to recover from his actions. You may need to open a support case with IBM to regain access to these files.

 

JMackey   20 pts.  |   Jun 19 2008  6:31PM GMT

Oh I honestly think it was more a case of he had no idea what he was doing. He was a decent fellow and probably thought he was doing us a security favor.

 

LTLevy   25 pts.  |   Jun 24 2008  3:33PM GMT

Another way to go is to check out the Sandbox on www.notes.net. I just did a search on ACL.

Here is one agent that might help you: http://www-10.lotus.com/ldd/sandbox.nsf/ecc552f1ab6e46e4852568a90055c4cd/f51807e42918e33e00256c090044738f?OpenDocument&Highlight=0,acl

 

ClarkKent1   25 pts.  |   Jul 3 2008  7:47PM GMT

If you can’t get the agent to work that LTLevy pointed out, there is a slow and painful manual process that I had to use on a server due to a careless change while we were using R5.

I think you may be able to have a Notes client access most of the files that you currently do not have enough access to. IBM frowns on installing the client on a server but we’ve done it dozens of times on R5 servers with little effect. Though you must make sure that it installs into its own directory. If you don’t want to install the client on the server (completely understandable) you would probably be able to map a network drive to it and access it from another machine that has the client.

For it to work at a bare minimum you will need to have the server off. It also won’t work on encrypted databases unless you use the id that encrypted it. In this case that would be the server id. If you really need access to an encrypted database, you can switch to a server id and then make your changes.

I don’t envy you for your efforts but I’m pretty sure you can get to the data that you need with some effort.

 

Brooklynegg   2895 pts.  |   Jul 7 2008  2:49PM GMT

What about this?

Create an admin group in the NAB.
Add yourself to the group.
Edit the Server document and add the admin group with whatever rights you want it to have.
Get a copy of the server.id, if you don’t already have it.
Create a LotusScript agent that adds the admin group to all databases on the server and gives it Manager access.
Switch ID to use the server.id.
Sign the agent with the server.id.
Schedule it to run on the server.
(make sure the agent does not have any UI objects, which would block it from running on the server).

Does anyone know why something like this wouldn’t work? It assumes that you have access to the server ID. Sounds like the old admin (aka “Kind-hearted Saboteur”) didn’t delete that ID before leaving, as the server continues to run.
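
The agent that Brooklynegg's steps call for, written out as an added example that is not part of the original thread: it walks every database on the machine it runs on and gives one group Manager access, and it only reports what it would change until `DRY_RUN` is set to False. The group name `ExampleAdmins` is a placeholder, and whether a server-signed scheduled agent is permitted to open and change every ACL on R5 is the open question the comment itself raises.

```lotusscript
Option Public
Option Declare

' Added example, not code from the thread.
Const ADMIN_GROUP = "ExampleAdmins"   ' hypothetical group name (assumption)
Const DRY_RUN = True                  ' True: report only; False: write ACLs

Sub Initialize
	Dim dbdir As New NotesDbDirectory("")   ' "" = the machine running the agent
	Dim db As NotesDatabase
	Dim acl As NotesACL
	Dim entry As NotesACLEntry
	Dim action As String

	On Error Goto Skipped                   ' one unreadable database must not end the run
	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		action = ""
		If Not db.IsOpen Then Call db.Open("", "")   ' directory entries start unopened
		Set acl = db.ACL
		Set entry = acl.GetEntry(ADMIN_GROUP)
		If entry Is Nothing Then
			action = "add as Manager"
			If Not DRY_RUN Then
				Set entry = acl.CreateACLEntry(ADMIN_GROUP, ACLLEVEL_MANAGER)
				entry.UserType = ACLTYPE_PERSON_GROUP
			End If
		Elseif entry.Level < ACLLEVEL_MANAGER Then
			action = "raise to Manager"
			If Not DRY_RUN Then entry.Level = ACLLEVEL_MANAGER
		End If
		If action <> "" Then
			If Not DRY_RUN Then Call acl.Save
			' Print from a scheduled agent goes to the server console and log
			Print "ACL agent: " & db.FilePath & " -> " & action
		End If
NextDb:
		Set db = dbdir.GetNextDatabase
	Loop
	Exit Sub
Skipped:
	' Record the database that could not be opened or changed, then move on
	Print "ACL agent: skipped " & db.FilePath & " (" & Error$ & ")"
	Resume NextDb
End Sub
```

Run it once in report mode and read the server log before switching `DRY_RUN` to False; the "skipped" lines show which databases the signing ID could not reach.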