Novell is now a part of Micro Focus

Backing Up Trustee Assignments

Novell Cool Solutions: Feature
By Mark Russell

Digg This - Slashdot This

Posted: 2 Mar 2005

Note: Mark Russell is a frequent contributor to the site - if you haven't visited recently, check it out today!

Corruption in an eDirectory master replica is not good - not good at all. With the exception of a tactical nuclear strike on your data center, it's one of the single worst things that can happen to your Novell Network. Having said that, it's easy enough to recover eDirectory on the failed server, and during a tactical nuclear strike you'll probably have other things to worry about, such as ensuring you have an adequate supply of food and bottled water, but there is nothing so tedious and frustrating as having to recreate trustee assignments, one by one, folder by folder, user by user. Please note I am talking from bitter experience here. Of corrupt master replicas, that is, not tactical nuclear deployment ...

*DISCLAIMER - if you lose your whole eDirectory, then you have bigger problems than this article can deal with. Hopefully, you're using good practice and have multiple fault-tolerant replicas on other servers. If you've lost your whole eDirectory then I suggest you stock up on food and bottled water, while you still have a paycheck!*

However - should your data center remain unmolested by terrorists, here's a simply but effective way to ensure that your trustee file assignments remain secure. Not all backup software will preserve trustee assignments, and even the major players' software don't always work as planned. I have started using two ancient but very reliable utilities as a backup to the backup - TRUSTBAR.NLM (which backs up and restores trustee assignements) and CRON.NLM (the old Unix scheduling Daemon).

Both are simple enough to use - a good CRON TID is at, and a good TRUSTBAR TID is at

So, basically, you set up a scheduled TRUSTBAR session just before your backup happens. TRUSTBAR creates a small (matter of kilobytes for thousands of users) .XML file which will cost you nothing in terms of magnetic media.

CRON works using a script (CRONTAB, read the TID) - a simple file that specifies the following things (in this order, separated by spaces):

minute hour day-of-month month day-of-week command

The valid values (from the TID) are:


Note: week starts with 0=Sunday

You can also select non-consecutive values using commas (e.g., 1,3,5 as day-of-week will select Monday, Wednesday, Friday, where 0 = Sunday). The wildcard * denotes "all." For example, a command scheduled to run at 10:30 p.m. every Tuesday and Thursday, every day, every month would use a script in CRONTAB of the form:

30 22 * * 2,4 <command>

With me so far? Gooood!

Trustbar.NLM works as follows. You load TRUSTBAR with the following options (again, copied from the TID):

TRUSTBAR [path]: [-options] 

-H Help 
-B Backup trustees 
-R Restore trustees 
-D Delete trustees 
-V Verbose (outputs results to the console) 

So, to Backup trustees on a volume called APPS: you would run TRUSTBAR APPS: -B

This generates a file called TRUSTEES.XML in the root of that volume. To restore the trustee rights, you would run TRUSTBAR APPS:\trustees.xml -R (note that the existing trustees.xml file will be overwritten).

Still with me? Smashing!

Okay - so to create a scheduled trustee backup using CRON and TRUSTBAR at - say - 10:30 p.m. every day, your CRONTAB script would read:

30 22 * * * TRUSTBAR [VOLUME]: -B

It takes seconds, and your backup software will happily copy this to tape, assuming, of course, that your backup software is backing up that particular path.

To restore trustees to the volume, should corruption occur, run (at the server console):

TRUSTBAR [VOLUME]: -D (which will delete all current trustee assignments, 
in case the leftovers have been corrupted), then 
TRUSTBAR [VOLUME]:trustees.xml -R 

I only write this because I've seen it happen a few times, and seen corrupt eDirectory databases restored that have given some students full supervisory access to the HR department's shared area (no lie!). And yes, I've had to manually assign trustee rights one by one to several hundred folders in the past. There's all sorts of other things that will go wrong, of course, but nothing can take more time to get users back into their data than reassigning trustee rights - now you can do it in seconds. It's also a very useful method for moving data between servers. The XML file is readily editable so you can easily account for changes to the file structure should the need arise. For example, suppose you're moving all the subfolders from a volume called DATA: on one server to a volume called SHARED: on another. If it helps one person ever, I'll count this article a good ten minutes well spent!

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates